The bigger your users x applications number, the bigger the benefit. It makes user management easy (e.g., you only have to manage users in one place instead of N)
Same use case for myself too. One of the biggest advantages for me is that it lets me set up a single and easily tested place for the users to reset passwords from too, for when they inevitably forget or lose the post-it note. That, along with me using all the apps and not wanting to have to change 30 passwords for everything when something happens too.
I went a bit more complicated myself with Keycloak instead of Authentik, simply because I knew Keycloak a little better, but setting up SSO for all the stuff I run has definitely been worth it.
Yep, same for me. I actually had been holding off on Vaultwarden precisely because it didn't have SSO support. A single sign-on is definitely better than having the family try to remember a different password for every app.
I administer it at work and now I won't have to invite a user manually, wait for them to accept the invite link via email, manually approve their account, and then assign it to groups (collections).
In other words one less thing to worry about during onboarding / offboarding.
My team self hosts multiple internal services, including vaultwarden.
For most of these we use our standard corporate OIDC provider to provide authentication and accounting, either on a proxy or directly on the service, that passes the user through; the hosted service is either fine (it just logs the user in its local access logs for the accounting part) because it's allowed for all our corporate users, or the service uses its own authorisation logic to allow or reject the users.
Some devices are just generic user/password on the device itself -- the authorisation there is that the group responsible for that device has to keep the credential secure. Any authenticated Corp user can access the login page, and that gets logged, but the authorisation is a simple user/password.
If the credential isn't secure (because people are terrible with security) then at least the attacker is logged, and has had to authorise access.
Some authentication is better. Our guacamole hosts for example are authenticated on proxy with OIDC, then passed through to the guacamole server which does its own authorisation based on its internal database (which itself is managed via a github approach - to add joe.bloggs@corp.com to the "Washington Servers" group you add his identity to the right part of the "groups.conf" file and when the PR is merged it applies across the estate within a minute or two). Then they can access all connections in "Washington", but "davey.jones@corp.com" isn't in that group, so can't.
Likewise our IPAM will create a user in the "readonly" group automatically (our policy is that IP records are available to everyone in the company), but they then need moving into elevated rights using IPAM tooling to allocate IP addresses.
Vaultwarden, though, we maintain a separate user and password for; we still have the OIDC front end, but it's completely ignored for another layer of authorisation. I'm about to go on leave so I won't be thinking too much about whether this will help, but it's good to have the option.
For single-user or family-supported instances this will not make a huge difference because it will still require entering the master password (which is good). It would be good for team or company settings, where the manual work to add and set up accounts with access to password collections is annoying.
Depending on how many services you host, this is a huge deal for family and/or friends setups. I run around a dozen things that various family members and friends use, so being able to have one account that they can log into anything with (including password change and reset) without me having to manually manage accounts makes the whole endeavour much more viable.
Definitely cool functionality to see. I hope this doesn't pull too much from what might otherwise be Enterprise Bitwarden customers. Definitely supportive of the upstream project, while Vaultwarden seems to take fewer server resources to run, and is simpler from what I understand.
Creating, deleting, blocking accounts is the main one - you only do it once for a user and they get access to all your services. It also lets you do MFA and security checks on login (like on a new device) which can prevent break-ins even if your users use easily crackable passwords.
Interesting to see a PR being merged after a good 2 years. Thought about the idea of reviewing the changes for self-learning, however the number of files involved made me give up on that idea soon enough. The number of comments (610) gave an impression that the PR must have been reviewed thoroughly; however, a close look tells that the comments are mostly about the topic itself, not about the code changes. Unless the code review is managed internally, the PR gives an impression of mostly happy paths.
I like the spirit of this comment (pointing out that it's OSS). I don't even disagree with discouraging people from asking questions that have readily searchable answers they'd be well served to direct themselves to.
But I think it can be assumed that someone asking such a question is highly unlikely to be a world-class security researcher equipped to answer it for themselves by auditing the source code, so your response comes across as snarky for the sake of snark.
Most of the comments seem to confirm (all but one at time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of selfhosting FOSS tools. I should clarify I don't consider myself working in tech, fwiw.
SSO is really important in the "few tools, many users" case, but just as important in the "many tools, few users" case. I'm self hosting dozens of tools, and without SSO I'd have to set up username, password, TOTP and WebAuthn for each and every one of them, my 2FA app would be 90% my own services.
With SSO though, it's much simpler. I can just run an OIDC server and log into all my self-hosted services once, and I can use all of them. Vaultwarden is an exception to the rule though, as you can't really bootstrap that in the individual case.
Another use case I'm currently exploring is for sharing netflix/prime/disney+ passwords with roommates, partners and friends. They just sign in with their Google/Apple/whatever account and get access to the shared streaming provider passwords.
What's your (OSS?) OIDC server of choice?
Authelia? Authentik? Keycloak? (These are the three I see a lot about.) Something else?
Pocket ID[1] is what I use, and I cannot recommend it enough. It's an incredible project.
[1] https://pocket-id.org
Love pocket-id. Do you use oauth2-proxy with it? How did you set up oauth2-proxy to work with multiple apps?
I used to use oauth2-proxy with PocketID, but migrated to caddy-security for stuff that doesn't directly support OIDC as part of a general move to Caddy. It's nice not needing the sidecar container, though the docs for caddy-security are a bit confusing and I still find Caddy's whole approach to plugins a bit... odd. It does give you quite a lot of flexibility once you figure it out, and I think it was worthwhile after the initial learning period.
I've dabbled in oauth2-proxy but I'm not running it currently. I recall my go-to was launching one instance per remote I want to target.
Yeah, that's hard to scale when you have lots of services. For now, I am running multiple oauth2-proxy instances and assigning user groups in pocket-id. How do you deal with apps not having native OIDC support?
Adding another +1 to Pocket ID. I looked at a couple of the ones you mentioned but they looked too heavy and complex for what I wanted. Pocket ID does one thing and does it well.
I've used Authelia for a few years and it's great. It does exactly what I need/want. Not more, not less. It's also never failed me.
For self hosting, PocketID is about as easy to set up and maintain as it gets.
I use Authelia backed by lldap. Really like it so far
Can recommend Kanidm
Kanidm made some weird decisions that ruled it out in one big organisation I tried to deploy it in. Separate RADIUS password. For a telco that's half its use cases, and there is a separate random password. The whole network engineering department was like WTF? You can't have a single password, which is one of the important reasons to have SSO.
Mine is zitadel
As someone who manages the Vaultwarden instance for a nonprofit with many volunteers but no full-time employees, I see this as a wonderful thing. Yes, Bitwarden has a nonprofit discount, but no, playing whack-a-mole with which of the 20+ volunteers are active at any moment to avoid getting a huge bill isn't worth it vs self-hosting.
I'm in a similar situation; having many volunteers does not mean we have the budget to pay 5-10 euros per month for all of them for all the tools needed for work. Self-hosting and managed hosting of open-source software are the best option for us, including SSO and password management.
I support an installation for a couple hundred users. It's been working fine for several years now, including browser plugins and mobile clients. If the project goes under, it's easy to export everything and import into the official Bitwarden.
(Whose server I really don't enjoy, it's very enterprise-y and heavy on resources for no real reason I could find.)
SSO isn’t an enterprise feature, it is an access control and governance feature regardless of user population.
Who needs it except enterprises for the 99.99% use case?
E.g. the homelab admin who doesn't want their family to have to create and manage accounts on 12 different self-hosted services.
Self-hosters so you don't need to record 100 different passwords for your own services?
Everyone from the single-user homelab to the biggest companies should have SSO.
Vaultwarden is a lot easier to self host than Bitwarden
But like all community-made open source stuff, If you want to use it for "production" stuff you should invest in audits and contribute/fund development
I've been self-hosting Bitwarden (and giving them money) for a few years now, it is really easy with Docker and a reverse proxy. What kind of challenges did you encounter with Bitwarden?
Vaultwarden uses fewer resources and runs fine on a $5 digital ocean VPS where I had some issues with Bitwarden. I hardly have to remember that I'm running it myself.
Resource usage is a fair point. My home computer is 64 cores and 1TB RAM so I don't even notice Bitwarden running.
Last time I checked you needed a MS SQL db...
https://bitwarden.com/help/database-options/
"All Bitwarden self-hosted server deployments, except for unified, ship with an MSSQL Express image by default."
> Last time i checked you needed a MS SQL db...
For real? That would mean a requirement for a software license that costs about $1,000 for the cheapest option.
There is a new Unified one that can use SQLite and other options. I have been using that one for a year or more
It is all included in their Docker compose file.
I use Kubernetes
But also what about the whole lifecycle?
I can easily deploy a HA Postgres cluster that is backed up for me. I'd have to do the same thing to back up BW.
Don't know much about HA (it looks like Bitwarden does this through Helm https://bitwarden.com/help/self-host-with-helm/), but backup is a matter of simply copying files: https://bitwarden.com/help/backup-on-premise/
Started working (based on previous work already done) then maintaining the PR for my personal self-hosted stack.
Had then some fun adding roles/groups support (not yet merged).
I'm hosting it for our team at a public institute, we are strongly supportive of OSS and have interest in keeping our data on premise.
Team of <10 though so hosting is trivial with NixOS. We also have almost no money available for purchasing software so official self-hosted bitwarden was not an option unfortunately (if we had money, that would've been the way to go).
> Does anyone know if Vaultwarden has commercial users?
Yes, it does.
I'm a user, not an expert on all this but: SSO is indeed meant for a corporate environment, not for personal use. And from what I saw, companies would rather pay for a simple SSO provider than use any self-hosted solution. That means you either use Google or Microsoft, nothing else.
LastPass is out of the question due to the security issues in the past. I always advocate for Bitwarden but I'm not sure they can handle any kind of SSO yet. And Vaultwarden, being a fork of a not-so-famous-yet password vault (at least in the managers' world), is not a contender anywhere.
Vaultwarden is not a fork though?
And also, in what world is SSO meant for enterprise?
It's Single Sign On, not having to login separately for each service is perfect for any context of any size - wherever these services only have 1 user or 100 thousand.
My company just implemented the SaaS Bitwarden with Google SAML on their Enterprise Plan. Very easy to set up, not too expensive ($6/user/month). Their compliance page made it much easier to sell to my manager who had to give the final approval: https://bitwarden.com/compliance/. It is only used by my department so far and we're still doing manual invites rather than integrating with the SCIM features so I can't speak to that. My biggest annoyance is that, as an admin, unlocking the vault still prompts for the master password rather than letting me select SSO without logging all the way out.
> That means you either use Google or Microsoft, nothing else.
My fairly large (>20k) company uses Okta. That's just to say, be wary of issuing ultimatums.
I recall a happy/fun environment using Microsoft Entra (Azure AD) SSO, in order to sign into Okta SSO, in order to access Azure environment(s), among other apps. SSO Inception.
SSO chaining is super common in large corporate environments. Different orgs might have their own SSO IDP, acquisitions often bring their own, etc. Once a provider is in use, it is quite difficult to tear out later while keeping everyone in their proper accounts in all the apps that tie in. Many apps are really bad at SSO migrations, or deduplicating multiple SSO identities to a single user account.
The whole "SSO is meant for enterprise" thing is sales bullshit. Big enterprises can't live without SSO, so everyone started charging extra for that to milk more money out of them, but this doesn't mean it's not hugely beneficial or "meant for" smaller orgs or even individuals.
Anyone can spin up an Authentik/Authelia/Keycloak/whatever instance or even use Microsoft/Google if they already pay for it in a matter of minutes. The only reason people don't is because tons of apps make it annoyingly difficult to integrate SSO or don't offer it at all in the lower price tiers.
If app installers started with "create a root user or paste the OIDC secret here", everyone and their dog would be running SSO. But that's not as profitable.
Paid Bitwarden does SSO (SAML 2.0 or OIDC)
https://bitwarden.com/help/about-sso/
I’ve used it at a previous job. SMB, ca. 200(?) employees.
Same here! - 350-400 employees, but the main requirement was that it could be accessed with no internet. Came from Keepass, love it. SSO just makes it better.
My company just started hosting an instance for its employees 2 months ago.
Vaultwarden has been in use at two companies I’ve worked for, yeah. Modest, mid-size companies, one with a delusion of grandeur. While both didn’t care for self-hosting, the executives were wary, in both cases, of SaaS password management after LastPass.
I love this product and have used it for a long time now, but more recently started getting worried about security. I hope the maintainers are doing their due diligence around securing their Docker Hub account (many of us run VW in Docker) and are careful about libraries the project depends on. Some questionable coding practices were made that I'm not sure I agree with (calling 3rd party sites in some scenarios). As more of us switch to self-hosting VW it will become a juicier target for bad actors. Really hoping we don't wake up one day to find out that our database was uploaded by a BA
If you're running on Kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfil.
I do this for most containers.
If the container must have web access in some form, set up a Squid proxy and only whitelist safe and trusted domains that can't be exfilled to.
> a simple network policy and blocking the container from using DNS
Can you please point to some resources that can help with how to do this?
Not sure about the DNS part, but NetworkPolicies should be familiar to anyone who takes Kubernetes seriously.
https://kubernetes.io/docs/concepts/services-networking/netw...
Edit: Did some research and found that Calico has a feature for some kind of DNS filtering
https://www.tigera.io/blog/how-to-secure-kubernetes-workload...
Why do you think that DNS is required? Anything malicious could (and likely should) hard-code an IP.
You ensure DNS is disabled to stop DNS exfil. You can google it, but basically they exfil data by looking up encoded subdomains.
Hardcoding an IP won't help if the network policy disallows all network access.
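What the egress lockdown discussed above looks like as Kubernetes manifests, as an added example that is not part of the thread or of the Vaultwarden project. Every name in it is an assumption: namespace `vaultwarden` with the pod labelled `app=vaultwarden` listening on port 80, a reverse proxy labelled `app=reverse-proxy` in namespace `ingress`, and, for the SSO variant, a Pocket ID pod labelled `app=pocket-id` in namespace `sso` on port 1411.

```yaml
# Added example; assumed names, see lead-in. Requires a CNI that enforces
# NetworkPolicy (e.g. Calico or Cilium); on a CNI without enforcement the
# objects apply cleanly and do nothing, so verify with a test pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-lockdown
  namespace: vaultwarden
spec:
  podSelector:
    matchLabels:
      app: vaultwarden
  policyTypes:
    - Ingress
    - Egress
  # Only the reverse proxy may talk to the pod, and only on the app port.
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress
          podSelector:
            matchLabels:
              app: reverse-proxy
      ports:
        - protocol: TCP
          port: 80
  # Egress is listed in policyTypes but carries no rules, so nothing leaves
  # the pod: no UDP/TCP 53 to kube-dns (kills DNS-tunnel exfil) and no
  # direct connections to a hard-coded IP either.
  egress: []
---
# Companion policy for the OIDC login this thread is about. In the
# authorization-code flow the server itself redeems the code with the
# identity provider, so a blanket egress deny breaks SSO. NetworkPolicies
# are additive: applying this alongside the first one yields "IdP and
# cluster DNS only" rather than reopening everything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-egress-idp-only
  namespace: vaultwarden
spec:
  podSelector:
    matchLabels:
      app: vaultwarden
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: sso
          podSelector:
            matchLabels:
              app: pocket-id   # assumed label and port for the IdP
      ports:
        - protocol: TCP
          port: 1411
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two caveats a practitioner should check before relying on this. First, the DNS rule only helps if the server reaches the IdP by a cluster-internal name; if the issuer URL is the IdP's public hostname, the egress rule has to target whatever actually serves that hostname from inside the cluster (typically the ingress controller), otherwise the code exchange times out. Second, the lockdown also cuts off anything else the server does outbound, such as server-side favicon fetching or SMTP for organisation invitations, so either expect those to fail or add equally narrow rules for them rather than dropping the policy.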
The web frontend could still send secrets to third parties.
For extra security, an intermediary can set Content Security Policy (CSP) headers that instruct browsers to only connect to certain domains. CSP headers aren't a total solution, but they're a good tool in the toolkit for redundancy against exfiltration.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
It could be a system without a web ui, like a database or database proxy. Or it could have multiple web and native UIs (that are open source), e.g. a matrix service.
I use Docker (in Unraid).
I've threat modeled this myself, and as I understand it the Bitwarden client side decrypts/encrypts everything locally. So even if the backend was entirely compromised, it's never getting anything without the master password, and that's never sent across by the client. Then again, there's also the web interface.
Yeah if an attacker was able to insert javascript then it's possible.
For this particular threat vector, where the client is compromised, the backend doesn’t matter.
A compromised server can inject exfil code into the web page it serves. If you only ever use the apps then you should be fine though.
Which is only possible if logging into the web client and not when using the bitwarden desktop app or browser extensions.
Security audits have been made by the German BSI for Vaultwarden (and other free software):
https://www.heise.de/en/news/Password-manager-BSI-reports-cr...
Link to reports page: https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldunge...
Mostly unrelated. Does anyone know of an alternative open source extension to the Bitwarden extension? I don't mind paying for the Bitwarden service to sync etc. but the new React-based extension is incredibly slow on my M1 Max.
A password manager is the one thing I'm very skeptical to use SSO for.
Difference between work and personal. For personal, you’re right because there is nothing to bootstrap off of.
But in corporate it’s provisioned to a user account that exists first.
My personal bootstrap is two Yubikeys (for redundancy) that contains the password and 2FA for my Proton Pass. This plays the role of what IT would in a company with a user directory.
From this PR:
> A master password is still required and not controlled by the SSO
From the Bitwarden documentation[1]:
> Locking your vault will maintain vault data on the device, so unlocking your vault can be done offline. You will be required to enter your master password or PIN, or use biometrics, but won't need to use any active two-step login methods.
That really ought to quell the majority of the concerns IMO. Though for personal usage I use KeepassXC, because not having any remote authentication at all is even simpler than SSO.
[1]: https://bitwarden.com/help/vault-timeout/#vault-timeout-acti...
So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.
Separate accounts for work and private. SSO for the work account is perfectly fine for me as a dev and a big advantage for the company. But yes, don't conflate the two use cases.
Well, without SSO, we (people making password managers for business) are in a weird position where we tell people "you won't have to remember passwords" and then the first thing we do is ask them to remember a new password (the master password).
SSO also has the benefit that an admin can impersonate another account, which is generally a good thing in a corporate environment (think of employee turnover, bus factor, etc.)
It's most useful for companies, where the goal is as much SSO as possible.
Been using this since it was merged. No issues so far, appreciate the work.
Convenient timing!
I moved my credentials over from pass to Vaultwarden about a month ago (after discovering the pass Android app was abandoned and pulled off app stores), and have spent the last two weeks since discovering Pocket ID migrating a few self-hosted services to OIDC.
I selfhost Vaultwarden for my use only. Can someone please explain, like I'm 5, what the use case of this new feature is? Is it to log in to Vaultwarden using an OpenID?
Yep, exactly. I selfhost Vaultwarden and a bunch of other apps that my family also use. So I run Authentik, which lets them only have to worry about remembering one login, and they then have a little dashboard of all our apps, and can click to login to whatever they want. It's a pretty decent little system, and I'm happy I can now add Vaultwarden to it.
The bigger your users x applications number, the bigger the benefit. It makes user management easy (e.g., you only have to manage users in one place instead of N).
Same use case for myself too. One of the biggest advantages for me is that it lets me set up a single and easily tested place for the users to reset passwords from, for when they inevitably forget or lose the post-it note. That, along with me using all the apps and not wanting to have to change 30 passwords for everything when something happens too.
I went a bit more complicated myself with Keycloak instead of Authentik, simply because I knew Keycloak a little better, but setting up SSO for all the stuff I run has definitely been worth it.
Yep, same for me. I actually had been holding off on Vaultwarden precisely because it didn't have SSO support. A single sign-on is definitely better than having the family try to remember a different password for every app.
I administer it at work and now I won't have to invite a user manually, wait for them to accept the invite link via email, manually approve their account, and then assign it to groups (collections).
In other words one less thing to worry about during onboarding / offboarding.
My team self hosts multiple internal services, including vaultwarden.
For most of these we use our standard corporate OIDC provider to provide authentication and accounting, either on a proxy or directly on the service, that passes the user through. The hosted service is either fine (it just logs the user in its local access logs for the accounting part) because it's allowed for all our corporate users, or the service uses its own authorisation logic to allow or reject the users.
Some devices are just generic user/password on the device itself -- the authorisation there is that the group responsible for that device has to keep the credential secure. Any authenticated Corp user can access the login page, and that gets logged, but the authorisation is a simple user/password.
If the credential isn't secure (because people are terrible with security) then at least the attacker is logged, and has had to authorise access.
Some authentication is better. Our Guacamole hosts, for example, are authenticated on the proxy with OIDC, then passed through to the Guacamole server which does its own authorisation based on its internal database (which itself is managed via a GitHub approach: to add joe.bloggs@corp.com to the "Washington Servers" group you add his identity to the right part of the "groups.conf" file, and when the PR is merged it applies across the estate within a minute or two). Then they can access all connections in "Washington", but "davey.jones@corp.com" isn't in that group, so can't.
Likewise our IPAM will create a user in the "readonly" group automatically (our policy is ip records are available to everyone in the company), but they then need moving into an elevated rights using IPAM tooling to allocate IP addresses.
For Vaultwarden, though, we maintain a separate user and password. We still have the OIDC front end, but it's completely ignored for another layer of authorisation. I'm about to go on leave so I won't be thinking too much about whether this will help, but it's good to have the option.
Run a community space that uses its own SSO, and needs to share passwords for socials and the like.
Fantastic! I really love Vaultwarden and was looking forward to this. I have no reason to run SSO in my 3-user homelab, but it makes me happy. Good work.
For single-user or family-supported instances this will not make a huge difference, because it will still require entering the master password (which is good). It would be good in team or company settings, where the manual work to add and set up accounts with access to password collections is annoying.
Depending on how many services you host, this is a huge deal for family and/or friends setups. I run around a dozen things that various family members and friends use, so being able to have one account that they can log into anything with (including password change and reset) without me having to manually manage accounts makes the whole endeavour much more viable.
Definitely cool functionality to see. I hope this doesn't pull too much from what might otherwise be Enterprise Bitwarden customers. Definitely supportive of the upstream project, while Vaultwarden seems to take fewer server resources to run, and is simpler from what I understand.
Freeing up the SSO tax.
So what is the point of this, if the user still needs a master password?
Access control -- can make it easy to add/sync users in Authentik using one username
Creating, deleting, blocking accounts is the main one - you only do it once for a user and they get access to all your services. It also lets you do MFA and security checks on login (like on a new device) which can prevent break-ins even if your users use easily crackable passwords.
SSO handles authentication (proving who you are) while the master password is still needed for decryption (as the encryption key is derived from it).
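The split this comment describes, authentication decided by the identity provider versus decryption that only a key stretched from the master password can perform, as an added Python illustration. This is my own example code, not Vaultwarden's or Bitwarden's: the PBKDF2 work factor, the HMAC-SHA256 toy stream cipher, the record layout and the sample vault entry are all constructed for the demonstration.

```python
"""
Why an SSO login does not replace the master password in a Bitwarden-style
design: the vault is decrypted client-side with a key stretched from the
master password, while the server only ever stores ciphertext and a
separate one-way login proof.

Added illustration, not Vaultwarden or Bitwarden code. The work factor,
the HMAC-SHA256 toy cipher, the record layout and the sample vault entry
are all constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # constructed work factor for the example


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 32-byte key.
    The lower-cased email acts as salt so equal passwords differ per user."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), PBKDF2_ITERATIONS
    )


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: a further one-way hash of the master key, sent to the
    server as the login proof. It cannot be reversed into master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256 (constructed; a real client
    # would use an AEAD such as AES-GCM or AES-CBC with HMAC).
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; wrong key -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def enroll(master_password: str, email: str, vault_item: bytes) -> dict:
    """What the client uploads at account creation. Only ciphertext and a
    hash of the login proof leave the device; the master key never does."""
    master_key = derive_master_key(master_password, email)
    vault_key = os.urandom(32)  # random per-user key; the master key only wraps it
    return {
        "email": email,
        "auth_hash_hash": hashlib.sha256(auth_hash(master_key, master_password)).digest(),
        "protected_vault_key": encrypt(master_key, vault_key),
        "vault_blob": encrypt(vault_key, vault_item),
    }


def sso_login(record: dict, idp_assertion_ok: bool) -> Optional[dict]:
    """Server side with SSO: the IdP's answer decides whether the encrypted
    record is handed out at all. Nothing on this side can decrypt it."""
    return record if idp_assertion_ok else None


def unlock(record: dict, master_password: str) -> bytes:
    """Client side after login: re-derive the master key, unwrap the vault
    key, then decrypt the vault item."""
    master_key = derive_master_key(master_password, record["email"])
    vault_key = decrypt(master_key, record["protected_vault_key"])
    return decrypt(vault_key, record["vault_blob"])


def server_can_decrypt(record: dict) -> bool:
    """A fully compromised server holds only the stored fields. Trying each
    of them as a key shows none unwraps the vault key."""
    for candidate in (record["auth_hash_hash"], record["protected_vault_key"][:32]):
        try:
            decrypt(candidate, record["protected_vault_key"])
            return True
        except ValueError:
            pass
    return False


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.com", b"netflix: hunter2")
    assert sso_login(rec, idp_assertion_ok=False) is None
    print(unlock(sso_login(rec, True), "correct horse battery staple"))
    print("server can decrypt:", server_can_decrypt(rec))
```

Two design choices are worth noting. The stretched master key never encrypts vault data directly; it only wraps a random vault key, so a master-password change re-wraps one 32-byte value instead of re-encrypting the whole vault. And the login proof is a separate one-way derivation of the master key, so disabling the account at the IdP (or deleting `auth_hash_hash`) blocks delivery of the ciphertext without the server ever having held anything that could open it.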
Maybe if you deactivate a user's Entra ID, they can't access their Vaultwarden vault anymore.
Can you expand the question a bit?
Interesting to see a PR being merged after a good 2 years. I thought about reviewing the changes for self-learning, but the number of files involved made me give up on that idea soon enough. The number of comments (610) gave the impression that the PR must have been reviewed thoroughly, but a closer look shows that the comments are mostly about the topic itself, not about the code changes. Unless the code review was managed internally, the PR gives an impression of mostly happy paths.
How secure is Vaultwarden?
It's as secure as others promise it to be, but actual security is in your own hands. I self-host Vaultwarden but I keep it behind a VPN.
The logic is simple: Bitwarden is not there to detect intrusion attempts and safeguard your server, so you gotta do it yourself. That's why it's free.
You can read the code and see?
I like the spirit of this comment (pointing out that it's OSS). I don't even disagree with discouraging people from asking questions that have readily searchable answers they'd be well served to direct themselves to.
But I think it can be assumed that someone asking such a question is highly unlikely to be a world-class security researcher equipped to answer it for themselves by auditing the source code, so your response comes across as snarky for the sake of snark.