Definitely cool functionality to see. I hope this doesn't pull too much from what might otherwise be Enterprise Bitwarden customers. Definitely supportive of the upstream project, while Vaultwarden seems to take less server resources to run, and simpler from what I understand.
Freeing up the SSO tax.
DoctorOW 2 hours ago [-]
Most of the comments seem to confirm (all but one at time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of selfhosting FOSS tools. I should clarify I don't consider myself working in tech, fwiw.
kuschku 15 minutes ago [-]
SSO is really important in the "few tools, many users" case, but just as important in the "many tools, few users" case. I'm self hosting dozens of tools, and without SSO I'd have to set up username, password, TOTP and WebAuthn for each and every one of them, my 2FA app would be 90% my own services.
With SSO though, it's much simpler. I can just run an OIDC server and log into all my self-hosted services once, and I can use all of them. Vaultwarden is an exception to the rule though, as you can't really bootstrap that in the individual case.
Another use case I'm currently exploring is for sharing netflix/prime/disney+ passwords with roommates, partners and friends. They just sign in with their Google/Apple/whatever account and get access to the shared streaming provider passwords.
Timshel 8 minutes ago [-]
Started working on the PR (based on previous work already done), then maintaining it, for my personal self-hosted stack.
Then had some fun adding roles/groups support (not yet merged).
homebrewer 35 minutes ago [-]
I support an installation for a couple hundred users. It's been working fine for several years now, including browser plugins and mobile clients. If the project goes under, it's easy to export everything and import into the official Bitwarden.
(Whose server I really don't enjoy, it's very enterprise-y and heavy on resources for no real reason I could find.)
raybb 1 hour ago [-]
As someone who manages the Vaultwarden instance for a nonprofit with many volunteers but no full-time employees, I see this as a wonderful thing. Yes, Bitwarden has a nonprofit discount, but playing whack-a-mole with which of the 20+ volunteers are active at any moment to avoid getting a huge bill isn't worth it vs. self hosting.
c0balt 43 minutes ago [-]
I'm hosting it for our team at a public institute, we are strongly supportive of OSS and have interest in keeping our data on premise.
Team of <10 though so hosting is trivial with NixOS. We also have almost no money available for purchasing software so official self-hosted bitwarden was not an option unfortunately (if we had money, that would've been the way to go).
Disposal8433 2 hours ago [-]
I'm a user, not an expert on all this but: SSO is indeed meant for a corporate environment, not for personal use. And from what I saw, companies would rather pay for a simple SSO provider than use any self-hosted solution. That means you either use Google or Microsoft, nothing else.
LastPass is out of the question due to the security issues in the past. I always advocate for Bitwarden but I'm not sure they can handle any kind of SSO yet. And Vaultwarden, being a fork of a not-so-famous-yet password vault (at least in the managers' world), is not a contender anywhere.
threePointFive 23 minutes ago [-]
My company just implemented the SaaS Bitwarden with Google SAML on their Enterprise Plan. Very easy to set up, not too expensive ($6/user/month). Their compliance page made it much easier to sell to my manager who had to give the final approval: https://bitwarden.com/compliance/. It is only used by my department so far and we're still doing manual invites rather than integrating with the SCIM features so I can't speak to that. My biggest annoyance is that, as an admin, unlocking the vault still prompts for the master password rather than letting me select SSO without logging all the way out.
> That means you either use Google or Microsoft, nothing else.
My fairly large (>20k) company uses Okta. That's just to say, be wary of issuing ultimatums.
tracker1 21 minutes ago [-]
I recall a happy/fun environment using Microsoft Entra (Azure AD) SSO, in order to sign into Okta SSO, in order to access Azure environment(s), among other apps. SSO Inception.
preisschild 1 hour ago [-]
Vaultwarden is a lot easier to self host than Bitwarden
But like all community-made open source stuff, if you want to use it for "production" stuff you should invest in audits and contribute/fund development.
warkdarrior 45 minutes ago [-]
I've been self-hosting Bitwarden (and giving them money) for a few years now, it is really easy with Docker and a reverse proxy. What kind of challenges did you encounter with Bitwarden?
fkyoureadthedoc 17 minutes ago [-]
Vaultwarden uses fewer resources and runs fine on a $5 digital ocean VPS where I had some issues with Bitwarden. I hardly have to remember that I'm running it myself.
warkdarrior 5 minutes ago [-]
Resource usage is a fair point. My home computer is 64 cores and 1TB RAM so I don't even notice Bitwarden running.
preisschild 15 minutes ago [-]
Last time I checked you needed a MS SQL db...
warkdarrior 6 minutes ago [-]
It is all included in their Docker compose file.
preisschild 2 minutes ago [-]
I use Kubernetes
But also what about the whole lifecycle?
I can easily deploy a HA Postgres cluster that is backed up for me. I'd have to do the same thing to back up BW.
ronnier 2 hours ago [-]
I love this product and have used it for a long time now, but more recently started getting worried about security. I hope the maintainers are doing their due diligence around securing their Docker Hub account (many of us run VW in Docker) and are careful about the libraries the project depends on. Some questionable coding practices were adopted that I'm not sure I agree with (calling 3rd party sites in some scenarios). As more of us switch to self hosting VW it will become a juicier target for bad actors. Really hoping we don't wake up one day to find out that our database was uploaded by a BA.
crimsonnoodle58 2 hours ago [-]
If you're running on Kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfil.
I do this for most containers.
If the container must have web access in some form, set up a Squid proxy and only whitelist safe and trusted domains that can't be exfilled to.
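An added example of the policy described in the comment above, written by the editor and not taken from the thread or from the Vaultwarden project. It assumes Vaultwarden runs in a namespace named vaultwarden with the label app=vaultwarden, listens on TCP 80 as the official image does by default, is reached only through an ingress controller in a namespace named ingress-nginx, and that the cluster CNI enforces NetworkPolicy (Calico, Cilium and similar do; a CNI without policy support accepts the object and silently ignores it). The first object is the full deny; the second is the alternative for the "must have web access" case and additionally assumes a Squid pod labelled app=squid in a namespace named egress and CoreDNS labelled k8s-app: kube-dns in kube-system. Apply one or the other: policies selecting the same pod are additive, so the proxy variant would reopen egress next to the deny.

```yaml
# Added example (editor's own; not from the thread or the Vaultwarden project).
# Assumed names: namespace "vaultwarden", pod label app=vaultwarden,
# ingress controller in namespace "ingress-nginx". The namespace label
# kubernetes.io/metadata.name is set automatically by Kubernetes >= 1.22.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-deny-all-egress
  namespace: vaultwarden
spec:
  podSelector:
    matchLabels:
      app: vaultwarden
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - protocol: TCP
      port: 80
  # Egress is listed in policyTypes but has no rules: every outbound
  # connection from the pod is dropped, including UDP/TCP 53 to kube-dns,
  # so a compromised image can neither resolve nor reach an attacker host.
  egress: []
---
# Alternative for the "must have web access" case: same ingress, but egress
# only to cluster DNS and to a Squid proxy that holds the domain allow-list.
# Assumed names: CoreDNS label k8s-app=kube-dns in "kube-system", Squid pod
# label app=squid in namespace "egress", listening on 3128.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-egress-via-proxy
  namespace: vaultwarden
spec:
  podSelector:
    matchLabels:
      app: vaultwarden
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: egress
      podSelector:
        matchLabels:
          app: squid
    ports:
    - protocol: TCP
      port: 3128
```

Two caveats a practitioner would want. First, Vaultwarden itself makes outbound connections: SMTP if email is configured, server-side site-icon fetching, and, with the SSO feature this thread is about, the OIDC provider's discovery, token and JWKS endpoints, so the full deny also disables those unless the identity provider runs in-cluster and is allowed by an explicit egress rule. Second, the proxy variant only helps if the process actually uses the proxy; the assumption here is that HTTP_PROXY/HTTPS_PROXY on the pod are honoured (Vaultwarden's Rust HTTP client reads them by default, but check on your version), while the policy still drops any direct connection that tries to bypass it. Verify by exec-ing into the pod and confirming that name resolution and a direct outbound connect both fail.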
victor106 2 hours ago [-]
> a simple network policy and blocking the container from using DNS
Can you please point to some resources that can help with how to do this?
ronnier 2 hours ago [-]
I use Docker (in Unraid).
surge 2 hours ago [-]
I've threat modeled this myself, and as I understand it the Bitwarden client side decrypts/encrypts everything locally. So even if backend was entirely compromised, it's never getting anything without the master password, and that's never sent across by the client. Then again, there's also the web interface.
ronnier 2 hours ago [-]
Yeah if an attacker was able to insert javascript then it's possible.
blr_lpm 2 hours ago [-]
For this particular threat vector, where the client is compromised, the backend doesn’t matter.
sandeepkd 57 minutes ago [-]
Interesting to see a PR being merged after a good 2 years. Thought about the idea of reviewing the changes for self-learning, however the number of files involved made me give up on that idea soon enough. The number of comments (610) gave an impression that the PR must have been reviewed thoroughly, however a close look tells that the comments are mostly about the topic itself, not about the code changes. Unless the code review is managed internally, the PR gives an impression of mostly happy paths.
andix 3 hours ago [-]
A password manager is the one thing I'm very skeptical to use SSO for.
lucasyvas 3 hours ago [-]
Difference between work and personal. For personal, you’re right because there is nothing to bootstrap off of.
But in corporate it’s provisioned to a user account that exists first.
My personal bootstrap is two Yubikeys (for redundancy) that contains the password and 2FA for my Proton Pass. This plays the role of what IT would in a company with a user directory.
jchw 3 hours ago [-]
From this PR:
> A master password is still required and not controlled by the SSO
From the Bitwarden documentation[1]:
> Locking your vault will maintain vault data on the device, so unlocking your vault can be done offline. You will be required to enter your master password or PIN, or use biometrics, but won't need to use any active two-step login methods.
That really ought to quell the majority of the concerns IMO. Though for personal usage I use KeepassXC, because not having any remote authentication at all is even simpler than SSO.
So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.
kriops 3 hours ago [-]
Separate accounts for work and private. SSO for the work account is perfectly fine for me as a dev and a big advantage for the company. But yes, don't conflate the two use cases.
wazzaps 3 hours ago [-]
It's most useful for companies, where the goal is as much SSO as possible.
elashri 2 hours ago [-]
For single user or family supported instances this will not make a huge difference because this will still require entering the master password (which is good). It would be good for team or company settings, where the manual work to add and set up accounts with access to password collections is annoying.
jedahan 3 hours ago [-]
Been using this since it was merged. No issues so far, appreciate the work.
cromka 4 hours ago [-]
I selfhost vaultwarden for my use only. Can someone please explain it like I am 5 what's the use case of this new feature? Is it to log in to vaultwarden using an OpenID?
input_sh 2 hours ago [-]
I administer it at work and now I won't have to invite a user manually, wait for them to accept the invite link via email, manually approve their account, and then assign it to groups (collections).
In other words one less thing to worry about during onboarding / offboarding.
jedahan 1 hour ago [-]
Run a community space that uses its own SSO, and needs to share passwords for socials and the like.
the_gastropod 4 hours ago [-]
Yep, exactly. I selfhost Vaultwarden and a bunch of other apps that my family also use. So I run Authentik, which lets them only have to worry about remembering one login, and they then have a little dashboard of all our apps, and can click to login to whatever they want. It's a pretty decent little system, and I'm happy I can now add Vaultwarden to it.
The bigger your users x applications number, the bigger the benefit. It makes user management easy (e.g., you only have to manage users in one place instead of N).
simcop2387 3 hours ago [-]
Same use case for myself too. One of the biggest advantages for me is that it lets me set up a single and easily tested place for the users to reset passwords from too, for when they inevitably forget or lose the post-it note. That, along with me using all the apps and not wanting to have to change 30 passwords for everything when something happens too.
I went a bit more complicated myself with Keycloak instead of Authentik, simply because I knew keycloak a little better but setting up SSO for all the stuff I run has definitely been worth it.
cycomanic 3 hours ago [-]
Yep same for me. I actually had been holding off on Vaultwarden precisely because it didn't have SSO support. A single sign on is definitely better than having the family try to remember a different password for every app.
razighter777 3 hours ago [-]
Fantastic! I really love Vaultwarden and was looking forward to this. I have no reason to run SSO in my 3 user homelab but it makes me happy. Good work.
Valodim 3 hours ago [-]
So what is the point of this, if the user still needs a master password?
cephi 3 hours ago [-]
Access control -- can make it easy to add/sync users in Authentik using one username
maxvisser 3 hours ago [-]
Maybe if you deactivate a user's Entra ID they can't access their Vaultwarden vault anymore.
https://bitwarden.com/help/about-sso/
[1]: https://bitwarden.com/help/vault-timeout/#vault-timeout-acti...