Vaultwarden commit introduces SSO using OpenID Connect
74 comments
· August 15, 2025 · DoctorOW
kuschku
SSO is really important in the "few tools, many users" case, but just as important in the "many tools, few users" case. I'm self hosting dozens of tools, and without SSO I'd have to set up username, password, TOTP and WebAuthn for each and every one of them, my 2FA app would be 90% my own services.
With SSO though, it's much simpler. I can just run an OIDC server and log into all my self-hosted services once, and I can use all of them. Vaultwarden is an exception to the rule though, as you can't really bootstrap that in the individual case.
Another use case I'm currently exploring is for sharing netflix/prime/disney+ passwords with roommates, partners and friends. They just sign in with their Google/Apple/whatever account and get access to the shared streaming provider passwords.
arjvik
What's your (OSS?) OIDC server of choice?
Authelia? Authentik? Keycloak? (These are the three I see a lot about.) Something else?
samgnesin
Pocket ID[1] is what I use, and I cannot recommend it enough. It's an incredible project.
thedanbob
Adding another +1 to Pocket ID. I looked at a couple of the ones you mentioned but they looked too heavy and complex for what I wanted. Pocket ID does one thing and does it well.
mmcnl
I've used Authelia for a few years and it's great. It does exactly what I need/want. Not more, not less. It's also never failed me.
gh02t
For self hosting, PocketID is about as easy to set up and maintain as it gets.
eloh
Can recommend Kanidm
homebrewer
I support an installation for a couple hundred users. It's been working fine for several years now, including browser plugins and mobile clients. If the project goes under, it's easy to export everything and import into the official Bitwarden.
(Whose server I really don't enjoy, it's very enterprise-y and heavy on resources for no real reason I could find.)
raybb
As someone who manages the Vaultwarden instance for a nonprofit with many volunteers but no full-time employees, I see this as a wonderful thing. Yes, Bitwarden has a nonprofit discount, but no, playing whack-a-mole with which of the 20+ volunteers are active at any moment to avoid getting a huge bill isn't worth it vs self-hosting.
Timshel
Started working (based on previous work already done) then maintaining the PR for my personal self-hosted stack.
Had then some fun adding roles/groups support (not yet merged).
toomuchtodo
SSO isn’t an enterprise feature, it is an access control and governance feature regardless of user population.
rat9988
Who needs it except enterprises for the 99.99% use case?
arjvik
E.g. the homelab admin who doesn't want their family to have to create and manage accounts on 12 different self-hosted services.
mcpherrinm
Everyone from the single-user homelab to the biggest companies should have SSO.
cyberax
Self-hosters so you don't need to record 100 different passwords for your own services?
c0balt
I'm hosting it for our team at a public institute, we are strongly supportive of OSS and have interest in keeping our data on premise.
Team of <10 though so hosting is trivial with NixOS. We also have almost no money available for purchasing software so official self-hosted bitwarden was not an option unfortunately (if we had money, that would've been the way to go).
Disposal8433
I'm a user, not an expert on all this but: SSO is indeed meant for a corporate environment, not for personal use. And from what I saw, companies would rather pay for a simple SSO provider than use any self-hosted solution. That means you either use Google or Microsoft, nothing else.
LastPass is out of the question due to the security issues in the past. I always advocate for Bitwarden but I'm not sure they can handle any kind of SSO yet. And Vaultwarden, being a fork of a not-so-famous-yet password vault (at least in the managers' world), is not a contender anywhere.
threePointFive
My company just implemented the SaaS Bitwarden with Google SAML on their Enterprise Plan. Very easy to set up, not too expensive ($6/user/month). Their compliance page made it much easier to sell to my manager who had to give the final approval: https://bitwarden.com/compliance/. It is only used by my department so far and we're still doing manual invites rather than integrating with the SCIM features so I can't speak to that. My biggest annoyance is that, as an admin, unlocking the vault still prompts for the master password rather than letting me select SSO without logging all the way out.
stronglikedan
> That means you either use Google or Microsoft, nothing else.
My fairly large (>20k) company uses Okta. That's just to say, be wary of issuing ultimatums.
tracker1
I recall a happy/fun environment using Microsoft Entra (Azure AD) SSO, in order to sign into Okta SSO, in order to access Azure environment(s), among other apps. SSO Inception.
ffsm8
Vaultwarden is not a fork though?
And also, in what world is SSO meant for enterprise?
It's Single Sign On; not having to log in separately for each service is perfect for any context of any size, whether these services only have 1 user or 100 thousand.
FuriouslyAdrift
Paid Bitwarden does SSO (SAML 2.0 or OIDC)
franga2000
The whole "SSO is meant for enterprise" thing is sales bullshit. Big enterprises can't live without SSO, so everyone started charging extra for that to milk more money out of them, but this doesn't mean it's not hugely beneficial or "meant for" smaller orgs or even individuals.
Anyone can spin up an Authentik/Authelia/Keycloak/whatever instance or even use Microsoft/Google if they already pay for it in a matter of minutes. The only reason people don't is because tons of apps make it annoyingly difficult to integrate SSO or don't offer it at all in the lower price tiers.
If app installers started with "create a root user or paste the OIDC secret here", everyone and their dog would be running SSO. But that's not as profitable.
preisschild
Vaultwarden is a lot easier to self host than Bitwarden
But like all community-made open source stuff, If you want to use it for "production" stuff you should invest in audits and contribute/fund development
warkdarrior
I've been self-hosting Bitwarden (and giving them money) for a few years now, it is really easy with Docker and a reverse proxy. What kind of challenges did you encounter with Bitwarden?
fkyoureadthedoc
Vaultwarden uses fewer resources and runs fine on a $5 digital ocean VPS where I had some issues with Bitwarden. I hardly have to remember that I'm running it myself.
preisschild
Last time I checked you needed an MS SQL db...
arjie
Mostly unrelated. Does anyone know of an alternative open source extension to the Bitwarden extension? I don't mind paying for the Bitwarden service to sync etc. but the new React-based extension is incredibly slow on my M1 Max.
ronnier
I love this product and have used it for a long time now, but more recently started getting worried about security. I hope the maintainers are doing their due diligence around securing their Docker Hub account (many of us run VW in Docker) and are careful about the libraries the project depends on. Some questionable coding practices were made that I'm not sure I agree with (calling 3rd party sites in some scenarios). As more of us switch to self-hosting VW it will become a juicier target for bad actors. Really hoping we don't wake up one day to find out that our database was uploaded by a BA.
crimsonnoodle58
If you're running on Kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfil.
I do this for most containers.
If the container must have web access in some form, set up a Squid proxy and only whitelist safe and trusted domains that can't be exfilled to.
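What crimsonnoodle58 describes, written out as an added example (editor's illustration, not code from the thread or from the Vaultwarden project). The policy assumes a CNI that actually enforces NetworkPolicy (Calico or Cilium, for instance; plain kubenet or flannel will silently ignore it), a pod label app=vaultwarden in a namespace named vaultwarden, an ingress controller in a namespace named ingress-nginx, and a Squid pod labelled app=squid in the same namespace. All of those names are assumptions. Note that what does the real work is the default-deny egress: blocking port 53 alone would not stop a payload that ships with a hard-coded IP address, so the policy lists no destination except the proxy.

```yaml
# Added example, not from the page or the Vaultwarden project.
# Assumed: namespace "vaultwarden", pod label app=vaultwarden,
# ingress controller in namespace "ingress-nginx", Squid pod app=squid.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-lockdown
  namespace: vaultwarden
spec:
  podSelector:
    matchLabels:
      app: vaultwarden
  # Listing both types turns the policy into default-deny for both
  # directions; only the rules below are then permitted.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller may reach the app port.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 80          # Vaultwarden image's default listen port
  egress:
    # The single permitted destination is the allow-listing forward proxy.
    # Nothing here allows UDP/TCP 53 to kube-dns, so the pod cannot resolve
    # any name itself; Squid resolves the allow-listed hosts on its behalf.
    - to:
        - podSelector:
            matchLabels:
              app: squid
      ports:
        - protocol: TCP
          port: 3128
```

To verify from inside the pod, a direct request to an external IP should time out while the same request through the proxy (HTTPS_PROXY pointed at the Squid service, which an application built on a proxy-aware HTTP client honours; treat that as an assumption for Vaultwarden) to an allow-listed host succeeds. Two caveats for this particular app: anything Vaultwarden does server-side over the network, such as SMTP for invitations, icon fetching, or the SSO feature this thread is about (the server exchanges the authorization code at the identity provider's token endpoint), has to go through the proxy's allow list or get its own egress rule; and this controls the container only, not what the web vault does in the user's browser, which is the point currysausage raises below.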
victor106
> a simple network policy and blocking the container from using DNS
Can you please point to some resources that can help with how to do this?
currysausage
The web frontend could still send secrets to third parties.
maxwellg
For extra security, an intermediary can set Content Security Policy (CSP) headers that instruct browsers to only connect to certain domains. CSP headers aren't a total solution, but they're a good tool in the toolkit for redundancy against exfiltration.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
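Following maxwellg's suggestion, here is what a proxy-added CSP could look like as an added example (editor's illustration, not from the thread or the Vaultwarden project). It uses Traefik's file-provider dynamic configuration, which works the same whether Traefik runs in Docker or Kubernetes; the hostname vault.example.com, the middleware name and the upstream address are assumptions. Browsers enforce every Content-Security-Policy header they receive, so a policy added at the proxy can only tighten whatever the app already sends, never loosen it.

```yaml
# Added example, not from the page or the Vaultwarden project.
# Traefik dynamic config (file provider). Assumed: hostname
# vault.example.com, upstream container reachable as http://vaultwarden:80.
http:
  middlewares:
    vw-csp:
      headers:
        customResponseHeaders:
          # Report-Only first: violations show up in the browser console and
          # nothing is blocked. Rename the header to Content-Security-Policy
          # once the vault has been exercised (login, sync, attachments,
          # export) and no unexpected connect-src violations appear.
          # connect-src 'self' limits fetch/XHR/WebSocket from the web vault
          # to the vault's own origin, which is where the API lives.
          Content-Security-Policy-Report-Only: "connect-src 'self'"
  routers:
    vaultwarden:
      rule: "Host(`vault.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - vw-csp
      service: vaultwarden
      tls: {}
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://vaultwarden:80"
```

Two things to expect. First, any call the web vault legitimately makes to a third-party origin from the browser will be blocked once enforcing, so the report-only phase is where you decide whether to allow specific hosts or accept losing that feature. Second, this protects only the web vault: the desktop app and browser extensions do not load the page, so a CSP does nothing for them (which is also why, as noted further down, they are the safer clients against a tampered web frontend).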
ronnier
I use Docker (in Unraid).
surge
I've threat modeled this myself, and as I understand it the Bitwarden client side decrypts/encrypts everything locally. So even if backend was entirely compromised, it's never getting anything without the master password, and that's never sent across by the client. Then again, there's also the web interface.
ronnier
Yeah if an attacker was able to insert javascript then it's possible.
blr_lpm
For this particular threat vector, where the client is compromised, the backend doesn’t matter.
9cb14c1ec0
Which is only possible if logging into the web client and not when using the bitwarden desktop app or browser extensions.
andix
A password manager is the one thing I'm very skeptical to use SSO for.
lucasyvas
Difference between work and personal. For personal, you’re right because there is nothing to bootstrap off of.
But in corporate it’s provisioned to a user account that exists first.
My personal bootstrap is two Yubikeys (for redundancy) that contain the password and 2FA for my Proton Pass. This plays the role of what IT would in a company with a user directory.
jchw
From this PR:
> A master password is still required and not controlled by the SSO
From the Bitwarden documentation[1]:
> Locking your vault will maintain vault data on the device, so unlocking your vault can be done offline. You will be required to enter your master password or PIN, or use biometrics, but won't need to use any active two-step login methods.
That really ought to quell the majority of the concerns IMO. Though for personal usage I use KeepassXC, because not having any remote authentication at all is even simpler than SSO.
[1]: https://bitwarden.com/help/vault-timeout/#vault-timeout-acti...
vasco
So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.
forty
Well, without SSO, we (people making password managers for business) are in a weird position where we tell people "you won't have to remember passwords" then the first thing we do is to ask to remember a new password (the master password).
SSO also has the benefit that admin can impersonate another account, which is generally a good thing in a corporate environment (think of employee turn over, bus factor, etc)
kriops
Separate accounts for work and private. SSO for the work account is perfectly fine for me as a dev and a big advantage for the company. But yes, don't conflate the two use cases.
wazzaps
It's most useful for companies, where the goal is as much SSO as possible.
sandeepkd
Interesting to see a PR being merged after a good 2 years. I thought about reviewing the changes for self-learning, however the number of files involved made me give up on that idea soon enough. The number of comments (610) gave the impression that the PR must have been reviewed thoroughly, however a close look tells that the comments are mostly about the topic itself, not about the code changes. Unless the code review is managed internally, the PR gives an impression of mostly happy paths.
jedahan
Been using this since it was merged. No issues so far, appreciate the work.
tracker1
Definitely cool functionality to see. I hope this doesn't pull too much from what might otherwise be Enterprise Bitwarden customers. Definitely supportive of the upstream project, while Vaultwarden seems to take fewer server resources to run, and is simpler from what I understand.
Freeing up the SSO tax.
cromka
I self-host Vaultwarden for my use only. Can someone please explain like I'm 5 what the use case of this new feature is? Is it to log in to Vaultwarden using an OpenID?
input_sh
I administer it at work and now I won't have to invite a user manually, wait for them to accept the invite link via email, manually approve their account, and then assign it to groups (collections).
In other words one less thing to worry about during onboarding / offboarding.
jedahan
Run a community space that uses its own SSO, and needs to share passwords for socials and the like.
the_gastropod
Yep, exactly. I selfhost Vaultwarden and a bunch of other apps that my family also use. So I run Authentik, which lets them only have to worry about remembering one login, and they then have a little dashboard of all our apps, and can click to login to whatever they want. It's a pretty decent little system, and I'm happy I can now add Vaultwarden to it.
The bigger your users x applications number, the bigger the benefit. It makes user management easy (e.g., you only have to manage users in one place instead of N).
simcop2387
Same use case for myself too. One of the biggest advantages for me is that it lets me set up a single and easily tested place for the users to reset passwords from too, for when they inevitably forget or lose the post-it note. That, along with me using all the apps and not wanting to have to change 30 passwords for everything when something happens too.
I went a bit more complicated myself with Keycloak instead of Authentik, simply because I knew keycloak a little better but setting up SSO for all the stuff I run has definitely been worth it.
cycomanic
Yep, same for me. I actually had been holding off on Vaultwarden precisely because it didn't have SSO support. A single sign-on is definitely better than having the family try to remember a different password for every app.
ta1243
My team self hosts multiple internal services, including vaultwarden.
For most of these we use our standard corporate OIDC provider to provide authentication and accounting, either on a proxy or directly on the service, that passes the user through. The hosted service is either fine (it just logs the user in its local access logs for the accounting part) because it's allowed for all our corporate users, or the service uses its own authorisation logic to allow or reject the users.
Some devices are just generic user/password on the device itself -- the authorisation there is that the group responsible for that device has to keep the credential secure. Any authenticated Corp user can access the login page, and that gets logged, but the authorisation is a simple user/password.
If the credential isn't secure (because people are terrible with security) then at least the attacker is logged, and has had to authorise access.
Some authentication is better. Our guacamole hosts for example are authenticated on proxy with OIDC, then passed through to the guacamole server which does its own authorisation based on its internal database (which itself is managed via a github approach - to add joe.bloggs@corp.com to the "Washington Servers" group you add his identity to the right part of the "groups.conf" file and when the PR is merged it applies across the estate within a minute or two). Then they can access all connections in "Washington", but "davey.jones@corp.com" isn't in that group, so can't.
Likewise our IPAM will create a user in the "readonly" group automatically (our policy is ip records are available to everyone in the company), but they then need moving into an elevated rights using IPAM tooling to allocate IP addresses.
For Vaultwarden, though, we maintain a separate user and password; we still have the OIDC front end, but it's completely ignored for another layer of authorisation. I'm about to go on leave so I won't be thinking too much about whether this will help, but it's good to have the option.
elashri
For single-user or family-supported instances this will not make a huge difference because it will still require entering the master password (which is good). It would be good in team or company settings, where the manual work to add and set up accounts with access to password collections is annoying.
franga2000
Depending on how many services you host, this is a huge deal for family and/or friends setups. I run around a dozen things that various family members and friends use, so being able to have one account that they can log into anything with (including password change and reset) without me having to manually manage accounts makes the whole endeavour much more viable.
razighter777
Fantastic! I really love Vaultwarden and was looking forward to this. I have no reason to run SSO in my 3-user homelab but it makes me happy. Good work.
xxmarkuski
How secure is Vaultwarden?
Valodim
So what is the point of this, if the user still needs a master password?
franga2000
Creating, deleting, blocking accounts is the main one - you only do it once for a user and they get access to all your services. It also lets you do MFA and security checks on login (like on a new device) which can prevent break-ins even if your users use easily crackable passwords.
cephi
Access control -- can make it easy to add/sync users in Authentik using one username
maxvisser
Maybe if you deactivate a user's Entra ID, he can't access his Vaultwarden vault anymore.
esseph
Can you expand the question a bit?
Most of the comments seem to confirm (all but one at the time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of self-hosting FOSS tools. I should clarify I don't consider myself as working in tech, fwiw.