Vaultwarden commit introduces SSO using OpenID Connect

66 speckx 24 8/15/2025, 12:31:54 PM github.com

Comments (24)

DoctorOW · 1m ago
Most of the comments seem to confirm (all but one at time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of selfhosting FOSS tools. I should clarify I don't consider myself working in tech, fwiw.
elashri · 2m ago
For single user or family supported instances this will not make huge difference because this will still require entering master password (which is good). It would be good for cases when it would make it easier in team or company settings when the manual work to add and setup accounts with access to password collections is annoying.
ronnier · 39m ago
I love this product and have used it for a long time now, but more recently started getting worried about security. I hope the maintainers are doing their due diligence around securing their Docker Hub account (many of us run VW in Docker) and are careful about libraries the project depends on. Some questionable coding practices were made that I'm not sure I agree with (calling 3rd-party sites in some scenarios). As more of us switch to self hosting VW it will become a juicier target for bad actors. Really hoping we don't wake up one day to find out that our database was uploaded by a BA
crimsonnoodle58 · 22m ago
If you're running on Kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfil.

I do this for most containers.

If the container must have web access in some form, set up a Squid proxy and only whitelist safe and trusted domains that can't be exfilled to.
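
The policy described above, written out as an added example (not from the thread or from the Vaultwarden project): a Kubernetes NetworkPolicy that selects the Vaultwarden pod, lists Egress in policyTypes so everything not explicitly allowed is dropped, and allows only TCP 3128 to an in-cluster Squid proxy pod. Because no rule for port 53 is present, the pod cannot resolve names at all; the proxy pod holds the domain allow-list. The namespace name, the `app=vaultwarden` and `app=squid-egress` labels, and the proxy port are assumptions for illustration. One caveat a practitioner should keep in mind: blocking DNS alone does not stop exfiltration to a hard-coded IP address, which is why the policy below denies all egress by default rather than only DNS.

```yaml
# Added example, not the project's own manifest. Namespace, labels and port
# are assumptions; adjust them to the deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-egress-lockdown
  namespace: vaultwarden
spec:
  # Apply to the Vaultwarden pod(s) only.
  podSelector:
    matchLabels:
      app: vaultwarden
  # Listing Egress here means: any egress not matched by a rule below is denied.
  # Ingress is not listed, so inbound traffic to the pod is unaffected.
  policyTypes:
    - Egress
  egress:
    # Deliberately no rule for UDP/TCP 53: the pod gets no DNS resolution,
    # so a compromised image cannot look up an attacker-controlled hostname.
    # The only permitted destination is the Squid proxy pod in the same
    # namespace, which enforces the domain allow-list.
    - to:
        - podSelector:
            matchLabels:
              app: squid-egress
      ports:
        - protocol: TCP
          port: 3128
```

Note that a bare `podSelector` under `to` matches pods in the policy's own namespace only; if the proxy lives elsewhere, add a `namespaceSelector` alongside it. The policy also requires a CNI plugin that enforces NetworkPolicy (e.g. Calico or Cilium); on a cluster whose network plugin ignores NetworkPolicy objects, the manifest applies cleanly but enforces nothing, so verify enforcement by attempting an outbound connection from the pod after applying it.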

ronnier · 20m ago
I use Docker (in Unraid).
surge · 32m ago
I've threat modeled this myself, and as I understand it the Bitwarden client side decrypts/encrypts everything locally. So even if backend was entirely compromised, it's never getting anything without the master password, and that's never sent across by the client. Then again, there's also the web interface.
ronnier · 20m ago
Yeah if an attacker was able to insert javascript then it's possible.
andix · 1h ago
A password manager is the one thing I'm very skeptical to use SSO for.
lucasyvas · 57m ago
Difference between work and personal. For personal, you’re right because there is nothing to bootstrap off of.

But in corporate it’s provisioned to a user account that exists first.

My personal bootstrap is two Yubikeys (for redundancy) that contain the password and 2FA for my Proton Pass. This plays the role of what IT would in a company with a user directory.

jchw · 56m ago
From this PR:

> A master password is still required and not controlled by the SSO

From the Bitwarden documentation[1]:

> Locking your vault will maintain vault data on the device, so unlocking your vault can be done offline. You will be required to enter your master password or PIN, or use biometrics, but won't need to use any active two-step login methods.

That really ought to quell the majority of the concerns IMO. Though for personal usage I use KeepassXC, because not having any remote authentication at all is even simpler than SSO.

[1]: https://bitwarden.com/help/vault-timeout/#vault-timeout-acti...

kriops · 58m ago
Separate accounts for work and private. SSO for the work account is perfectly fine for me as a dev and a big advantage for the company. But yes, don't conflate the two use cases.
vasco · 1h ago
So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.
wazzaps · 1h ago
It's most useful for companies, where the goal is as much SSO as possible.
jedahan · 1h ago
Been using this since it was merged. No issues so far, appreciate the work.
cromka · 1h ago
I selfhost vaultwarden for my use only. Can someone please explain it like I am 5 what's the use case of this new feature? Is it to log in to vaultwarden using an OpenID?
input_sh · 26m ago
I administer it at work and now I won't have to invite a user manually, wait for them to accept the invite link via email, manually approve their account, and then assign it to groups (collections).

In other words one less thing to worry about during onboarding / offboarding.

the_gastropod · 1h ago
Yep, exactly. I selfhost Vaultwarden and a bunch of other apps that my family also use. So I run Authentik, which lets them only have to worry about remembering one login, and they then have a little dashboard of all our apps, and can click to login to whatever they want. It's a pretty decent little system, and I'm happy I can now add Vaultwarden to it.

The bigger your users x applications number, the bigger the benefit. It makes user management easy (e.g., you only have to manage users in one place instead of N).

simcop2387 · 1h ago
Same use case for myself too. One of the biggest advantages for me is that it lets me set up a single and easily tested place for the users to reset passwords from too, for when they inevitably forget or lose the post-it note. That, along with me using all the apps and not wanting to have to change 30 passwords for everything when something happens too.

I went a bit more complicated myself with Keycloak instead of Authentik, simply because I knew Keycloak a little better, but setting up SSO for all the stuff I run has definitely been worth it.

cycomanic · 56m ago
Yep, same for me. I actually had been holding off on Vaultwarden precisely because it didn't have SSO support. A single sign-on is definitely better than having the family try to remember a different password for every app.
Valodim · 1h ago
So what is the point of this, if the user still needs a master password?
cephi · 1h ago
Access control -- can make it easy to add/sync users in Authentik using one username
maxvisser · 1h ago
Maybe if you deactivate a user's Entra ID, they can't access their Vaultwarden vault anymore.
esseph · 1h ago
Can you expand the question a bit?
razighter777 · 1h ago
Fantastic! I really love Vaultwarden and was looking forward to this. I have no reason to run SSO in my 3 user homelab, but it makes me happy. Good work.