Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Vaultwarden
  3. Cloudron documentation outdated? Bitwarden now supports SSO

Cloudron documentation outdated? Bitwarden now supports SSO

Vaultwarden
18 Posts 8 Posters 2.1k Views 9 Watching
  • M Offline
    marylou
    wrote on last edited by
    #1

    Hello!

    I believe the Cloudron documentation may be outdated:
    674ec1d9-066b-4d0c-9ad9-edc32dcaefd6-image.png

    Bitwarden now supports SSO: https://bitwarden.com/help/about-sso/

    Can we expect SSO to be added to Vaultwarden?

    jdaviescoatesJ 1 Reply Last reply
    0
    • jdaviescoatesJ Offline
      jdaviescoates
      wrote on last edited by
      #2

      @marylou said in Cloudron documentation outdated? Bitwarden now supports SSO:

      Can we expect SSO to be added to Vaultwarden?

      I wonder if it could too. But I'm guessing perhaps not given SSO on Bitwarden is an enterprise-only feature.

      I use Cloudron with Gandi & Hetzner

      1 Reply Last reply
      0
      • andreasduerenA Offline
        andreasdueren
        wrote on last edited by
        #3

        I've been watching this for a while. This has been a longstanding feature request #3899 is the merged one from the seemingly hundreds of requests lol. But it does seem to be close to being finalized and merged.

        1 Reply Last reply
        2
        • girishG Offline
          girish
          Staff
          wrote on last edited by
          #4

          right, as others said, what applies to bitwarden doesn't necessarily apply to Vaultwarden...

          1 Reply Last reply
          1
          • andreasduerenA Offline
            andreasdueren
            wrote on last edited by
            #5

            https://github.com/dani-garcia/vaultwarden/commit/28b932befce51a5aa0274d08c371b1c13a8ba94d 🎉

            jdaviescoatesJ 1 Reply Last reply
            1
            • jdaviescoatesJ Offline
              jdaviescoates
              wrote on last edited by
              #6

              @andreasdueren cool! I'm intrigued as to how exactly this will work in practice... will have to have a play around once we've got it in the Cloudron package...

              I use Cloudron with Gandi & Hetzner

              1 Reply Last reply
              0
              • andreasduerenA Offline
                andreasdueren
                wrote on last edited by
                #7

                https://github.com/dani-garcia/vaultwarden/pull/3899#event-19062298364

                Finally merged. Didn’t believe in it anymore lol

                1 Reply Last reply
                2
                • andreasduerenA Offline
                  andreasdueren
                  wrote on last edited by
                  #8

                  Can we have this preconfigured on install, now that this is supported?

                  #####################################
                  ### SSO settings (OpenID Connect) ###
                  #####################################
                  
                  ## Controls whether users can login using an OpenID Connect identity provider
                  # SSO_ENABLED=false
                  
                  ## Prevent users from logging in directly without going through SSO
                  # SSO_ONLY=false
                  
                  ## On SSO Signup if a user with a matching email already exists make the association
                  # SSO_SIGNUPS_MATCH_EMAIL=true
                  
                  ## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` opens a potential account takeover.
                  # SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
                  
                  ## Base URL of the OIDC server (auto-discovery is used)
                  ##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
                  ##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
                  # SSO_AUTHORITY=https://auth.example.com
                  
                  ## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
                  # SSO_SCOPES="email profile"
                  
                  ## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
                  # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
                  
                  ## Activate PKCE for the Auth Code flow.
                  # SSO_PKCE=true
                  
                  ## Regex for additional trusted Id token audience (by default only the client_id is trusted).
                  # SSO_AUDIENCE_TRUSTED='^$'
                  
                  ## Set your Client ID and Client Key
                  # SSO_CLIENT_ID=11111
                  # SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
                  
                  ## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
                  # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
                  
                  ## Use sso only for authentication not the session lifecycle
                  # SSO_AUTH_ONLY_NOT_SESSION=false
                  
                  ## Client cache for discovery endpoint. Duration in seconds (0 to disable).
                  # SSO_CLIENT_CACHE_EXPIRATION=0
                  
                  ## Log all the tokens, LOG_LEVEL=debug is required
                  # SSO_DEBUG_TOKENS=false
                  
                  I 1 Reply Last reply
                  2
                  • girishG Offline
                    girish
                    Staff
                    wrote on last edited by girish
                    #9

                    @andreasdueren thanks, I have created a task internally for @vladimir.d .

                    edit: er, @andreasdueren looks like this is not released yet, right? https://github.com/dani-garcia/vaultwarden/releases has no releases saying so.

                    andreasduerenA 1 Reply Last reply
                    1
                    • andreasduerenA Offline
                      andreasdueren
                      wrote on last edited by
                      #10

                      @girish said in Cloudron documentation outdated? Bitwarden now supports SSO:

                      looks like this is not released yet right

                      I guess you're right, merge happened after the last release.

                      1 Reply Last reply
                      1
                      • I Offline
                        IniBudi
                        wrote last edited by
                        #11

                        @andreasdueren said in Cloudron documentation outdated? Bitwarden now supports SSO:

                        SSO_AUTHORITY=

                        I encountered an issue when attempting to activate SSO using Cloudron OpenID.

                        I don't know why SSO_AUTHORITY, I just input my Cloudron URL (my.cloudron.example), but the SSO failed.

                        Do you face the same problem?

                        jdaviescoatesJ 1 Reply Last reply
                        0
                        • jdaviescoatesJ Offline
                          jdaviescoates
                          wrote last edited by jdaviescoates
                          #12

                          @IniBudi I haven't looked at this at all, but as I understand it on Cloudron it's generally not possible to migrate an existing app from "let app manage users" to "LDAP or OIDC". It has to be chosen at install.

                          Presumably a fresh new install would work?

                          I use Cloudron with Gandi & Hetzner

                          1 Reply Last reply
                          0
                          • jamesJ Offline
                            james
                            Staff
                            wrote last edited by
                            #13

                            Hello @inibudi
                            Currently, the Cloudron @vaultwarden app does not yet support OIDC/SSO.

                            As stated above:

                            @girish said in Cloudron documentation outdated? Bitwarden now supports SSO:

                            thanks, I have created a task internally for @vladimir.d .

                            I C 2 Replies Last reply
                            2
                            • I Offline
                              IniBudi
                              wrote last edited by
                              #14

                              @james thank you James for the information

                              1 Reply Last reply
                              0
                              • C Offline
                                charlesnw
                                wrote last edited by
                                #15

                                I am attempting to get a brand new installation of VaultWarden working with Cloudron OIDC SSO.

                                I have already very carefully read over:

                                https://docs.cloudron.io/user-directory/#openid-connect
                                https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect

                                to produce the below (redacted) config.json:

                                https://my.knownelement.com/openid/.well-known/openid-configuration/

                                https://my.cloudron.example/.well-known/openid-configuration
                                https://my.cloudron.example/openid/.well-known/openid-configuration

                                SSO_AUTHORITY : the OpenID Connect Discovery endpoint of your SSO
                                    Should not include the /.well-known/openid-configuration part and no trailing /
                                    $SSO_AUTHORITY/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse

                                {
                                  "domain": "https://passwords.knownelement.com",
                                  "sends_allowed": true,
                                  "incomplete_2fa_time_limit": 3,
                                  "disable_icon_download": false,
                                  "signups_allowed": false,
                                  "signups_verify": false,
                                  "signups_verify_resend_time": 3600,
                                  "signups_verify_resend_limit": 6,
                                  "invitations_allowed": false,
                                  "emergency_access_allowed": true,
                                  "email_change_allowed": false,
                                  "password_iterations": 600000,
                                  "password_hints_allowed": false,
                                  "show_password_hint": false,
                                  "admin_token": "heavily-redacted :) ",
                                  "invitation_org_name": "KNEL Password Vault",
                                  "ip_header": "X-Forwarded-For",
                                  "icon_redirect_code": 302,
                                  "icon_cache_ttl": 2592000,
                                  "icon_cache_negttl": 259200,
                                  "icon_download_timeout": 10,
                                  "http_request_block_non_global_ips": true,
                                  "disable_2fa_remember": false,
                                  "authenticator_disable_time_drift": false,
                                  "require_device_email": false,
                                  "reload_templates": false,
                                  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
                                  "admin_session_lifetime": 20,
                                  "increase_note_size_limit": false,
                                  "dns_prefer_ipv6": false,
                                  "sso_enabled": true,
                                  "sso_only": true,
                                  "sso_signups_match_email": true,
                                  "sso_allow_unknown_email_verification": false,
                                  "sso_client_id": "redacted",
                                  "sso_client_secret": "redacted",
                                  "sso_authority": "https://my.knownelement.com",
                                  "sso_scopes": "openid email profile",
                                  "sso_pkce": true,
                                  "sso_callback_path": "https://passwords.knownelement.com/identity/connect/oidc-signin",
                                  "sso_auth_only_not_session": true,
                                  "sso_client_cache_expiration": 0,
                                  "sso_debug_tokens": false,
                                  "_enable_yubico": true,
                                  "_enable_duo": true,
                                  "_enable_smtp": true,
                                  "use_sendmail": false,
                                  "smtp_host": "mail",
                                  "smtp_security": "off",
                                  "smtp_port": 2525,
                                  "smtp_from": "passwords.app@knownelement.com",
                                  "smtp_from_name": "Vaultwarden",
                                  "smtp_username": "passwords.app@knownelement.com",
                                  "smtp_password": "redacted",
                                  "smtp_auth_mechanism": "Plain",
                                  "smtp_timeout": 15,
                                  "smtp_embed_images": true,
                                  "smtp_accept_invalid_certs": true,
                                  "smtp_accept_invalid_hostnames": true,
                                  "_enable_email_2fa": false,
                                  "email_token_size": 6,
                                  "email_expiration_time": 600,
                                  "email_attempts_limit": 3,
                                  "email_2fa_enforce_on_verified_invite": false,
                                  "email_2fa_auto_fallback": false
                                }
                                

                                I suppose I can increase logging to see if that helps.

                                Vaultwarden keeps asking for a master password, even though I've disabled that and set sso only.

                                1 Reply Last reply
                                0
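As an added example, not code from this thread, from Vaultwarden or from Cloudron: a small Python checker that applies the rules quoted in the SSO settings block of #8 to a config such as the one in #15, deriving SSO_AUTHORITY from a discovery URL, checking the provider document's issuer against it, and flagging the unverified-email signup combination. The sample env, the discovery JSON and its endpoint paths are constructed assumptions.

```python
# Added example, not Vaultwarden's or Cloudron's code. Rules come from the SSO settings
# block quoted in this thread: SSO_AUTHORITY takes no trailing "/" and no
# "/.well-known/openid-configuration" suffix, discovery is SSO_AUTHORITY + that suffix,
# and SSO_SIGNUPS_MATCH_EMAIL=true plus SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true is risky.
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Metadata the Authorization Code flow needs from the provider document.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def authority_from_discovery_url(url: str) -> str:
    """Turn a discovery URL into the SSO_AUTHORITY value by stripping the suffix."""
    url = url.rstrip("/")
    if not url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not a discovery URL: " + url)
    return url[: -len(DISCOVERY_SUFFIX)]

def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; '#' lines are comments, so commented-out keys stay unset."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_sso_config(env: dict, discovery_json: str) -> list:
    """Return findings for the SSO_* settings; an empty list means all checks pass."""
    findings = []
    authority = env.get("SSO_AUTHORITY", "")
    parsed = urlparse(authority)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append("SSO_AUTHORITY must be an absolute https URL")
    if authority.endswith("/"):
        findings.append("SSO_AUTHORITY must not end with a trailing /")
    if authority.rstrip("/").endswith(DISCOVERY_SUFFIX):
        findings.append("SSO_AUTHORITY must not include " + DISCOVERY_SUFFIX)
    try:
        doc = json.loads(discovery_json)
    except ValueError:
        return findings + ["discovery endpoint did not return JSON"]
    findings += ["discovery document lacks " + f for f in REQUIRED_FIELDS if f not in doc]
    # OIDC Discovery requires the issuer to equal the prefix the document was fetched
    # from, so a mismatch here means SSO_AUTHORITY points at the wrong base path.
    if doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        findings.append("issuer %r does not match SSO_AUTHORITY" % doc.get("issuer"))
    if (env.get("SSO_SIGNUPS_MATCH_EMAIL", "true") == "true"
            and env.get("SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION") == "true"):
        findings.append("SSO_SIGNUPS_MATCH_EMAIL with unverified emails allows account takeover")
    if env.get("SSO_DEBUG_TOKENS") == "true":
        findings.append("SSO_DEBUG_TOKENS logs every token; keep it off outside debugging")
    return findings

# Constructed sample: authority set to the host root although the discovery URL
# quoted in this thread lives under /openid on a Cloudron host.
SAMPLE_ENV = """
SSO_ENABLED=true
SSO_AUTHORITY=https://my.cloudron.example
SSO_SIGNUPS_MATCH_EMAIL=true
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true
SSO_PKCE=true
"""
SAMPLE_DISCOVERY = json.dumps({  # endpoint paths below are placeholders, not Cloudron's
    "issuer": "https://my.cloudron.example/openid",
    "authorization_endpoint": "https://my.cloudron.example/openid/auth",
    "token_endpoint": "https://my.cloudron.example/openid/token",
    "jwks_uri": "https://my.cloudron.example/openid/jwks",
})

if __name__ == "__main__":
    for finding in check_sso_config(parse_env(SAMPLE_ENV), SAMPLE_DISCOVERY):
        print("-", finding)
```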
                                  • C Offline
                                  charlesnw
                                  wrote last edited by
                                  #16

                                  @james Oh is this something that actually needs to be changed in the app json to make OIDC integration work at all?

                                  jamesJ 1 Reply Last reply
                                  1
                                    • jamesJ Offline
                                    james
                                    Staff
                                    wrote last edited by
                                    #17

                                    Hello @charlesnw
                                    Yes.

                                    1 Reply Last reply
                                    0
                                      • J Offline
                                      joseph
                                      Staff
                                      wrote last edited by
                                      #18

                                      @charlesnw there is a task for @vladimir.d to fix the package itself to support SSO. He is still on vacation and should add this when he is back.

                                      1 Reply Last reply
                                      0