Cloudron documentation outdated? Bitwarden now supports SSO
-
@andreasdueren said in Cloudron documentation outdated? Bitwarden now supports SSO:
SSO_AUTHORITY=
I encountered an issue when attempting to activate SSO using Cloudron OpenID.
I don't know why SSO_AUTHORITY, I just input my Cloudron URL (my.cloudron.example), but the SSO failed.
Do you face the same problem?
@IniBudi I haven't looked at this at all, but as I understand it on Cloudron it's generally not possible to migrate an existing app from "let up manage users" to "LDAP or OIDC". It has to be chosen at install.
Presumably a fresh new install would work?
-
Hello @inibudi
Currently, the Cloudron @vaultwarden app does not yet support OIDC/SSO. As stated above:
@girish said in Cloudron documentation outdated? Bitwarden now supports SSO:
thanks, I have created a task internally for @vladimir.d.
-
I am attempting to get a brand new installation of VaultWarden working with Cloudron OIDC SSO.
I have already very carefully read over:
https://docs.cloudron.io/user-directory/#openid-connect
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect
to produce the below (redacted) config.json.
https://my.knownelement.com/openid/.well-known/openid-configuration/
https://my.cloudron.example/.well-known/openid-configuration
https://my.cloudron.example/openid/.well-known/openid-configuration
SSO_AUTHORITY : the OpenID Connect Discovery endpoint of your SSO
Should not include the /.well-known/openid-configuration part and no trailing /
$SSO_AUTHORITY/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
```json
{
  "domain": "https://passwords.knownelement.com",
  "sends_allowed": true,
  "incomplete_2fa_time_limit": 3,
  "disable_icon_download": false,
  "signups_allowed": false,
  "signups_verify": false,
  "signups_verify_resend_time": 3600,
  "signups_verify_resend_limit": 6,
  "invitations_allowed": false,
  "emergency_access_allowed": true,
  "email_change_allowed": false,
  "password_iterations": 600000,
  "password_hints_allowed": false,
  "show_password_hint": false,
  "admin_token": "heavily-redacted :) ",
  "invitation_org_name": "KNEL Password Vault",
  "ip_header": "X-Forwarded-For",
  "icon_redirect_code": 302,
  "icon_cache_ttl": 2592000,
  "icon_cache_negttl": 259200,
  "icon_download_timeout": 10,
  "http_request_block_non_global_ips": true,
  "disable_2fa_remember": false,
  "authenticator_disable_time_drift": false,
  "require_device_email": false,
  "reload_templates": false,
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "admin_session_lifetime": 20,
  "increase_note_size_limit": false,
  "dns_prefer_ipv6": false,
  "sso_enabled": true,
  "sso_only": true,
  "sso_signups_match_email": true,
  "sso_allow_unknown_email_verification": false,
  "sso_client_id": "redacted",
  "sso_client_secret": "redacted",
  "sso_authority": "https://my.knownelement.com",
  "sso_scopes": "openid email profile",
  "sso_pkce": true,
  "sso_callback_path": "https://passwords.knownelement.com/identity/connect/oidc-signin",
  "sso_auth_only_not_session": true,
  "sso_client_cache_expiration": 0,
  "sso_debug_tokens": false,
  "_enable_yubico": true,
  "_enable_duo": true,
  "_enable_smtp": true,
  "use_sendmail": false,
  "smtp_host": "mail",
  "smtp_security": "off",
  "smtp_port": 2525,
  "smtp_from": "passwords.app@knownelement.com",
  "smtp_from_name": "Vaultwarden",
  "smtp_username": "passwords.app@knownelement.com",
  "smtp_password": "redacted",
  "smtp_auth_mechanism": "Plain",
  "smtp_timeout": 15,
  "smtp_embed_images": true,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": true,
  "_enable_email_2fa": false,
  "email_token_size": 6,
  "email_expiration_time": 600,
  "email_attempts_limit": 3,
  "email_2fa_enforce_on_verified_invite": false,
  "email_2fa_auto_fallback": false
}
```
I suppose I can increase logging to see if that helps.
Vaultwarden keeps asking for a master password, even though I've disabled that and set sso only.
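An added example, not part of the original post or of Vaultwarden's code: a small offline checker for the SSO_AUTHORITY rules quoted above, plus the exact issuer match that OpenID Connect Discovery 1.0 requires. The function names are hypothetical, the discovery document is constructed, and the `/openid` issuer path is an assumption taken from the candidate URLs listed in the post.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample of a discovery response (assumed issuer path /openid).
SAMPLE_DOC = json.dumps({
    "issuer": "https://my.cloudron.example/openid",
    "authorization_endpoint": "https://my.cloudron.example/openid/auth",
    "token_endpoint": "https://my.cloudron.example/openid/token",
    "jwks_uri": "https://my.cloudron.example/openid/jwks",
})

def check_authority(authority):
    """Return problems with an SSO_AUTHORITY value (empty list means OK)."""
    problems = []
    parts = urlsplit(authority)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("must be an absolute https URL")
    if authority.endswith("/"):
        problems.append("must not end with a trailing /")
    if WELL_KNOWN in authority:
        problems.append("must not include " + WELL_KNOWN)
    return problems

def discovery_url(authority):
    """URL a relying party requests for a given authority."""
    return authority + WELL_KNOWN

def check_discovery(authority, document):
    """Validate a discovery response body against the configured authority."""
    try:
        meta = json.loads(document)
    except ValueError:
        return ["response is not JSON (wrong path or an HTML page)"]
    if not isinstance(meta, dict):
        return ["response is not a JSON object"]
    problems = []
    # Discovery 1.0 section 4.3: issuer must equal the authority exactly.
    if meta.get("issuer") != authority:
        problems.append(f"issuer {meta.get('issuer')!r} != authority {authority!r}")
    # Endpoints needed for the authorization code flow.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in meta:
            problems.append("missing " + key)
    return problems

if __name__ == "__main__":
    for candidate in ("https://my.cloudron.example",
                      "https://my.cloudron.example/openid"):
        print(candidate, check_authority(candidate),
              check_discovery(candidate, SAMPLE_DOC))
```

In practice the body passed to `check_discovery` is whatever the server returns at `discovery_url(authority)`; a host-only authority fails the issuer comparison when the provider publishes its issuer under a sub-path.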
-
@james Oh is this something that actually needs to be changed in the app json to make OIDC integration work at all?
-
@charlesnw there is a task for @vladimir.d to fix the package itself to support SSO. He is still on vacation and should add this when he is back.
-
@joseph I just tested, and now I can use the SSO login. Thank you @james and @vladimir.d
-
Hi @joseph, I just followed the Vaultwarden instructions to set up Cloudron OIDC.
Here is the reference:
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect
- Set up SSO on Vaultwarden Admin Dashboard
- Create OpenID Clients
- Add your login callback URL
https://vaultwarden.example.tld/identity/connect/oidc-signin
- Make sure your email is the same as your user email on Cloudron.
- Log in: you can log in using SSO.
-