SSO Support based off existing PRs #3154
Is mailing enabled within your developing environment? If not, the necessary accept ( To test it you have to enable proper mailing
Hi @bmunro-peralex, thanks a lot!! I can confirm it's working on Docker and Keycloak splendidly 👍 Do you think it will be possible to skip the "SSO Identifier" page? Or is there a direct link to access SSO without inputting the organization first? Thanks
Hey Funny timing was working on it too, with the same idea of setting the SSO as a global conf. But I was more aggressive in deleting organization change (for example kept only the For the sso I'm using
Maybe it will help, the keycloak endpoint (SSO_AUTHORITY variable) is the "issuer" field in the well-known configuration Also, I agree that it would be great to import orgs membership based on a SSO token claim (easily mapped to an LDAP attribute), it should go hand-in-hand with the skip of "SSO Identifier" page Thanks again for the work 👍
I thought I had tested it :D. thx @Skiepp.
On phone so this will be brief, also forgot I'm on my personal github account not my work one so excuse the name change My main goal here was to remove the need for any patches to the web-vault front-end like previous PRs and just work with both web + client The sso identifier page that saves the identifier is used by a lot of calls during the sso process so I'm pretty sure it can be hidden by a web client patch but will break a lot of the call process This approach will mean the first org policies are the master for the sso as you can put anything into the identifier and the first org will be used. I have no idea what's up with the org invite process though. Accept is never called from the front-end after the login process using the sso so I guess since the sso is linked to an org so the invite just gets accepted by the server since it should be already linked.
Hi I'm trying to test this using Azure as the IdP and I can't get it to work. I get
I have followed the bitwarden oidc docs for the azure config and the relevant vaultwarden config looks like this:
I have tried the sso_authority with and without a trailing slash. Anyone see what I'm doing wrong? Thanks
bitwarden documentation looks wrong, just tested with Azure and it looks to be working. the openid client uses the So In Azure click endpoints on the overview page you should see a list of end points, find the metadata document will look something like this
Use in your compose file
This is working, and I don't have time to look at this anymore. The organization invite can probably be handled the same as registration, or for now accepting org invites just login with a master password to accept.
@BlackDex any chance that this great work from @bmunro-peralex can be merged into the main branch?
That would be awesome 👌
Had a look at trying to obtain a cleaner flow when registering with One option might be to just build a separate release of the front-end and modify the default redirection.
I wonder if it makes sense to move this to its own end point to not clutter the other code, so bitwarden.example.com/sso instead of reusing identity/connect/
Hey Just tested the different flow and wanted to ensure I did not miss anything. Initial setup :
If those steps are not done the sso flow will crash on the User account creation: If user follow a link to
User account login:
On page refresh: On logout Interrogations Error on the set password screen, did I mess something up in my setup ? Comments Won't comment too much in case I messed something up but in general from a friends/family setup point of view I find the flows to be quite long/complicated.
User account creation: Point 5 the 401 error is the web client going to bitwarden.example.com/organizations/<org_id>/policies/invited-user?<_userId> with no auth header, I don't know why or if it's by design but vaultwarden blocks this request in the auth routine. the return to login screen I'm not sure, possibly the set-password call is not returning everything, or its due to the sstamp reset. The requiresso section I never tested and is from the existing PR's above. SSO, in general, the flows will be long and over-complicated, there is the key connector to skip passwords but that is a whole other process that requires SSO working before it's looked at which will reduce the complexity. as I said I'm changing nothing bitwarden was doing already and this is pretty much their process where the password is always required even if SSO login, unless a separate key-connector is configured to automate that part to a degree.
On the point 5 I insisted to ensure I was not wrong because if there is no solution to this error I think it would be better to just fail earlier by for example not even implementing things like This would allow to drop the requirement to have existing organization (could end up something like this). For the return to the login screen after the set-password it's tricky I had a quick look and could not find a backend solution. I could find some front-end modifications which were still compatible with a non sso instance but :(. For the
OK fixed both issues above, the policy stuff will probably rip out for now since it won't work with the current setup and probably will need to be done by global config or something.
Hey nice :). Sorry will insist one last time ^^, it's possible to make the SSO logic work with no modification to the web-vault code while not requiring to create any org. I think it's better since it removes some setup, is more inline with the configuration being global and I don't believe the target is to ever integrate it at the org level as is done by the official server. For the front even if with the latest change the flow is quite nice I still made a custom web-vault which redirects to the sso page by default and removes the identifier field from it, if someone wants to play with it : https://github.com/Timshel/oidc_web_builds/releases/tag/2023-01-28
@LePresidente hey sorry if you are just busy but in case you missed it, I opened two PRs against your branch :
Thank you for your contribution. I'm looking for writing the code that handles the SSO settings for an organisation in the webvault itself. Should the SSO be organisation-tied?
There already is a UI available, built-in into the web-vault.
yes, but whenever I click on it, I am redirected to my personal vault. Where is it handled?
Looks like it calls a
I see no API call from my web browser, is that normal?
The per org config doesn't work, it's also being moved to the business portal so it should be hidden. This config above makes your whole instance support SSO using environment variables instead.
Yeah, but I think we should mimic the way bitwarden does it. If it is organisation-wide we should keep it as it is. Do you confirm that on the bitwarden-side it is removed from the org and became a paid feature?
There is no Business Console anymore. But there is a Bitwarden Licensed web-vault part, that isn't part of the OSS build. Though, it looks like in
Okay so for VW we don't need to put any web interface to configure SSO settings? Should I put them in the .env file and patch VW to handle them?
so 18 hours this was done, I'll have a look at going per org again if they are opening it up, but when I worked on the above the org settings panel did nothing.
So I got the same result: it makes my whole system unresponsive to anything and I need to power cycle it.
You are likely running out of RAM.
How much does it need to build it ? More than 6 GB?
Please focus this channel for the SSO topic. If you have RAM problems or problems building a custom image it is not the responsibility of this channel.
I am trying to test the sso but can't get it to work
@Timon321 , can we have dockerfile for deployment.
I found an error while testing if using Authelia instead of Keycloak as it removes the trailing slash at the end of
@archef2000 If I understand correctly it means that setting
Yes that works it is just too strict with the trailing slash
Also I needed to set the redirect url in Authelia to
Spent some time on the issue of the organization invitation not working when using sso login. From my understanding the org invite and url are kept in memory and lost during the external redirection of the sso flow (No idea how/if it works with the official server or how it could be fixed with only a back-end change). Managed to make a front-end patch to fix it. Front-end builds with it are available at timshel/oidc_web_builds. Added :
Pushed to timshel/sso-support some improvement when using
Added @tribut would be nice to integrate the latest change to the PR :); and since I'm not aware of any issue it might be ready for some feedback/review.
@Timshel (and whoever may be interested) I was thinking about how to best manage frontend patching to enable SSO.
In this way we don't have to maintain the frontend on a different repository but we will still have the official build with the official webvault. What do you think?
Will depend on what the maintainers want :) (@BlackDex ?). From what I remember/extrapolated from previous discussion :
Hi there, I've built the image using the branch called sso-support and added the env variables to enable SSO support, but I can't see the SSO button at the login page. I can see the new version has been installed (Web vault) Version 2023.7.1. Is there anything else that needs to be in order to get SSO support? Thanks!
@davidroler you are running an unpatched front-end so on the screen asking for the
If you want a version with a modified
As far as I've understood, in the official Bitwarden release there's a licensed web-vault, that isn't part of the OSS build. Which means, if I'm not wrong, that they also manage this feature with two different distributions. My point is that, from a user perspective, it makes little sense to merge this pull request into the main repository if you still need to dig into the code to enable SSO. It's obviously only my point of view and I just want to make it easier to enjoy your hard work :)
@gianlucapisati I'm not sure which "code" you are referencing ? With just the minimum patch to revert hiding the sso button (which is compatible with the non-sso version) there is the issue of the organization invitation link not working but that's why there is the
I got it to work using your repo, thanks! Is it possible to use Google Workspace as SSO provider instead of Azure? I don't see the option to use a certificate instead of a client secret.
With "digging into the code" I mean that if we merge the pull request as is (which means that the functionality is completed, working and tested) you still need to apply the patch to use it. I think that many people will do the same "mistake" as davidroler and many users will open an issue here.
@gianlucapisati ? of course if it's merged a corresponding change will be done to bw_web_builds too as mentioned at minima revert hiding the SSO button. No PR is open since this one has yet to be reviewed so no need to split discussion. @davidroler the underlying library used to handle the flow supports multiple authentication methods of which :
But I don't expect I'll work on it, if you want to have a look you'll need to replace the secret here.
What about just having an environment variable such as
aaaah my bad sorry! I didn't get the web vault was in a separate repo 🤦 Sorry!
Hello all. I'm very busy with a lot of other stuff in my spare time, mostly Vaultwarden stuff but all other items. So, I do not have that much time to check all the PR's. And since this PR seems to still need some love what I see is being said by the people who work on it and test this, which is great, I'm putting my efforts on other items. If there are any main guidelines needed, like, should we do this or that, please ask that in a straight question, like with bullet-points or something, so that the main contributors can look at them and give their opinion. I also see a lot of people having issues with the web-vault not showing the button. This can be easily solved with just one single line of command, or, if you build a container from this PR and run that afterwards, you can have that done automatically during startup. Here is an example. Create a file called

```sh
#!/usr/bin/env sh
# Remove CSS to hide SSO Link: strip the `a[routerlink="/sso"],` selector from the
# web-vault stylesheet so the SSO button is no longer hidden
sed -i 's#a\[routerlink="/sso"\],##' /web-vault/app/main.*.css
```

Add the following volume mount to your docker/docker-compose config: This file will then be called before vaultwarden starts, which modifies the CSS file to remove the CSS that hides the button.
@BlackDex outside of merging timshel/sso-support (@tribut ? :), I'm unsure of what is needed ? (Of course I can understand you won't look at it while it's not in this PR just wanted to be sure I'm not missing anything else ^^) For issues in need of answer, I can think of :
Edit: additionally I played with Playwright and wrote a simple scenario to test SSO onboarding then login using a Keycloak instance run with
For a good review I need to have the full picture and be able to test this. If I'm correct there is some documentation on how to do this so that will help when I come to it.
That frontend patch looks complicated to maintain. If they just adjust something to this logic, it's going to be a pain to test.
I would have to see the logic, but there might be a different option, but for that, I would have to really dive into this PR and setup a test environment to test this whole flow including the mentioned issues.
The front-end should stay compatible with people who do not use SSO. So, any adjustments to the front-end which will break that are a no-go. But as mentioned above I would like to only have small adjustments done on the web-vault.
There is some written by @tribut, alternatively I can point you to the docker-compose I'm using.
Closing due to being superseded by #3899
Based off previous work by @pinpox and @m4w0lf
#2787
#2449
All config is now done in the environment variables, removed all unneeded calls.
Bitwarden removed the identify payload from the client so the first organization is always used when using a domain_hint
Currently Working:
Not Working:
The above has a workaround that can be enabled to accept all invites on login
How to test:
Add the following environment variables and have at least one organization created in your instance
```yaml
SSO_ENABLED: "true"
SSO_CLIENT_ID: "111111111111111111111111111111111"
SSO_CLIENT_SECRET: "222222222222222222222222222222222222222222222"
SSO_AUTHORITY: "https://auth.example.com"
# Optional
SSO_ACCEPTALL_INVITES: "true"
```
The callback url currently is always:
https://example.com/identity/connect/oidc-signin
Replace example.com with your vaultwarden domain.
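Added example (not code from this PR or from Vaultwarden): a small pre-flight check for the SSO_* variables above, modelled on two points from the thread: SSO_AUTHORITY has to equal the "issuer" of the provider's well-known configuration, and an exact comparison rejects a value that differs only by a trailing slash (the Authelia report). The discovery document is constructed inline and its endpoints are made up; `check_config` and the `strict` flag are assumptions for illustration.

```python
"""Pre-flight check for Vaultwarden-style SSO_* environment variables (added example)."""
import json
from urllib.parse import urlsplit

# Constructed discovery document, shaped like <authority>/.well-known/openid-configuration
# (issuer/endpoints are made-up sample values, not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/oidc/authorize",
    "token_endpoint": "https://auth.example.com/oidc/token",
})


def discovery_url(authority: str) -> str:
    """Where an OpenID client fetches provider metadata for a given SSO_AUTHORITY."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uri(domain: str) -> str:
    """The callback the PR description says is always used (https assumed)."""
    return f"https://{domain}/identity/connect/oidc-signin"


def issuer_matches(authority: str, discovery_json: str, strict: bool = True) -> bool:
    """Compare SSO_AUTHORITY with the discovery 'issuer'.

    strict=True is the exact comparison the thread reports as failing when only a
    trailing slash differs; strict=False tolerates exactly that one difference.
    """
    issuer = json.loads(discovery_json)["issuer"]
    if strict:
        return authority == issuer
    return authority.rstrip("/") == issuer.rstrip("/")


def check_config(env: dict, discovery_json: str) -> list:
    """Return human-readable problems found in an SSO_* mapping (empty list = ok)."""
    problems = []
    if env.get("SSO_ENABLED", "false").lower() != "true":
        problems.append("SSO_ENABLED is not true")
    for key in ("SSO_CLIENT_ID", "SSO_CLIENT_SECRET", "SSO_AUTHORITY"):
        if not env.get(key):
            problems.append(f"{key} is missing")
    authority = env.get("SSO_AUTHORITY", "")
    if authority and urlsplit(authority).scheme != "https":
        problems.append("SSO_AUTHORITY should use https")
    if authority and not issuer_matches(authority, discovery_json):
        slash_only = issuer_matches(authority, discovery_json, strict=False)
        hint = " (only a trailing slash differs)" if slash_only else ""
        problems.append(f"SSO_AUTHORITY does not equal discovery issuer{hint}")
    return problems
```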