Comment by DoctorOW

3 hours ago

Most of the comments seem to confirm (all but one at time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of self-hosting FOSS tools. I should clarify I don't consider myself working in tech, fwiw.

SSO is really important in the "few tools, many users" case, but just as important in the "many tools, few users" case. I'm self-hosting dozens of tools, and without SSO I'd have to set up username, password, TOTP and WebAuthn for each and every one of them; my 2FA app would be 90% my own services.

With SSO though, it's much simpler. I can just run an OIDC server and log into all my self-hosted services once, and I can use all of them. Vaultwarden is an exception to the rule though, as you can't really bootstrap that in the individual case.

Another use case I'm currently exploring is sharing Netflix/Prime/Disney+ passwords with roommates, partners and friends. They just sign in with their Google/Apple/whatever account and get access to the shared streaming provider passwords.

  • What's your (OSS?) OIDC server of choice?

    Authelia? Authentik? Keycloak? (These are the three I see a lot about.) Something else?

I support an installation for a couple hundred users. It's been working fine for several years now, including browser plugins and mobile clients. If the project goes under, it's easy to export everything and import into the official Bitwarden.

(Whose server I really don't enjoy, it's very enterprise-y and heavy on resources for no real reason I could find.)

Started working on (based on previous work already done) and then maintaining the PR for my personal self-hosted stack.

Had then some fun adding roles/groups support (not yet merged).

As someone who manages the Vaultwarden instance for a nonprofit with many volunteers but no full-time employees, I see this as a wonderful thing. Yes, Bitwarden has a nonprofit discount, but no, playing whack-a-mole with which of the 20+ volunteers are active at any moment to avoid getting a huge bill isn't worth it vs. self-hosting.

I'm hosting it for our team at a public institute; we are strongly supportive of OSS and have an interest in keeping our data on premise.

Team of <10 though, so hosting is trivial with NixOS. We also have almost no money available for purchasing software, so official self-hosted Bitwarden was not an option unfortunately (if we had money, that would've been the way to go).

I'm a user, not an expert on all this but: SSO is indeed meant for a corporate environment, not for personal use. And from what I saw, companies would rather pay for a simple SSO provider than use any self-hosted solution. That means you either use Google or Microsoft, nothing else.

LastPass is out of the question due to the security issues in the past. I always advocate for Bitwarden, but I'm not sure they can handle any kind of SSO yet. And Vaultwarden, being a fork of a not-so-famous-yet password vault (at least in the managers' world), is not a contender anywhere.

  • My company just implemented the SaaS Bitwarden with Google SAML on their Enterprise Plan. Very easy to set up, not too expensive ($6/user/month). Their compliance page made it much easier to sell to my manager who had to give the final approval: https://bitwarden.com/compliance/. It is only used by my department so far and we're still doing manual invites rather than integrating with the SCIM features so I can't speak to that. My biggest annoyance is that, as an admin, unlocking the vault still prompts for the master password rather than letting me select SSO without logging all the way out.

  • > That means you either use Google or Microsoft, nothing else.

    My fairly large (>20k) company uses Okta. That's just to say, be wary of issuing ultimatums.

    • I recall a happy/fun environment using Microsoft Entra (Azure AD) SSO, in order to sign into Okta SSO, in order to access Azure environment(s), among other apps. SSO Inception.

  • The whole "SSO is meant for enterprise" thing is sales bullshit. Big enterprises can't live without SSO, so everyone started charging extra for that to milk more money out of them, but this doesn't mean it's not hugely beneficial or "meant for" smaller orgs or even individuals.

    Anyone can spin up an Authentik/Authelia/Keycloak/whatever instance or even use Microsoft/Google if they already pay for it in a matter of minutes. The only reason people don't is because tons of apps make it annoyingly difficult to integrate SSO or don't offer it at all in the lower price tiers.

    If app installers started with "create a root user or paste the OIDC secret here", everyone and their dog would be running SSO. But that's not as profitable.

Vaultwarden is a lot easier to self-host than Bitwarden.

But like all community-made open source stuff, if you want to use it for "production" stuff you should invest in audits and contribute/fund development.