mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-15 18:12:14 -05:00
[GH-ISSUE #7205] SSO login flow requires redundant email input before IdP redirect #30133
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @David-Bratkov on GitHub (May 12, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7205
Summary
The current SSO login flow requires users to enter their email address in the Vaultwarden web vault before being redirected to the external identity provider (e.g., Keycloak). This is confusing and creates unnecessary friction.
Current Flow
vault.example.comProblem
Step 2 is redundant and confusing:
SSO_ONLY=true) have no reason to collect an email first — the IdP owns the identityExpected Behavior
When
SSO_ONLY=trueis set, clicking the login/SSO button should redirect directly to the configured IdP without requiring the user to enter any information first. The IdP is the source of truth for identity — there is no value in collecting the email beforehand.Environment
SSO_ONLY=true, PKCE enabled@stefan0xC commented on GitHub (May 12, 2026):
As explained before this is how upstream works: https://github.com/dani-garcia/vaultwarden/discussions/6793#discussioncomment-15707005 - So the entered email address is used to lookup the saved 2FA remember token. If you don't care about that (e.g. because you don't have 2FA enabled), you can skip this by bookmarking the URL with something like
/#/sso?identifier=00000000-01DC-01DC-01DC-000000000000as recommended by Bitwarden as well.Note that there already is a PR https://github.com/vaultwarden/vw_web_builds/pull/24 to change the behavior in the client which I am not against.