[GH-ISSUE #7205] SSO login flow requires redundant email input before IdP redirect #30133

Closed
opened 2026-06-17 09:52:42 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @David-Bratkov on GitHub (May 12, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7205

Summary

The current SSO login flow requires users to enter their email address in the Vaultwarden web vault before being redirected to the external identity provider (e.g., Keycloak). This is confusing and creates unnecessary friction.

Current Flow

  1. User visits vault.example.com
  2. User must enter their email address in the Vaultwarden login form
  3. Vaultwarden redirects user to Keycloak
  4. User enters their username and password in Keycloak
  5. Keycloak redirects back to Vaultwarden

Problem

Step 2 is redundant and confusing:

  • The email entered in Vaultwarden is not used to authenticate — Keycloak handles that entirely
  • Users don't understand why they need to enter an email before being sent to their SSO provider
  • Organizations using SSO-only mode (SSO_ONLY=true) have no reason to collect an email first — the IdP owns the identity
  • Most SSO implementations (Google Workspace, Okta, Azure AD) go directly to the IdP with a single button click, with no pre-input step

Expected Behavior

When SSO_ONLY=true is set, clicking the login/SSO button should redirect directly to the configured IdP without requiring the user to enter any information first. The IdP is the source of truth for identity — there is no value in collecting the email beforehand.

Environment

  • Vaultwarden: 1.36.0
  • IdP: Keycloak 26.x (OIDC)
  • SSO_ONLY=true, PKCE enabled
Originally created by @David-Bratkov on GitHub (May 12, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7205 ## Summary The current SSO login flow requires users to enter their email address in the Vaultwarden web vault **before** being redirected to the external identity provider (e.g., Keycloak). This is confusing and creates unnecessary friction. ## Current Flow 1. User visits `vault.example.com` 2. User must enter their **email address** in the Vaultwarden login form 3. Vaultwarden redirects user to Keycloak 4. User enters their **username and password** in Keycloak 5. Keycloak redirects back to Vaultwarden ## Problem Step 2 is redundant and confusing: - The email entered in Vaultwarden is not used to authenticate — Keycloak handles that entirely - Users don't understand why they need to enter an email before being sent to their SSO provider - Organizations using SSO-only mode (`SSO_ONLY=true`) have no reason to collect an email first — the IdP owns the identity - Most SSO implementations (Google Workspace, Okta, Azure AD) go directly to the IdP with a single button click, with no pre-input step ## Expected Behavior When `SSO_ONLY=true` is set, clicking the login/SSO button should redirect **directly** to the configured IdP without requiring the user to enter any information first. The IdP is the source of truth for identity — there is no value in collecting the email beforehand. ## Environment - Vaultwarden: 1.36.0 - IdP: Keycloak 26.x (OIDC) - `SSO_ONLY=true`, PKCE enabled
Author
Owner

@stefan0xC commented on GitHub (May 12, 2026):

As explained before this is how upstream works: https://github.com/dani-garcia/vaultwarden/discussions/6793#discussioncomment-15707005 - So the entered email address is used to lookup the saved 2FA remember token. If you don't care about that (e.g. because you don't have 2FA enabled), you can skip this by bookmarking the URL with something like /#/sso?identifier=00000000-01DC-01DC-01DC-000000000000 as recommended by Bitwarden as well.

Note that there already is a PR https://github.com/vaultwarden/vw_web_builds/pull/24 to change the behavior in the client which I am not against.

<!-- gh-comment-id:4427616623 --> @stefan0xC commented on GitHub (May 12, 2026): As explained before this is how upstream works: https://github.com/dani-garcia/vaultwarden/discussions/6793#discussioncomment-15707005 - So the entered email address is used to lookup the saved 2FA remember token. If you don't care about that (e.g. because you don't have 2FA enabled), you can skip this by bookmarking the URL with something like `/#/sso?identifier=00000000-01DC-01DC-01DC-000000000000` [as recommended by Bitwarden](https://bitwarden.com/help/using-sso/) as well. Note that there already is a PR https://github.com/vaultwarden/vw_web_builds/pull/24 to change the behavior in the client which I am not against.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#30133