[GH-ISSUE #7072] SSO_ONLY users don't receive organisation invites #35557

Open
opened 2026-07-13 20:22:53 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @ovrebane on GitHub (Apr 9, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7072

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.4
  • Web-vault version: v2026.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 17.9 (Debian 17.9-0+deb13u1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Tallinn
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, SSO_ENABLED, SSO_ONLY, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT

Config:

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": "api-da365e79.duosecurity.com",
  "duo_ikey": "DIXLHY4UFD6Y2BHEKZPK",
  "duo_skey": "***",
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": false,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Spin TEK",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/log/vaultwarden.log",
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***********,************",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": false,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "*******",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*******************",
  "smtp_from_name": "***********",
  "smtp_host": "***************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*************",
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://**********************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "********************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "openid profile email",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.35.4

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v3.6.12

Host/Server Operating System

Linux

Operating System Version

Debian 13

Clients

Web Vault

Client Version

Firefox 149.0

Steps To Reproduce

  1. Previously not registered user logs in via SSO
  2. An account is created for them automatically, this account stays in "invited" status
    User receives no email nor notification in UI to accept this invite. Manually (re)inviting via email has same result. User cannot join organisation without manual database changes.

Expected Result

  1. Previously not registered user logs in via SSO
  2. An account is created for them automatically
  3. Admin invites user to org
  4. User accepts invite
  5. Admin confirms, user successfuly joins org

Actual Result

  1. Previously not registered user logs in via SSO
  2. An account is created for them automatically, this account stays in "invited" status
  3. User receives no email nor notification in UI to accept this invite. Manually (re)inviting via email has same result.
  4. User cannot join org

Workaround is to set their invites as accepted by user manually in database:
UPDATE users_organizations SET status = 1 WHERE status = 0 AND org_uuid = 'a29455c3-ce80-470f-a2e9-c36f7b68b0f4';

After this in admin console member view "Needs confirmation" appears. Upon confirmation everything seems to work like it's supposed to. User can access their collections etc. I tried setting status = 2 directly, but that caused a broken user state, as some automatic processes regarding encryption are skipped I presume.

Logs


Screenshots or Videos

No response

Additional Context

No response

Originally created by @ovrebane on GitHub (Apr 9, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7072 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.4 * Web-vault version: v2026.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 17.9 (Debian 17.9-0+deb13u1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: Europe/Tallinn * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, SSO_ENABLED, SSO_ONLY, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT **Config:** ```json { "_duo_akey": "***", "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://************", "domain_origin": "*****://************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": "api-da365e79.duosecurity.com", "duo_ikey": "DIXLHY4UFD6Y2BHEKZPK", "duo_skey": "***", "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": false, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Spin TEK", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/log/vaultwarden.log", "log_level": "warn", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "***********,************", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": false, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "*******", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*******************", "smtp_from_name": "***********", "smtp_host": "***************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "*************", "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://**********************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************", "sso_client_cache_expiration": 0, "sso_client_id": "********************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "openid profile email", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.35.4 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik v3.6.12 ### Host/Server Operating System Linux ### Operating System Version Debian 13 ### Clients Web Vault ### Client Version Firefox 149.0 ### Steps To Reproduce 1. Previously not registered user logs in via SSO 2. An account is created for them automatically, this account stays in "invited" status User receives no email nor notification in UI to accept this invite. Manually (re)inviting via email has same result. User cannot join organisation without manual database changes. ### Expected Result 1. Previously not registered user logs in via SSO 2. An account is created for them automatically 3. Admin invites user to org 4. User accepts invite 5. Admin confirms, user successfuly joins org ### Actual Result 1. Previously not registered user logs in via SSO 2. An account is created for them automatically, this account stays in "invited" status 3. User receives no email nor notification in UI to accept this invite. Manually (re)inviting via email has same result. 4. User cannot join org Workaround is to set their invites as accepted by user manually in database: `UPDATE users_organizations SET status = 1 WHERE status = 0 AND org_uuid = 'a29455c3-ce80-470f-a2e9-c36f7b68b0f4';` After this in admin console member view "Needs confirmation" appears. Upon confirmation everything seems to work like it's supposed to. User can access their collections etc. I tried setting status = 2 directly, but that caused a broken user state, as some automatic processes regarding encryption are skipped I presume. ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
GiteaMirror added the bug label 2026-07-13 20:22:53 -05:00
Author
Owner

@stefan0xC commented on GitHub (Apr 9, 2026):

According to the support string you don't allow invitations. How has the user been invited to the organization?

<!-- gh-comment-id:4214317139 --> @stefan0xC commented on GitHub (Apr 9, 2026): According to the support string you don't allow invitations. How has the user been invited to the organization?
Author
Owner

@ovrebane commented on GitHub (Apr 9, 2026):

That setting only affects users as far as I'm aware. Organisation owners are able to invite just fine from admin console, that's what I used.

Image
<!-- gh-comment-id:4214350760 --> @ovrebane commented on GitHub (Apr 9, 2026): That setting only affects users as far as I'm aware. Organisation owners are able to invite just fine from admin console, that's what I used. <img width="2559" height="1232" alt="Image" src="https://github.com/user-attachments/assets/9918aa96-f86f-4c82-8e53-ed0d8511ac48" />
Author
Owner

@stefan0xC commented on GitHub (Apr 9, 2026):

Normal users don't have access to the Admin Console in the first place so they can't invite other users to an organization.

If I try to invite a user that does not exist with invitations_allowed: false I get an error message:
Image

I can try later to invite a user that has already registered via SSO. Maybe the cleanup function triggers when it should not:
a6b43651ca/src/api/core/organizations.rs (L1131-L1136)

Did you invite multiple addresses to your organization?

<!-- gh-comment-id:4214952196 --> @stefan0xC commented on GitHub (Apr 9, 2026): Normal users don't have access to the Admin Console in the first place so they can't invite other users to an organization. If I try to invite a user that does not exist with `invitations_allowed: false` I get an error message: <img width="325" height="78" alt="Image" src="https://github.com/user-attachments/assets/bbd9bb72-1516-4eb1-bd0e-c5576f575916" /> I can try later to invite a user that has already registered via SSO. Maybe the cleanup function triggers when it should not: https://github.com/dani-garcia/vaultwarden/blob/a6b43651ca2896fad9ecf8583f0a20d8101f2443/src/api/core/organizations.rs#L1131-L1136 Did you invite multiple addresses to your organization?
Author
Owner

@ovrebane commented on GitHub (Apr 13, 2026):

Apologies for the late reply. Yes I invited all the people on that screenshot, they are from the same whitelisted domain name. But I see you have already found the source of the problem, thank you!

<!-- gh-comment-id:4234349858 --> @ovrebane commented on GitHub (Apr 13, 2026): Apologies for the late reply. Yes I invited all the people on that screenshot, they are from the same whitelisted domain name. But I see you have already found the source of the problem, thank you!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35557