[PR #6949] [CLOSED] feat: SSO improvements — auto-redirect, Key Connector, logout redirect, auto-enrollment #8763

Closed
opened 2026-04-16 12:36:58 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6949
Author: @brendan-kite
Created: 3/16/2026
Status: Closed

Base: main ← Head: sso-improvements


📝 Commits (1)

  • 6fc40c0 feat: SSO improvements — auto-redirect, Key Connector, logout redirect, auto-enrollment

📊 Changes

7 files changed (+673 additions, -15 deletions)

View changed files

📝 src/api/core/accounts.rs (+139 -2)
📝 src/api/identity.rs (+77 -2)
📝 src/api/web.rs (+162 -2)
📝 src/config.rs (+29 -0)
📝 src/crypto.rs (+253 -0)
📝 src/db/models/organization.rs (+12 -8)
📝 src/db/models/user.rs (+1 -1)

📄 Description

Summary

Five new opt-in configuration flags that address long-standing SSO usability gaps:

  • SSO_AUTO_REDIRECT — Skip the login form entirely, go straight to the IdP (#6191)
  • SSO_LOGOUT_REDIRECT — End the IdP session on logout, preventing auto-re-login loops
  • SSO_KEY_CONNECTOR — Built-in Key Connector so SSO users never need a master password (#2583)
  • SSO_AUTO_ENROLL — Auto-create org and enroll users on first SSO login
  • SSO_IDENTIFIER — Custom org identifier for the above features

All features are off by default and fully backwards-compatible. 547 lines added across 7 files.

Motivation

With SSO_ONLY=true, several flows are broken or frustrating:

  • Users must manually click "Enterprise SSO", enter an identifier, then authenticate — SSO_AUTO_REDIRECT eliminates this
  • After logout, the auto-redirect immediately re-authenticates (IdP session is still active) — SSO_LOGOUT_REDIRECT fixes this with OIDC RP-Initiated Logout
  • SSO users still need a master password for vault encryption (#2583, 21 upvotes, open since 2022) — SSO_KEY_CONNECTOR provides a clean-room, file-based Key Connector
  • New SSO users have no organization — SSO_AUTO_ENROLL creates one automatically

Security Note

Key Connector stores wrapped master keys server-side, trading the zero-knowledge property for usability. This is the same tradeoff as Bitwarden's official Key Connector. The feature is opt-in and clearly documented.

Configuration

SSO_AUTO_REDIRECT=true      # Requires SSO_ONLY=true
SSO_LOGOUT_REDIRECT=true    # Requires SSO_AUTO_REDIRECT=true
SSO_KEY_CONNECTOR=true      # Requires SSO_ONLY=true
SSO_AUTO_ENROLL=true
SSO_IDENTIFIER=my-org       # Optional, defaults to internal identifier

Test Plan

- SSO_AUTO_REDIRECT: Visit login page → auto-redirected to IdP → login → vault loads
- SSO_LOGOUT_REDIRECT: Logout → redirected to IdP logout → session ended → re-login requires credentials
- SSO_KEY_CONNECTOR: New SSO user → Key Connector setup → vault unlocked without master password → subsequent logins retrieve key automatically
- SSO_AUTO_ENROLL: First SSO login → org created → user enrolled as member
- All features disabled: No behavioral changes from upstream v1.35.4

Files Changed (7)

┌───────────────────────────────┬────────┬───────────────────────────────────────────────────────────┐
│             File              │ Lines  │                          Purpose                          │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/config.rs                 │ +10    │ 5 new config flags                                        │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/api/web.rs                │ +164   │ Auto-redirect JS injection, PKCE flow, logout detection   │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/api/identity.rs           │ +79    │ KeyConnectorOption in login response, SSO auto-enrollment │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/api/core/accounts.rs      │ +153   │ Key Connector endpoints (5 routes)                        │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/crypto.rs                 │ +134   │ Org key generation (RSA-2048 + AES-256), KC key storage   │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/db/models/organization.rs │ +20/-7 │ Dynamic SSO/KC flags in org JSON                          │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/db/models/user.rs         │ +1/-1  │ Dynamic usesKeyConnector in profile                       │
└───────────────────────────────┴────────┴───────────────────────────────────────────────────────────┘

Addresses: #2583, #6191, #6316

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
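The logout loop described under Motivation is the standard reason for OIDC RP-Initiated Logout: after the local session is cleared, the client is sent to the IdP's `end_session_endpoint` with an `id_token_hint`, so the IdP session ends before the auto-redirect fires again. The following is an added example, not code from this PR or from vaultwarden; the endpoint, the ID token and the registered post-logout URI are assumed inputs supplied by the caller.

```rust
// Added example (not vaultwarden code): build the OIDC RP-Initiated Logout
// redirect that an SSO_LOGOUT_REDIRECT-style feature would send the browser to.
// The post_logout_redirect_uri is checked against an exact-match allowlist,
// because an unchecked value turns the logout hop into an open redirect.

/// Percent-encode everything outside the RFC 3986 unreserved set.
fn percent_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Returns the IdP logout URL, or None when `post_logout` is not one of the
/// URIs registered for this client (assumed to be configured by the operator).
/// `id_token` is the ID token issued at login; it is passed as id_token_hint so
/// the IdP knows which session to terminate. `state` is echoed back unchanged.
pub fn rp_initiated_logout_url(
    end_session_endpoint: &str,
    id_token: &str,
    post_logout: &str,
    allowed_post_logout: &[&str],
    state: &str,
) -> Option<String> {
    if !allowed_post_logout.contains(&post_logout) {
        return None;
    }
    // Endpoints discovered from the IdP metadata may already carry a query.
    let sep = if end_session_endpoint.contains('?') { '&' } else { '?' };
    Some(format!(
        "{}{}id_token_hint={}&post_logout_redirect_uri={}&state={}",
        end_session_endpoint,
        sep,
        percent_encode(id_token),
        percent_encode(post_logout),
        percent_encode(state),
    ))
}
```

After the IdP redirects back to `post_logout_redirect_uri`, the client should compare the returned `state` with the value it sent before doing anything else.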
