Setting up Single Sign-On (SSO)
You can configure your Vaultwarden instance so that users sign in via Single Sign-On (SSO) against your identity provider. Vaultwarden supports the OpenID Connect standard for this — so it works with Authentik, Keycloak, Zitadel, Google Workspace, Microsoft Entra ID, and other OIDC providers.
- An active Vaultwarden subscription at server.camp
- A reachable, OIDC-capable identity provider instance
- Admin access to both systems
Create a new OAuth2/OpenID application for Vaultwarden at your identity provider. The exact procedure differs per provider — Vaultwarden maintains an excellent provider guide in its official wiki:
- Vaultwarden SSO wiki: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect
- Provider-specific examples:
  - Authentik: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#authentik
    - With Authentik, the email mapping must additionally be added: https://integrations.goauthentik.io/security/vaultwarden/#authentik-configuration
  - Keycloak: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#keycloak
  - Zitadel: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#zitadel
  - Google: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#google-auth
  - Microsoft Entra ID: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#microsoft-entra-id
In every case, enter the following redirect URI at your IdP:
https://<your-vaultwarden-domain>/identity/connect/oidc-signin
If you use a custom domain for Vaultwarden, add its callback URL as well.
Finally, note down the client ID, client secret, and the issuer URL (also called “authority” or “OpenID configuration issuer”). The issuer URL is the base URL under which /.well-known/openid-configuration is reachable.
In the customer portal, open the configuration of your Vaultwarden subscription and enter these four values under “Advanced configuration”:
| Key | Value |
|---|---|
| Enable SSO | Checked |
| SSO issuer URL | Issuer URL from your IdP |
| SSO client ID | Copied from your IdP |
| SSO client secret | Copied from your IdP |
Save and wait for the deployment to finish (about 1–2 minutes). On the next login, the Vaultwarden web vault shows an additional “Enterprise Single Sign-On” button.
The following values are optional and usually don’t need to be set — Vaultwarden has sensible defaults. Only set them if you specifically need to deviate:
| Key | Default | Effect |
|---|---|---|
| SSO only | false | Check this to disable the classic master-password login. Caution: this locks you out if the IdP is unavailable. |
| SSO scopes | email profile openid offline_access | Only override this if your IdP provides additional claims. |
| SSO PKCE | true | Uses the PKCE flow for added security. Only disable this if your provider requires it. |
| Link SSO with existing accounts | true | Links SSO logins to existing Vaultwarden accounts via the email address. |
| Allow unknown email verification status | false | Ignores the email verification status reported by the identity provider. Only enable this if the email addresses in the IdP are guaranteed correct and cannot be changed by users. |
- Open the Vaultwarden web vault.
- Enter the email address and click “Enterprise Single Sign-On”.
- You are redirected to the IdP; sign in there.
- Back in the vault, set or enter the master password once — it still encrypts the vault locally and is required even with SSO active.
- “redirect_uri mismatch” at the IdP: check that the redirect URI is stored at the provider exactly as given above, including the path and any trailing slash.
- No SSO button visible: is `sso_enabled` correctly set to `true`? Has the deployment in the portal finished?
- “Invalid issuer”: `sso_authority` must exactly match the `issuer` value in `/.well-known/openid-configuration`, including a trailing slash if present.
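The following Python script is an added example; it is not code from Vaultwarden, server.camp or the Vaultwarden wiki. It pre-checks the values from the redirect-URI and troubleshooting sections before you enter them in the portal: it derives the discovery URL from the issuer URL, builds the redirect URI that must be registered for a given Vaultwarden domain, and compares a downloaded discovery document against the configured issuer (the exact string comparison that the “Invalid issuer” note describes), the default scopes and PKCE. The discovery document and hostnames below are constructed samples so the script runs offline; in practice you would paste in the document fetched from your IdP's `/.well-known/openid-configuration`.

```python
"""Pre-flight checks for Vaultwarden OIDC SSO settings.

Added example for this page; not part of Vaultwarden or the server.camp portal.
Assumes the portal's "SSO issuer URL" is compared byte-for-byte with the
"issuer" claim of the IdP's discovery document, as the troubleshooting note states.
"""
import json
from urllib.parse import urlsplit

OIDC_CALLBACK_PATH = "/identity/connect/oidc-signin"              # from the page
DEFAULT_SCOPES = ("email", "profile", "openid", "offline_access")  # page default


def discovery_url(issuer: str) -> str:
    """Return the URL where the OpenID configuration document is served.

    The well-known path is appended to the issuer; a trailing slash on the
    issuer is dropped here only so that the document URL is not built with
    a double slash. The issuer string itself is NOT normalised anywhere else.
    """
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def expected_redirect_uri(vaultwarden_domain: str) -> str:
    """Build the redirect URI that has to be registered at the IdP (one per domain)."""
    return f"https://{vaultwarden_domain}{OIDC_CALLBACK_PATH}"


def check_discovery(configured_issuer: str, document: dict,
                    scopes: tuple = DEFAULT_SCOPES, pkce: bool = True) -> list:
    """Compare portal settings against the IdP discovery document.

    Returns a list of problems; an empty list means the settings are consistent.
    The issuer comparison is deliberately an exact string compare: a single
    differing trailing slash is enough to produce the "Invalid issuer" error.
    """
    problems = []
    issuer = document.get("issuer")
    if issuer != configured_issuer:
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"discovery document says {issuer!r}")
    # scopes_supported is optional metadata; only complain when it is present
    supported = document.get("scopes_supported")
    if supported is not None:
        missing = [s for s in scopes if s not in supported]
        if missing:
            problems.append(f"IdP does not advertise scopes: {missing}")
    # same for code_challenge_methods_supported: absent means "unknown", not "unsupported"
    if pkce:
        methods = document.get("code_challenge_methods_supported")
        if methods is not None and "S256" not in methods:
            problems.append("PKCE enabled but IdP does not advertise S256")
    for endpoint in ("authorization_endpoint", "token_endpoint"):
        if endpoint not in document:
            problems.append(f"discovery document lacks {endpoint}")
    return problems


def check_redirect_uri(registered: str, vaultwarden_domain: str) -> list:
    """Explain a redirect_uri mismatch: scheme, host, path and trailing slash must match exactly."""
    expected = expected_redirect_uri(vaultwarden_domain)
    if registered == expected:
        return []
    r, e = urlsplit(registered), urlsplit(expected)
    problems = []
    if r.scheme != e.scheme:
        problems.append(f"scheme differs: {r.scheme!r} vs {e.scheme!r}")
    if r.netloc != e.netloc:
        problems.append(f"host differs: {r.netloc!r} vs {e.netloc!r}")
    if r.path != e.path:
        problems.append(f"path differs: {r.path!r} vs {e.path!r}")
    if not problems:  # e.g. an unexpected query string or fragment
        problems.append(f"registered {registered!r} differs from expected {expected!r}")
    return problems


# Constructed sample discovery document (not from a real IdP); note the trailing slash
# on the issuer, which is the classic cause of "Invalid issuer".
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.test/realms/vaultwarden/",
  "authorization_endpoint": "https://idp.example.test/realms/vaultwarden/protocol/openid-connect/auth",
  "token_endpoint": "https://idp.example.test/realms/vaultwarden/protocol/openid-connect/token",
  "scopes_supported": ["openid", "email", "profile", "offline_access"],
  "code_challenge_methods_supported": ["plain", "S256"]
}""")

if __name__ == "__main__":
    for issuer in ("https://idp.example.test/realms/vaultwarden",
                   "https://idp.example.test/realms/vaultwarden/"):
        print(issuer, "->", check_discovery(issuer, SAMPLE_DISCOVERY) or "OK")
    print(check_redirect_uri("https://vault.example.test/identity/connect/oidc-signin/",
                             "vault.example.test"))
```

Run it as-is to see the trailing-slash mismatch reported for the first issuer and a clean result for the second; to check a real deployment, replace `SAMPLE_DISCOVERY` with the JSON returned by `discovery_url(<your issuer>)` and pass your actual Vaultwarden domain and the URI you registered at the IdP.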
If you have any further questions, reach our support via the customer portal.