SSO: "Failed to retrieve the associated organization" #326

Closed
opened 2026-04-05 20:54:20 +02:00 by MrUnknownDE · 0 comments

Originally created by @mkjeller on 10/19/2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-3f010a50
  • Web-vault version: v2025.9.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (cf-connecting-ip)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "K-VAULT",
  "invitations_allowed": true,
  "ip_header": "cf-connecting-ip",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "K-VAULT Administration",
  "smtp_host": "****************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*******************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3-3f010a50

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

cloudflared

Host/Server Operating System

Linux

Operating System Version

Docker

Clients

Web Vault

Client Version

v2025.9.1

Steps To Reproduce

  1. Go to https://vault.example.domain/#/sso
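  2. Enter any value as the SSO identifier (the documentation does not make clear what belongs here; "TESTSTRING" was used in this case, and it is the value that appears in the `GET /api/organizations/TESTSTRING/auto-enroll-status` request in the logs below).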
  3. Sign in with SSO service (in this case PocketID)
  4. Create a master password
  5. Click Create account

Expected Result

Master password is saved and login flow continues / user is presented with their brand new vault

Actual Result

The web interface hangs for a few seconds before failing with a toast in the top right corner stating:

An error has occurred.
Failed to retrieve the associated organization

Logs

[2025-10-19 08:26:21.977][vaultwarden::api::identity][INFO] User test logged in successfully. IP: [REDACTED IPv6]

[2025-10-19 08:26:21.978][response][INFO] (login) POST /identity/connect/token => 200 OK

[2025-10-19 08:26:22.028][request][INFO] GET /api/sync?excludeDomains=true

[2025-10-19 08:26:22.030][response][INFO] (sync) GET /api/sync?<data..> => 200 OK

[2025-10-19 08:26:22.092][request][INFO] POST /identity/connect/token

[2025-10-19 08:26:22.410][response][INFO] (login) POST /identity/connect/token => 200 OK

[2025-10-19 08:26:22.457][request][INFO] GET /api/sync?excludeDomains=true

[2025-10-19 08:26:22.459][response][INFO] (sync) GET /api/sync?<data..> => 200 OK

[2025-10-19 08:26:22.506][request][INFO] GET /api/organizations/TESTSTRING/auto-enroll-status

[2025-10-19 08:26:22.507][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK

[2025-10-19 08:26:22.552][request][INFO] GET /api/organizations/e2c6120f-9036-4984-a46b-8091393130a4/policies/master-password

[2025-10-19 08:26:22.553][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 200 OK

[2025-10-19 08:26:49.594][request][INFO] POST /api/accounts/set-password

[2025-10-19 08:26:49.978][vaultwarden::api::core::accounts][ERROR] Failed to retrieve the associated organization

[2025-10-19 08:26:49.978][response][INFO] (post_set_password) POST /api/accounts/set-password => 400 Bad Request

Additional Context

This has been tested with the following settings toggled on and off in various combinations.
The error persists in all cases.

  • Allow new signups
  • Only SSO login

The error does NOT occur if the user first creates an account in the traditional way and then re-attempts the SSO login. In that case email association takes over (consistent with `"sso_signups_match_email": true` in the config above) and the OIDC ID is linked to the existing account.
SSO logins work from then on, but the user is still prompted for their master password (I believe this is intended behaviour?).

*Originally created by @mkjeller on 10/19/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-3f010a50 * Web-vault version: v2025.9.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (cf-connecting-ip) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, 
"disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*********************", "domain_origin": "*****://*********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "K-VAULT", "invitations_allowed": true, "ip_header": "cf-connecting-ip", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": 
"https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "K-VAULT Administration", "smtp_host": "****************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***********************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*******************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://**************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 
v1.34.3-3f010a50 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy cloudflared ### Host/Server Operating System Linux ### Operating System Version Docker ### Clients Web Vault ### Client Version v2025.9.1 ### Steps To Reproduce 1. Go to https://vault.example.domain/#/sso 2. Enter anything in the SSO identifier (documentation does not make it clear what should go here, in this case "TESTSTRING" was used.) 3. Sign in with SSO service (in this case PocketID) 4. Create a master password 5. Click Create account ### Expected Result Master password is saved and login flow continues / user is presented with their brand new vault ### Actual Result The web interface hangs for a few seconds before failing with a toast in the top right corner stating: > An error has occurred. > Failed to retrieve the associated organization ### Logs ```text [2025-10-19 08:26:21.977][vaultwarden::api::identity][INFO] User test logged in successfully. IP: [REDACTED IPv6] [2025-10-19 08:26:21.978][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-19 08:26:22.028][request][INFO] GET /api/sync?excludeDomains=true [2025-10-19 08:26:22.030][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-19 08:26:22.092][request][INFO] POST /identity/connect/token [2025-10-19 08:26:22.410][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-19 08:26:22.457][request][INFO] GET /api/sync?excludeDomains=true [2025-10-19 08:26:22.459][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-19 08:26:22.506][request][INFO] GET /api/organizations/TESTSTRING/auto-enroll-status [2025-10-19 08:26:22.507][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK [2025-10-19 08:26:22.552][request][INFO] GET /api/organizations/e2c6120f-9036-4984-a46b-8091393130a4/policies/master-password [2025-10-19 08:26:22.553][response][INFO] (get_master_password_policy) 
GET /api/organizations/<org_id>/policies/master-password => 200 OK [2025-10-19 08:26:49.594][request][INFO] POST /api/accounts/set-password [2025-10-19 08:26:49.978][vaultwarden::api::core::accounts][ERROR] Failed to retrieve the associated organization [2025-10-19 08:26:49.978][response][INFO] (post_set_password) POST /api/accounts/set-password => 400 Bad Request ``` ### Additional Context This has been tested with the following settings toggled on and off in various combinations. The error persists in all cases. - Allow new signups - Only SSO login Error does NOT occur if the user creates an account first in the traditional way then goes back and re-attempts SSO login. Email association takes over and the OIDC ID is linked to the account. SSO logins work from then on, but the user is still prompted for their Master Password (but I believe this is intended behaviour?)

Reference: github/vaultwarden#326