feat: SSO improvements — auto-redirect, Key Connector, logout redirect, auto-enrollment #59

Closed
opened 2026-04-05 20:29:19 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @brendan-kite on 3/16/2026

Summary

Five new opt-in configuration flags that address long-standing SSO usability gaps:

  • SSO_AUTO_REDIRECT — Skip the login form entirely, go straight to the IdP (#6191)
  • SSO_LOGOUT_REDIRECT — End the IdP session on logout, preventing auto-re-login loops
  • SSO_KEY_CONNECTOR — Built-in Key Connector so SSO users never need a master password (#2583)
  • SSO_AUTO_ENROLL — Auto-create org and enroll users on first SSO login
  • SSO_IDENTIFIER — Custom org identifier for the above features

All features are off by default and fully backwards-compatible. 547 lines added across 7 files.

Motivation

With SSO_ONLY=true, several flows are broken or frustrating:

  • Users must manually click "Enterprise SSO", enter an identifier, then authenticate — SSO_AUTO_REDIRECT eliminates this
  • After logout, the auto-redirect immediately re-authenticates (IdP session is still active) — SSO_LOGOUT_REDIRECT fixes this with OIDC RP-Initiated Logout
  • SSO users still need a master password for vault encryption (#2583, 21 upvotes, open since 2022) — SSO_KEY_CONNECTOR provides a clean-room, file-based Key Connector
  • New SSO users have no organization — SSO_AUTO_ENROLL creates one automatically

Security Note

Key Connector stores wrapped master keys server-side, trading the zero-knowledge property for usability. This is the same tradeoff as Bitwarden's official Key Connector. The feature is opt-in and clearly documented.

Configuration

SSO_AUTO_REDIRECT=true      # Requires SSO_ONLY=true
SSO_LOGOUT_REDIRECT=true    # Requires SSO_AUTO_REDIRECT=true
SSO_KEY_CONNECTOR=true      # Requires SSO_ONLY=true
SSO_AUTO_ENROLL=true
SSO_IDENTIFIER=my-org       # Optional, defaults to internal identifier
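
The prerequisites stated in the comments above (SSO_AUTO_REDIRECT needs SSO_ONLY, SSO_LOGOUT_REDIRECT needs SSO_AUTO_REDIRECT, SSO_KEY_CONNECTOR needs SSO_ONLY) expressed as a startup check, added here as an example and not code from this PR; `SsoConfig`, `parse_sso_env` and `validate_sso_config` are hypothetical names, and the parser is a minimal stand-in for the project's real config loading.

```rust
// Added example, not the PR's code: a consistency check for the five SSO flags,
// modelled on the prerequisites stated in the PR's configuration comments.
// `SsoConfig`, `parse_sso_env` and `validate_sso_config` are hypothetical names.
#[derive(Debug, Clone, Default)]
pub struct SsoConfig {
    pub sso_only: bool,
    pub sso_auto_redirect: bool,
    pub sso_logout_redirect: bool,
    pub sso_key_connector: bool,
    pub sso_auto_enroll: bool,
    pub sso_identifier: Option<String>,
}

/// Returns every violated prerequisite; an empty Vec means the flags are consistent.
/// Refusing to start on a violation is safer than silently ignoring a flag: an
/// auto-redirect without SSO_ONLY, for example, leaves the password form reachable.
pub fn validate_sso_config(cfg: &SsoConfig) -> Vec<String> {
    let mut errors = Vec::new();
    if cfg.sso_auto_redirect && !cfg.sso_only {
        errors.push("SSO_AUTO_REDIRECT=true requires SSO_ONLY=true".to_string());
    }
    if cfg.sso_logout_redirect && !cfg.sso_auto_redirect {
        errors.push("SSO_LOGOUT_REDIRECT=true requires SSO_AUTO_REDIRECT=true".to_string());
    }
    if cfg.sso_key_connector && !cfg.sso_only {
        errors.push("SSO_KEY_CONNECTOR=true requires SSO_ONLY=true".to_string());
    }
    errors
}

/// Minimal `.env`-style parser (KEY=value, `#` starts a comment); only the SSO keys are read.
pub fn parse_sso_env(text: &str) -> SsoConfig {
    let mut cfg = SsoConfig::default();
    for raw in text.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        let (k, v) = match line.split_once('=') { Some(kv) => kv, None => continue };
        let on = v.trim().eq_ignore_ascii_case("true");
        match k.trim() {
            "SSO_ONLY" => cfg.sso_only = on,
            "SSO_AUTO_REDIRECT" => cfg.sso_auto_redirect = on,
            "SSO_LOGOUT_REDIRECT" => cfg.sso_logout_redirect = on,
            "SSO_KEY_CONNECTOR" => cfg.sso_key_connector = on,
            "SSO_AUTO_ENROLL" => cfg.sso_auto_enroll = on,
            "SSO_IDENTIFIER" => cfg.sso_identifier = Some(v.trim().to_string()),
            _ => {}
        }
    }
    cfg
}

fn main() {
    // Constructed input: the PR's sample block with SSO_ONLY left unset.
    let cfg = parse_sso_env("SSO_AUTO_REDIRECT=true\nSSO_LOGOUT_REDIRECT=true\nSSO_KEY_CONNECTOR=true\n");
    for e in validate_sso_config(&cfg) { eprintln!("config error: {e}"); }
}
```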

Test Plan

- SSO_AUTO_REDIRECT: Visit login page → auto-redirected to IdP → login → vault loads
- SSO_LOGOUT_REDIRECT: Logout → redirected to IdP logout → session ended → re-login requires credentials
- SSO_KEY_CONNECTOR: New SSO user → Key Connector setup → vault unlocked without master password → subsequent logins retrieve key automatically
- SSO_AUTO_ENROLL: First SSO login → org created → user enrolled as member
- All features disabled: No behavioral changes from upstream v1.35.4

Files Changed (7)

┌───────────────────────────────┬────────┬───────────────────────────────────────────────────────────┐
│             File              │ Lines  │                          Purpose                          │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/config.rs                 │ +10    │ 5 new config flags                                        │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/api/web.rs                │ +164   │ Auto-redirect JS injection, PKCE flow, logout detection   │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/api/identity.rs           │ +79    │ KeyConnectorOption in login response, SSO auto-enrollment │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/api/core/accounts.rs      │ +153   │ Key Connector endpoints (5 routes)                        │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/crypto.rs                 │ +134   │ Org key generation (RSA-2048 + AES-256), KC key storage   │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/db/models/organization.rs │ +20/-7 │ Dynamic SSO/KC flags in org JSON                          │
├───────────────────────────────┼────────┼───────────────────────────────────────────────────────────┤
│ src/db/models/user.rs         │ +1/-1  │ Dynamic usesKeyConnector in profile                       │
└───────────────────────────────┴────────┴───────────────────────────────────────────────────────────┘

Addresses: #2583, #6191, #6316
Reference: github/vaultwarden#59