Closed by chaosgrid 2 months ago
Ah yes, your provider Keycloak is reporting that the email is not verified. Since changing the email in the warden can only be done by the user, I decided to block login if it was not yet verified.
You should be able to set the user email as verified in Keycloak :)
Ah thanks, that was indeed the issue :) Maybe it would be good to document this or have a better error message, since I assumed the problem is on the Vaultwarden side.
So not sure if I'm missing something, but I set up a new Vaultwarden instance with your docker image (v2024.8.3-1). I have a Keycloak instance running. This is a fresh install with no users. I want to log in via SSO (without having a Vaultwarden account yet).
The SSO redirect to Keycloak works, however, Vaultwarden then fails to proceed with
Email needs to be verified before you can use VaultWarden
I have set
But it still does not work. Do users have to create "normal" accounts first and only then login via SSO works? Also, if I use the admin panel and invite the correct Email, it still does not work. Is there any way to debug this? I only see this in the log:
vaultwarden | [2024-09-13 22:07:33.685][oidcwarden::api::identity][ERROR] Email needs to be verified before you can use VaultWarden
Oh and btw: I tried the SSO_ONLY setting but it does nothing for me, I see the normal email-login page and I don't get redirected to Keycloak. Only with SSO_FRONTEND=override do I see the single-button login screen.
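For the "is there any way to debug this?" question, an added example (not part of the thread and not the project's code): a small Python helper that decodes an ID token's payload and reports the standard OIDC `email_verified` claim that the provider sends. It assumes the claim travels in the ID token (the server may read it from the userinfo endpoint instead); the sample tokens and the helper names are constructed for illustration.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature.
    Debugging aid only: never make access decisions on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_verification_status(claims: dict) -> str:
    """Classify what the provider asserts about the user's email."""
    if "email" not in claims:
        return "no-email-claim"      # 'email' scope or mapper not delivered
    value = claims.get("email_verified")
    if value is None:
        return "claim-missing"       # provider did not send the claim at all
    # Some providers serialize the boolean as a string.
    if value is True or (isinstance(value, str) and value.lower() == "true"):
        return "verified"
    return "unverified"              # the case reported in this thread


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed input for this example)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sample-signature"


# Constructed sample claims, not captured from a real Keycloak instance.
SAMPLES = {
    "fresh user": {"email": "user@example.test", "email_verified": False},
    "verified user": {"email": "user@example.test", "email_verified": True},
    "string boolean": {"email": "user@example.test", "email_verified": "true"},
    "claim absent": {"email": "user@example.test"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        token = make_sample_token(claims)
        print(f"{name}: {email_verification_status(decode_jwt_payload(token))}")
```

Anything other than `verified` for the account in question points at the identity provider's user record rather than at the Vaultwarden side.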