Auto-Invitation for Users who joined an Organization with SSO

[jobritz]

Hi, just a quick question, because I think I see the issue but I don't know what to do. I want to skip the email invitation for users to join an organization. I invite users with SSO_ORGANIZATIONS_ID_MAPPING to my organization, but when i deactivate smtp the users are not added to the organization without an invitation link. In your README you say that if i use the SSO_ORGANIZATIONS_ID_MAPPING I should use group name mapping but I don't know what to do. Is there a specific configuration I'm missing?

Thanks for your help :).

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.5-7
• Web-vault version: voidc_button-v2024.1.2-6
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: false
• Internet access via a proxy: true
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: n/a
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.45.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

**Environment settings which are overridden:** ADMIN_TOKEN, SSO_MASTER_PASSWORD_POLICY ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************************", "domain_origin": "*****://****************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/log/vaultwarden.log", "log_level": "debug", "log_level_override": "", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "**********************", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": false, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "************,***********", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "Vaultwarden", "smtp_host": "*******************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "https://login.microsoftonline.com/b70374ee-7ecf-4084-811c-1d38959350b6/v2.0", "sso_authorize_extra_params": "", "sso_callback_path": "https://vaultwarden.app.hensoldt.net/identity/connect/oidc-signin", "sso_client_cache_expiration": 0, "sso_client_id": "338002b7-91cc-4e23-8061-c7964908d8fb", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": "{\"enforceOnLogin\":true,\"minComplexity\":4,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":true,\"requireUpper\":true}", "sso_only": false, "sso_organizations_id_mapping": "4a60b709-5322-4bf6-a591-32cddeabd25a:b0ee6262-8ef0-4b8c-8f66-411f0b7e9511;", "sso_organizations_invite": true, "sso_organizations_token_path": "/roles", "sso_pkce": false, "sso_roles_default_to_user": true, "sso_roles_enabled": false, "sso_roles_token_path": "/resource_access/338002b7-91cc-4e23-8061-c7964908d8fb/roles", "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```

[Timshel]

Hey,

Just to be sure after the first login from the user did you go back with the Organization admin user to confirm the "invitation" ?

[jobritz]

Yes, but I couldn't confirm the invitation. The user is listed in the "invited" section and not in the "Needs confirmation" section

[Timshel]

Hey,

I can reproduce. I would not recommend running the server without mail activated outside of testing; but will have a look.

[jobritz]

Hi,

I did some testing in the meantime and I realized, that deactivating SMTP is as you recommended not working for me because the account recovery administration isn't working without SMTP. I wanted to deactivate SMTP to make the login workflow more convient because it should need less user interaction that way. It would be awesome if you could skip the user invitation email anyway, while having smtp still running.

I also realized, that if a user is added to an organization in my enviroment via SSO, he gets access to all collections by default, Is this on purpose or would it be possible to make this configurable or set it to no collections as default value?

Thank you so far for your amazing work!

[Timshel]

It would be awesome if you could skip the user invitation email anyway, while having smtp still running.

We had some level of auto-enroll for a time to bypass a bug, it was removed when it becomes unnecessary to keep the scope of the sso PR to a minimum. But since it probably make sense with the autoenroll feature I might add it again in the main branch.

I also realized, that if a user is added to an organization in my enviroment via SSO, he gets access to all collections by default, Is this on purpose or would it be possible to make this configurable or set it to no collections as default value?

Yep it's a default, will check but should be simple to allow to default to no collections.

[Timshel]

Hey,

Just pushed 1.30.5-9 (should take 1h to build) with:

• Fix organization invitation when SMTP is disabled.

• Add SSO_ORGANIZATIONS_ALL_COLLECTIONS config to allow to grant or not access to all collections (default true)

  For the autoenroll though on it again but due to some limitation it's not possible to immediately set the user as confirmed, logic need to be splitted so for now will wait to see if there are more interests.

[jobritz]

Awesome, thank you for your help.

[jobritz]

Hey, don't worry I just reopend to see if there are any more interests. I found a discussion on the main vaultwarden repo about an auto-confirmation script (https://github.com/dani-garcia/vaultwarden/discussions/3954). I also think that auto-confirmation is not really necessary, but auto-invitation would be a cool feature. If somebody still wants to use auto-comfirmation this script would be an option, but for me I'd be super happy if there is an option to skip the invitation step

[michael-harman]

I am also very interested in this feature as it is the last thing for me to achieve seamless LDAP integration to Vaultwarden.

Having some issues with the script mentioned above. Have you been able to get it to work? Seems like it was written for an older version of the CLI and I have not had success updating it.

[jobritz]

No sorry, I do not plan to use it and therefore didn't test it

[KornKalle]

I would love to see auto-confirmation happening, for our use-case the "confirmations" when adding the user to the right sso group, so everything which needs less interaction would be great for us

[dlehman83]

I just want to add my vote to this as well. I’ve been testing Vault Warden this last week and want it as simple as possible for users.
If a user signs in via SSO there should be no need for confirmation, as only valid accounts could SSO.
I have not got the org mapping setup yet, but that is my next step.

Edit: I've setup org mapping today. My test user was auto invited to the org. The user still had to accept and admin confirm.
I'd like to see a new config option for SSO auto accept invite. This way the admin could choose the work flow. I know nothing about rust, but would think it would be a simple if statement.

I will create a PR to update my notes on the org mapping for EntraID.

[Timshel]

Some comment I added to the main PR discussion:

Still for some clarification, auto accept was added to bypass the org invitation bug then removed when it become unnecessary. It was requested again but for now I did not add-it back mainly because in the case of a new user the Org check is done before the user set a new password/obtain a key; And confirming an accepted user with no key resulted in a broken state :(.

Of course the check could be split in two places, but then the code would be quite janky since you would need to stay in the invited state first but without sending the invited email since you expect to automatically switch to accepted later-on.

I believe some guards were added, and now you can't confirm a user with no key, but if I remember correctly no error message is displayed :(. Still if I ever add it again it will probably be this way; will have to check it again.

Additionally, wanted to clarify that only auto accept is discussed here, Auto confirmation is another problem since I believe it requires key manipulation and an unlocked session.

And for those wanting a more advanced synchronization you can look at the Directoy Connector (but I have no experience with it).

[Timshel]

Hey,

Had a look again and added ORGANIZATION_INVITE_AUTO_ACCEPT to allow to directly set user as Accepted. Will work for manual invitation or when using groups. An Enrolled mail is sent to the user.

As mentioned if you try to confirm a user which did not finish creating his account it will fail. You'll need to run with the SSO_FRONTEND=override for the error to be visible (no public key).

For now available only under the testing tag.

[jobritz]

Awesome, thanks for your work. I have no access to my environment right now but I will test it as soon as possible. Just to be sure I understand it correctly: Does it work if the account is created by the organization invitation, is this meant by 'groups'?

[Timshel]

Does it work if the account is created by the organization invitation

Yes, but what might be weird is that the invitation is not needed anymore, so there will not be any link; User just has to create an account or log using SSO. Hum looking at it again had not realized that if you closed registration then invitation system used by Vaultwarden is in fact the Org invitation system with a dummy org value, will have to test it a bit more.

Sorry not very clear the groups is in reference to how the equivalent of organizations is usually named in your provider when using the SSO_ORGANIZATIONS_INVITE setting.

[jobritz]

Okay thanks, this is actually exactly what I want because I have user who ignore the invitation link, and I that didn't allow me to enforce certain policies

[dlehman83]

This is making good progress. I attempted to write this code but ran out of time before our busy season.

I just tested and the org invitation was auto accepted / verified.

Any plans to also auto confirm, or would that me too insecure? I was worried how am I going to know I need to confirm someone, but VW sent me an email.

Once things slow down at work, I may be able to invite others to test this with me now.

Thank you for all the hard work.

[Timshel]

Any plans to also auto confirm, or would that me too insecure?

Not planned since it would require some key manipulation that are only done in the client.