Timshel/vaultwarden

Email address not required if SSO_ONLY enabled

Sp1l opened this issue · 1 comment

Sp1l commented

(Other than usability nits so far OIDCwarden is working fine, great job! Thanks for taking this up!)

I'm trying to figure out if I can use this for my internal teams at work where we have Microsoft EntraID.

For regular users, the UI is confusing. The landing page is the "Email address (required)" page, whereas Vaultwarden will get the email address from the OIDC endpoint. If SSO_ONLY is enabled and there's no authenticated session, I'd expect the user to be redirected to the OIDC login flow and return authenticated.

The secondary logon page has "Master password (required)" where, for SSO_ONLY, it should be a page with only an "Enterprise Single sign-on" button (or a redirect to the OIDC flow) if there's no OIDC session context yet.

Not sure if this is easily fixable or feasible at all. As it currently stands, I'd have to write some documentation for user on-boarding to get through the flow properly.

Currently using:

container: oidcwarden/vaultwarden-oidc:latest-alpine

SSO_ONLY=true

Sp1l commented

Sorry for the noise! Closing issue.

Added to my container's EnvironmentFile:

SSO_FRONTEND=override

Landing page now shows:

"Log in using your organization's single sign-on portal."

Thank you!
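The two comments above describe one misconfiguration (SSO_ONLY=true with the default frontend, so users still land on the email and master-password pages) and its fix (adding SSO_FRONTEND=override). The following lint, an added example that is not part of the issue thread or of the vaultwarden/OIDCwarden project, parses a container EnvironmentFile and flags that pairing problem. It also flags the reverse case, SSO_FRONTEND=override without SSO_ONLY=true, on the assumption (drawn from the option names, not confirmed by the thread) that SSO_FRONTEND only changes the web vault's login page while SSO_ONLY is the server-side enforcement, so overriding the frontend alone hides the password form without disabling password login. The sample EnvironmentFiles are constructed here; the function names are the example's own.

```python
"""Lint a vaultwarden/OIDCwarden EnvironmentFile for the SSO_ONLY / SSO_FRONTEND pairing.

Added example, not project code. Only SSO_ONLY and SSO_FRONTEND=override are taken
from the issue; every other interpretation below is an assumption and is labelled.
"""
from typing import Dict, List

# Constructed sample EnvironmentFiles (not copied from the reporter's host).
ENV_BEFORE = """
# state from the original report: SSO enforced, frontend left at its default
SSO_ONLY=true
"""

ENV_AFTER = """
# state after the fix from the second comment
SSO_ONLY=true
SSO_FRONTEND=override
"""

ENV_UI_ONLY = """
# the reverse mistake: only the login page is changed
SSO_FRONTEND=override
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines the way systemd EnvironmentFile and docker --env-file do:
    blank lines and '#' comments are skipped, an optional 'export ' prefix is dropped,
    surrounding quotes on the value are removed, and a later key overrides an earlier one."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue  # malformed line; systemd would reject it, we just skip it
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def sso_only_enabled(env: Dict[str, str]) -> bool:
    """Vaultwarden reads boolean options as the literal strings 'true'/'false'
    (assumption: Rust's str::parse::<bool>), so anything else counts as not enabled."""
    return env.get("SSO_ONLY", "false") == "true"


def check_sso_env(text: str) -> List[str]:
    """Return a list of findings; an empty list means the two settings are consistent."""
    env = parse_env(text)
    findings: List[str] = []
    sso_only = sso_only_enabled(env)
    frontend = env.get("SSO_FRONTEND", "")

    # The situation in the original report: SSO is mandatory, but the web vault still
    # opens on the "Email address (required)" and "Master password (required)" pages.
    if sso_only and frontend != "override":
        findings.append(
            "SSO_ONLY=true but SSO_FRONTEND is not 'override': web vault still shows the "
            "email/master-password pages before the single sign-on button"
        )

    # Assumption: SSO_FRONTEND only changes the login page, it does not enforce SSO.
    # Hiding the password form without SSO_ONLY leaves password login reachable.
    if frontend == "override" and not sso_only:
        findings.append(
            "SSO_FRONTEND=override without SSO_ONLY=true: only the login page changed; "
            "password login is presumably still accepted by the server"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("before", ENV_BEFORE), ("after", ENV_AFTER), ("ui-only", ENV_UI_ONLY)):
        print(name, check_sso_env(sample) or ["ok"])
```

Run it against the real file with `check_sso_env(open("/etc/vaultwarden.env").read())`; a clean result only says the two options agree with each other, not that the OIDC provider (EntraID here) is configured correctly.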