Timshel/vaultwarden

Auto-Invitation for Users who joined an Organization with SSO

jobritz opened this issue · 19 comments

Hi, just a quick question, because I think I see the issue but I don't know what to do.
I want to skip the email invitation for users to join an organization. I invite users with
SSO_ORGANIZATIONS_ID_MAPPING to my organization, but when I deactivate SMTP
the users are not added to the organization without an invitation link. In your README
you say that if I use the SSO_ORGANIZATIONS_ID_MAPPING I should use group name mapping
but I don't know what to do. Is there a specific configuration I'm missing?

Thanks for your help :).

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5-7
  • Web-vault version: voidc_button-v2024.1.2-6
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: true
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.45.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden: ADMIN_TOKEN, SSO_MASTER_PASSWORD_POLICY

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****************************",
  "domain_origin": "*****://****************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/log/vaultwarden.log",
  "log_level": "debug",
  "log_level_override": "",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "**********************",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": false,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "************,***********",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*******************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "https://login.microsoftonline.com/b70374ee-7ecf-4084-811c-1d38959350b6/v2.0",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "https://vaultwarden.app.hensoldt.net/identity/connect/oidc-signin",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "338002b7-91cc-4e23-8061-c7964908d8fb",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": "{\"enforceOnLogin\":true,\"minComplexity\":4,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":true,\"requireUpper\":true}",
  "sso_only": false,
  "sso_organizations_id_mapping": "4a60b709-5322-4bf6-a591-32cddeabd25a:b0ee6262-8ef0-4b8c-8f66-411f0b7e9511;",
  "sso_organizations_invite": true,
  "sso_organizations_token_path": "/roles",
  "sso_pkce": false,
  "sso_roles_default_to_user": true,
  "sso_roles_enabled": false,
  "sso_roles_token_path": "/resource_access/338002b7-91cc-4e23-8061-c7964908d8fb/roles",
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
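Added example, not code from the thread or from the vaultwarden project: a strict parser for the sso_organizations_id_mapping value shown in the config above, plus the lookup that resolves the group identifiers carried in the ID token claim at sso_organizations_token_path ("/roles" here) to Vaultwarden organization ids. It assumes the mapping format is "provider group id:organization uuid" pairs separated by ";" with an optional trailing ";"; the second pair in the sample is constructed.

```rust
use std::collections::HashMap;

/// Parse an SSO_ORGANIZATIONS_ID_MAPPING value.
/// Assumed format: "<provider group id>:<vaultwarden org uuid>;..." with an
/// optional trailing ';' (as in the config above). Malformed or duplicate
/// entries are rejected instead of being silently dropped, so a typo cannot
/// quietly leave users unmapped or mapped to the wrong organization.
pub fn parse_org_mapping(raw: &str) -> Result<HashMap<String, String>, String> {
    let mut map = HashMap::new();
    for pair in raw.split(';').map(str::trim).filter(|p| !p.is_empty()) {
        let (provider_id, org_id) = pair
            .split_once(':')
            .ok_or_else(|| format!("mapping entry without ':' separator: {pair}"))?;
        let (provider_id, org_id) = (provider_id.trim(), org_id.trim());
        if provider_id.is_empty() || org_id.is_empty() {
            return Err(format!("mapping entry with an empty side: {pair}"));
        }
        if map.insert(provider_id.to_string(), org_id.to_string()).is_some() {
            return Err(format!("duplicate provider id in mapping: {provider_id}"));
        }
    }
    Ok(map)
}

/// Resolve the group identifiers found in the token claim (SSO_ORGANIZATIONS_TOKEN_PATH)
/// to organization ids. Groups without a mapping entry are ignored: no mapping, no invitation.
pub fn orgs_for_token_groups<'a>(mapping: &'a HashMap<String, String>, groups: &[&str]) -> Vec<&'a str> {
    let mut orgs: Vec<&str> = groups
        .iter()
        .filter_map(|g| mapping.get(*g).map(String::as_str))
        .collect();
    orgs.sort_unstable();
    orgs.dedup();
    orgs
}

fn main() {
    // Constructed sample: the pair from the config above plus a second, made-up pair.
    let raw = "4a60b709-5322-4bf6-a591-32cddeabd25a:b0ee6262-8ef0-4b8c-8f66-411f0b7e9511;\
               aaaaaaaa-0000-0000-0000-000000000001:bbbbbbbb-0000-0000-0000-000000000002;";
    let mapping = parse_org_mapping(raw).expect("valid mapping");
    // A token listing one mapped group and one unknown group yields exactly one organization.
    let orgs = orgs_for_token_groups(&mapping, &["4a60b709-5322-4bf6-a591-32cddeabd25a", "unmapped-group"]);
    println!("{orgs:?}");
}
```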

Hey,

Just to be sure after the first login from the user did you go back with the Organization admin user to confirm the "invitation" ?

Yes, but I couldn't confirm the invitation. The user is listed in the "invited" section and not in the "Needs confirmation" section

Hey,

I can reproduce.
I would not recommend running the server without mail activated outside of testing; but will have a look.

Hi,

I did some testing in the meantime and I realized that deactivating SMTP is, as you recommended, not working for me because the account recovery administration isn't working without SMTP. I wanted to deactivate SMTP to make the login workflow more convenient because it should need less user interaction that way.
It would be awesome if you could skip the user invitation email anyway, while having smtp still running.

I also realized that if a user is added to an organization in my environment via SSO, he gets access to all collections by default. Is this on purpose, or would it be possible to make this configurable or set it to no collections as the default value?

Thank you so far for your amazing work!

It would be awesome if you could skip the user invitation email anyway, while having smtp still running.

We had some level of auto-enroll for a time to bypass a bug; it was removed when it became unnecessary, to keep the scope of the SSO PR to a minimum. But since it probably makes sense with the autoenroll feature, I might add it again in the main branch.

I also realized that if a user is added to an organization in my environment via SSO, he gets access to all collections by default. Is this on purpose, or would it be possible to make this configurable or set it to no collections as the default value?

Yep it's a default, will check but should be simple to allow to default to no collections.

Hey,

Just pushed 1.30.5-9 (should take 1h to build) with:

  • Fix organization invitation when SMTP is disabled.
  • Add SSO_ORGANIZATIONS_ALL_COLLECTIONS config to allow granting access to all collections or not (default true)

For the autoenroll, I thought about it again, but due to some limitation it's not possible to immediately set the user as confirmed; the logic needs to be split, so for now I will wait to see if there is more interest.

Awesome, thank you for your help.

Hey, don't worry, I just reopened to see if there is any more interest. I found a discussion on the main vaultwarden repo about an auto-confirmation script (dani-garcia#3954). I also think that auto-confirmation is not really necessary, but auto-invitation would be a cool feature. If somebody still wants to use auto-confirmation this script would be an option, but for me I'd be super happy if there is an option to skip the invitation step.

I am also very interested in this feature as it is the last thing for me to achieve seamless LDAP integration to Vaultwarden.

Having some issues with the script mentioned above. Have you been able to get it to work? Seems like it was written for an older version of the CLI and I have not had success updating it.

No sorry, I do not plan to use it and therefore didn't test it.

I would love to see auto-confirmation happening; for our use case the "confirmations" happen when adding the user to the right SSO group, so everything which needs less interaction would be great for us.

I just want to add my vote to this as well.
I've been testing Vaultwarden this last week and want it as simple as possible for users.
If a user signs in via SSO there should be no need for confirmation, as only valid accounts could SSO.
I have not got the org mapping setup yet, but that is my next step.

Edit:
I've setup org mapping today. My test user was auto invited to the org. The user still had to accept and admin confirm.
I'd like to see a new config option for SSO auto accept invite. This way the admin could choose the workflow. I know nothing about Rust, but would think it would be a simple if statement.

I will create a PR to update my notes on the org mapping for EntraID.