Connecting Bitwarden and Gitlab using OIDC
Security is relevant not only for our infrastructure but also for our passwords. Some people store them in a paper notebook, others in an Excel sheet. The bigger the password database, the bigger the damage if it falls into the wrong hands.
To further improve password storage at AD IT Systems, the requirements were, besides the obvious self-hosted storage, Single Sign-On and groups.
Bitwarden fulfilled all those criteria, so I decided to give it a spin. SSO is only supported with an Enterprise plan, and the “open source” version (Vaultwarden) explicitly states that these Enterprise features won’t be supported. I can live with this, so the “upstream” Enterprise plan it is.
On-Premise vs Cloud: both are fine
Although we will be using both systems “on-premise”, this guide to Single Sign-On between Gitlab and Bitwarden works for on-premise and cloud installations alike.
To simplify, I will reference both instances with on-premise URLs:
Install Bitwarden on-premise
Thanks to Docker and a very nice article in the help, setting up on-premise hosting of Bitwarden works smoothly.
Configure the organization in Bitwarden
From here on I follow the existing article on how to configure SSO with OIDC.
After the initial setup, head to the Settings of your organization and set an Identifier. Without it, SSO login is not possible.
Add OIDC application in Gitlab
To configure SSO in Bitwarden, first go to Gitlab and create a new OAuth2 application. Feel free to configure the application in Gitlab on a user, group, or even instance level, but keep in mind that all users with access to this OAuth application will be able to access your Bitwarden organization!
When you configure the application, supply the following details:
- Name: your own choice.
- Redirect URI: the URL to your Bitwarden Vault. In our case, it’s
- Check the scopes of
To allow login to Bitwarden only for one specific group, the application in Gitlab will look now similar to this:
(Kudos to the Gitlab UI designers who have shortened the fields with the secrets, so they don’t need to be redacted in screenshots!)
Configure Bitwarden with OpenID Connect
Keep the tab with the Gitlab details open and access the Business Portal of your vault in a second tab (e.g., https://vault.example.com/portal), where you go to Single Sign-On.
Set the Type to
Fill in the remaining form fields:
- The OIDC Authority is the full URL to your Gitlab installation, including protocol:
- Client ID: copy the Application ID from Gitlab.
- Similarly, the Client Secret is your Gitlab
- The Metadata address is a bit hidden in the Gitlab documentation. Specify here the URL to your Gitlab installation, with a
- Change the OIDC Redirect Behavior to
- Further scopes/claims were not required for us.
Important: if you set Form POST as OIDC Redirect Behavior, Gitlab will complain with “The change you requested was rejected.”! In the logs, an ActionController::InvalidAuthenticityToken exception will be shown, together with “Can't verify CSRF token authenticity”. Keep this option on
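Before clicking through the Bitwarden form, it helps to verify that the values you are about to enter are consistent with what Gitlab actually publishes. The following pre-flight check is an added example (it is not part of the original post, nor Bitwarden or Gitlab code). It assumes that the Gitlab instance publishes a standard OpenID Connect discovery document under the well-known path `/.well-known/openid-configuration` (that is where a provider's metadata address normally lives), and the sample document embedded below is constructed for illustration, not captured from a real instance. The check compares the Authority against the advertised issuer, confirms the endpoints sit on that HTTPS host, confirms the `openid` scope is offered, and tells you whether the provider advertises the response mode behind the redirect behaviour you picked (Bitwarden's Form POST corresponds to the OIDC response mode `form_post`; the plain redirect corresponds to `query`).

```python
"""Pre-flight check for Bitwarden <-> Gitlab OIDC settings (added example).

Assumptions: the OIDC provider publishes a standard discovery document at
<authority>/.well-known/openid-configuration; SAMPLE_DISCOVERY below is a
constructed document, not one captured from a real Gitlab instance.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Standard OpenID Connect Discovery path (OIDC Discovery 1.0 / RFC 8414).
DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample discovery document for offline use (hostnames are placeholders).
SAMPLE_AUTHORITY = "https://gitlab.example.com"
SAMPLE_DISCOVERY = {
    "issuer": "https://gitlab.example.com",
    "authorization_endpoint": "https://gitlab.example.com/oauth/authorize",
    "token_endpoint": "https://gitlab.example.com/oauth/token",
    "userinfo_endpoint": "https://gitlab.example.com/oauth/userinfo",
    "jwks_uri": "https://gitlab.example.com/oauth/discovery/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "response_modes_supported": ["query", "fragment"],
}


def discovery_url(authority: str) -> str:
    """Build the metadata address Bitwarden asks for from the OIDC Authority."""
    return authority.rstrip("/") + DISCOVERY_PATH


def fetch_discovery(authority: str, timeout: float = 10.0) -> dict:
    """Fetch the live discovery document (network call; the offline checks do not use it)."""
    with urllib.request.urlopen(discovery_url(authority), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(authority: str, doc: dict, response_mode: str = "query") -> list:
    """Return a list of problems; an empty list means the settings look consistent.

    response_mode is the OIDC response mode behind the Bitwarden setting:
    "query" for the normal redirect, "form_post" for Form POST.
    """
    problems = []
    auth = authority.rstrip("/")
    auth_parts = urlparse(auth)

    # The Authority must be an HTTPS URL and must equal the advertised issuer.
    if auth_parts.scheme != "https":
        problems.append(f"authority {auth!r} must use https")
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if issuer != auth:
        problems.append(f"issuer {issuer!r} does not match authority {auth!r}")

    # Every endpoint Bitwarden will talk to must live on the issuer host over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        value = doc.get(key)
        if not value:
            problems.append(f"discovery document lacks {key}")
            continue
        parts = urlparse(value)
        if parts.scheme != "https" or parts.netloc != auth_parts.netloc:
            problems.append(f"{key} {value!r} is not on the HTTPS authority host")

    # 'openid' is mandatory for an OIDC login; without it you only get plain OAuth2.
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("provider does not advertise the 'openid' scope")

    # Per the discovery spec the default, when the key is absent, is query and fragment.
    modes = doc.get("response_modes_supported", ["query", "fragment"])
    if response_mode not in ("query", "form_post"):
        problems.append(f"unknown response mode {response_mode!r}")
    elif response_mode not in modes:
        problems.append(f"provider does not advertise response_mode {response_mode!r}")

    return problems


if __name__ == "__main__":
    print("metadata address:", discovery_url(SAMPLE_AUTHORITY))
    for mode in ("query", "form_post"):
        print(mode, check_discovery(SAMPLE_AUTHORITY, SAMPLE_DISCOVERY, mode) or "ok")
```

Run it against a live instance by replacing `SAMPLE_DISCOVERY` with `fetch_discovery(authority)`; a non-empty result for `form_post` is the early warning that the Form POST behaviour is not something the provider advertises, which matches the CSRF rejection described above.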
Finally, use the Enabled checkbox at the top of the settings to enable OpenID Connect and
If everything has been set up correctly, you are now returned to your vault.
Link your SSO account
A bit hidden: go to Settings and select Organizations. When you now hover over your organization, a cog icon appears on the right side and lets you Link SSO (Help). This redirects you to Gitlab, where you can authorize your SSO application.
From then on, you can use the Enterprise SSO Login. Keep in mind that your master password is still required to decrypt your secrets!
If everything works, the vault owner can go back to the Business Portal and the policies. Activating Single Sign-On Authentication will require all your (non-admin) users to pass through Gitlab SSO.
This also allows provisioning of new users into your Bitwarden vault: on a user's first Single Sign-On request back to your vault, Bitwarden creates a new user. This user receives the state accepted, similar to “has accepted an invitation”, and must be confirmed manually by an admin (and also assigned to groups, if applicable).
Some additional notes at the end:
- The Gitlab documentation is nice; only the differing terminology and the “missing” URLs required further research.
- Bitwarden provides documentation on how to connect Azure as well as Okta. Both, combined with testing, were sufficient to connect Gitlab for SSO with Bitwarden.
Further information on SSO, on Bitwarden and Gitlab, as well as the help articles I have consulted:
- Bitwarden: OIDC Configuration
- Gitlab: OIDC OmniAuth Provider
- Gitlab as OpenID Connect identity provider
- Gitlab: OpenID Connect Configuration URL
Feel free to reach out if I have omitted relevant details or other information.