Connecting Bitwarden and Gitlab using OIDC

Security is relevant not just for our infrastructure, but also for our passwords. Some people store them in a paper notebook, others use Excel to store them digitally. The bigger the password database, the bigger the damage if it falls into the wrong hands.

To further improve our password storage at AD IT Systems, Single Sign-On and groups were requirements, aside from the obvious self-hosted storage.

Bitwarden fulfilled all those criteria, so I decided to give it a spin. SSO is only supported with an Enterprise plan, and the “open source” version (Vaultwarden) explicitly states that these Enterprise features won’t be supported. I can live with this, so the “upstream” Enterprise plan it is.

On-Premise vs Cloud: both are fine

Although we will be using both systems “on-premise”, this guide to Single Sign-On between Gitlab and Bitwarden applies equally to on-premise and cloud installations.

To simplify, I will reference both instances with on-premise URLs:

Install Bitwarden on-premise

Thanks to Docker and a very nice help article, setting up on-premise hosting of Bitwarden works smoothly.

Configure the organization in Bitwarden

I’m now following the existing article on how to configure SSO with OIDC.

After the initial setup, head to the Settings of your organization and set an Identifier. Without this, the SSO login will not be possible.

Add OIDC application in Gitlab

To now configure SSO in Bitwarden, go to Gitlab and create a new OAuth2 application. Feel free to configure the application in Gitlab on a user, group, or even instance level - but keep in mind that all users with access to this OAuth application will be able to access your Bitwarden organization!

When you configure the application, supply the following details:

To allow login to Bitwarden only for one specific group, the application in Gitlab will now look similar to this:

Group Application in Gitlab

(Kudos to the Gitlab UI designers that have shortened the fields with the secrets, so they don’t need to be redacted in screenshots!)

Configure Bitwarden with OpenID Connect

Keep the tab with the Gitlab details open and access the Business Portal of your vault in a second tab (e.g., https://vault.example.com/portal), where you go to Single Sign-On.

Set the Type to OpenID Connect.

Fill in the remaining form fields:

Important: if you set Form POST as the OIDC Redirect Behavior, Gitlab will complain with “The change you requested was rejected.” In the logs, an ActionController::InvalidAuthenticityToken exception will be shown, together with “Can't verify CSRF token authenticity”. Keep this option on Redirect GET.
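Before filling in the Bitwarden form, it is worth checking the OIDC discovery document Gitlab serves at /.well-known/openid-configuration for the things a relying party like Bitwarden depends on: the exact issuer string, HTTPS-only endpoints, the authorization code flow and the openid/profile/email scopes. This is an added example, not code from the post or from either project; the sample document and the gitlab.example.com host are constructed placeholders.

```python
"""Preflight check of an OIDC provider's discovery document before wiring it
into Bitwarden's SSO settings. Added example, not part of the original post;
the sample document below is constructed and the hostnames are placeholders."""
import json
from urllib.parse import urlparse

# Constructed discovery document in the shape Gitlab serves at
# https://gitlab.example.com/.well-known/openid-configuration (placeholder host).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://gitlab.example.com",
    "authorization_endpoint": "https://gitlab.example.com/oauth/authorize",
    "token_endpoint": "https://gitlab.example.com/oauth/token",
    "userinfo_endpoint": "https://gitlab.example.com/oauth/userinfo",
    "jwks_uri": "https://gitlab.example.com/oauth/discovery/keys",
    "scopes_supported": ["api", "read_user", "openid", "profile", "email"],
    "response_types_supported": ["code"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
# Scopes an OIDC relying party needs to identify the user and read their email.
REQUIRED_SCOPES = {"openid", "profile", "email"}


def check_discovery(doc_json: str, expected_issuer: str) -> list[str]:
    """Return a list of findings; an empty list means the document looks usable."""
    doc = json.loads(doc_json)
    findings = []
    # The issuer must match exactly what we will configure on the relying party:
    # the "iss" claim of the ID token is compared verbatim, so even a trailing
    # slash breaks token validation.
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            findings.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key} is not served over https: {url}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        findings.append(f"scopes not offered by the IdP: {sorted(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow (response_type=code) not supported")
    return findings
```

Run it against the real document by fetching the URL and passing the response body as `doc_json`; any finding should be resolved before enabling SSO for the organization.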

Finally, use the Enabled checkbox at the top of the settings to enable OpenID Connect and Save.

If everything has been set up correctly, you will now return to your vault.

A bit hidden: go to Settings and select Organizations. When you hover over your organization, the cog menu icon appears on the right side and lets you Link SSO (Help). This will redirect you to Gitlab, where you can now authorize your SSO application.

From now on, you can use the Enterprise SSO Login. Keep in mind that your master password is still required to decrypt your secrets!

If everything works, the vault owner can go back to the Business Portal and its policies. Activating Single Sign-On Authentication will require all (non-admin) users to log in through Gitlab SSO.

Conclusion

This also allows provisioning of new users into your Bitwarden vault: on the first Single Sign-On request back to your vault, Bitwarden creates a new user. This user receives the state Accepted, similar to “has accepted an invitation”, and must be manually confirmed by an admin (and assigned to groups, if applicable).

Some additional notes in the end:

Further information on SSO, on Bitwarden and Gitlab, as well as the help articles I have consulted:

Feel free to reach out if I have omitted relevant details or other information.