Jacadasag-dev/vaultwarden-saml-installer

Vaultwarden SAML Installer

One-line installer for Vaultwarden with SAML SSO support - a Bitwarden-compatible server with enterprise SSO capabilities.

Quick Install

curl -sSL https://raw.githubusercontent.com/Jacadasag-dev/vaultwarden-saml-installer/master/install.sh | bash

Secure Install (Recommended)

# Download and review the script first
curl -sSL https://raw.githubusercontent.com/Jacadasag-dev/vaultwarden-saml-installer/master/install.sh -o install.sh
cat install.sh  # Review the script
chmod +x install.sh
./install.sh
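
Reviewing the script only helps if the bytes that run are the bytes that were reviewed. The following is an added example, not part of this repository: it records a SHA-256 digest at review time and refuses to run a copy that no longer matches. The function names verify_sha256 and run_if_verified are hypothetical, and the digest is one you record yourself, since the project does not publish one.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX -> 0 match, 1 mismatch, 2 bad input
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    printf 'digest mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_HEX: run the installer only after the digest check
run_if_verified() {
    verify_sha256 "$1" "$2" || return $?
    bash "$1"
}

# Constructed demo: a stand-in script is hashed at "review" time, then modified
demo=$(mktemp)
echo 'echo "stand-in installer ran"' > "$demo"
reviewed=$(sha256sum "$demo" | cut -d' ' -f1)
run_if_verified "$demo" "$reviewed"          # digest matches, script runs
echo 'echo "line added after review"' >> "$demo"
run_if_verified "$demo" "$reviewed" || echo "refused to run modified script"
rm -f "$demo"
```

The same digest can then be used on every other host that installs from a copied install.sh, so a changed upstream master branch is detected instead of executed.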

What it installs

  • Docker and Docker Compose (if not present)
  • Vaultwarden server with SAML support
  • SQLite database (lightweight, perfect for personal/small team use)
  • Management commands

After Installation

The installer creates a vaultwarden-saml command:

vaultwarden-saml start        # Start Vaultwarden
vaultwarden-saml stop         # Stop Vaultwarden
vaultwarden-saml status       # Check status
vaultwarden-saml logs         # View logs
vaultwarden-saml update       # Update to latest version
vaultwarden-saml backup       # Create backup
vaultwarden-saml restore      # Restore from backup
vaultwarden-saml config       # Show configuration
vaultwarden-saml admin-token  # Display admin token
vaultwarden-saml enable-saml  # Enable SAML SSO
vaultwarden-saml disable-saml # Disable SAML SSO
vaultwarden-saml uninstall    # Remove everything

Access

After installation, access Vaultwarden at:

SAML SSO Setup

1. Configure your Identity Provider

Edit the configuration file:

nano ~/.local/share/vaultwarden-saml/.env

Add your IdP settings:

SAML_ENABLED=true
SAML_IDP_METADATA_URL=https://your-idp.com/metadata.xml
SAML_IDP_ENTITY_ID=https://your-idp.com/entity-id

2. Enable SAML

vaultwarden-saml enable-saml
vaultwarden-saml restart

3. Configure IdP with SP Metadata

Share your Service Provider metadata with your IdP admin:

Example IdP Configurations

Okta

SAML_IDP_METADATA_URL=https://dev-12345.okta.com/app/exk1234567890/sso/saml/metadata
SAML_IDP_ENTITY_ID=http://www.okta.com/exk1234567890

Azure AD

SAML_IDP_METADATA_URL=https://login.microsoftonline.com/tenant-id/federationmetadata/2007-06/federationmetadata.xml
SAML_IDP_ENTITY_ID=https://sts.windows.net/tenant-id/

Google Workspace

SAML_IDP_METADATA_URL=https://accounts.google.com/saml2/metadata?idpid=C01234567
SAML_IDP_ENTITY_ID=https://accounts.google.com/o/saml2?idpid=C01234567

Keycloak

SAML_IDP_METADATA_URL=https://keycloak.example.com/auth/realms/master/protocol/saml/descriptor
SAML_IDP_ENTITY_ID=https://keycloak.example.com/auth/realms/master

Client Configuration

Configure Bitwarden clients (desktop, mobile, browser extension):

  1. Click the gear icon ⚙️ before login
  2. Set Server URL to: http://your-server-ip
  3. Save and login

Production Setup

For production use, you should:

  1. Set up SSL/TLS:

    • Use a reverse proxy (nginx, caddy, traefik)
    • Obtain SSL certificates (Let's Encrypt)
    • Update DOMAIN in .env to use HTTPS
  2. Configure Firewall:

    • Allow ports 80/443 for web access
    • Allow port 3012 for WebSocket notifications
  3. Update SAML URLs:

    • Change all URLs to use HTTPS
    • Update IdP configuration with production URLs
  4. Backup Strategy:

    # Create regular backups
    crontab -e
    # Add: 0 2 * * * vaultwarden-saml backup

System Requirements

  • Ubuntu or Debian-based Linux (20.04+ recommended)
  • 64-bit architecture (AMD64)
  • Docker and Docker Compose
  • At least 1GB RAM
  • 2GB free disk space

Security Notes

The installer:

  • Generates secure admin tokens automatically
  • Sets proper file permissions (600 for .env)
  • Uses SQLite with WAL mode for data integrity
  • Supports encrypted backups
  • Never exposes secrets in logs
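
The HTTPS steps under Production Setup and the 600 permission noted above can be checked mechanically. The following is an added example, not the installer's own code: it audits a .env file for permission drift and for plain-HTTP values in DOMAIN and SAML_IDP_METADATA_URL. The function names env_get and audit_env are hypothetical, and GNU stat (as on Ubuntu/Debian) is assumed.

```shell
#!/bin/sh
# env_get FILE KEY: print the value of the last KEY=value line, quotes stripped
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# audit_env FILE: print one line per finding; exit status = number of findings
audit_env() {
    f=$1
    findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # The page states the installer sets 600 on .env; report any drift
    mode=$(stat -c '%a' "$f") || return 99
    [ "$mode" = "600" ] || fail "$f has mode $mode, expected 600"

    case $(env_get "$f" DOMAIN) in
        https://*) ;;
        *) fail "DOMAIN is not an https:// URL" ;;
    esac

    if [ "$(env_get "$f" SAML_ENABLED)" = "true" ]; then
        # IdP metadata carries the signing certificate the SP will trust,
        # so it must be fetched over TLS
        case $(env_get "$f" SAML_IDP_METADATA_URL) in
            https://*) ;;
            *) fail "SAML_IDP_METADATA_URL is not an https:// URL" ;;
        esac
        # The entity ID is only an identifier and may legitimately be http://
        [ -n "$(env_get "$f" SAML_IDP_ENTITY_ID)" ] || fail "SAML_IDP_ENTITY_ID is empty"
    fi
    return "$findings"
}

# Constructed sample .env (placeholder values) with four problems
demo=$(mktemp)
printf '%s\n' 'DOMAIN=http://192.0.2.10' 'SAML_ENABLED=true' \
    'SAML_IDP_METADATA_URL=http://idp.example.test/metadata.xml' > "$demo"
chmod 644 "$demo"
audit_env "$demo" || echo "findings: $?"
rm -f "$demo"
```

Against a real install, run it as audit_env ~/.local/share/vaultwarden-saml/.env after any manual edit of the file.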

Troubleshooting

Permission Errors

# Log out and back in to apply docker group membership
# Or use sudo with the vaultwarden-saml command
sudo vaultwarden-saml start

SAML Login Issues

  1. Check that the IdP metadata URL is accessible
  2. Verify that the Entity IDs match between IdP and SP
  3. Check the logs: vaultwarden-saml logs
  4. Ensure that user attributes (email, name) are being sent
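
Steps 1 and 2 can be combined into one check: read the entityID the IdP actually publishes in its metadata and compare it with the SAML_IDP_ENTITY_ID value in .env. The following is an added example, not part of this repository; the function names are hypothetical and the sample metadata is constructed.

```shell
#!/bin/sh
# metadata_entity_id FILE: print the entityID of the (last) EntityDescriptor.
# Handles an optional namespace prefix (md:) and double-quoted attributes only.
metadata_entity_id() {
    # Join lines first so an attribute on a continuation line is still matched
    tr '\n' ' ' < "$1" | sed -n \
      's/.*<[A-Za-z0-9_]*:\{0,1\}EntityDescriptor[^>]*[[:space:]]entityID="\([^"]*\)".*/\1/p'
}

# check_entity_id FILE CONFIGURED -> 0 match, 1 mismatch, 2 no entityID found
check_entity_id() {
    found=$(metadata_entity_id "$1")
    if [ -z "$found" ]; then
        echo "no EntityDescriptor entityID found in $1" >&2
        return 2
    fi
    if [ "$found" = "$2" ]; then
        echo "OK: $found"
        return 0
    fi
    echo "MISMATCH: metadata='$found' configured='$2'"
    # Entity IDs are compared as exact strings, so call out the usual near-misses
    [ "${found%/}" != "${2%/}" ] || echo "hint: differs only by a trailing slash"
    [ "${found#*://}" != "${2#*://}" ] || echo "hint: differs only by URL scheme"
    return 1
}

# Constructed sample metadata (not from any real IdP), trimmed to the relevant element
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
EOF
check_entity_id "$sample" "https://idp.example.test/realms/demo/" || true
rm -f "$sample"
```

For a live check, save the metadata first with curl -fsS "$SAML_IDP_METADATA_URL" -o idp-metadata.xml; a failure of that download is itself the answer to step 1.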

Database Issues

# Create backup before any fixes
vaultwarden-saml backup

# Check database integrity
docker exec -it vaultwarden-saml sqlite3 /data/db.sqlite3 "PRAGMA integrity_check;"

Migrate from Standard Vaultwarden

If you have an existing Vaultwarden installation:

  1. Create a backup of your existing data
  2. Stop the old Vaultwarden instance
  3. Install Vaultwarden SAML
  4. Copy your data directory to ~/.local/share/vaultwarden-saml/vw-data
  5. Start Vaultwarden SAML

Uninstall

To completely remove Vaultwarden SAML:

vaultwarden-saml uninstall

⚠️ Warning: This removes all data including stored passwords! Create a backup first.

Support

License

This project is based on Vaultwarden, which is licensed under AGPL-3.0.

Updated Wed, Aug 6, 2025 1:51:32 PM
