[GH-ISSUE #6374] SSO: "Failed to retrieve the associated organization" #2413

Closed
opened 2026-03-03 02:18:06 +03:00 by kerem · 9 comments

Originally created by @mkjeller on GitHub (Oct 19, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6374

Prerequisites

  • [x] I have searched the existing Closed AND Open Issues AND Discussions
  • [x] I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-3f010a50
  • Web-vault version: v2025.9.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (cf-connecting-ip)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "K-VAULT",
  "invitations_allowed": true,
  "ip_header": "cf-connecting-ip",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "K-VAULT Administration",
  "smtp_host": "****************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*******************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3-3f010a50

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

cloudflared

Host/Server Operating System

Linux

Operating System Version

Docker

Clients

Web Vault

Client Version

v2025.9.1

Steps To Reproduce

  1. Go to https://vault.example.domain/#/sso
  2. Enter anything in the SSO identifier field (the documentation does not make clear what belongs here; in this case "TESTSTRING" was used).
  3. Sign in with SSO service (in this case PocketID)
  4. Create a master password
  5. Click Create account

Expected Result

Master password is saved and login flow continues / user is presented with their brand new vault

Actual Result

The web interface hangs for a few seconds before failing with a toast in the top right corner stating:

An error has occurred.
Failed to retrieve the associated organization

Logs

[2025-10-19 08:26:21.977][vaultwarden::api::identity][INFO] User test logged in successfully. IP: [REDACTED IPv6]

[2025-10-19 08:26:21.978][response][INFO] (login) POST /identity/connect/token => 200 OK

[2025-10-19 08:26:22.028][request][INFO] GET /api/sync?excludeDomains=true

[2025-10-19 08:26:22.030][response][INFO] (sync) GET /api/sync?<data..> => 200 OK

[2025-10-19 08:26:22.092][request][INFO] POST /identity/connect/token

[2025-10-19 08:26:22.410][response][INFO] (login) POST /identity/connect/token => 200 OK

[2025-10-19 08:26:22.457][request][INFO] GET /api/sync?excludeDomains=true

[2025-10-19 08:26:22.459][response][INFO] (sync) GET /api/sync?<data..> => 200 OK

[2025-10-19 08:26:22.506][request][INFO] GET /api/organizations/TESTSTRING/auto-enroll-status

[2025-10-19 08:26:22.507][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK

[2025-10-19 08:26:22.552][request][INFO] GET /api/organizations/e2c6120f-9036-4984-a46b-8091393130a4/policies/master-password

[2025-10-19 08:26:22.553][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 200 OK

[2025-10-19 08:26:49.594][request][INFO] POST /api/accounts/set-password

[2025-10-19 08:26:49.978][vaultwarden::api::core::accounts][ERROR] Failed to retrieve the associated organization

[2025-10-19 08:26:49.978][response][INFO] (post_set_password) POST /api/accounts/set-password => 400 Bad Request

Additional Context

This has been tested with the following settings toggled on and off in various combinations.
The error persists in all cases.

  • Allow new signups
  • Only SSO login

The error does NOT occur if the user first creates an account the traditional way and then re-attempts SSO login: email association (`sso_signups_match_email` is `true` in the config above) takes over and the OIDC subject is linked to the existing account by matching email. Note that `sso_allow_unknown_email_verification` is left at `false`, so the identity provider is expected to report the address as verified before that link is made; that check is the safeguard against linking an unverified email claim to an existing account, so it should stay off unless the IdP is known to only issue verified emails.
SSO logins work from then on, but the user is still prompted for their master password (presumably intended, since SSO only authenticates while the master password is what unlocks the encrypted vault).


@Timshel commented on GitHub (Oct 22, 2025):

Hey — when logging in from the default URL, the Identifier value is resolved from the email.
If you want to log in directly from https://vault.example.domain/#/sso you have to enter the dummy value `VW_DUMMY_IDENTIFIER_FOR_OIDC` (or the UUID of an organization) in the SSO identifier field. It is a literal value typed into the login form, not a configuration setting.


@mkjeller commented on GitHub (Oct 24, 2025):

I'm afraid the issue persists even with that value set in the .env file
(Server ver now: 1.34.3-a85b4851)

Image: https://github.com/user-attachments/assets/9b646a75-8c6c-46d1-aa11-03cf3bfdb8da

@Timshel commented on GitHub (Oct 27, 2025):

`VW_DUMMY_IDENTIFIER_FOR_OIDC` is not an environment setting; it is the SSO identifier you need to enter in the login form instead of `TESTSTRING`.


@mkjeller commented on GitHub (Oct 27, 2025):

Image: https://github.com/user-attachments/assets/d243e911-7fc1-4a8a-93f8-f08cf47d15a6

Yup, that worked, sorry for the misunderstanding there.
I'll close this issue out now.


@Schweizer-Philipp commented on GitHub (Nov 8, 2025):

Is there a way to configure the invitation link so that the orgSsoIdentifier value is automatically set to either VW_DUMMY_IDENTIFIER_FOR_OIDC or the UUID of an existing organization?

I have self-registration disabled and users can only log in via SSO.
When I manually replace the orgSsoIdentifier in the invitation URL with the correct value, the invited user can register successfully — but I can’t find any configuration option in Vaultwarden to make it use that value automatically.

Currently, the invitation link always carries the nil UUID (00000000-0000-0000-0000-000000000000) as the orgSsoIdentifier value.


@Timshel commented on GitHub (Nov 8, 2025):

Currently, the invitation link always contains an empty UUID (00000000-0000-0000-0000-000000000000).

Sounds like a bug I'll check.


@saschabrockel commented on GitHub (Nov 27, 2025):

I have the same bug @Schweizer-Philipp


@Timshel commented on GitHub (Nov 27, 2025):

@Schweizer-Philipp @saschabrockel had a look, had never used the admin invite with SSO; https://github.com/dani-garcia/vaultwarden/pull/6498 should fix the issue.


@CidAlfa commented on GitHub (Dec 31, 2025):

OIDC SSO + Auto-enroll fails with Failed to retrieve the associated organization during master password setup.

Environment

Vaultwarden: latest (Docker)

Keycloak: 24.0.1 (OIDC)

Deployment: Docker + Nginx reverse proxy

OS: Ubuntu

Domain:

Vaultwarden: https://domain.com

Keycloak: https://domain.com

Login mode: SSO_ONLY = true

We are using Vaultwarden with OIDC SSO (Keycloak) and want to automatically enroll all SSO users into a single organization.

SSO login itself works correctly, but during first-time login, when Vaultwarden asks the user to set the master password, the process fails with:

Failed to retrieve the associated organization

This happens consistently on:

POST /api/accounts/set-password

Expected Behavior

After successful OIDC login:

User should be automatically associated with an organization

User should be able to set the master password

Account creation should complete successfully

Actual Behavior

OIDC login succeeds

User reaches the “Set master password” screen

On submit, Vaultwarden returns 400 Bad Request

Log shows:

Failed to retrieve the associated organization

Configuration (important parts)
.env
DOMAIN=https://domain.com

SSO_ENABLED=true
SSO_ONLY=true

SSO_AUTHORITY=https://domain.com/realms/client
SSO_CLIENT_ID=vaultwarden
SSO_CLIENT_SECRET=********
SSO_SCOPES="openid email profile"
SSO_PKCE=true

SIGNUPS_ALLOWED=true
SSO_SIGNUPS_MATCH_EMAIL=true
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false

ORG_CREATION_USERS=admin.main@domain.com

VW_DUMMY_IDENTIFIER_FOR_OIDC=442ff294-6c70-498a-8dc2-7fad2a2fc206

We also tested using an organization slug instead of UUID.

Vaultwarden Admin Settings

Allow new signups: true
Allow invitations: true
Email domain whitelist: domain.com
Org creation users: admin.main@domain.com
Invitation organization name: Vaultwarden
Only SSO login: true
Allow email association: true

Allow unknown email verification status: false

Organization Details

Organization exists and is visible in Admin UI

Organization has:

Users: 1

Collections: 1

Groups: 0

Organization UUID example:

442ff294-6c70-498a-8dc2-7fad2a2fc206

Logs (important excerpts)
Successful SSO login
[INFO] User xusan logged in successfully.
POST /identity/connect/token => 200 OK
Auto-enroll check (note identifier)
GET /api/organizations/bs.ahmedovhusan@domain.com/auto-enroll-status => 200 OK

Vaultwarden seems to use the email as organization identifier, not the org UUID or slug.

Failure during master password setup
POST /api/accounts/set-password
[ERROR] Failed to retrieve the associated organization
=> 400 Bad Request

This happens every time.

What We Tried
Resetting admin configuration
Recreating the organization
Deleting and re-creating users
Using VW_DUMMY_IDENTIFIER_FOR_OIDC with:
UUID
Organization slug
Restarting containers
Verifying OIDC discovery endpoint
Verifying callback path
Confirmed that /auto-enroll-status returns 200
None of the above resolved the issue.
Observations / Suspected Cause

Vaultwarden resolves the organization using the email as identifier (consistent with the earlier comment in this thread: on the default login URL the identifier is derived from the email)
`VW_DUMMY_IDENTIFIER_FOR_OIDC` does not seem to be applied during set-password — note that, as explained earlier in this thread, it is not an environment variable but the literal string to enter in the SSO identifier field of the login form, so the `.env` entry shown above has no effect
Auto-enroll logic succeeds, but the organization is not attached to the user context during password creation

Question
What is the correct and supported way to:
Automatically associate OIDC users with an organization
Avoid Failed to retrieve the associated organization during master password setup
Should VW_DUMMY_IDENTIFIER_FOR_OIDC be:
UUID?
Organization slug?
Something else?
Is this a known limitation or a bug in the OIDC + auto-enroll flow?

Additional Notes
We are logging in directly via the Vaultwarden domain (not via email-first flow)
This setup worked earlier but started failing after reconfiguration
We can provide more logs or test patches if needed

@Timshel can you help with fix this problem
