How can I set up all SSO users to automatically be members?

[Erudition]

I use Authentik for SSO at our nonprofit makerspace and just set up Vaultwarden for our shared passwords. It's all self-hosted on-premises.

While I have SSO working, I can't really see how to get the whole organization (20 or so people at least) on board when I have t manually:

1. Get the user, who already has an SSO account, to sign in to the Vaultwarden app specifically so their VW account gets created - else I can't invite them since they don't exist
   a. They are now logged in, but only to a personal vault, and can't do anything until I'm available again to do the next step, so we have to wait on each other back and forth
2. Invite the user to the organization, since auto-joining organizations is not supported, by manually entering their name in the organization settings
   b. I now have to wait again for them to get an email and accept the invite before I can go any further
3. Once they join the organization, I then have to manually add them to groups and give them permissions to shared vault items, as I can't find a way to sync this with Authentik roles or groups

Which is a lot of work when I want any SSO member to have complete self-service in getting onto the Vaultwarden instance.

Do I have this right? Am I missing something obvious?

[dennisbitsonline]

Still struggling with sso in combination with authelia on nginx proxy, docker enviroment variables, secrets and not able to activate.
Client gets enterprise SSO option, but unable to configure serverside.
Mind sharing some config pointers in the meantime?

[dennisbitsonline]

I've a working SSO install now, had conflicting data between enviroment variables and data.json (scopes for instance). Dropped the .env data and updated the data on admin page. that solved it.
My iOSapp got stuck on 2 factor sso couldnt webauth passkey without looping the whole authentication process over and over. Disabled webauth in Authelia fixed that.

[maddingamer]

I think currently in testing it's "only" SSO, but what you need for mapping users/groups to organizations is SCIM (as described in #3842)

[floriandeutsch89]

You can still use the regular sync app or am I missing something?
https://bitwarden.com/help/directory-sync-desktop/

This works fine for EntraID. I guess it's pretty similar with Authentik as it's all OpenID.

You will want to use groups and assign them to the respective collection(s)
ORG_GROUPS_ENABLED=true