[PM-29142] Config for SSO cookie vending (#6880)

This config may be used when a load balancer in front of Bitwarden is first verifying an auth cookie issued by an IdP before proxying the request to Bitwarden.
2026-01-31 06:03:12 +08:00 · 2026-01-22 15:20:38 -06:00
parent bab4750caa
commit 415821f173
5 changed files with 39 additions and 2 deletions
--- a/dev/secrets.json.example
+++ b/dev/secrets.json.example
@@ -39,6 +39,14 @@
    },
    "licenseDirectory": "<full path to license directory>",
    "enableNewDeviceVerification": true,
-    "enableEmailVerification": true
+    "enableEmailVerification": true,
+    "communication": {
+      "bootstrap": "none",
+      "ssoCookieVendor": {
+        "idpLoginUrl": "",
+        "cookieName": "",
+        "cookieDomain": ""
+      }
+    }
  }
 }
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -83,7 +83,6 @@ public class GlobalSettings : IGlobalSettings
    public virtual ILaunchDarklySettings LaunchDarkly { get; set; } = new LaunchDarklySettings();
    public virtual string DevelopmentDirectory { get; set; }
    public virtual IWebPushSettings WebPush { get; set; } = new WebPushSettings();
-
    public virtual int SendAccessTokenLifetimeInMinutes { get; set; } = 5;
    public virtual bool EnableEmailVerification { get; set; }
    public virtual string KdfDefaultHashKey { get; set; }
@@ -93,6 +92,7 @@ public class GlobalSettings : IGlobalSettings
    public virtual string SendDefaultHashKey { get; set; }
    public virtual string PricingUri { get; set; }
    public virtual Fido2Settings Fido2 { get; set; } = new Fido2Settings();
+    public virtual ICommunicationSettings Communication { get; set; } = new CommunicationSettings();

    public string BuildExternalUri(string explicitValue, string name)
    {
@@ -776,4 +776,17 @@ public class GlobalSettings : IGlobalSettings
    {
        public HashSet<string> Origins { get; set; }
    }
+
+    public class CommunicationSettings : ICommunicationSettings
+    {
+        public string Bootstrap { get; set; } = "none";
+        public ISsoCookieVendorSettings SsoCookieVendor { get; set; } = new SsoCookieVendorSettings();
+    }
+
+    public class SsoCookieVendorSettings : ISsoCookieVendorSettings
+    {
+        public string IdpLoginUrl { get; set; }
+        public string CookieName { get; set; }
+        public string CookieDomain { get; set; }
+    }
 }
--- a/src/Core/Settings/ICommunicationSettings.cs
+++ b/src/Core/Settings/ICommunicationSettings.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Settings;
+
+public interface ICommunicationSettings
+{
+    string Bootstrap { get; set; }
+    ISsoCookieVendorSettings SsoCookieVendor { get; set; }
+}
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@@ -29,4 +29,5 @@ public interface IGlobalSettings
    IWebPushSettings WebPush { get; set; }
    GlobalSettings.EventLoggingSettings EventLogging { get; set; }
    GlobalSettings.WebAuthnSettings WebAuthn { get; set; }
+    ICommunicationSettings Communication { get; set; }
 }
--- a/src/Core/Settings/ISsoCookieVendorSettings.cs
+++ b/src/Core/Settings/ISsoCookieVendorSettings.cs
@@ -0,0 +1,8 @@
+namespace Bit.Core.Settings;
+
+public interface ISsoCookieVendorSettings
+{
+    string IdpLoginUrl { get; set; }
+    string CookieName { get; set; }
+    string CookieDomain { get; set; }
+}