Update SSO.md

SSO.md

@@ -12,29 +12,29 @@ This introduces another way to control who can use the vault without having to u
 
 The following configurations are available
 
- - `SSO_ENABLED` : Activate the SSO
- - `SSO_ONLY` : disable email+Master password authentication
- - `SSO_SIGNUPS_MATCH_EMAIL`: On SSO Signup if a user with a matching email already exists make the association (default `true`)
- - `SSO_AUTHORITY` : the OpenID Connect Discovery endpoint of your SSO
- 	- Should not include the `/.well-known/openid-configuration` part and no trailing `/`
- 	- $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
- - `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
- - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
- - `SSO_PKCE`: Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support (default `false`).
- - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
- - `SSO_CLIENT_ID` : Client Id
- - `SSO_CLIENT_SECRET` : Client Secret
- - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
- - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle.
- - `SSO_ROLES_ENABLED`: control if the mapping is done, default is `false`
- - `SSO_ROLES_DEFAULT_TO_USER`: do not block login in case of missing or invalid roles, default is `true`.
- - `SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles`: path to read roles in the Id token
- - `SSO_ORGANIZATIONS_INVIT`: control if the mapping is done, default is `false`
- - `SSO_ORGANIZATIONS_TOKEN_PATH`: path to read groups/organization in the Id token
- - `SSO_ORGANIZATIONS_ID_MAPPING`: Optional, allow to map provider group to a Vaultwarden organization `uuid` (default `""`, format: `"ProviderId:VaultwardenId;"`)
- - `SSO_ORGANIZATIONS_ALL_COLLECTIONS`: Grant access to all collections, default is `true`
- - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
- - `SSO_DEBUG_TOKENS`: Log all tokens for easier debugging (default `false`, `LOG_LEVEL=debug` or `LOG_LEVEL=info,vaultwarden::sso=debug` need to be set)
+- `SSO_ENABLED` : Activate the SSO
+- `SSO_ONLY` : disable email+Master password authentication
+- `SSO_SIGNUPS_MATCH_EMAIL`: On SSO Signup if a user with a matching email already exists make the association (default `true`)
+- `SSO_AUTHORITY` : the OpenID Connect Discovery endpoint of your SSO
+  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
+  - $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: <https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse>
+- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
+- `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
+- `SSO_PKCE`: Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support (default `false`).
+- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
+- `SSO_CLIENT_ID` : Client Id
+- `SSO_CLIENT_SECRET` : Client Secret
+- `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
+- `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle.
+- `SSO_ROLES_ENABLED`: control if the mapping is done, default is `false`
+- `SSO_ROLES_DEFAULT_TO_USER`: do not block login in case of missing or invalid roles, default is `true`.
+- `SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles`: path to read roles in the Id token
+- `SSO_ORGANIZATIONS_INVIT`: control if the mapping is done, default is `false`
+- `SSO_ORGANIZATIONS_TOKEN_PATH`: path to read groups/organization in the Id token
+- `SSO_ORGANIZATIONS_ID_MAPPING`: Optional, allow to map provider group to a Vaultwarden organization `uuid` (default `""`, format: `"ProviderId:VaultwardenId;"`)
+- `SSO_ORGANIZATIONS_ALL_COLLECTIONS`: Grant access to all collections, default is `true`
+- `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
+- `SSO_DEBUG_TOKENS`: Log all tokens for easier debugging (default `false`, `LOG_LEVEL=debug` or `LOG_LEVEL=info,vaultwarden::sso=debug` need to be set)
 
 The callback url is : `https://your.domain/identity/connect/oidc-signin`
 
@@ -43,17 +43,17 @@ The callback url is : `https://your.domain/identity/connect/oidc-signin`
 When logging in with SSO an identifier (`{iss}/{sub}` claims from the IdToken) is saved in a separate table (`sso_users`).
 This is used to link to the SSO provider identifier without changing the default Vaultwarden user `uuid`. This is needed because:
 
- - Storing the SSO identifier is important to prevent account takeover due to email change.
- - We can't use the identifier as the User uuid since it's way longer (Max 255 chars for the `sub` part, cf [spec](https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken)).
- - We want to be able to associate existing account based on `email` but only when the user logs in for the first time (controlled by `SSO_SIGNUPS_MATCH_EMAIL`).
- - We need to be able to associate with existing stub account, such as the one created when inviting a user to an org (association is possible only if the user does not have a private key).
+- Storing the SSO identifier is important to prevent account takeover due to email change.
+- We can't use the identifier as the User uuid since it's way longer (Max 255 chars for the `sub` part, cf [spec](https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken)).
+- We want to be able to associate existing account based on `email` but only when the user logs in for the first time (controlled by `SSO_SIGNUPS_MATCH_EMAIL`).
+- We need to be able to associate with existing stub account, such as the one created when inviting a user to an org (association is possible only if the user does not have a private key).
 
 Additionally:
 
- - Signup to Vaultwarden will be blocked if the Provider reports the email as `unverified`.
- - Changing the email needs to be done by the user since it requires updating the `key`.
- 	 On login if the email returned by the provider is not the one saved in Vaultwarden an email will be sent to the user to ask him to update it.
- - If set `SIGNUPS_DOMAINS_WHITELIST` is applied on SSO signup and when attempting to change the email.
+- Signup to Vaultwarden will be blocked if the Provider reports the email as `unverified`.
+- Changing the email needs to be done by the user since it requires updating the `key`.
+   On login if the email returned by the provider is not the one saved in Vaultwarden an email will be sent to the user to ask him to update it.
+- If set `SIGNUPS_DOMAINS_WHITELIST` is applied on SSO signup and when attempting to change the email.
 
 This means that if you ever need to change the provider url or the provider itself; you'll have to first delete the association
 then ensure that `SSO_SIGNUPS_MATCH_EMAIL` is activated to allow a new association.
@@ -120,7 +120,6 @@ Config will look like:
 
 - `SSO_SCOPES="email profile offline_access"`
 
-
 ## Authentik
 
 Default access token lifetime might be only `5min`, set a longer value otherwise it will collide with `VaultWarden` front-end expiration detection which is also set at `5min`.
@@ -146,7 +145,7 @@ An [issue](https://github.com/casdoor/casdoor/issues/3001) was opened but the fi
 
 Create an application in your Gitlab Settings with
 
-- `redirectURI`: https://your.domain/identity/connect/oidc-signin
+- `redirectURI`: <https://your.domain/identity/connect/oidc-signin>
 - `Confidential`: `true`
 - `scopes`: `openid`, `profile`, `email`
 
@@ -166,12 +165,14 @@ By default without extra [configuration](https://developers.google.com/identity/
 Configure your server with :
 
 - `SSO_AUTHORITY=https://accounts.google.com`
+
 - ```conf
   SSO_AUTHORIZE_EXTRA_PARAMS="
   access_type=offline
   prompt=consent
   "
   ```
+
 - `SSO_PKCE=true`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
@@ -198,17 +199,31 @@ Only the v2 endpoint is compliant with the OpenID spec, see <https://github.com/
 
 Your configuration should look like this:
 
-* `SSO_AUTHORITY=https://login.microsoftonline.com/${Directory (tenant) ID}/v2.0`
-* `SSO_SCOPES="email profile offline_access"`
-* `SSO_CLIENT_ID=${Application (client) ID}`
-* `SSO_CLIENT_SECRET=${Secret Value}`
+- `SSO_AUTHORITY=https://login.microsoftonline.com/${Directory (tenant) ID}/v2.0`
+- `SSO_SCOPES="email profile offline_access"`
+- `SSO_CLIENT_ID=${Application (client) ID}`
+- `SSO_CLIENT_SECRET=${Secret Value}`
 
-If you want to leverage role mapping you have to create app roles first as described here: https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps.
+If you want to leverage role mapping you have to create app roles first as described here: <https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps>.
 Afterwards you can use these settings to derive the `admin` role from the ID token:
 
-* `SSO_ROLES_ENABLED=true`
-* `SSO_ROLES_DEFAULT_TO_USER=true`
-* `SSO_ROLES_TOKEN_PATH=/roles
+- `SSO_ROLES_ENABLED=true`
+- `SSO_ROLES_DEFAULT_TO_USER=true`
+- `SSO_ROLES_TOKEN_PATH=/roles
+
+If you want to use Org mapping, you need to setup [Optional Claims](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui)
+
+1. Goto your Entra App Registration.
+2. Click on Token Configuration.
+3. Click Add Group Claim.
+4. Check security groups and then add.
+5. Get the group ObjectID from Entra groups list.
+6. Get the vaultwarden org uuid from the admin page.
+
+Use this configuration
+
+- `SSO_ORGANIZATIONS_INVITE=true`
+- `SSO_ORGANIZATIONS_ID_MAPPING="EntraObjectID:vaultwardenuuid"`
 
 ## Zitadel
 
@@ -262,7 +277,6 @@ Probably not much hope, an [issue](https://github.com/bitwarden/clients/issues/2
 
 On Windows you'll be presented with a prompt the first time you log to confirm which application should be launched (But there is a bug at the moment you might end-up with an empty vault after login atm).
 
-
 On Linux it's a bit more tricky.
 First you'll need to add some config in `about:config` :
 

src/main.rs

@@ -327,10 +327,6 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
         logger = logger.level_for(path.to_string(), level);
     }
 
-    for (path, level) in CONFIG.log_overrides() {
-        logger = logger.level_for(path, level);
-    }
-
     if CONFIG.extended_logging() {
         logger = logger.format(|out, message, record| {
             out.finish(format_args!(