SSO User can bypass organisation two-step login requirement

[exu-g]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.35.2
• Web-vault version: v2025.12.1+build.3
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: PostgreSQL
• Database version: PostgreSQL 16.10 (OnGres 16.10-build-6.44) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-28), 64-bit
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: false (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "config/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "config",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "********://*********************************************************************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "config/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "config/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "config/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************************",
  "smtp_from_name": "***********",
  "smtp_host": "***********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "****************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://***************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://******************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "*******************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "config/templates",
  "tmp_folder": "config/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.2

Deployment method

Official Container Image

Custom deployment method

Deployed on Kubernetes

Reverse Proxy

haproxy

Host/Server Operating System

Linux

Operating System Version

Kubernetes

Clients

Web Vault

Client Version

Firefox 147 - v2025.12.1

Steps To Reproduce

1. Enable SSO
2. Create account with SSO
3. Set master password
4. Join organisation with enforced two-step login
5. Log out
6. Log in using email and master password. Button "Other", not SSO

Expected Result

The login with email & password should not be allowed as it is missing two-step verification.

Actual Result

Login succeeds using email & master password only

Logs

[2026-02-02 09:11:39.863][request][INFO] GET /api/devices/knowndevice
[2026-02-02 09:11:39.869][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-02-02 09:11:48.914][request][INFO] POST /identity/accounts/prelogin
[2026-02-02 09:11:48.919][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2026-02-02 09:11:49.635][request][INFO] POST /identity/connect/token
[2026-02-02 09:11:49.805][vaultwarden::api::identity][INFO] User futffu logged in successfully. IP: 10.128.10.103
[2026-02-02 09:11:49.805][response][INFO] (login) POST /identity/connect/token => 200 OK
[2026-02-02 09:11:49.824][request][INFO] GET /api/config
[2026-02-02 09:11:49.824][response][INFO] (config) GET /api/config => 200 OK
[2026-02-02 09:11:49.828][request][INFO] GET /api/sync?excludeDomains=true
[2026-02-02 09:11:49.844][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-02-02 09:11:49.844][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.128.10.103
[2026-02-02 09:11:49.845][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-02-02 09:11:50.156][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2026-02-02 09:11:50.186][request][INFO] GET /api/accounts/profile
[2026-02-02 09:11:50.196][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2026-02-02 09:11:50.352][request][INFO] GET /api/accounts/revision-date
[2026-02-02 09:11:50.374][request][INFO] GET /api/accounts/revision-date
[2026-02-02 09:11:50.377][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-02-02 09:11:50.382][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-02-02 09:11:50.437][request][INFO] GET /api/auth-requests/pending
[2026-02-02 09:11:50.451][response][INFO] (get_auth_requests_pending) GET /api/auth-requests/pending => 200 OK

Screenshots or Videos

Organisation two-step policy is active

The policy is applied to a user that was invited without SSO, but not the SSO user (futffu)

Additional Context

No response

[stefan0xC]

The Require 2FA policy does not apply to Admins and Owners.

The policy is applied to a user that was invited without SSO, but not the SSO user (futffu)

The membership overview will only inform you if a user (no matter their role) has enabled 2FA.

[cwchristerw]

I would recommend enabling 2FA in SSO level instead to make sure that all users are required to have 2FA or Passkey.