We rolled Bitwarden Enterprise out to an organization with a few hundred users 18 months ago. This is the honest write-up. It is mostly positive, with some sharp edges worth knowing before you sign.

What Works

SSO with SCIM

Okta SAML + SCIM provisioning does what you want. A new hire's Okta group membership creates their Bitwarden account, puts them in the right collections via group-to-collection mapping, and the day-one password vault is ready before their laptop ships. Offboarding is equally clean — the SCIM deprovision fires, Bitwarden revokes the user, and their vault is gone from their device on next sync.

Collections and Groups

The mental model is simple: users → groups → collections → items. We run about 40 collections mapped to team boundaries. The permission matrix (can view, can edit, can manage) is granular enough without being PowerPoint material. Engineering has their shared infra credentials, Finance has payment rails, IT has the rest. No one accidentally sees what they should not.

Self-Hosting Option

We run Bitwarden cloud, but the ability to self-host the full stack (or the Unified container since 2023) is a real compliance card to play. The vault data is end-to-end encrypted either way, so this is more about who holds the CSP contract than who sees your secrets.

CLI and API

The bw CLI is workable for scripting. Service accounts via Bitwarden Secrets Manager (separate SKU) are where it gets actually useful for CI/CD — injecting secrets into pipelines without long-lived tokens. We use it with GitHub Actions.

bws secret get --access-token "$BWS_TOKEN" "$SECRET_ID"

Pricing

Enterprise is $6/user/month. Compared to 1Password Business at $8 and LastPass Business at $7 (and LastPass being, you know, LastPass), Bitwarden prices like the challenger it is. Secrets Manager is a separate line and worth it if you are replacing HashiCorp Vault at small scale.

What Is Rough

SCIM Nuances

The SCIM provisioner is correct about 98% of the time. The 2% is: renaming a group in Okta does not always propagate cleanly, and nested groups are effectively flattened. We had one incident where a restructured org chart left 30 users temporarily without collection access for a morning. Not a data exposure — just a helpdesk spike.

Workaround: any material identity change gets a manual verification in the Bitwarden admin console the same day. Annoying, but cheap.

Mobile UX Edge Cases

iOS autofill from the app works most of the time. The edge cases pile up on business apps with non-standard login webviews — Salesforce mobile, some banking apps, Workday. Users end up copy-pasting, which works but trains bad muscle memory. The iOS Passkeys support landed late compared to 1Password and is still catching up.

Android is better. Accessibility-service autofill plus the native Autofill Framework makes Android feel more mature than iOS here, which is an odd sentence to type in 2026.

Admin Console UI

Functional. Not delightful. Reporting is thin — you can see who logged in, who has weak passwords in their personal vault (if they consent), and what is shared where. If you want detailed audit events exported to a SIEM, the Event Logs API works but is paginated awkwardly and rate-limited.
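An added example (not from the original write-up, and not Bitwarden's own code): one way to drain a continuation-token-paginated, rate-limited event feed and shape it for SIEM ingestion. The `fetch` callable, the constructed sample pages, the `data`/`continuationToken` field names and the 429 with `Retry-After` behaviour are assumptions.

```python
import json
import time

# Constructed sample pages; field names and throttling behaviour are assumptions.
SAMPLE_PAGES = {
    None: {"data": [{"type": 1000, "date": "2026-01-05T09:00:00Z", "actingUserId": "u-1"}],
           "continuationToken": "page-2"},
    "page-2": {"data": [{"type": 1107, "date": "2026-01-05T09:02:00Z", "actingUserId": "u-2"}],
               "continuationToken": None},
}

def make_fake_fetch(throttle_first_n=1):
    """Return a stand-in for the HTTP call: fetch(params) -> (status, headers, body)."""
    state = {"throttled": 0}

    def fetch(params):
        if state["throttled"] < throttle_first_n:
            state["throttled"] += 1
            return 429, {"Retry-After": "2"}, None
        return 200, {}, SAMPLE_PAGES[params.get("continuationToken")]

    return fetch

def drain_events(fetch, start, end, max_retries=5, sleep=time.sleep):
    """Yield every event in the window, following tokens and backing off on 429."""
    token, retries = None, 0
    while True:
        params = {"start": start, "end": end}
        if token:
            params["continuationToken"] = token
        status, headers, body = fetch(params)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("rate limited; resume later from token %r" % token)
            # Honour the server hint if present, otherwise exponential backoff.
            sleep(float(headers.get("Retry-After", 2 ** retries)))
            continue
        if status != 200:
            raise RuntimeError("unexpected HTTP status %d" % status)
        retries = 0
        yield from body.get("data", [])
        token = body.get("continuationToken")
        if not token:
            return

def to_ndjson(events):
    """One JSON object per line, a shape most SIEM collectors can ingest."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```

In a real exporter, `fetch` would wrap the authenticated HTTP request, and the last token would be persisted so a throttled run can resume instead of restarting the window.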

Password History and Shared Item Auditing

When a shared item's password gets rotated, the previous value is kept in history — fine — but there is no built-in "who last viewed this item" log for shared collections without enabling the Enterprise Policies event stream. Make sure you turn that on at deployment, not six months in when someone asks.

Things to Do on Day One

  • Enforce 2FA at the org level. TOTP and WebAuthn for admins.
  • Turn on the Master Password policy — 14+ characters, enforce a complexity score.
  • Enable Event Logs + stream to your SIEM.
  • Disable personal ownership for new items (force everything into a collection).
  • Write the break-glass plan: two admin accounts with physical YubiKeys in a safe.

Verdict

Yes, with caveats. Bitwarden Enterprise is the right answer for most mid-market orgs that want an open-source-foundation password manager with real SSO, decent SCIM, and a non-insulting price. 1Password's polish is real and worth the premium if your users push back on UX friction. But for shops that value auditability and cost over the last 10% of mobile smoothness, Bitwarden earns the deployment.