KC (#805)

* initial draft

* codeblock e.g.'s

* initial draft of f4e end-user doc

* first round of feedback

* feedback round 2

* feedback round 3

* update screenshots

* safari/macos import guide sketch

* adios, friendly name

* cli note

* fix typo

* finish import from macos/safari

* feedback round 4

* more feedback

* updated diagrams

* fix typo

* linked custom fields & more release note items

* new auto-fill unlock behavior for context menu & keyboard!

* release notes - autofill unlock

* new events

* fixes to 'using sso'

* updated KC screenshot & test step

* KC URL

* send extension & release notes

* hide ios extension

* updates to sso faqs

* SEO desc's & tags

* Key Connector > Impact on Unlock > Add a note for online dependency

* clarify "account is lost"

* add some references to CME

* final edits

* f4e

* quick edit to RN

_articles/account/delete-your-account.md

@@ -5,7 +5,7 @@ categories: [plans-and-pricing]
 featured: false
 popular: false
 tags: [account, delete]
-order: "08"
+order: "09"
 description: "This article explains how to delete a Bitwarden account or Organization if you forget your master password and need to create a new account."
 ---
 

_articles/account/export-your-data.md

@@ -5,7 +5,7 @@ categories: [import-export]
 featured: false
 popular: false
 tags: [export, accounts, csv]
-order: "08"
+order: "09"
 description: "This article explains how to export your personal Vault data from any client application, or export an Organization Vault from the Web Vault or CLI."
 ---
 

_articles/faqs/billing-faqs.md

@@ -6,7 +6,7 @@ featured: true
 popular: false
 hidden: false
 tags: []
-order: "09"
+order: "10"
 description: "This article contains FAQs regarding billing and subscriptions for the Bitwarden password manager."
 ---
 

_articles/faqs/import-faqs.md

@@ -6,7 +6,7 @@ featured: true
 popular: false
 hidden: false
 tags: []
-order: "11"
+order: "12"
 description: "This article contains FAQs regarding importing and exporting data to and from the Bitwarden password manager."
 ---
 
@@ -18,7 +18,7 @@ This article contains Frequently Asked Questions (FAQs) regarding **Import &
 
 ### Q: Can I import to Bitwarden from iCloud/Mac Keychain/Safari?
 
-**A:** As of Safari 15.0, you can export passwords from Safari in a `.csv` file. Once you do, [condition your .csv]({{site.baseurl}}/article/condition-bitwarden-import/) to meet Bitwarden's format and [import your data]({{site.baseurl/article/import-data/}}).
+**A:** As of Safari 15.0, you can export passwords from Safari in a `.csv` file. Once you do, [condition your .csv]({{site.baseurl}}/article/condition-bitwarden-import/) to meet Bitwarden's format and [import your data]({{site.baseurl}}/article/import-data/}}).
 
 ### Q: How do I import items directly to Collections?
 

_articles/faqs/send-faqs.md

@@ -5,7 +5,7 @@ categories: [send]
 featured: true
 popular: false
 tags: []
-order: "09"
+order: "10"
 description: "This article contains FAQs regarding Bitwarden Send, a tool for transmitting encrypted plaintext and file attachments to anybody securely"
 ---
 

_articles/faqs/sso-faqs.md

@@ -6,7 +6,7 @@ featured: true
 popular: false
 hidden: false
 tags: [sso, enterprise, security]
-order: "07"
+order: "08"
 description: "This article contains FAQs regarding Login with SSO - an enterprise feature of the Bitwarden password manager."
 ---
 This article contains Frequently Asked Questions (FAQs) regarding **Login with SSO**.
@@ -17,42 +17,39 @@ For more high-level information about **Login with SSO**, refer to [About Login
 
 ### Q: Why does Login with SSO require my Master Password?
 
-**A:** Today’s employees are surrounded by software-as-a-service (SaaS) applications. As a result, many companies are leveraging Single Sign-On (SSO) as a way to unify employees’ access to increasingly large numbers of accounts.
-
-Some applications don’t have SSO integrations yet; and even for those that do, it’s still mission critical to protect sensitive information and practice good security habits - the perfect job for a password manager, like Bitwarden.
-
-Bitwarden, recognizing the importance of SSO to today’s enterprises, has an SSO integration of its own; allowing your employees to use your existing Identity Provider (IdP) to **authenticate** their identities (i.e. prove they are who they say they are).
-
-What makes the Bitwarden SSO implementation unique compared to other tools is that it retains our end-to-end zero-knowledge encryption model. Nobody at Bitwarden should have access to your Vault data and, importantly, **neither should your Identity Provider**.
+**A:** Login with SSO allows your employees to use your existing Identity Provider (IdP) to **authenticate** their identities (i.e. prove they are who they say they are). What makes Login with SSO unique compared to other tools is that it retains our end-to-end zero-knowledge encryption model. Nobody at Bitwarden should have access to your Vault data and, importantly, **neither should your Identity Provider**.
 
 That’s why the Bitwarden Login with SSO offering **decouples authentication and decryption**. Your IdP can confirm that Alice is, in fact, Alice, but cannot and should not have the tools to decrypt Alice’s Vault. Only Alice can have that tool and, conveniently, it’s her Master Password!
 
 In practice, that means that anytime an employee logs in to Bitwarden using SSO, they’ll need to use their Master Password to decrypt their Vault, protecting your businesses’ critical credentials and secrets.
 
+{% callout info %}
+**Organizations self-hosting Bitwarden** can leverage [Key Connector]({{site.baseurl}}/article/about-key-connector/) to server decryption keys to Bitwarden clients *instead* of requiring users to decrypt Vault data with their Master Passwords. Learn more [here]({{site.baseurl}}/article/sso-decryption-options) and [here]({{site.baseurl}}/article/about-key-connector/).
+{% endcallout %}
 
 ### Q: Will changing my SSO password affect my Bitwarden Master Password?
 
-  **A:** No. Your Master Password will remain the same and will still be used to decrypt your Vault data.
+**A:** No, your Master Password will remain the same. Unless your Organization is using [Key Connector]({{site.baseurl}}/article/about-key-connector) to self-host decryption keys, your Master Password must be used to decrypt Vault data.
 
 ### Q: Does SSO authentication replace my Master Password and Email?
 
-  **A:** No. Login with SSO leverages your existing Identity Provider (IdP) to authenticate you into Bitwarden, however your Master Password and Email must still be entered in order to decrypt your Vault data.
+**A:** No. Login with SSO leverages your existing Identity Provider (IdP) to authenticate you into Bitwarden, however your Master Password and Email must still be entered in order to decrypt your Vault data unless your Organization is using [Key Connector]({{site.baseurl}}/article/about-key-connector) to self-host decryption keys.
 
 ### Q: Can I still log in with my Master Password if my Organization has SSO enabled?
 
-  **A:** By default, yes, you can use your email address and Master Password to login to Bitwarden. However, if your Organization enables both the [Single Organization]({{site.baseurl}}/article/policies/#single-organization) and [Single Sign-On Authentication]({{site.baseurl}}/article/policies/#single-sign-on-authentication) policies, all non-administrator users will be required to login with SSO.
+**A:** By default, yes, you can use your email address and Master Password to login to Bitwarden. However, if your Organization enables both the [Single Organization]({{site.baseurl}}/article/policies/#single-organization) and [Single Sign-On Authentication]({{site.baseurl}}/article/policies/#single-sign-on-authentication) policies, or if your Organization users uses [Key Connector]({{site.baseurl}}/article/about-key-connector/), all non-administrator users will be required to login with SSO.
 
 ### Q: How does Login with SSO work for new users ("just-in-time")?
 
-  **A:** New users who log into their Organization using Login with SSO will be placed in the *Accepted* status of their Organization until they are confirmed by an administrator. When that user is assigned to a Group manually or via the Bitwarden Directory Connector, they will receive access to the appropriate shared items.
+**A:** New users who log into their Organization using Login with SSO will be placed in the *Accepted* status of their Organization until they are confirmed by an administrator. When that user is assigned to a Group manually or via the Bitwarden Directory Connector, they will receive access to the appropriate shared items.
 
 ### Q: Do I still need to use Bitwarden Directory Connector?
 
-  **A:** If you manage your Bitwarden Group and Collection assignments directly within Bitwarden, there is no need to leverage the Directory Connector. However, if you would like to have Groups and users automatically synchronized with your organizations directory, we recommend using Login with SSO in conjunction with Directory Connector for the most complete solution.
+**A:** If you manage your Bitwarden Group and Collection assignments directly within Bitwarden, there is no need to leverage the Directory Connector. However, if you would like to have Groups and users automatically synchronized with your organizations directory, we recommend using Login with SSO in conjunction with Directory Connector for the most complete solution.
 
 ### Q: Do I need to enter my Organization Identifier every time I login?
 
-  **A:** Nope! Bookmarking the **Enterprise Single Sign-On** page with your Organization Identifier included as a query string will save you the trouble of entering it each time. For example:
+**A:** Nope! Bookmarking the **Enterprise Single Sign-On** page with your Organization Identifier included as a query string will save you the trouble of entering it each time. For example:
 
   - `https://vault.bitwarden.com/#/sso?identifier=your-org-id` for Cloud-hosted instances
   - `https://your.domain.com/#/sso?identifier=your-org-id` for Self-hosted instances
@@ -65,7 +62,7 @@ In practice, that means that anytime an employee logs in to Bitwarden using SSO,
 
 ### Q: How does Login with SSO work with the zero-knowledge model?
 
-  **A:** Bitwarden Login with SSO only performs user authentication and does not decrypt user data. Adding SSO functionality does not introduce any further individually identifiable information into the Bitwarden database.
+**A:** Bitwarden Login with SSO & Master Password only performs user authentication and does not decrypt user data. Adding SSO functionality does not introduce any further individually identifiable information into the Bitwarden database.
 
 ## Billing
 

_articles/features/auto-fill-browser.md

@@ -10,12 +10,12 @@ description: "Learn how to autofill logins stored in the Bitwarden password mana
 ---
 
 {% callout success %}
-Most auto-fill functionality relies on the attribution of URIs to Login items. If you're unfamiliar with using URIs, see [Using URIs]({{site.baseurl}}/article/uri-match-detection/).
+**If your Browser Extension is having issues auto-filling usernames and passwords for a particular site**, using [Linked custom fields]({{site.baseurl}}/article/auto-fill-custom-fields/#using-linked-custom-fields) can force an auto-fill.
 
-Additionally, **basic authentication prompts** work a little differently than regular auto-fills. See our breakout article on [Basic Auth Prompts]({{site.baseurl}}/article/basic-auth-autofill/)
+Additionally, **basic authentication prompts** work a little differently than regular auto-fills. For more information, see the separate article on [Basic Auth Prompts]({{site.baseurl}}/article/basic-auth-autofill/).
 {% endcallout %}
 
-Bitwarden Browser Extensions have a unique **Tab** view, which automatically detects the URI (e.g. `myturbotax.intuit.com`) of the page displayed in the open tab and surfaces any Vault items with corresponding URIs.
+Bitwarden Browser Extensions have a unique **Tab** view, which automatically detects the URI (e.g. `myturbotax.intuit.com`) of the page displayed in the open tab and surfaces any Vault items with corresponding URIs. If you're unfamiliar with using URIs, we recommend reading [this article]({{site.baseurl}}/article/uri-match-detection/).
 
 When a Vault item has a corresponding URI, the Bitwarden icon will overlay a badge counter reporting the number of Vault items for that web page (*pictured below*).
 
@@ -27,11 +27,7 @@ If you want, you can disable the badge counter using a toggle in the {% icon fa-
 {% image autofill/disable-counter-badge.png Disable Badge Counter %}
 {% endcallout %}
 
-Simply clicking on the Vault item inside the Browser Extension **Tab** view will auto-fill login information to the detected input fields.
-
-There are a few alternative auto-fill options for Browser Extensions. In all cases (except [manually](#manually-auto-fill)):
-- The Browser Extension must be unlocked for the auto-fill functionality to operate.
-- In cases where a web page or service has **multiple** Login items with relevant URIs, it will auto-fill the last-used Login.
+Simply clicking on the Vault item inside the Browser Extension **Tab** view will auto-fill login information to the detected input fields.  In cases where a web page or service has **multiple** Login items with relevant URIs, it will auto-fill the last-used Login.
 
 ## Using the Context-Menu
 
@@ -39,13 +35,13 @@ There are a few alternative auto-fill options for Browser Extensions. In all cas
 Currently unavailable in the Safari Browser Extension.
 {% endcallout %}
 
-Without opening your Browser Extension, you can right-click on the username or password input field and use the **Bitwarden** → **Auto-fill** option. Your Vault must be unlocked for this option to be available.
+Without opening your Browser Extension, you can right-click on the username or password input field and use the **Bitwarden** → **Auto-fill** option. If your Vault isn't locked when you attempt this, a new tab will open prompting you to unlock. When unlocked, the Browser Extension will automatically proceed with auto-filling your credentials.
 
 {% image getting-started/browserext/browserext-context.png %}
 
 ## Using Keyboard Shortcuts
 
-Bitwarden Browser Extensions provide a set of keyboard shortcuts (a.k.a *hot keys*) to auto-fill login information. Your Vault must be unlocked for these options to be available.
+Bitwarden Browser Extensions provide a set of keyboard shortcuts (a.k.a *hot keys*) to auto-fill login information. If your Vault isn't locked when you attempt this, a new tab will open prompting you to unlock. When unlocked, the Browser Extension will automatically proceed with auto-filling your credentials.
 
 To auto-fill login information, use the following **default** shortcuts. If there are multiple Login items with the detected URI, the last-used login will be used for the auto-fill operation. You can cycle through multiple Logins by repeatedly using the keyboard shortcut:
 

_articles/features/auto-fill-custom-fields.md

@@ -10,10 +10,12 @@ tags: [browser, autofill, auto-fill, custom fields, form fill]
 
 Bitwarden can do more than just [auto-fill your usernames and passwords]({{site.baseurl}}/article/auto-fill-browser/)! **Bitwarden Browser Extensions** can auto-fill [custom fields]({{site.baseurl}}/article/custom-fields) to simplify fill-in of security questions, PINS, and more using the [unique Tab view]({{site.baseurl}}/article/auto-fill-browser/)).
 
+Additionally, if your Browser Extension is having issues auto-filling usernames and passwords for a particular site, using [Linked custom fields](#using-linked-custom-fields) can force an auto-fill.
+
 ## Auto-fill Custom Fields
 
 {% callout success %}
-It's important to name the custom field correctly in order for auto-fill to work. [Learn how to name custom fields]({{site.baseurl}}/article/custom-fields/#custom-field-names).
+It's important to name the custom field correctly in order for auto-fill to work ([learn more]({{site.baseurl}}/article/custom-fields/#custom-field-names)).
 {% endcallout %}
 
 To auto-fill custom fields:
@@ -27,6 +29,21 @@ To auto-fill custom fields:
 
 The Browser Extension will find any fields that match the [custom field name]({{site.baseurl}}/article/custom-fields/custom-field-names) and auto-fill that field's value.
 
+### Using Linked Custom Fields
+
+Linked custom fields can be used to solve issues where your Browser Extension can't auto-fill usernames and passwords for a particular site. To create and auto-fill a Linked custom field:
+
+1. In the **Custom Fields** section of a Vault item's **Edit Item** panel, choose **Linked** from the dropdown and select {% icon fa-plus %} **New Custom Field**:
+
+   {% image features/linked-custom-field.png Add a Linked Custom Field %}
+2. In the **Name** input, [give the custom field a name]({{site.baseurl}}/article/custom-fields/#custom-field-names) that corresponds to the username or password's HTML form element `id`, `name`, `aria-label`, or `placeholder`.
+
+   {% callout success %}You can get the right value by right-clicking the form element and using the **Copy Custom Field Name** context menu option:<br><br>{% image features/custom-fields-contextmenu.png %}{% endcallout %}
+3. From the **Value** dropdown, select **Username** or **Password** depending on which credential you're having trouble auto-filling. In many cases, you'll need to create a Linked custom field for each.
+4. **Save** the changes to your Vault item.
+
+Now that you've created one or more Linked custom fields, you can auto-fill using the [method described in an earlier section](#auto-fill-custom-fields). When you do, your Browser Extension will auto-fill the username, password, or both into the HTML form element given for a field Name.
+
 ## Special Auto-fill Scenarios
 
 ### HTML `<span>` Elements

_articles/features/custom-fields.md

@@ -14,6 +14,7 @@ Custom fields, available for any [Vault item type]({{site.baseurl}}/article/mana
 - **Text**: Field value stores a freeform input (text, numbers, etc.)
 - **Hidden**: Field value stores freeform input that is hidden from view (particularly useful for Organizations using the [Hide Password access control]({{site.baseurl}}/article/user-types-access-control/#granular-access-control)).
 - **Boolean**: Field value stores a boolean value (true/false).
+- **Linked**: Field value is linked to the item's Username or Password. Given the [right field name](#custom-field-names), Linked custom fields can be used to solve issues where your Browser Extension can't auto-fill usernames and passwords for a particular site ([learn more]({{site.baseurl}}/article/auto-fill-custom-fields/#using-linked-custom-fields)).
 
 {% callout success %}
 #### Custom Fields for Keys

_articles/getting-started/releasenotes.md

@@ -46,6 +46,19 @@ Want Release Announcements delivered straight to your inbox?
 Or subscribe to the [Bitwarden Status RSS Feed](https://status.bitwarden.com/){:target="\_blank"}.
 {% endcallout %}
 
+## 2021-12-07
+
+Bitwarden is proud to announce new enterprise features in the December release that add flexibility and value to the enterprise plans:
+
+- **Key Connector**: When using Login with SSO with customer-managed encryption, the self-hosted Key Connector application serves cryptographic keys to Bitwarden clients as an alternative to requiring a Master Password for Vault decryption (see [here]({{site.baseurl}}/article/about-key-connector)).
+- **Families for Enterprise**: Starting with this release, members of Enterprise Organizations can redeem a free [Bitwarden Families Organization]({{site.baseurl}}/article/about-bitwarden-plans/#families-organizations) for sharing with up to 5 friends or family members. Families Organizations include all premium features for all 6 users and unlimited secure data sharing (see [here]({{site.baseurl}}/article/families-for-enterprise/) for details).
+- **MacOS and Safari Importer**: We've added a custom importer for passwords exported from Safari and macOS (see [here]({{site.baseurl}}/article/import-from-safari/) for details).
+- **New Custom Field Type**: Linked custom fields can be used to solve issues where your Browser Extension has trouble auto-filling usernames and passwords for a particular site by linking usernames and passwords to bespoke form elements (see [here]({{site.baseurl}}/article/auto-fill-custom-fields/#using-linked-custom-fields) for details).
+- **Browser Extension - Unlock Vault while Auto-filling**: Trying to auto-fill with the context menu or keyboard shortcut when your Vault is locked will now prompt you to unlock your Vault and automatically auto-fill your credentials once it's unlocked.
+{% comment %}
+- **iOS - Send from Extension**: Sends can now be created directly from the iOS Extension list (see [here]({{site.baseurl}}/article/send-ios/) for details).
+{% endcomment %}
+
 ## 2021-10-26
 
 The Bitwarden team is pleased to release a set of features and updates continuing our mission of making password management easy and accessible for individuals and businesses:

_articles/importing/condition-bitwarden-import.md

@@ -5,7 +5,7 @@ categories: [import-export]
 featured: true
 popular: false
 tags: [import]
-order: "10"
+order: "11"
 description: "This article describes the format you should use when manually conditioning a .csv or .json file for import into the Bitwarden password manager."
 ---
 

_articles/importing/encrypted-export.md

@@ -5,7 +5,7 @@ categories: [import-export]
 featured: true
 popular: false
 tags: [import]
-order: "09"
+order: "10"
 description: "This article explains how to create an encrypted export of your Vault data in the Bitwarden password manager for backup."
 ---
 

_articles/importing/import-from-chrome.md

@@ -5,7 +5,7 @@ categories: [import-export]
 featured: true
 popular: false
 tags: [import, chrome, opera, vivaldi, edge]
-order: "05"
+order: "06"
 description: "This article explains how you can export data from Google Chrome or any chromium-based browser and import into Bitwarden."
 ---
 

_articles/importing/import-from-firefox.md

@@ -5,7 +5,7 @@ categories: [import-export]
 featured: true
 popular: false
 tags: [import, firefox]
-order: "06"
+order: "07"
 description: "This article explains how you can export data from Firefox and import into Bitwarden."
 ---
 

_articles/importing/import-from-passwordsafe.md

@@ -5,7 +5,7 @@ categories: [import-export]
 featured: true
 popular: false
 tags: [import, passwordsafe]
-order: "07"
+order: "08"
 description: "If you are switching password managers from Password Sage to Bitwarden, use this article guide you to export data from Password Safe and import into Bitwarden."
 ---
 

_articles/importing/import-from-safari.md

@@ -0,0 +1,80 @@
+---
+layout: article
+title: Import Data from macOS & Safari
+categories: [import-export]
+featured: true
+popular: false
+tags: [import, macos, safari]
+order: "05"
+description: "This article explains how you can export data from macOS Keychain or Safari and import into the Bitwarden password manager."
+---
+
+Use this article for help exporting data from Safari or macOS and importing into Bitwarden.
+
+{% callout success %}
+Exporting passwords requires **Safari 15.0+** or **macOS Monterey (12.0)+**.
+{% endcallout %}
+
+## Export from Safari or macOS
+
+You can export your passwords directly from Safari or from macOS System Preferences:
+
+
+<ul class="nav nav-tabs" id="myTab" role="tablist">
+  <li class="nav-item" id="tab" role="presentation">
+    <a class="nav-link active" id="safaritab" data-bs-toggle="tab" data-target="#safari" role="tab" aria-controls="safari" aria-selected="true">Safari</a>
+  </li>
+  <li class="nav-item" id="tab" role="presentation">
+    <a class="nav-link" id="mactab" data-bs-toggle="tab" data-target="#mac" role="tab" aria-controls="mac" aria-selected="false">macOS System Preferences</a>
+  </li>
+</ul>
+
+<div class="tab-content" id="clientsContent">
+  <div class="tab-pane show active" id="safari" role="tabpanel" aria-labelledby="safaritab">
+{% capture safari_content %}
+### Safari
+
+To export your data from Safari:
+
+1. Select **File** &rarr; **Export** &rarr; **Passwords...** from the macOS menu bar:
+
+   {% image importing/safari.png Export from Safari %}
+2. You will be prompted with a dialog confirming that you want to export saved passwords. Select **Export Passwords...** to continue.
+3. Save your export to any location and use Touch ID or your macOS password to complete the export.
+
+{% endcapture %}
+{{ safari_content | markdownify }}
+  </div>
+  <div class="tab-pane" id="mac" role="tabpanel" aria-labelledby="mactab">
+{% capture macos_content %}
+### macOS System Preferences
+
+To export your data from macOS:
+
+1. Open the macOS **System Preferences** app.
+2. In System Preferences, select **Passwords**. You'll be prompted to use Touch ID or your password to continue.
+3. On the Passwords dialog, select the menu icon ( {% icon fa-ellipsis-h %} ) and select **Export Passwords...**:
+
+   {% image importing/macos.png Export from macOS System preferences %}
+4. You will be prompted with a dialog confirming that you want to export saved passwords. Select **Export Passwords...** to continue.
+5. Save your export to any location and use Touch ID or your password to complete the export.
+
+{% endcapture %}
+{{ macos_content | markdownify }}
+  </div>
+</div>
+
+## Import to Bitwarden
+
+Importing data to Bitwarden **can only be done from the Web Vault** or CLI. Data is [encrypted]({{site.baseurl}}/article/what-encryption-is-used) locally before being sent to the server for storage. To import your data:
+
+1. In the Web Vault, select **Tools** from the top navigation bar.
+2. Select **Import Data** from the left-hand Tools menu.
+3. From the format dropdown, choose **Safari and macOS (csv)**.
+4. Select the **Choose File** button and add the file to import or copy/paste the contents of your file into the input box.
+
+   {% callout warning %}Import to Bitwarden can't check whether items in the file to import are duplicative of items in your Vault. This means that **importing multiple files will create duplicates** of Vault items if that item is alread in the Vault.{% endcallout %}
+5. Select the **Import Data** button to complete your import.
+6. After successful import, delete the import source file from your computer. This will protect you in the event your computer is compromised.
+
+Currently, file attachments are not included in Bitwarden import operations and will need to be uploaded to your Vault manually. For more information, see [File Attachments]({{site.baseurl}}/article/attachments/).

_articles/login-with-sso/about-key-connector.md

@@ -0,0 +1,70 @@
+---
+layout: article
+title: About Key Connector
+categories: [login-with-sso]
+featured: false
+popular: false
+tags: [key connector, customer-managed encryption, login with sso]
+order: "05"
+description: "Bitwarden enterprise plan users can take advantage of Single Sign On (SSO) Customer-managed Encryption through Key Connector to streamline Vault authentication and decryption. Find out more in this article."
+---
+
+## What is Key Connector?
+
+Key Connector is a self-hosted application that facilitates **Customer-managed Encryption**, allowing Enterprise Organizations to serve cryptographic keys to Bitwarden clients. Key Connector runs as a docker container on the same network as existing services, and can be used with [Login with SSO]({{site.baseurl}}/article/about-sso/) to serve cryptographic keys for an Organization as an alternative to requiring a Master Password for Vault decryption ([learn more](#why-use-key-connector)).
+
+ Key Connector requires connection to a **database where encrypted user keys are stored** and an **RSA Key Pair to encrypt and decrypt stored user keys**. Key Connector can be [configured]({{site.baseurl}}/article/deploy-key-connector/) with a variety of both database providers (e.g. MSSQL, PostgreSQL, MySQL) and Key Pair storage providers (e.g. Hashicorp Vault, Cloud KMS Providers, On-prem HSM devices) in order to fit your business' infrastructure requirements.
+
+{% image sso/keyconnector/keyconnector-diagram.png Key Connector Architecture %}
+
+## Why use Key Connector?
+
+**In implementations that leverage Master Password decryption**, your Identity Provider handles authentication and a member's Master Password is required for Vault decryption. This separation of concerns is an important step that ensures that only an Organization member has access to the key which is required to decrypt your Organization's sensitive Vault data.
+
+**In implementations that leverage Key Connector for decryption**, your Identity Provider still handles authentication, but Vault decryption is handled by Key Connector. By accessing an encrypted Key Database (*see the above diagram*), Key Connector provides a user their decryption key when they log in, without requiring a Master Password.
+
+We often refer to Key Connector implementations as leveraging **Customer-Managed Encryption**, because your business has sole responsibility for the management of the Key Connector application and of the Vault decryption keys it serves. For enterprises ready to deploy and maintain a Customer-Managed Encryption environment, Key Connector facilitates a streamlined Vault login experience.
+
+### Impact on Master Passwords
+
+Because Key Connector replaces Master Password-based decryption with customer-managed decryption keys, Organization members will be **required to remove the Master Password from their account**. Once removed, all Vault decryption actions will be conducted using the stored user key. Besides logging in, this will have some impacts on [offboarding](#impact-on-offboarding) and [on other features](#impact-on-other-features) you should be aware of.
+
+{% callout warning %}
+Currently, there is not a way to re-create Master Passwords for accounts that have removed them.
+
+For this reason, Organization Owners and Admins are not able to remove their Master Password and must continue using their Master Password even if using SSO. It is possible to elevate a user who has removed their Master Password to Owner or Admin, however we **strongly recommend** that your Organization always have at least one Owner with a Master Password.
+{% endcallout %}
+
+### Impact on Organization Membership
+
+Key Connector required users to [remove their Master Passwords](#impact-on-master-passwords) and instead uses a company-owned database of cryptographic keys to decrypt users' Vaults. Because Master Passwords can not be re-created for accounts that have removed them, this means that once an account uses Key Connector decryption it is for all intents and purposes **owned by the Organization**.
+
+These accounts **may not leave the Organization**, as in doing so they would lose any means of decrypting Vault data. Similarly, if an Organization administrator removes the account from the Organization, the account will lose any means of decrypting Vault data.
+
+### Impact on other Features
+
+|Feature|Impact|
+|-------|------|
+|**Verification**|There are a number of features in Bitwarden client applications that ordinarily require entry of a Master Password in order to be used, including [exporting]({{site.baseurl}}/article/export-your-data/) Vault data, changing [Two-step Login]({{site.baseurl}}/article/setup-two-step-login) settings, retrieving [API Keys]({{site.baseurl}}/article/personal-api-key/), and more.<br><br>**All these features** will replace Master Password confirmation with email-based TOTP verification.|
+|**Vault Lock/Unlock**|Under ordinary circumstances, a [locked Vault can be unlocked]({{site.baseurl}}/article/vault-timeout/#vault-timeout-action) using a Master Password. When your Organization is using Key Connector, locked client applications can only be unlocked with a [PIN]({{site.baseurl}}/article/unlock-with-pin/) or with [Biometrics]({{site.baseurl}}/article/biometrics/).<br><br>If neither PIN nor Biometrics are enabled for a client application, the Vault will always log out instead of lock. Unlike unlocking, logging in **always** requires an internet connection ([learn more]({{site.baseurl}}/article/vault-timeout/#vault-timeout-action)).|
+|**Master Password re-prompt**|When Key Connector is being used, [Master Password re-prompt]({{site.baseurl}}/article/managing-items/#protect-individual-items) will be disabled for any user that has removed their Master Password as a result of your Key Connector implementation.|
+|**Admin Password Reset**|When Key Connector is being used, [Admin Password Reset]({{site.baseurl}}/article/admin-reset/) will be disabled for any user that has removed their Master Password as a result of your Key Connector implementation.|
+|**Emergency Access**|When Key Connector is being used, the Emergency Access [Account Takeover option]({{site.baseurl}}/article/emergency-access/#user-access) will be disabled for any user that has removed their Master Password as a result of your Key Connector implementation.<br><br>Trusted emergency contacts may still **View** a grantor's personal Vault data, subject to the established [emergency access workflow]({{site.baseurl}}/article/emergency-access/#initiate-emergency-access).|
+
+## How do I start using Key Connector?
+
+In order to get started using Key Connector for Customer-managed Encryption, please review the following requirements:
+
+{% callout warning %}
+Management of cryptographic keys is incredibly sensitive and is **only recommended for enterprises with a team and infrastructure** that can securely support deploying and managing a key server.
+{% endcallout %}
+
+In order to use Key Connector you must also:
+
+- [Have an Enterprise Organization]({{site.baseurl}}/article/about-bitwarden-plans/#enterprise-organizations)
+- [Have a self-hosted Bitwarden server]({{site.baseurl}}/hosting/)
+- [Have an active SSO implementation]({{site.baseurl}}/article/about-sso/)
+- [Activate the Single Organization and Single Sign-On policies]({{site.baseurl}}/article/policies/)
+
+<br>
+If your Organization meets or can meet these requirements, including a team and infrastructure that can support management of a key server, [Contact Us](https://bitwarden.com/contact) and we'll activate Key Connector.

_articles/login-with-sso/about-sso.md

@@ -13,51 +13,34 @@ description: "Bitwarden enterprise plan users can take advantage of Single Sign
 
 ## What is Login with SSO?
 
-Login with SSO separates user authentication from Vault decryption by leveraging your existing Identity Provider (IdP) to authenticate users into their Bitwarden Vault and using Master Passwords for decryption of Vault data.
+Login with SSO is the Bitwarden solution for Single Sign-On. Using Login with SSO, [Enterprise Organizations]({{site.baseurl}}/article/about-organizations/#types-of-organizations) can leverage their existing Identity Provider to authenticate users with Bitwarden using the **SAMl 2.0** or **Open ID Connect (OIDC)** protocols.
 
-Login with SSO currently supports SAML 2.0 and OpenID Connect authentication for customers on the current Enterprise Plan.
+What makes Login with SSO unique is that it retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your Vault data and, similarly, **neither should your Identity Provider**. That's why Login with SSO **decouples authentication and decryption**. In all Login with SSO implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt Vault data.
 
-Users of Bitwarden authenticate into their vaults using the **Enterprise Single Sign-On** button located on the login screen of any Bitwarden client application. For more information, see [Using Login with SSO]({{site.baseurl}}/article/using-sso/).
+In most scenarios, that decryption key is the user's [Master Password]({{site.baseurl}}/article/master-password/), which they retain sole responsibility for, however Organizations self-hosting Bitwarden can use [Key Connector]({{site.baseurl}}/article/about-key-connector/) as an alternative means of decrypting Vault data.
 
-Administrators can configure Login with SSO from the Organization **Manage** screen.
+{% image sso/sso-workflow-2.png Login with SSO & Master Password Decryption %}
 
-{% image sso/sso-button-lg.png Enterprise Single Sign-On button %}
+## Why use Login with SSO?
 
-### Requiring SSO for Users
+Login with SSO is a flexible solution that can fit your enterprise's needs. Login with SSO includes:
 
-Using the **Single Sign-On Authentication** policy, Enterprise Organizations can require non-Owner/non-Admin users to log in to Bitwarden with Enterprise Single Sign-On. For more information about setting up this policy, see [Policies]({{site.baseurl}}/article/policies/).
+- [SAML 2.0]({{site.baseurl}}/article/configure-sso-saml/) and [OIDC]({{site.baseurl}}/article/configure-sso-oidc/) configuration options that support integration with a wide variety of Identity Providers.
+- An [Enterprise Policy]({{site.baseurl}}/article/policies/#single-sign-on-authentication) to optionally require non-Owner/non-Admin users to log in to Bitwarden with Single Sign-On.
+- Two distinct [Member Decryption Options]({{site.baseurl}}/article/sso-decryption-options/) for safe data access workflows.
+- "Just-in-time" end-user onboarding via SSO.
 
-## Enterprise Free Trial
 
-Login with SSO is available for all customers on the current Enterprise plan (for more information, see [About Bitwarden Plans]({{site.baseurl}}/article/about-bitwarden-plans/). If you're new to Bitwarden, we'd love to help you through the process of setting up an account and starting your 7 Day Free Trial Enterprise Organization with our dedicated signup page:
+## How do I start using Login with SSO?
 
-<a role="button" class="btn btn-primary" href="https://vault.bitwarden.com/#/register?org=enterprise">Start your Enterprise Free Trial</a>
-
-If you're an experienced Bitwarden user, refer to the [this article]({{site.baseurl}}/article/enterprise-free-trial/) for help. If you're self-hosting Bitwarden, you will need to generate a new license file after starting your 7 Day Free Trial. We recommend using a separate Bitwarden instance for testing Login with SSO. For more information, see [Licensing Paid Features]({{site.baseurl}}/article/licensing-on-premise/).
-
-## Requirements
-
-Login with SSO has the following requirements:
-
-### Identity Server Requirements
-Your Identity Provider must support one of the following:
-- SAML 2.0
-- OpenID Connect (OIDC)
+Login with SSO is available for all customers with an [Enterprise Organization]({{site.baseurl}}/article/about-bitwarden-plans/#enterprise-organizations). If you're new to Bitwarden, we'd love to help you through the process of setting up an account and starting your 7 Day Free Trial Enterprise Organization with our dedicated signup page:
 
-### Client Application Requirements
-Your Bitwarden client applications require the following versions:
-
-- **Desktop Application**: v1.2+
-- **Browser Extension**: v1.46+
-- **Mobile App** (Android or iOS): v2.6+
-- **CLI**: v1.12+ (Must run on systems with an available web browser)
-
-### Self-Hosting Requirements
-If you are self-hosting Bitwarden, your installation must be on v1.37+.
-
-For information on updating your self-hosted instance, see [Updating your Self-Hosted Installation]({{site.baseurl}}/article/updating-on-premise/).
+<a role="button" class="btn btn-primary" href="https://vault.bitwarden.com/#/register?org=enterprise">Start your Enterprise Free Trial</a>
 
-## Workflow Diagram
-The following diagram is an overview of the workflow used by Bitwarden to authenticate using SSO:
+**Once you have an Enterprise Organization**, deployment should include the following steps:
 
-{%image /sso/sso-workflow.png Bitwarden SSO Workflow %}
+1. Follow one of our [SAML 2.0]({{site.baseurl}}/article/configure-sso-saml/) or [OIDC]({{site.baseurl}}/article/configure-sso-oidc/) Implementation Guides to configure and deploy Login with SSO with Master Password decryption.
+2. Test [the end-user Login with SSO experience]({{site.baseurl}}/article/using-sso/) using Master Password decryption.
+3. (**If self-hosting**) Review our different [Member Decryption Options]({{site.baseurl}}/article/sso-decryption-options/) to determine whether using [Key Connector]({{site.baseurl}}/article/about-key-connector/) might be right for your Organization.
+4. (**If self-hosting**) If you're interested in implementing Key Connector, [Contact Us](https://bitwarden.com/contact/) and we'll help you get started [deploying Key Connector]({{site.baseurl}}/article/deploy-key-connector/).
+5. Educate your Organization members on how to [use Login with SSO]({{site.baseurl}}/article/using-sso/).

_articles/login-with-sso/configure-sso-oidc.md

@@ -30,9 +30,13 @@ Once you have your Organization Identifier, you can proceed to enabling and conf
 1. From the Organization Vault, navigate to the **Manage** tab and select **Single Sign-On** from the left-hand menu:
 
    {% image sso/manage-sso.png Enable SSO %}
-2. On the Single Sign-On Screen, check the **Enabled** checkbox.
+2. On the Single Sign-On Screen, check the **Allow SSO Authentication** checkbox.
 4. From the **Type** dropdown menu, select the **OpenID Connect** option. If you intend to use SAML instead, switch over the the [SAML Configuration Guide]({{site.baseurl}}/article/configure-sso-saml/).
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working. 
+{% endcallout %}
+
 ## Step 3: Configuration
 
 From this point on, **implementation will vary provider-to-provider**. Jump to one of our specific **Implementation Guides** for help completing the configuration process:

_articles/login-with-sso/configure-sso-saml.md

@@ -30,9 +30,13 @@ Once you have your Organization Identifier, you can proceed to enabling and conf
 1. From the Organization Vault, navigate to the **Manage** tab and select **Single Sign-On** from the left-hand menu:
 
    {% image sso/manage-sso.png Enable SSO %}
-2. On the Single Sign-On Screen, check the **Enabled** checkbox.
+2. On the Single Sign-On Screen, check the **Allow SSO Authentication** checkbox.
 4. From the **Type** dropdown menu, select the **SAML 2.0** option. If you intend to use OIDC instead, switch over to the [OIDC Configuration Guide]({{site.baseurl}}/article/configure-sso-oidc/).
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Step 3: Configuration
 
 From this point on, **implementation will vary provider-to-provider**. Jump to one of our specific **Implementation Guides** for help completing the configuration process:

_articles/login-with-sso/deploy-key-connector.md

@@ -0,0 +1,331 @@
+---
+layout: article
+title: Deploy Key Connector
+categories: [login-with-sso]
+featured: false
+popular: false
+tags: [key connector, customer-managed encryption, login with sso]
+order: "06"
+description: "This article guides you through the process of installing and deploying the Key Connector Bitwarden service to your self-hosted Bitwarden server."
+---
+
+This article will walk you through the procedure for enabling and configuring Key Connector in an existing self-hosted environment. **Before proceeding**, please thoroughly review the [About Key Connector]({{site.baseurl}}/article/about-key-connector/) article to ensure a full understanding of what Key Connector is, how it works, and the impacts of implementation.
+
+## Requirements
+
+{% callout warning %}
+Management of cryptographic keys is incredibly sensitive and is **only recommended for enterprises with a team and infrastructure** that can securely support deploying and managing a key server.
+{% endcallout %}
+
+In order to use Key Connector you must:
+
+- [Have an Enterprise Organization]({{site.baseurl}}/article/about-bitwarden-plans/#enterprise-organizations)
+- [Have a self-hosted Bitwarden server]({{site.baseurl}}/hosting/)
+- [Have an active SSO implementation]({{site.baseurl}}/article/about-sso/)
+- [Activate the Single Organization and Single Sign-On policies]({{site.baseurl}}/article/policies/)
+
+<br>
+If your Organization meets or can meet these requirements, including a team and infrastructure that can support management of a key server, [Contact Us](https://bitwarden.com/contact) and we'll activate Key Connector.
+
+## Setup & Deploy Key Connector
+
+**Once you've contacted us regarding Key Connector**, we'll reach out to kick off a Key Connector discussion. The steps that follow in this article must be completed in collaboration with Bitwarden Customer Success & Implementation specialists.
+
+### Obtain New License File
+
+Once you've contacted us regarding Key Connector, a member of the Customer Success & Implementation team will generate a Key Connector-enabled license file for your Organization. When your Bitwarden collaborator instructs you it is ready, complete the following steps to obtain the new license:
+
+1. Open your Bitwarden Cloud Web Vault and navigate to your Organization's **Settings** &rarr; **Subscription** screen.
+2. Select the **Download License** button.
+3. When prompted, enter the Installation ID that was used to install your self-hosted server and select **Submit**. If you don't know your Installation ID off-hand, you can retrieve it from `./bwdata/env/global.override.env`.
+
+You won't need your license file immediately, but you will be required to upload it to your self-hosted server [in a later step](#activate-key-connector).
+
+### Initialize Key Connector
+
+To prepare your Bitwarden server for Key Connector:
+
+1. Save a [backup]({{site.baseurl}}/article/backup-on-premise/) of, at a minimum, `.bwdata/mssql`. Once Key Connector is in use, it's recommended that you have access to a pre-Key Connector backup image in case of an issue.
+
+   {% callout info %}If you're using an [external MSSQL database]({{site.baseurl}}/article/external-db/), take a backup of your database in whatever way fits your implementation.{% endcallout %}
+2. Update your self-hosted Bitwarden installation in order to retrieve the latest changes:
+
+   ```
+   ./bitwarden.sh update
+   ```
+3. Edit the `.bwdata/config.yml` file and enable Key Connector by toggling `enable_key_connector` to `true`.
+
+   ```
+   nano bwdata/config.yml
+   ```
+4. Update your self-hosted Bitwarden installation again in order to apply the change made in **Step 3**:
+
+   ```
+   ./bitwarden.sh update
+   ```
+
+### Configure Key Connector
+
+To configure Key Connector:
+
+1. Edit the `.bwdata/env/key-connector.override.env` file that will have been downloaded with the `./bitwarden.sh update`.
+
+   ```
+   nano bwdata/env/key-connector.override.env
+   ```
+
+   {% callout warning %}This file will be pre-populated with default values that will spin up a functional local Key Connector setup, however the **default values are not recommended for production environments**.{% endcallout %}
+2. In `key-connector.override.env`, you will need to specify values for the following:
+
+   - [Endpoints](#endpoints): What Bitwarden endpoints Key Connector can communicate with.
+   - [Database](#database): Where Key Connector will store and retrieve user keys.
+   - [RSA Key Pair](#rsa-key): How Key Connector will access an RSA key pair to protect user keys at rest.
+
+#### Endpoints
+
+Automated setup will populate endpoint values based on your installation configuration, however it's recommended that you confirm the following values in `key-connector.override.env` are accurate for your setup:
+
+```
+keyConnectorSettings__webVaultUri=https://your.bitwarden.domain.com
+keyConnectorSettings__identityServerUri=https://your.bitwarden.domain.com/identity/
+```
+
+#### Database
+
+Key Connector must access a database which stores encrypted user keys keys for your Organization members. Create a secure database to store encrypted users keys and replace the default `keyConnectorSettings__database__` values in `key-connector.override.env` with the values designated in the **Required Values** column for the chosen database:
+
+{% callout warning %}
+Migration from one database to another is **not supported** at this time. Regardless of which provider you choose, **implement a frequent automated backup schedule** for the database.
+{% endcallout %}
+
+|Database|Required Values|
+|--------|---------------|
+|Local JSON (**default**)|**Not recommended outside of testing.**<br><br>`keyConnectorSettings__database__provider=json`<br>`keyConnectorSettings__database__jsonFilePath={File_Path}`|
+|Microsoft SQL Server|`keyConnectorSettings__database__provider=sqlserver`<br> `keyConnectorSettings__database__sqlServerConnectionString={Connection_String}`<br><br>[Learn how to format MSSQL Connection Strings](https://docs.microsoft.com/en-us/sql/connect/ado-net/connection-string-syntax?view=sql-server-ver15){:target="\_blank"}|
+|PostgreSQL|`keyConnectorSettings__database__provider=postgresql`<br>`keyConnectorSettings__database__postgreSqlConnectionString={Connection_String}`<br><br>[Learn how to format PostgreSQL Connection Strings](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING){:target="\_blank"}|
+|MySQL/MariaDB|`keyConnectorSettings__database__provider=mysql`<br>`keyConnectorSettings__database__mySqlConnectionString={Connection_String}`<br><br>[Learn how to format MySQL Connection Strings](https://dev.mysql.com/doc/connector-net/en/connector-net-connections-string.html){:target="\_blank"}|
+|SQLite|`keyConnectorSettings__database__provider=sqlite`<br>`keyConnectorSettings__database__sqliteConnectionString={Connection_String}`<br><br>[Learn how to format SQLite Connection Strings](https://docs.microsoft.com/en-us/dotnet/standard/data/sqlite/connection-strings){:target="\_blank"}|
+|MongoDB|`keyConnectorSettings__database__provider=mongo`<br>`keyConnectorSettings__database__mongoConnectionString={Connection_String}`<br>`keyConnectorSettings__database__mongoDatabaseName={DatabaseName}`<br><br>[Learn how to format MongoDB Connection Strings](https://docs.mongodb.com/manual/reference/connection-string/){:target="\_blank"}|
+
+#### RSA Key Pair
+
+Key Connector uses an RSA key pair to protect user keys at rest. Create a key pair and replace the default `keyConnectorSettings__rsaKey__` and `keyConnectorSettings__certificate__` values in `key-connector.override.env` with the values required for your chosen implementation.
+
+{% callout success %}
+The RSA key pair must be **at a minimum** 2048 bits in length.
+{% endcallout %}
+
+Generally, your options include granting Key Connector access to an X509 **Certificate** that contains the key pair or granting Key Connector access directly to the **Key Pair**:
+
+<ul class="nav nav-tabs" id="myTab" role="tablist">
+  <li class="nav-item" id="tab" role="presentation">
+    <a class="nav-link active" id="certtab" data-bs-toggle="tab" data-target="#cert" role="tab" aria-controls="cert" aria-selected="true">Certificate</a>
+  </li>
+  <li class="nav-item" id="tab" role="presentation">
+    <a class="nav-link" id="azuretab" data-bs-toggle="tab" data-target="#azure" role="tab" aria-controls="azure" aria-selected="false">Key Pair</a>
+  </li>
+</ul>
+
+<div class="tab-content" id="clientsContent">
+  <div class="tab-pane show active" id="cert" role="tabpanel" aria-labelledby="certtab">
+{% capture cert_content %}
+### Certificate
+
+To use an X509 certificate that contains an RSA key pair, specify the values required depending on the location where your certificate is stored (see **Filesystem**, **OS Certificate Store**, etc.):
+
+{% callout success %}
+The certificate **must** be made available as a PKCS12 `.pfx` file, for example:
+
+```
+openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key -out bwkc.crt -subj "/CN=Bitwarden Key Connector" -days 36500
+
+openssl pkcs12 -export -out ./bwkc.pfx -inkey bwkc.key -in bwkc.crt -passout pass:{Password}
+```
+
+In all certificate implementations, you'll need the `CN` value shown in this example.
+{% endcallout %}
+
+#### Filesystem (default)
+
+If the certificate is stored on the filesystem of the machine running Key Connector, specify the following values:
+
+{% callout info %}
+By default, Key Connector will be configured to create a `.pfx` file located at `etc/bitwarden/key-connector/bwkc.pfx` with a generated password. **It is not recommended** for enterprise implementations to use these defaults.
+{% endcallout %}
+
+```
+keyConnectorSettings__rsaKey__provider=certificate
+keyConnectorSettings__certificate__provider=filesystem
+keyConnectorSettings__certificate__filesystemPath={Certificate_Path}
+keyConnectorSettings__certificate__filesystemPassword={Certificate_Password}
+```
+
+#### OS Certificate Store
+
+If the certificate is stored on the Operating System Certificate Store of the machine running Key Connector, specify the following values:
+
+```
+keyConnectorSettings__rsaKey__provider=certificate
+keyConnectorSettings__certificate__provider=store
+keyConnectorSettings__certificate__storeThumbprint={Certificate_Thumbprint}
+```
+
+#### Azure Blob Storage
+
+If the certificate is uploaded to Azure Blob Storage, specify the following values:
+
+```
+keyConnectorSettings__rsaKey__provider=certificate
+keyConnectorSettings__certificate__provider=azurestorage
+keyConnectorSettings__certificate__azureStorageConnectionString={Connection_String}
+keyConnectorSettings__certificate__azureStorageContainer={Container_Name}
+keyConnectorSettings__certificate__azureStorageFileName={File_Name}
+keyConnectorSettings__certificate__azureStorageFilePassword={File_Password}
+```
+
+[Learn how to format Azure Blob Storage Connection Strings](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/api/connection-strings/storage#azure-blob-storage){:target="\_blank"}
+
+#### Azure Key Vault
+
+If certificate is stored in Azure Key Vault, specify the following values:
+
+{% callout info %}
+To use Azure Key Vault to store your `.pfx` certificate, you'll need to create an Active Directory **App Registration**. This App Registration must:
+- Give delegated API permissions to access Azure Key Vault
+- Have a client secret generated to allow access by Key Connector
+{% endcallout %}
+
+```
+keyConnectorSettings__certificate__provider=azurekv
+keyConnectorSettings__certificate__azureKeyvaultUri={Vault_URI}
+keyConnectorSettings__certificate__azureKeyvaultCertificateName={Certificate_Name}
+keyConnectorSettings__certificate__azureKeyvaultAdTenantId={ActiveDirectory_TenantId}
+keyConnectorSettings__certificate__azureKeyvaultAdAppId={AppRegistration_ApplicationId}
+keyConnectorSettings__certificate__azureKeyvaultAdSecret={AppRegistration_ClientSecretValue}
+```
+
+#### Hashicorp Vault
+
+If the certificate is stored in Hashicorp Vault, specify the following values:
+
+```
+keyConnectorSettings__rsaKey__provider=certificate
+keyConnectorSettings__certificate__provider=vault
+keyConnectorSettings__certificate__vaultServerUri={Server_URI}
+keyConnectorSettings__certificate__vaultToken={Token}
+keyConnectorSettings__certificate__vaultSecretMountPoint={Secret_MountPoint}
+keyConnectorSettings__certificate__vaultSecretPath={Secret_Path}
+keyConnectorSettings__certificate__vaultSecretDataKey={Secret_DataKey}
+keyConnectorSettings__certificate__vaultSecretFilePassword={Secret_FilePassword}
+```
+
+{% endcapture %}
+{{ cert_content | markdownify }}
+  </div>
+  <div class="tab-pane" id="azure" role="tabpanel" aria-labelledby="azuretab">
+{% capture key_content %}
+### Key Pair
+
+To use a Cloud Provider or physical device to store to a RSA 2048 key pair, specify the values required depending on your chosen implementation (see **Azure Key Vault**, **Google Cloud Key Management**, etc.):
+
+#### Azure Key Vault
+
+If you're using Azure Key Vault to store a RSA 2048 key pair, specify the following values:
+
+{% callout info %}
+To use Azure Key Vault to store your RSA 2048 key, you'll need to create an Active Directory **App Registration**. This App Registration must:
+- Give delegated API permissions to access Azure Key Vault
+- Have a client secret generated to allow access by Key Connector
+{% endcallout %}
+
+```
+keyConnectorSettings__rsaKey__provider=azurekv
+keyConnectorSettings__rsaKey__azureKeyvaultUri={Vault_URI}
+keyConnectorSettings__rsaKey__azureKeyvaultKeyName={Key_Name}
+keyConnectorSettings__rsaKey__azureKeyvaultAdTenantId={ActiveDirectory_TenantId}
+keyConnectorSettings__rsaKey__azureKeyvaultAdAppId={AppRegistration_ApplicationId}
+keyConnectorSettings__rsaKey__azureKeyvaultAdSecret={AppRegistration_ClientSecretValue}
+```
+
+[Learn how to use Azure Key Vault to create a key pair](https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal){:target="\_blank"}
+
+#### Google Cloud Key Management
+
+If you're using Google Cloud Key Management to store a RSA 2048 key pair, specify the following values:
+
+```
+keyConnectorSettings__rsaKey__provider=gcpkms
+keyConnectorSettings__rsaKey__googleCloudProjectId={Project_Id}
+keyConnectorSettings__rsaKey__googleCloudLocationId={Location_Id}
+keyConnectorSettings__rsaKey__googleCloudKeyringId={Keyring_Id}
+keyConnectorSettings__rsaKey__googleCloudKeyId={Key_Id}
+keyConnectorSettings__rsaKey__googleCloudKeyVersionId={KeyVersionId}
+```
+
+[Learn how to use Google Cloud Key Management Service to create key rings and asymmetric keys](https://cloud.google.com/kms/docs/creating-asymmetric-keys){:target="\_blank"}
+
+#### AWS Key Management Service
+
+If you're using AWS Key Management Service (KMS) to store a RSA 2048 key pair, specify the following values:
+
+```
+keyConnectorSettings__rsaKey__provider=awskms
+keyConnectorSettings__rsaKey__awsAccessKeyId={AccessKey_Id}
+keyConnectorSettings__rsaKey__awsAccessKeySecret={AccessKey_Secret}
+keyConnectorSettings__rsaKey__awsRegion={Region_Name}
+keyConnectorSettings__rsaKey__awsKeyId={Key_Id}
+```
+
+[Learn how to use AWS KMS to create asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/asymm-create-key.html){:target="\_blank"}
+
+#### PKCS11 Physical HSM
+
+If you're using a physical HSM device with the PKCS11 provider, specify the following values:
+
+```
+keyConnectorSettings__rsaKey__provider=pkcs11
+keyConnectorSettings__rsaKey__pkcs11Provider={Provider}
+keyConnectorSettings__rsaKey__pkcs11SlotTokenSerialNumber={Token_SerialNumber}
+keyConnectorSettings__rsaKey__pkcs11LoginUserType={Login_UserType}
+keyConnectorSettings__rsaKey__pkcs11LoginPin={Login_PIN}
+
+ONE OF THE FOLLOWING TWO:
+keyConnectorSettings__rsaKey__pkcs11PrivateKeyLabel={PrivateKeyLabel}
+keyConnectorSettings__rsaKey__pkcs11PrivateKeyId={PrivateKeyId}
+```
+
+Where:
+- `{Provider}` can be `yubihsm` or `opensc`
+- `{Login_UserType}` can be `user`, `so`, or `context_specific`
+
+{% callout info %}
+If you're using the PKCS11 provider to store your private key on an HSM device, the associated public key must be made available and configured as a certificate using any of the options found in the **Certificates** tab.
+{% endcallout %}
+
+{% endcapture %}
+{{ key_content | markdownify }}
+  </div>
+</div>
+
+### Activate Key Connector
+
+Now that Key Connector is [fully configured](#configure-key-connector) and you have a [Key Connector-enabled license](#obtain-a-new-license), complete the following steps:
+
+1. Restart your self-hosted Bitwarden installation in order to apply the configuration changes:
+
+   ```
+   ./bitwarden.sh restart
+   ```
+2. Log in to your self-hosted Bitwarden as an **Organization Owner** and navigate to the Organization **Settings** &rarr; **Subscription** screen.
+3. Select the **Update License** button and upload the Key Connector-enabled license [retrieved in an earlier step](#obtain-new-license-file):
+
+   {% image hosting/update-license.png Update your License %}
+3. Navigate to the Organization **Manage** screen.
+4. If you haven't already, navigate to the **Policies** screen and enable the [Single Organization]({{site.baseurl}}/article/policies/#single-organization) and [Single Sign-On Authentication]({{site.baseurl}}/article/policies/#single-sign-on-authentication) policies. **Both are required to use Key Connector**.
+5. Navigate to the **Single Sign-On** screen:
+
+   {% callout success %}The next few steps assume that you already have an active [Login with SSO]({{site.baseurl}}/article/about-sso/) implementation using [SAML 2.0]({{site.baseurl}}/article/configure-sso-saml/) or [OIDC]({{site.baseurl}}/article/configure-sso-oidc/). **If you don't**, please implement and test Login with SSO before proceeding.{% endcallout %}
+   {% image sso/keyconnector/enable-keyconnector.png %}
+6. In the **Member Decryption Options** section, select **Key Connector**.
+7. In the **Key Connector URL** input, enter the address Key Connector is running at (by default, `http://localhost:5000`) and select the **Test** button to ensure you can reach Key Connector.
+8. Scroll to the bottom of the screen and select **Save**.

_articles/login-with-sso/oidc-azure.md

@@ -24,6 +24,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create an App Registration
 
 In the Azure Portal, navigate to **App registrations** and select the **New registration** button:

_articles/login-with-sso/oidc-okta.md

@@ -23,6 +23,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create an Okta App
 
 In the Okta Admin Portal, select **Applications** → **Applications** from the navigation. On the Applications screen, select the **Create App Integration** button. For Sign-on method, select **OIDC - OpenID Connect**. For Application type, select **Web Application**:

_articles/login-with-sso/saml-adfs.md

@@ -29,6 +29,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create a Relying Party Trust
 
 In the AD FS Server Manager, select **Tools** → **AD FS Management** → **Action** → **Add Relying Party Trust**. In the Wizard, make the following selections:

_articles/login-with-sso/saml-auth0.md

@@ -29,6 +29,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create an Auth0 Application
 
 In the Auth0 Portal, use the Applications menu to create a **Regular Web Application**:

_articles/login-with-sso/saml-aws.md

@@ -30,6 +30,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create an AWS SSO Application
 
 In the AWS Console, navigate to **AWS SSO**, select **Applications** from the navigation, and select the **Add a new application** button:

_articles/login-with-sso/saml-azure.md

@@ -30,6 +30,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create an Enterprise Application
 
 In the Azure Portal, navigate to **Azure Active Directory** and select **Enterprise applications** from the navigation menu:

_articles/login-with-sso/saml-duo.md

@@ -33,6 +33,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Protect an Application
 
 In the Duo Admin Portal, navigate to the **Applications** screen and select the **Protect an Application** button:

_articles/login-with-sso/saml-google.md

@@ -30,6 +30,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create a SAML app
 
 In the Google Workspace Admin console, select **Apps** → **Web and mobile apps** from the navigation. On the Web and mobile apps screen, select **Add App** → **Add custom SAML app**:

_articles/login-with-sso/saml-jumpcloud.md

@@ -30,6 +30,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create a JumpCloud SAML App
 
 In the JumpCloud Portal, select **SSO** from the menu and select the {% icon fa-plus %} **Add** icon:

_articles/login-with-sso/saml-keycloak.md

@@ -29,6 +29,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create a Client
 
 In the Keycloak portal, create a new Client:

_articles/login-with-sso/saml-okta.md

@@ -30,6 +30,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create an Okta App
 
 In the Okta Admin Portal, select **Applications** → **Applications** from the navigation. On the Applications screen, select the **Add Application** button:

_articles/login-with-sso/saml-onelogin.md

@@ -29,6 +29,10 @@ Navigate to your Organization's **Manage** → **Single Sign-On** screen:
 
 You don't need to edit anything on this screen yet, but keep it open for easy reference.
 
+{% callout success %}
+If you're self-hosting Bitwarden, you can use alternative **Member Decryption Options**. This feature is disabled by default, so continue with **Master Password** decryption for now and learn how to get started using [Key Connector]({{site.baseurl}}/article/about-key-connector/) once your configuration is complete and successfully working.
+{% endcallout %}
+
 ## Create a OneLogin App
 
 In the OneLogin Portal, navigate to the the **Applications** screen and select the **Add App** button:

_articles/login-with-sso/sso-decryption-options.md

@@ -0,0 +1,24 @@
+---
+layout: article
+title: Member Decryption Options
+categories: [login-with-sso]
+featured: false
+popular: false
+tags: [key connector, customer-managed encryption, login with sso, master password decryption]
+order: "04"
+description: "This article covers the Vault decryption options available for Enterprise Organizations leveraging Login with SSO."
+---
+
+What makes Login with SSO unique is that it retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your Vault data and, similarly, **neither should your Identity Provider**. That's why Login with SSO **decouples authentication and decryption**. In all Login with SSO implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt Vault data.
+
+**Member Decryption Options** are used to determine what decryption key will be used to decrypt Vault data in scenarios where Login with SSO is handling authentication. Options include:
+
+- **Master Password**: Once authenticated, Organization members will decrypt Vault data using their [Master Passwords]({{site.baseurl}}/article/master-password/).
+- **Key Connector**: Connect Login with SSO to your self-hosted decryption key server. Using this option, Organization members won't need to use their Master Passwords to decrypt Vault data. Instead, [Key Connector]({{site.baseurl}}/article/about-key-connector/) will retrieve a decryption key securely stored in a database owned and managed by you.
+
+
+{% callout success %}
+Due to the sensitivity of storing decryption keys, the **Key Connector** option is **disabled by default** and currently **only available to Organizations self-hosting Bitwarden**.
+
+If you're interesting in using Key Connector, check out the [About Key Connector]({{site.baseurl}}/article/about-key-connector/) and [Deploy Key Connector]({{site.baseurl}}/article/deploy-key-connector/) articles and [Contact Us](https://bitwarden.com/contact/) to setup a time for us to help you get started.
+{% endcallout %}

_articles/login-with-sso/using-sso.md

@@ -5,7 +5,7 @@ categories: [login-with-sso]
 featured: false
 popular: false
 tags: [sso]
-order: "04"
+order: "07"
 redirect_from:
   - /article/link-to-sso/
   - /article/sso-access-your-vault/
@@ -24,27 +24,73 @@ Every Bitwarden Organization has a unique identifier specifically for Login with
 
 ## Login using SSO
 
-To login to Bitwarden using SSO:
+The steps required to login using SSO will be slightly different depending on whether your Organization is using [Key Connector]({{site.baseurl}}/article/about-key-connector/) or not:
 
-1. Open your Bitwarden Web Vault or App and select the **Enterprise Single Sign-On** button:
+<ul class="nav nav-tabs" id="myTab" role="tablist">
+  <li class="nav-item" id="tab" role="presentation">
+    <a class="nav-link active" id="mptab" data-bs-toggle="tab" data-target="#mp" role="tab" aria-controls="mp" aria-selected="true">Login with SSO & Master Password</a>
+  </li>
+  <li class="nav-item" id="tab" role="presentation">
+    <a class="nav-link" id="kctab" data-bs-toggle="tab" data-target="#kc" role="tab" aria-controls="kc" aria-selected="false">Login with SSO & Key Connector</a>
+  </li>
+</ul>
 
-   {% image sso/sso-button-lg.png Enterprise Single Sign-On button %}
+<div class="tab-content" id="clientsContent">
+  <div class="tab-pane show active" id="mp" role="tabpanel" aria-labelledby="mptab">
+{% capture mp_content %}
+### Login with SSO & Master Password
+
+To login using SSO and your Master Password:
+
+1. Open your Bitwarden Web Vault and select the **Enterprise Single Sign-On** button:
 
+   {% image sso/sso-button-lg.png Enterprise Single Sign-On button %}
 2. Enter your **Organization Identifier** and select **Log In**:
 
    {% image sso/org-id-input.png Organization Identifier field %}
 
-   {% callout success %}We recommend bookmarking this page with your Organization Identifier included as a query string so that you don't have to enter it each time, for example `https://vault.bitwarden.com/#/sso?identifier=YOUR-ORG-ID` or `https://your.domain.com/#/sso?identifier=YOUR-ORG-ID`.{% endcallout %}
-3. Now that you've authenticated your identity using Login with SSO, you'll be prompted to either **create** a [Master Password]({{site.baseurl}}/article/master-password/) for your new account or if you already have a Bitwarden account, to enter your [Master Password]({{site.baseurl}}/article/master-password/) on the Login screen to **decrypt** your Vault.
+   {% callout success %}We recommend bookmarking this page with your Organization Identifier included as a query string so that you don't have to enter it each time, for example `https://vault.bitwarden.com/#/sso?identifier=YOUR-ORG-ID` or `https://your.domain.com/#/sso?identifier=YOUR-ORG-ID`. {% endcallout %}
+3. Now that you've authenticated your identity using SSO, you'll be prompted to either **create** a [Master Password]({{site.baseurl}}/article/master-password/) for your new account or, if you already have a Bitwarden account, to enter your Master Password to decrypt your Vault.
 
-{% callout success %}
+{% callout info %}
 **Why is my Master Password still required?**
 
-All Vault data, including credentials [shared by your Organization]({{site.baseurl}}/article/sharing/), is kept by Bitwarden **only** in its encrypted form. This means that in order to use any of those credentials, **you** need a way to decrypt that data (we can't).
+All Vault data, including credentials [shared by your Organization]({{site.baseurl}}/article/sharing/), is kept by Bitwarden **only** in its encrypted form. This means that in order to use any of those credentials, **you** need a way to decrypt that data. We can't.
 
-Your Master Password is the source of that decryption key. Even though you're authenticating (proving your identity) to Bitwarden using SSO, you still must use that decryption key (your Master Password) to see any meaningful data.
+Your Master Password is the source of that decryption key. Even though you're authenticating (proving your identity) to Bitwarden using SSO, you still need to use a decryption key (your Master Password) to unscramble Vault data.
 {% endcallout %}
 
+{% endcapture %}
+{{ mp_content | markdownify }}
+  </div>
+  <div class="tab-pane" id="kc" role="tabpanel" aria-labelledby="kctab">
+{% capture kc_content %}
+### Login with SSO & Key Connector
+
+To login using SSO and Key Connector:
+
+1. Open your Bitwarden Web Vault and select the **Enterprise Single Sign-On** button:
+
+   {% image sso/sso-button-lg.png Enterprise Single Sign-On button %}
+2. Enter your **Organization Identifier** and select **Log In**:
+
+   {% image sso/org-id-input.png Organization Identifier field %}
+
+   {% callout success %}We recommend bookmarking this page with your Organization Identifier includes as a query string so that you don't have to enter it each time, for example `https://vault.bitwarden.com/#/sso?identifier=YOUR-ORG-ID` or `https://your.domain.com/#/sso?identifier=YOUR-ORG-ID`.{% endcallout %}
+3. Depending on your account status, you might be required to enter or create a Master Password the first time you login with SSO and Key Connector. If you do, the following dialog should prompt you to remove your Master Password:
+
+   {% image sso/keyconnector/remove-mpw.png Remove Master Password %}
+
+   {% callout success %}We encourage you to read [this]({{site.baseurl}}/article/about-key-connector/#impact-on-master-passwords) and [this]({{site.baseurl}}/article/about-key-connector/#impact-on-organization-membership) to fully understand what it means to remove a Master Password from your account. You can instead elect to **Leave the Organization** instead, however this will remove access to both Organization-owned Vault items and Collections and to Single Sign-On.{% endcallout %}
+
+Once you're removed your Master Password, or if this isn't your first time logging in using SSO and Key Connector, you'll be logged in to your Vault with no further steps required!
+
+{% endcapture %}
+{{ kc_content | markdownify }}
+  </div>
+</div>
+
+
 ## Link your Account
 
 You should only need to link your account to SSO if you already have a Bitwarden account that's a member of the Organization or if your Organization does not require you to use SSO:

_articles/miscellaneous/cli.md

@@ -562,7 +562,7 @@ bw confirm org-member 7063feab-4b10-472e-b64c-785e2b870b92 --organizationid 310d
 The `config` command specifies settings for the Bitwarden CLI to use:
 
 ```
-bw config <setting> [value]
+bw config server <setting> [value]
 ```
 
 A primary use of `bw config` is to [connect your CLI to a self-hosted]({{site.baseurl}}/article/change-client-environment/#cli) Bitwarden server:
@@ -578,14 +578,21 @@ You can read the currently connected server by passing `bw config server` withou
 Users with unique setups may elect to specify the URL of each service independently using:
 
 ```
-bw config --web-vault <url>
-bw config --api <url>
-bw config --identity <url>
-bw config --icons <url>
-bw config --notifications <url>
-bw config --events <url>
+bw config server --web-vault <url>
+bw config server --api <url>
+bw config server --identity <url>
+bw config server --icons <url>
+bw config server --notifications <url>
+bw config server --events <url>
+bw config server --key-connector <url>
 ```
 
+{% callout info %}
+The `bw config server --key-connector <url>` command is required if your Organization uses [Key Connector]({{site.baseurl}}/article/about-key-connector) and you're using the `--apikey` option to login after having [removed your Master Password]({{site.baseurl}}/article/using-sso/#login-using-sso).
+
+Contact an Organization Owner to get the required URL.
+{% endcallout %}
+
 ### sync
 
 The `sync` command downloads your encrypted vault from the Bitwarden server. This command is most useful when you've changed something in your Bitwarden Vault on another client application (e.g. Web Vault, Browser Extension, Mobile App) since [logging in](#log-in) on the CLI.

_articles/organizations/event-logs.md

@@ -37,6 +37,7 @@ All Event types are listed below, with their corresponding type codes:
 - Login attempt failed with incorrect two-step login. (`1006`)
 - User Exported their personal Vault items. (`1007`)
 - User updated a password issued through [Admin Password Reset]({{site.baseurl}}/article/admin-reset/). (`1008`)
+- User migrated their decryption key with [Key Connector]({{site.baseurl}}/article/about-key-connector/). (`1009`)
 
 ### Item Events
 - Created item *item-identifier*. (`1100`)
@@ -79,9 +80,14 @@ All Event types are listed below, with their corresponding type codes:
 - *user-identifier* withdrew from Master Password Reset. (`1507`)
 - Master Password was reset for *user-identifier*. (`1508`)
 - Reset SSO link for user *user-identifier*. (`1509`)
+- *user-identifer* logged in using SSO for the first time. (`1510`)
 - Edited organization settings. (`1600`)
 - Purged organization vault. (`1601`)
 - Organization Vault access by a managing [Provider]({{site.baseurl}}/article/providers/). (`1603`)
+- Organization enabled SSO. (`1604`)
+- Organization disabled SSO. (`1605`)
+- Organization enabled Key Connector. (`1606`)
+- Organization disabled Key Connector. (`1607`)
 - Updated a Policy. (`1700`)
 
 {% comment %}

_articles/organizations/onboarding-and-succession.md

@@ -174,15 +174,19 @@ Directory Connector will:
 
 Bitwarden Enterprise Organizations can integrate with your existing Identity Provider (IdP) using SAML 2.0 or OIDC to allow members of your Organization to login to Bitwarden using SSO. Login with SSO separates user authentication from Vault decryption:
 
-**Authentication** is completed to your chosen IdP and retains any two-factor authentication processes connected to that IdP. **Decryption** of Vault data requires the user's individual key, through the Master Password. Using Login with SSO, new Bitwarden users can authenticate into their Bitwarden Vault using their regular SSO credentials and perform decryption of this Vault with their newly created master password. Users that removed from your IdP will no longer be able to authenticate with that path.
+**Authentication** is completed throught your chosen IdP and retains any two-factor authentication processes connected to that IdP. **Decryption** of Vault data requires the user's individual key, which is derived in part from the Master Password. There are two [decryption options]({{site.baseurl}}/article/sso-decryption-options/), both of which will have users authenticate using their regular SSO credentials.
 
+- **Master Password**: Once authenticated, Organization members will decrypt Vault data using their [Master Passwords]({{site.baseurl}}/article/master-password/).
+- **Customer Managed Encryption**: Connect Login with SSO to your self-hosted decryption key server. Using this option, Organization members won't need to use their Master Passwords to decrypt Vault data. Instead, [Key Connector]({{site.baseurl}}/article/about-key-connector/) will retrieve a decryption key securely stored in a database owned and managed by you.
+
+<br>
 This approach ensures that you can:
 
 - Leverage your existing Identity Provider
 - Protect the end-to-end encryption of your data
 - Provision users automatically
 - Configure access with or without SSO
-- Decrypt Vault data wile offline
+- Decrypt Vault data according to your company's security needs
 
 ### Enterprise Policies
 

_articles/plans-and-pricing/about-bitwarden-plans.md

@@ -110,22 +110,10 @@ In the following table, "premium features" (included for **Teams Organizations**
 |[API access]({% link _articles/organizations/public-api.md %})|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |[Directory Connector]({% link _articles/directory-connector/directory-sync.md %})|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |[Login with SSO]({% link _articles/login-with-sso/about-sso.md %})|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
+|[Key Connector]({{site.baseurl}}/article/about-key-connector/)|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
 |[Enterprise Policies]({% link _articles/organizations/policies.md %})|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
 |[Admin Password Reset]({{site.baseurl}}/article/admin-reset/)|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
+|[Self-host Option]({{site.baseurl}}/article/install-on-premise/)|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
 |[Custom Management Role]({{site.baseurl}}/article/user-types-access-control/)|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
-|[Self-host option]({{site.baseurl}}/article/install-on-premise/)|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
+|[Families Sponsorship for Members]({{site.baseurl}}/article/families-for-enterprise/)|-|-|<i class="fa fa-check" aria-hidden="true"></i>|
 |Cost to you|Free|$3 Per User Per Month, billed annually<br>or<br>$4 Per User Per Month, billed monthly|$5 Per User Per Month, billed annually<br>or<br>$6 Per User Per Month, billed monthly|
-
-### Next Steps
-
-For help choosing the right plan, see:
-- [What Plan is Right for Me?]({{site.baseurl}}/article/what-plan-is-right-for-me/)
-
-For help moving from an individual plan to an Organization, see:
-- [Upgrade From Individual to Organization]({{site.baseurl}}/article/upgrade-from-individual-to-org/)
-
-For help starting a free trial of Bitwarden Enterprise, see:
-- [Start a Free Trial of Bitwarden Enterprise]({{site.baseurl}}/article/enterprise-free-trial/)
-
-Still can't find what you're looking for?
-- Try our [Billing FAQs]({{site.baseurl}}/article/billing-faqs/)

_articles/plans-and-pricing/enterprise-feature-list.md

@@ -23,6 +23,7 @@ This document describes and references the features available to Bitwarden Enter
 |Desktop Applications|Available for Windows, Mac, and Linux. [Learn more]({{site.baseurl}}/article/directory-sync-desktop/).|
 |CLI|Fully featured and self-documented command-line tool. [Learn more]({{site.baseurl}}/article/cli/).
 |Streamlined UI Design|Simple and uniform interfaces across apps for complete ease-of-use.|
+|Complimentary Families Plan for Employees|All Enterprise Organization members can redeem a complimentary Bitwarden families plan for a new or existing personal Bitwarden account. [Learn more]({{site.baseurl}}/article/families-for-enterprise/).|
 
 #### Administrative Features and Capabilities
 
@@ -50,7 +51,7 @@ This document describes and references the features available to Bitwarden Enter
 |2FA for Individuals|A robust set of 2FA options for any Bitwarden user. [Learn more]({{site.baseurl}}/article/setup-two-step-login/).|
 |2FA at Organization-level|Enable 2FA via Duo for your entire Organization. [Learn more]({{site.baseurl}}/article/setup-two-step-login-duo/).|
 |Biometric Authentication|Available for:<br>-Android (fingerprint unlock or face unlock) and iOS (Touch ID and Face ID)<br>-Windows Desktop Apps (Windows Hello using PIN, Facial Recognition, and more) and macOS Desktop Apps (Touch ID)<br>-Chromium, Firefox 87+, and Safari Browser Extensions<br><br>[Learn more]({{site.baseurl}}/article/biometrics/).|
-|Login with SSO|Leverage your existing Identity Provider to authenticate your Bitwarden Organization users via SAML 2.0 or OpenID Connect (OIDC). [Learn more]({{site.baseurl}}/article/about-sso/).|
+|Login with SSO|Leverage your existing Identity Provider to authenticate your Bitwarden Organization users via SAML 2.0 or OpenID Connect (OIDC). [Learn more]({{site.baseurl}}/article/about-sso/).<br><br>Using Login with SSO, you can use one of two decryption options to determine how users decrypt Vault data once authenticated. [Learn more]({{site.baseurl}}/article/sso-decryption-options).|
 
 #### Security
 

_articles/plans-and-pricing/enterprise-free-trial.md

@@ -32,6 +32,7 @@ If you already have a Bitwarden account, complete the following steps to start y
    {% endcallout %}
 
 4. If you're trialing the Enterprise Plan on behalf of a business:
+
    - Check the **This account is owned by a business** checkbox.
    - Provide your **Business Name**.
 5. Select the **Enterprise** plan option. Doing so will trigger additional enterprise-oriented fields to be displayed.

_articles/plans-and-pricing/families-for-enterprise.md

@@ -0,0 +1,72 @@
+---
+layout: article
+title: Redeem Families Sponsorship
+categories: [plans-and-pricing]
+featured: false
+popular: false
+tags: [families organizations, enterprise organizations, sponsorship]
+order: "05"
+description: "This article explains how Enterprise Organization users can redeem a free Families Organization for use in their personal lives."
+---
+
+Members of [Enterprise Organizations]({{site.baseurl}}/article/about-organizations/#types-of-organizations) are offered a **free Families Organization** sponsorship that can be applied to a new or pre-existing Families Organization and redeemed directly from the Web Vault.
+
+Using a **Families Organization**, you can securely share Vault data between yourself and up to 5 friends or family members. Families Organizations include premium Bitwarden features for all 6 users, including [advanced Two-step Login methods]({{site.baseurl}}/article/setup-two-step-login), [encrypted file attachments]({{site.baseurl}}/article/attachments), [Emergency Access]({{site.baseurl}}/article/emergency-access/), and [more]({{site.baseurl}}/article/about-bitwarden-plans/#compare-the-plans).
+
+## Redeem your Sponsorship
+
+To redeem your sponsorship:
+
+1. Log in to the Bitwarden account attached to the sponsoring Organization.
+2. Navigate to **Settings** → **Free Bitwarden Families**:
+
+   {% image plans-and-pricing/f4e/f4e-1-alt.png Redeem your Free Bitwarden Families Sponsorship %}
+3. On this screen, provide a **personal email** you want to redeem the sponsorship with and select **Redeem**:
+
+   {% callout success%}If you already have a separate personal Bitwarden account, use the email address attached to that account. If you don't already have a separate personal Bitwarden account, you'll need to create one with the personal email you enter here.<br><br>**Do not** use the email address or Bitwarden account attached to the sponsoring Organization.{% endcallout %}
+4. In your inbox, you'll get an email from Bitwarden inviting you to accept the sponsorship:
+
+   {% image plans-and-pricing/f4e/f4e-2.png Families Sponsorship Email %}
+
+   Select **Accept Sponsorship** to continue.
+5. If there is a Bitwarden account associated with the provided **personal email**, log in. If there is not an account associated with the personal email, you'll be directed to the Create Account screen.
+6. Once you've logged in, you'll be directed to a screen where you can finish redeeming your sponsorship for a **New Families Organization** or an **Existing Families Organization**:
+
+   <ul class="nav nav-tabs" id="myTab" role="tablist">
+     <li class="nav-item" role="presentation">
+       <a class="nav-link active" id="mobtab" data-target="#mobile" role="tab" aria-controls="mobile" aria-selected="false">New Families Organization</a>
+     </li>
+     <li class="nav-item" role="presentation">
+       <a class="nav-link" id="desktab" data-target="#desktop" role="tab" aria-controls="desktop" aria-selected="false">Existing Families Organization</a>
+     </li>
+   </ul>
+   <div class="tab-content" id="clientsContent">
+     <div class="tab-pane show active" id="mobile" role="tabpanel" aria-labelledby="mobtab">
+      <br>
+      <p>Select <b>New Families Organization</b> from the dropdown:</p>
+      <img src="../../images/plans-and-pricing/f4e/f4e-4.png" style="border-style: solid; border-width: 2.5px; border-color: #DEE2E6; width: 100%;">
+      <br>
+      <br>
+      <p>Fill in the following information:</p>
+      <ul>
+        <li>An <b>Organization Name</b>.</li>
+        <li>A <b>Billing Email</b>.</li>
+        <li>Whether you want to add <b>Additional Storage (GB)</b>. Your sponsorship covers 1 GB free.</li>
+        <li><b>Payment Information</b>.</li>
+      </ul>
+      <br>
+      <p> You won't have to make any payments for the Families Organization as long as you are an active member of the sponsoring Organization, unless you add <b>Additional Storage</b>. When you're done filling in your information, select <b>Submit</b>.</p>
+     </div>
+     <div class="tab-pane" id="desktop" role="tabpanel" aria-labelledby="desktab">
+      <br>
+      <p>Select the Organization from the dropdown and select <b>Accept Offer</b>:</p>
+      <img src="../../images/plans-and-pricing/f4e/f4e-3.png" style="border-style: solid; border-width: 2.5px; border-color: #DEE2E6; width: 100%;">
+      <br>
+      <br>
+      <p>When you accept the offer, your old subscription will be replaced by the Enterprise Sponsorship. You won't have to make any payments for the Families Organization as long as you are an active member of the sponsoring Organization.</p>
+     </div>
+   </div>
+
+{% callout success %}
+**Congratulations!** If you're new to using Bitwarden Families Organizations, we recommend checking out [this article]({{site.baseurl}}/article/getting-started-organizations/#get-to-know-your-organization) to learn the basics.
+{% endcallout %}

_articles/plans-and-pricing/organization-renewal.md

@@ -6,7 +6,7 @@ featured: false
 popular: false
 hidden: false
 tags: [plans, premium, renewal]
-order: "07"
+order: "08"
 description: "Learn what to do when your Bitwarden Organization subscription renewal date approaches."
 ---
 

_articles/plans-and-pricing/premium-renewal.md

@@ -6,7 +6,7 @@ featured: false
 popular: false
 hidden: false
 tags: [plans, premium, renewal]
-order: "06"
+order: "07"
 description: "Learn what to do when your Bitwarden subscription renewal date approaches."
 
 ---

_articles/plans-and-pricing/update-billing-info.md

@@ -5,7 +5,7 @@ categories: [plans-and-pricing]
 featured: false
 popular: false
 tags: [account, billing, billing information, individual, organization, subscription]
-order: "05"
+order: "06"
 description: "Learn how to update billing info in Bitwarden, including steps for individual and Organization subscriptions."
 ---
 

_articles/plans-and-pricing/upgrade-from-individual-to-org.md

@@ -12,7 +12,7 @@ description: "Learn how to add an Organization subscription to your individual B
 This article will guide existing individual Bitwarden users ([**Free**]({{site.baseurl}}/article/about-bitwarden-plans/#free-individual) or [**Premium**]({{site.baseurl}}/article/about-bitwarden-plans/#premium-individual)) through the process of transitioning to an Organizations plan ([**Free**]({{site.baseurl}}/article/about-bitwarden-plans/#free-organizations), [**Families**]({{site.baseurl}}/article/about-bitwarden-plans/#families-organizations), [**Teams**]({{site.baseurl}}/article/about-bitwarden-plans/#teams-organizations), or [**Enterprise**]({{site.baseurl}}/article/about-bitwarden-plans/#enterprise-organizations)) in order to start securely sharing data from Organizations with friends, family, co-workers, a department, or an entire company.
 
 {% callout success %}
-If you're looking for how to upgrade an existing Free Organization to a paid Organization, see [this FAQ item]({{site.baseurl}}/article/org-faqs/#q-how-do-i-upgrade-my-free-organization) instead.
+If you're looking for how to upgrade an existing Free Organization to a paid Organization, see [this FAQ]({{site.baseurl}}/article/org-faqs/#q-how-do-i-upgrade-my-free-organization) instead.
 {% endcallout %}
 
 ## Start Your Organization
@@ -30,11 +30,14 @@ Complete the following steps to start your Organization:
    {% endcallout %}
 
 4. If you're creating an Organization on behalf of a business:
+
    - Check the **This account is owned by a business** checkbox.
    - Provide your **Business Name**.
 
+   <br>
    Checking the **This account is owned by a business** checkbox will automatically filter your plan options to those suited to businesses. If you represent a business interested in testing secure sharing using a Free Organization, leave this option unchecked.
 5. In the **Choose Your Plan** section, select which type of Organization to create. Options include:
+
    - **Free:** For testing or personal users to share with 1 other user. **[Learn more]({{site.baseurl}}/article/about-bitwarden-plans/#free-organizations)**.
    - **Families:** For personal use, to share with family & friends. **[Learn more]({{site.baseurl}}/article/about-bitwarden-plans/#families-organizations)**.
    - **Teams:** For businesses and other team organizations. **[Learn more]({{site.baseurl}}/article/about-bitwarden-plans/#teams-organizations)**.
@@ -43,6 +46,7 @@ Complete the following steps to start your Organization:
    {% callout info %}Paid Organizations (Families, Teams, or Enterprise) include premium features for all enrolled users. For more information about Premium features, see [About Bitwarden Plans]({{site.baseurl}}/article/about-bitwarden-plans/#compare-the-plans/).
    {% endcallout %}
 6. If you selected a Paid Organization, enter the following information:
+
    - For **Teams** or **Enterprise**, enter the number of **User Seats** you need. Seats will be added if you exceed this number, unless you [specify a limit]({{site.baseurl}}/article/managing-users/#set-a-seat-limit).
    - For **Families**, **Teams**, or **Enterprise**, enter the amount of **Additional Storage (GB)** you need. You plan comes with 1 GB of shared encrypted file attachments, and you can add additional storage later if needed.
    - For **Teams** or **Enterprise**, select whether you'd like to be billed **Annually** or **Monthly**. Families Organizations may only be billed annually.

_articles/plans-and-pricing/what-plan-is-right-for-me.md

@@ -4,7 +4,7 @@ title: What Plan is Right for Me?
 categories: [plans-and-pricing]
 featured: false
 popular: false
-hidden: false
+hidden: true
 tags: [free, personal, organization, enterprise, teams, family, plans, subscription]
 order: "02"
 redirect_from:

_articles/send/send-encryption.md

@@ -5,7 +5,7 @@ categories: [send]
 featured: true
 popular: false
 tags: [bitwarden send, send, about send, ephemeral sharing]
-order: "07"
+order: "08"
 description: "This article explains the security practices and implementation of Bitwarden Send - a tool for secure and ephemeral sharing."
 ---
 

_articles/send/send-hosting.md

@@ -5,7 +5,7 @@ categories: [send]
 featured: true
 popular: false
 tags: []
-order: "08"
+order: "09"
 description: "This article describes steps you may need to take to use Bitwarden Send in a self-hosted environment."
 ---
 

_articles/send/send-ios.md

@@ -0,0 +1,11 @@
+---
+layout: article
+title: Send from iOS Extension
+categories: [send]
+featured: true
+popular: false
+hidden: true
+tags: [bitwarden send, send, create a send, how to, ephemeral sharing]
+order: "07"
+description: "Learn how to use Bitwarden Send directly from the iOS Share menu."
+---