diff --git a/registry/coder/modules/vault-cli/README.md b/registry/coder/modules/vault-cli/README.md
index 776ec6bee..f8df790f7 100644
--- a/registry/coder/modules/vault-cli/README.md
+++ b/registry/coder/modules/vault-cli/README.md
@@ -13,7 +13,7 @@ Installs the [Vault](https://www.vaultproject.io/) CLI and optionally configures
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 }
@@ -34,7 +34,7 @@ If you have a Vault token, you can provide it to automatically configure authent
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_token = var.vault_token # Optional
@@ -50,7 +50,7 @@ Install the Vault CLI without any authentication:
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 }
@@ -61,7 +61,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_cli_version = "1.15.0"
@@ -73,7 +73,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 install_dir = "/home/coder/bin"
@@ -87,7 +87,7 @@ For Vault Enterprise users who need to specify a namespace:
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_token = var.vault_token
@@ -95,6 +95,20 @@ module "vault_cli" {
 }
 ```
+### Vault Enterprise Binary
+
+Install the Vault Enterprise binary. This is required if using SAML authentication to Vault:
+
+```tf
+module "vault_cli" {
+ source = "registry.coder.com/coder/vault-cli/coder"
+ version = "1.1.0"
+ agent_id = coder_agent.example.id
+ vault_addr = "https://vault.example.com"
+ enterprise = true
+}
+```
+
 ## Related Modules
 For more advanced authentication methods, see:
diff --git a/registry/coder/modules/vault-cli/main.tf b/registry/coder/modules/vault-cli/main.tf
index eaacb66b0..1fa2011c5 100644
--- a/registry/coder/modules/vault-cli/main.tf
+++ b/registry/coder/modules/vault-cli/main.tf
@@ -48,6 +48,12 @@ variable "vault_namespace" {
 default = null
 }
+variable "enterprise" {
+ type = bool
+ description = "Whether to install the enterprise version of the Vault CLI. Required if using SAML authentication to Vault."
+ default = false
+}
+
 data "coder_workspace" "me" {}
 resource "coder_script" "vault_cli" {
@@ -59,6 +65,7 @@ resource "coder_script" "vault_cli" {
 VAULT_TOKEN = var.vault_token
 INSTALL_DIR = var.install_dir
 VAULT_CLI_VERSION = var.vault_cli_version
+ ENTERPRISE = var.enterprise
 })
 run_on_start = true
 start_blocks_login = true
diff --git a/registry/coder/modules/vault-cli/main.tftest.hcl b/registry/coder/modules/vault-cli/main.tftest.hcl
index 94a9b7aca..5f1f82140 100644
--- a/registry/coder/modules/vault-cli/main.tftest.hcl
+++ b/registry/coder/modules/vault-cli/main.tftest.hcl
@@ -163,3 +163,14 @@ run "test_vault_cli_with_token_and_namespace" {
 error_message = "VAULT_NAMESPACE should match the provided vault_namespace"
 }
 }
+
+run "test_vault_cli_enterprise" {
+ variables {
+ enterprise = true
+ }
+
+ assert {
+ condition = resource.coder_script.vault_cli.display_name == "Vault CLI"
+ error_message = "Display name should be 'Vault CLI'"
+ }
+}
diff --git a/registry/coder/modules/vault-cli/run.sh b/registry/coder/modules/vault-cli/run.sh
index a1917f994..18803ee5c 100644
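Review bot: The assertion in `test_vault_cli_enterprise` checks only `display_name`, which has the same value whether or not `enterprise = true` is set, so the run would still pass if the `ENTERPRISE` value never reached the rendered script. Assert on the script content instead, for example `condition = strcontains(resource.coder_script.vault_cli.script, "ENTERPRISE=true")` with a matching `error_message`, assuming the templated assignment renders in that form. That pins the template wiring added in main.tf; the release-URL selection in run.sh remains uncovered by this test file.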
--- a/registry/coder/modules/vault-cli/run.sh
+++ b/registry/coder/modules/vault-cli/run.sh
@@ -5,6 +5,7 @@ VAULT_ADDR=${VAULT_ADDR}
 VAULT_TOKEN=${VAULT_TOKEN}
 INSTALL_DIR=${INSTALL_DIR}
 VAULT_CLI_VERSION=${VAULT_CLI_VERSION}
+ENTERPRISE=${ENTERPRISE}
 # Fetch URL content. If dest is provided, write to file; otherwise output to stdout.
 # Usage: fetch [dest]
@@ -75,9 +76,18 @@ install() {
 # Fetch release information from HashiCorp API
 if [ "$${VAULT_CLI_VERSION}" = "latest" ]; then
- API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+ if [ "$${ENTERPRISE}" = "true" ]; then
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest?license_class=enterprise"
+ else
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+ fi
 else
- API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+ # For specific version, append +ent suffix for enterprise
+ if [ "$${ENTERPRISE}" = "true" ]; then
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}+ent"
+ else
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+ fi
 fi
 API_RESPONSE=$(fetch "$${API_URL}")
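Review bot: In the pinned-version branch of the `@@ -75,9 +76,18 @@` hunk, `+ent` is appended whenever `ENTERPRISE` is `true`, so a `vault_cli_version` that already carries an enterprise suffix (for example `1.15.0+ent`) produces a `...+ent+ent` release URL and the lookup presumably fails. Guard the append with something like `case "$${VAULT_CLI_VERSION}" in *+ent*) ENT_SUFFIX="" ;; *) ENT_SUFFIX="+ent" ;; esac` and build the URL once from `$${VAULT_CLI_VERSION}$${ENT_SUFFIX}` instead of repeating the base URL in four branches. The enterprise path also resolves to a different release artifact, so whatever integrity verification the rest of `install()` applies to the download should be confirmed to cover it. `install()` starts and ends outside this hunk, so that part is not visible here.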