Deploy 1Password SCIM Bridge on DigitalOcean App Platform

A diagram showing the connection of identity providers to 1Password SCIM Bridge to 1Password servers.

With 1Password Business, you can automate many common administrative tasks using 1Password SCIM Bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Google Workspace, JumpCloud, Microsoft Entra ID, Okta, OneLogin, or Rippling.

When you deploy 1Password SCIM Bridge with DigitalOcean App Platform instead of the DigitalOcean Marketplace, you can save on costs and keep management simpler without the need to create a DNS record or TLS certificate. You’ll need a DigitalOcean account with available quotas for two droplets.

Step 1: Generate credentials in 1Password

Sign in to your account on 1Password.com.
Choose Integrations in the sidebar.
Choose your identity provider from the User Provisioning section.
Select Custom, then choose Next.
Choose Save in 1Password for both the scimsession file and bearer token to save them as items in your 1Password account. Save each item in an appropriate shared vault.
Choose beside the scimsession file and save it to your computer.

Step 2: Create resources in DigitalOcean

These steps were recorded in December 2023 and might have changed since. Refer to the DigitalOcean documentation for the most up-to-date steps.

Before you begin the deployment, download the app spec template op-scim-bridge.yaml from the 1Password SCIM Bridge deployment examples repo on GitHub . Then follow these steps.

2.1: Add the 1Password SCIM Bridge app

Go to the DigitalOcean Apps portal and choose Create App.
Select Docker Hub from the service provider list, then enter 1password/scim in the Repository field and choose Next.
Choose Edit beside 1-password-scim, then choose Edit beside the Name field.
Enter op-scim-bridge in the Resource Name field, then choose Save and choose Back at the bottom of the page.
Choose Edit Plan, then select Basic.
From the Instance Size menu, select $5.00/mo - Basic, then choose Back.
Choose Next on the Resources page, then choose Next on the Environment page.
On the Info page, choose Edit in the App Info section.
Enter op-scim-bridge in the Name field, then choose Save.
If you’d like to change the region, choose Edit beside it and select a region, then choose Save.
Choose Next on the Info page, then scroll down on the Review page and choose Create Resources.

The deployment of 1Password SCIM Bridge will start and after a few minutes fail, which is expected because the configuration has not been defined. After you see the “deployment failed” message, continue to step 2.2.

2.2: Upload the app manifest

Choose the Settings tab on the app page, then scroll down and choose Edit beside App Spec.
Choose Upload File, then select the op-scim-bridge.yaml file you downloaded earlier.
Choose Replace, then wait a moment for the SCIM bridge to deploy.

Step 3: Configure and deploy your SCIM bridge

After you see the “deployment went live” message at the top of the page, choose op-scim-bridge from the Components list, then scroll down and choose Edit beside Environment Variables.
Choose beside OP_SESSION to remove it. You’ll upload your own in a moment.

Open a terminal window on your computer, then get the Base64 encoded contents of your scimsession file:

Bash:
```
  cat ./scimsession | base64
```

PowerShell:

  [Convert]::ToBase64String([IO.File]::ReadAllBytes((Join-Path $PWD.Path 'scimsession')))

Copy the output value. You’ll need it to create the secret for the deployment.
Go back to the Environment Variables section of your app’s Component Settings in DigitalOcean.
Create a new environment variable and enter OP_SESSION in the Keys field, then paste the base64 value of your scimsession secret in the Values field.
Select Encrypt beside the value, then choose Save. The deployment will take a moment to update.
After the deployment is live, use the Live App button at the top of the page to open your SCIM bridge. You can also use the URL link at the top of the page below your project name.
Enter your bearer token and choose Verify.

Step 4: Connect your identity provider to the SCIM bridge

Important

If you’ve already been using 1Password Business, make sure the email addresses and group names in your 1Password account are identical to those in your identity provider.

If anyone is using a different email address in 1Password, ask them to change it.
If you have existing groups in 1Password that you want to sync with groups in your identity provider, adjust the group names in 1Password.

Because 1Password SCIM Bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

Connect to the load balancer where you’ve configured the SCIM bridge (for example: https://scim.example.com) and authenticate using your OAuth bearer token.

User Guide

Learn how to connect your identity provider:

Update your SCIM bridge

The latest version of 1Password SCIM Bridge is posted on the release notes website. To update your SCIM bridge:

Navigate to the DigitalOcean Apps portal and select your SCIM bridge (by default, op-scim-bridge) from the list of apps.
Choose op-scim-bridge in the Compute section.
Select Edit in the Source section.
Change the version number in the Tag field to match the latest version from the SCIM Bridge release notes page .
Select Save. The SCIM bridge will redeploy with the new version.
Navigate to your SCIM bridge URL and sign in with your bearer token.
Check the version in the top left of the page.

Get help

Get help with the SCIM bridge, like if you lose your bearer token or session file.

To get more help or share feedback, contact 1Password Business Support or join the discussion with the 1Password Support Community.