Automate provisioning in 1Password Business using SCIM

Learn how to set up and use the 1Password SCIM bridge to integrate with your identity provider.

With 1Password Business, you can automate many common administrative tasks using the System for Cross-domain Identity Management (SCIM) bridge. It’s SCIM 2.0 compatible and works with your existing identity provider, like Azure Active Directory or Okta, so you can:

  • Create users and groups, including automated account confirmation
  • Grant and revoke access to groups
  • Suspend and delete users

Prepare your 1Password account

Before you can deploy the 1Password SCIM bridge, you’ll need to prepare your 1Password account and generate an OAuth bearer token and an encrypted scimsession file. To protect your bearer token and scimsession file, clone the scim-examples repository and run the setup script to generate them locally on your own system.

Step 1: Install Docker

The SCIM bridge setup process requires Docker. On your local system, install Docker.  

Step 2: Clone the scim-examples repository

All of the scripts and configuration files needed to set up and deploy the SCIM bridge are available in the scim-examples repository on GitHub.

To clone the repository, open your terminal app, switch to the directory where you want to clone the repository, and run the following command:

git clone

Step 3: Run the setup script

To begin the setup process, run the included setup script:


The SCIM bridge will create a group called “Provision Managers”, give it the required permissions for provisioning, and create a new user account in that group.

Make sure you have a separate email address (or an email alias) to use for the new user account. You can’t reuse the email address that you use for your administrator account.

This setup process will:

  1. Ask you to sign in to your administrator account
  2. Create the provision managers group and the provision manager account
  3. Set up the provision manager account
  4. Generate your bearer token and session file

From now on, the provision manager account can be used with the SCIM bridge to provision people.


The scimsession file contains the encrypted credentials for the account you created for provision management. The bearer token and scimsession file combined can be used to sign in to that account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

Deploy the SCIM bridge

Before you can deploy the 1Password SCIM bridge, you’ll need to set up a Google Cloud Platform account. Then follow the steps below.

Step 1: Create a project

The SCIM bridge must be deployed within a project. To create a project:

  1. Visit the Manage resources page and click Create Project.
  2. Enter a Project Name. If you’re part of an organization, choose it.

    If you can’t choose your organization, contact your Google Cloud Platform organization administrator.

  3. Click Create.

After the project has been created, you can configure the SCIM bridge.

Step 2: Configure the SCIM bridge

Visit 1Password SCIM bridge on Google Cloud Platform Marketplace and click Configure. If prompted, choose the project you created above.

If you see “‘Kubernetes Engine Admin’ role is required”, ignore it. The message will go away after you create a cluster.

Configure the SCIM bridge and click Deploy:

  • Cluster
    Choose one or click “Create a new cluster”. If you create a new cluster, refresh the page after it has been created.
  • Namespace
    Use the provided default. Or if you have an existing application in the cluster, create a new namespace called “1password”.
  • App instance name
    Use the provided default.
  • 1Password sign-in address
    Your 1Password sign-in address. For example:

After the SCIM bridge is deployed, you’ll see its application details.

Step 3: Set up the SCIM bridge

In the “SCIM bridge info” section of the application details, the “1Password SCIM bridge public IP” begins with 10. For example:

  1. Refresh the page until the 1Password SCIM bridge public IP changes, then click it. You’ll see the 1Password SCIM Bridge Setup.
  2. Follow the onscreen instructions:

    • Configure a DNS record to point your domain to the 1Password SCIM bridge public IP, and then enter the domain name to verify it.

    • Upload your scimsession file.

    • Enter your OAuth bearer token to verify the status of the SCIM bridge.

SCIM bridge setup is now complete.

Step 4: Configure a static IP address


When you first deploy the 1Password SCIM bridge, an ephemeral IP address is assigned to it. This address is not guaranteed to remain constant, which may interrupt your automated provisioning.

To use the SCIM bridge without interruption, promote the “1Password SCIM bridge public IP” to a static IP address. Learn how to configure a static IP address.  

To update the 1Password SCIM bridge

Learn how to update the SCIM bridge when a new version is available.

Connect your identity provider to the SCIM bridge

Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

Connect to the TLS-secured API gateway, proxy, or load balancer where you’ve configured the SCIM bridge (for example: and authenticate using your OAuth bearer token.

Learn how to connect your identity provider:

Azure Active Directory


Get help

The 1Password SCIM bridge for Google Cloud Platform requires 1Password Business and a supported SCIM 2.0-compatible identity provider: Azure Active Directory or Okta.

If you change the Master Password, Secret Key, or email address for the account you created for provision management, you’ll need to generate a new bearer token and session file and redeploy the SCIM bridge.

For more information, contact your 1Password Business representative. To get help and share feedback, join the discussion in the 1Password Support forum.

Learn more