Set up 1Password hosted provisioning with Okta (beta)

With 1Password Business, you can integrate 1Password with Okta to automate many common administrative tasks:

To get started, sign in to your account on Okta.com  , select Admin in the top right, and follow these steps.

Before you begin

Before you can integrate 1Password with Okta, you’ll need to:

• Have the lifecycle management feature in your Okta account.
• Be an administrator in your 1Password Business account.

Step 1: Turn on provisioning in 1Password

1. Sign in to your account on 1Password.com.
2. Select Integrations in the sidebar.
3. Select Okta in the User Provisioning section.
4. Select Set up hosted provisioning.
5. Save your credentials in 1Password in case you need it later, then select Next.
6. Leave this page open and continue to step 2.

Step 2: Add the 1Password Business application to Okta

These steps were recorded in July 2025 and may have changed since. Refer to the Okta documentation for the most up-to-date steps.

To add the 1Password Business application to Okta:

1. Select Applications, then select Browse App Catalog.
2. Search for 1Password Business and select it, then select Add Integration.
3. Choose the region for your 1Password account, then enter the beginning of your sign-in address (for example: acme) and select Next.
4. From the sign on methods, select Bookmark-only > Done.

You’ll see the details of the application you just created.

Step 3: Configure the application

On the 1Password Business application details page, select Provisioning. Then follow these steps.

3.1: Set up API integration

1. Select Configure API Integration, then turn on Enable API Integration.
2. Fill out the following fields:
   • Base URL: Copy and paste your SCIM URL from the hosted provisioning setup page (not your 1Password account sign-in address). Do not include a trailing slash. For example: https://provisioning.dev.us.svc.1infrapreview.net/scim/v2.
   • API Token: Copy and paste your bearer token from the hosted provisioning setup page.
3. Select Save.
4. Go back to the 1Password setup page and select Finish.

3.2: Set up provisioning to 1Password

Select Assignments and assign the users and groups you want to provision to 1Password. Then follow these steps:

1. Select Provisioning.
2. Select Edit and turn on these options:
   • Create Users
   • Update User Attributes
   • Deactivate Users
3. Select Save.

3.3: Map the displayName attribute

To make sure display names in 1Password sync correctly from Okta, you’ll need to map the displayName SCIM attribute. This step is required after the application setup is complete.

On the Provisioning tab, follow these steps:

1. Select Go to Profile Editor
2. Select Add Attribute.
3. Fill out the following fields:
   • Display name: Enter DisplayName.
   • Variable name: Enter displayName.
   • External namespace: Copy and paste the following: urn:ietf:params:scim:schemas:core:2.0:User
4. Select Save, then select Mappings.
5. Map the displayName attribute to displayName, then select Save Mappings > Apply updates.

If you prefer to use the user’s first and last name as the displayName, follow these steps:

1. Select Applications in the sidebar and select the 1Password Business application, then select the Provisioning tab.
2. Select Show Unmapped Attributes.
3. Select the pen beside DisplayName.
4. Select Select a type > Expression.
5. Enter the following formula: String.join(" ", user.firstName, user.lastName)
6. Select Create and update, then select Save.

Next steps

When you turn on provisioning, existing 1Password users will be linked to Okta users if their email address matches. If their email address is different, they’ll be invited to 1Password again, so make sure any affected team members update their email address before you turn on provisioning.

If a team member hasn’t accepted their invite after 2 days, they’ll receive a reminder email. Invites don’t expire.

If you have existing groups in 1Password that you want to sync with Okta, add them to the groups managed by provisioning:

1. Sign in to your account on 1Password.com.
2. Choose Integrations in the sidebar and choose Automated User Provisioning.
3. Choose Manage in the Managed Groups section, then select the groups to sync.

If you've previously used the SCIM bridge, make sure to select any groups that were already synced with Okta. This will prevent problems syncing with your identity provider, including duplicate groups.

Manage your settings

To turn off synchronization, select Active > Deactivate.

To change the region to match your 1Password account, select General, then select your account’s region from the Region Type menu.

Learn more in the Okta Help Center.

Get help

If you need to manage team members with 1Password CLI, you’ll need to turn off hosted provisioning. You’ll be able to use 1Password CLI and hosted provisioning together in the future.

If users and groups aren’t being provisioned, make sure provisioning is turned on in your 1Password account:

1. Sign in to your account on 1Password.com.
2. Select Integrations in the sidebar.
3. Select Hosted Provisioning.
4. Make sure Sync 1Password with my identity provider is turned on.

Appendix: Attribute mappings

The following are the default attribute mappings for the 1Password Business application in Okta:

Learn how to map Okta attributes to app attributes in the Profile Editor.