Automated provisioning

About Automated Provisioning (hosted by 1Password)

Learn how your data is protected when you use automated provisioning (hosted by 1Password) with your identity provider.

You can use automated provisioning with 1Password to save time on administrative tasks by connecting 1Password with your identity provider. 1Password hosted provisioning makes SCIM API endpoints available to external identity providers like Okta and Entra ID so you can manage 1Password users directly from your identity provider.

Security model

1Password hosted provisioning extends the 1Password end-to-end encryption with zero-knowledge security model to operations performed on behalf of your identity provider in the 1Password infrastructure. Hosted provisioning is able to perform cryptographic operations in the 1Password infrastructure while guaranteeing that neither 1Password nor AWS, our cloud provider, has access to your key material. In contrast, 1Password SCIM Bridge can only operate in an environment you own and control, so that decrypted keys remain in your ownership. 1Password hosted provisioning is able to remove the hosting requirement by running some of our systems on our Confidential Computing platform with AWS Nitro Enclaves, plus public key infrastructure in the form of an Account Trust Log.

1Password Provisioning extends the zero-knowledge security model for 1Password to operations performed on behalf of your Identity Provider in 1Password infrastructure.

Trust and automated provisioning

While 1Password uses zero-knowledge encryption, some components of automated provisioning require you to rely on the integrity of the infrastructure. When you use automated provisioning, you trust that:

Infrastructure security
  • 1Password hosted provisioning: 1Password infrastructure is adequately secured with access controls.
  • Self-hosted SCIM bridge: Your deployment of the 1Password SCIM Bridge is adequately secured with proper access controls.

Device security
  • 1Password hosted provisioning: 1Password Provisioning systems running in the Confidential Computing platform do not contain malicious code.
  • Self-hosted SCIM bridge: Your SCIM bridge does not contain malicious code.

Public key authenticity
  • 1Password hosted provisioning: The public keys in the 1Password server database at the time of enabling Provisioning are authentic.
  • Self-hosted SCIM bridge: The SCIM bridge does not verify the authenticity of public keys provided by 1Password; they are trusted by default.

Email domain authenticity
  • 1Password hosted provisioning: The set of account invitation email domains in the 1Password server database when you set up hosted provisioning is authentic and untampered.
  • Self-hosted SCIM bridge: The SCIM bridge does not verify the authenticity of account invitation email domains on 1Password servers; they are trusted by default.

Invite integrity
  • 1Password hosted provisioning: The 1Password Confidential Computing trust store contains only an authentic AWS Root Certificate.
  • Self-hosted SCIM bridge: The 1Password servers are not intercepting or maliciously inserting invites to your account.

The Confidential Computing assertions are verified by a previous penetration test and external security audit. Secure Operating Controls (SOCII) certification for 1Password is routinely audited. 1Password hosted provisioning assertions will be verified by a forthcoming penetration test and external security audit.

Confidential Computing allows us to host services that are isolated from 1Password to prevent 1Password from directly accessing the underlying software and any associated encryption keys.

The key verification problem

Prior to introducing provisioning with a 1Password-hosted API, all 1Password clients, including the 1Password SCIM Bridge, had no way to verify public keys. Without verification, all 1Password clients were vulnerable to an active attacker posing as a 1Password server. This problem is discussed at length in the 1Password Security Design White Paper, Appendix A.3: No Public Key Verification and Appendix C: Verifying Public Keys.

Such an attack could be carried out by a compromised 1Password server returning a malicious encrypted keyset in place of an authentic user keyset. The client device, such as 1Password SCIM Bridge, is unable to differentiate between the two keysets and assumes the malicious keyset is authentic. We addressed the key verification problem by introducing an Account Trust Log for provisioning.

Account Trust Log

Hosted provisioning is the first 1Password service to verify user and group public keys through the Account Trust Log. The Account Trust Log is a cryptographic chain that describes how the “trust” for a given account has changed over time. An account administrator in 1Password Business initiates a one-time trust event when they set up hosted provisioning for the first time. When they do this, every user keyset and group key is added to the Account Trust Log by the administrator who set up the integration. Any further modification to the Trust Log requires signatures from an administrator already on the Trust Log.

The Trust Log is used to verify the authenticity of every public key provided before carrying out any operations. Therefore, if a compromised 1Password server replaced an authentic user keyset with a malicious keyset, Provisioning would be unable to verify the malicious keyset and would reject the operation.

Further protections

1Password hosted provisioning introduces further protections that were not offered in 1Password SCIM Bridge:

  • Email domains of invited users are now cryptographically verified. Trusted account invitation email domains are signed when you set up hosted provisioning, so each new user must belong to one of those domains. Provisioning verifies the authenticity of the trusted email domains before a new user is created or a user’s email address is changed.
  • Groups with global cryptographic access won’t be automatically managed. Groups with global cryptographic access, such as permission to recover accounts, can’t be automatically managed with hosted provisioning, which prevents a compromise in your identity provider from leading to a 1Password account compromise. This includes default and custom groups with permissions such as “Complete Recovery” and “Manage All Groups”. For existing users in groups with these permissions, a migration will be required to manage them with hosted provisioning.
