This feature is only available to beta participants.
With 1Password Business and Okta, you can bring single sign-on (SSO) authentication to your team. When you set up Unlock with Identity Provider using Okta, you can:
- Specify which groups will unlock 1Password with Okta.
- Set a grace period for team members to migrate to Unlock with Okta.
- Turn on biometric unlock for team members using Unlock with Okta.
During the beta period, you can use Unlock with Okta with production or test accounts. If you use production accounts, team members should be ready to work within the limitations of the beta period.
During the beta period, Unlock with Identity Provider functionality will have some limitations. Additional platforms, identity providers, and protocols will be available in the future.
- Unlock with Okta is an authentication method and doesn’t include automatic provisioning. Set up 1Password SCIM Bridge for automated provisioning.
- During the beta period, Unlock with Identity Provider will be available only for Okta using the OpenID Connect (OIDC) protocol.
- Signing in with Okta will only be available on 1Password.com and in 1Password for the browser.
Team members won't be able to sign in to 1Password on iOS, Android, Linux, Windows, or Mac while testing Unlock with Okta.
To participate in the Unlock with Okta beta, you must:
- Be an administrator of your 1Password account.
- Have Application Administrator and Group Administrator privileges in Okta. You need to be able to create Okta test accounts, or be willing to use production accounts.
- Attend an implementation session with the 1Password team.
We recommend that you maintain a backup 1Password administrator account that unlocks with an account password and Secret Key for account recovery purposes.
During implementation calls with the 1Password team, you’ll set up Unlock with Okta on your 1Password Business account. After successfully unlocking 1Password with Okta, you can add more team members to participate in the beta.
- Add the 1Password Business application to Okta.
- Configure the Okta application integration.
- Configure 1Password Unlock with Identity Provider.
- Add team members to participate in testing Unlock with Okta.
Can I stop using Unlock with Okta?
Yes. Group membership determines the unlock method. If team members are moved to a group that isn’t set to unlock with Okta, they’ll go through the account recovery process, choose a new account password, and save their Secret Key and Emergency Kit.
To turn off unlocking with Okta for all team members, select “No one” on the Unlock with Identity Provider settings page.
What happens to a team member’s other devices when they convert their account to unlock with Okta?
When a team member switches to unlock with Okta, they’ll be signed out of all other devices. They’ll need to authorize their other devices to unlock with Okta.
During the beta period, only 1Password.com and 1Password in the browser (Chrome, Firefox, Edge, Brave, and Safari) will support unlock with Okta. Team members won’t be able to unlock 1Password on other platforms during this phase of the beta.
Can two-factor authentication be used alongside unlock with Okta?
Yes. When using Okta to sign in to 1Password, Okta handles any multi-factor authentication, not 1Password. Team members who sign in to 1Password with Okta will use two-factor authentication if your Okta configuration requires it.
Can I turn on Unlock with Okta for only certain team members?
Yes. Unlock with Okta permissions are set at the group level. While you can’t turn Unlock with Okta on for a specific team member, you can designate which groups will use Okta to log in.
Does Unlock with Okta support offline access and biometric unlock?
Yes. Administrators can allow team members to unlock 1Password using biometrics by selecting the option on the 1Password Unlock with Identity Provider settings page. When it's active, team members can access their vaults when their device is offline by using cached credentials obtained after a prior successful Unlock with Okta session. Admins can specify how long offline access is allowed before team members must re-authenticate with Okta.
What happens if a team member is logged in to multiple accounts on one device?
Unlock with Okta will only unlock a team member’s business account. For example, a person with a family account will continue to use their account password and Secret Key even if their business account authenticates with Okta.
Can administrators be switched to unlock with Okta?
Yes. You can set any group to unlock with Okta, including groups that contain administrators.
Can multiple identity providers be active at the same time?
No. Only one identity provider can be active at a time, and only Okta is available during the beta period.
Does Unlock with Okta replace the account password and Secret Key?
Yes. If Unlock with Okta is active, team members won’t use an account password, Secret Key, or Emergency Kit.
What happens if a team member reaches the end of the grace period?
If a team member doesn’t switch to Unlock with Okta before the end of the grace period, they’ll be signed out on all of their devices. They’ll need to contact their 1Password administrator to recover their account.
Does Unlock with Identity Provider also do automatic provisioning?
No. 1Password SCIM Bridge is still the solution for automatic provisioning and can be used alongside Unlock with Okta. You can use Unlock with Okta with manual provisioning if your organization doesn’t use 1Password SCIM Bridge.
If you’re having trouble with 1Password Unlock with Okta, contact 1Password Support with a description of the problem.