Configure Unlock 1Password with Google

Learn how to set up 1Password to unlock with Google.

With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting Google with 1Password using Unlock with SSO.

Unlock with SSO doesn’t include automated provisioning. If you want to create users and groups, manage access, and suspend 1Password users with your identity provider, learn how to automate provisioning using SCIM.

Before you begin

Before you begin, review the considerations and requirements for Unlock with SSO. If you use automated provisioning with SCIM, check for updates to make sure your SCIM bridge is version 2.9.5 or later.

These steps were updated in July 2024 and may have changed since. Refer to the Google developer documentation for the most up-to-date steps.

Step 1: Add the 1Password SSO application to Google Cloud

To get started, sign in to the Google Cloud console, then follow these steps:

  1. Create a new project for 1Password SSO.
  2. In the sidebar, select APIs & Services > OAuth consent screen.
  3. Select Internal, then select Create.
  4. Fill out the following fields:
    • Authorized domain 1: Enter your 1Password account’s region. For example, 1password.com.
    • Developer contact information: Enter an email address for the person or department who’s responsible for maintaining Unlock with SSO.
  5. Select Save and Continue.
  6. Select Add or Remove Scopes, then select auth/userinfo.email, auth/userinfo.profile, and openid, and select Update.
  7. Scroll to the bottom of the page and select Save and Continue.

1.2: Create client ID credentials

  1. In the sidebar, select APIs & Services > Credentials.
  2. Select Create Credentials > OAuth client ID.
  3. Select Web application for the application type.
  4. Enter a name for your application, then select Create.
  5. Select your new OAuth 2.0 Client ID details page from the list, then keep the page open and continue to the next step.

Step 2: Configure Unlock with SSO

Important

The changes you make below won’t be saved until you successfully authenticate with Google. This prevents you from losing access to 1Password.

2.1: Set up Unlock with SSO

  1. Open a new browser tab and sign in to your account on 1Password.com.
  2. Select Policies in the sidebar.
  3. Select Manage under Configure Identity Provider.
  4. Select Google, then select Next.
  5. On the application details page, fill out the following fields:
    • Client ID: Copy and paste the Client ID from your Google page.
    • Well-known URL: Enter the following for your well-known URL: https://accounts.google.com/.well-known/openid-configuration
    • Client Secret: Copy and paste the client secret from your Google page.
  6. Select Next.
  7. Copy the redirect URI, then continue to step 2.2.

2.2: Configure the Google application

From the Client ID page you’re taken to after completing step 1:

  1. Select Add URI in the Authorized redirect URIs section.
  2. Paste the redirect URI you just copied.
  3. Select Save.
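
After steps 1.2 through 2.2, the OAuth client should be a Web application with exactly one authorized redirect URI: the one copied from 1Password. The following check is an added example, not 1Password or Google code. It audits the client JSON that Google Cloud offers for download; the sample values, the redirect path and the function name are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the layout of the client JSON downloadable from the
# Google Cloud OAuth client page. Every value here is a placeholder.
SAMPLE_CLIENT_JSON = """
{"web": {
  "client_id": "000000000000-placeholder.apps.googleusercontent.com",
  "client_secret": "PLACEHOLDER",
  "redirect_uris": [
    "https://example.1password.com/placeholder/redirect",
    "http://localhost:8080/callback"
  ]
}}
"""

def audit_client(raw, authorized_domain, expected_redirect):
    """Return a list of findings; an empty list means the client matches the guide."""
    doc = json.loads(raw)
    if "web" not in doc:
        # Step 1.2 selects "Web application" as the application type.
        return ["client is not a Web application client"]
    web = doc["web"]
    uris = web.get("redirect_uris", [])
    findings = []
    if expected_redirect not in uris:
        findings.append("redirect URI copied from 1Password is missing")
    for uri in uris:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if uri != expected_redirect:
            findings.append(f"unexpected redirect URI: {uri}")
        if parts.scheme != "https":
            findings.append(f"non-HTTPS redirect URI: {uri}")
        if host != authorized_domain and not host.endswith("." + authorized_domain):
            findings.append(f"redirect host outside {authorized_domain}: {host}")
    if web.get("javascript_origins"):
        findings.append("JavaScript origins are set, but the guide configures none")
    return findings

if __name__ == "__main__":
    for finding in audit_client(SAMPLE_CLIENT_JSON, "1password.com",
                                "https://example.1password.com/placeholder/redirect"):
        print(finding)
```

Run it against the downloaded client file whenever the Google project is changed, using the authorized domain entered in step 1 and the redirect URI shown by 1Password in step 2.1.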

2.3: Test the connection

Once you’ve configured your settings, go back to the Configure Identity Provider page and test the connection. You’ll be directed to Google to sign in, then returned to 1Password. This verifies connectivity between 1Password and Google.

After you’ve tested the connection, select Save.

Step 3: Specify which team members will unlock 1Password with Google and set a grace period

After you configure Unlock with SSO, you’ll be redirected to the settings page in your 1Password account. Before you configure your settings, you’ll need to create groups for the team members who will unlock 1Password with Google:

  1. Create a custom group.

    Give the group a descriptive name, like "Google SSO", for clarity.

  2. Add team members to the group.

    If you plan to invite additional team members to test Unlock with Google at a later date, create a new custom group for each additional set of testers.

The group(s) you create don’t have to be permanent, and you can eventually set your whole team to unlock with SSO once some groups have successfully migrated.

3.1: Choose who will unlock with Google

Important

Users in the Owners group can’t unlock with Google and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their trusted devices and no one can recover them.

Learn more about implementing a recovery plan for your team.

By default, “People unlocking 1Password with an identity provider” is set to “No one”. This allows you to gradually migrate your team to unlock with Google. To specify which team members will unlock 1Password with Google, select one of the options:

  • No one: To turn off Unlock with Google, select No one.
  • Selected groups (recommended): Only the team members in groups you choose will sign in with Google. Learn how to use custom groups in 1Password Business.
  • Everyone except guests: All team members, except owners and guests, will sign in with Google. All existing users will be prompted to switch to Unlock with Google, and all new users will use their Google email address and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.
  • Everyone (not recommended): Guests and all team members, except owners, will sign in with Google. All existing users will be prompted to switch to Unlock with Google, and all new users will use their Google email address and password when joining 1Password.

3.2: Set a grace period

Team members who already have 1Password accounts will need to switch to unlock with Google. Specify the number of days before team members must switch. Consider the following when you set the grace period:

  • By default, the grace period is set to 5 days. It can be set to 1 to 30 days.
  • The grace period begins when an administrator adds a group after they choose the “Selected groups” option or when an administrator configures Unlock with Google for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with Google.
  • If a team member belongs to more than one group, their grace period is determined by the first group set up with SSO, even if the grace periods are different for those groups.
  • If you add a user to a group with an expired grace period, you or another administrator will need to recover their account so they can set up unlock with SSO.
  • If you edit the length of the grace period, it’ll be prolonged or shortened from the original configuration date. The grace period count doesn’t reset to zero when updated.
  • If you plan to have more team members unlock with Google after initial configuration, it’s best to create a new custom group with its own grace period. This will make sure newly assigned team members won’t need their accounts recovered.
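
The grace period rules above can be modelled to plan a rollout and to spot members who will need account recovery. This is an added example, not 1Password code: the class and function names, group names and dates are constructed, and it assumes the deadline day itself still counts as inside the grace period.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class SsoGroup:
    name: str
    configured_on: date   # day the group was set to unlock with Google
    grace_days: int = 5   # default on the page; allowed range is 1 to 30

    def __post_init__(self):
        if not 1 <= self.grace_days <= 30:
            raise ValueError("grace period must be 1 to 30 days")

    @property
    def deadline(self):
        # Editing grace_days moves the deadline relative to the original
        # configuration date; the count does not reset to zero.
        return self.configured_on + timedelta(days=self.grace_days)

def member_deadline(groups):
    """A member in several groups follows the first group set up with SSO."""
    return min(groups, key=lambda g: g.configured_on).deadline

def status(groups, today, migrated_on=None, added_on=None):
    """Classify one member as 'migrated', 'in grace period' or 'recovery required'."""
    deadline = member_deadline(groups)
    if added_on is not None and added_on > deadline:
        # Added to a group whose grace period had already expired.
        return "recovery required"
    if migrated_on is not None and migrated_on <= deadline:
        return "migrated"
    return "in grace period" if today <= deadline else "recovery required"

if __name__ == "__main__":
    # Constructed rollout: a pilot group, then a second wave two weeks later.
    pilot = SsoGroup("Google SSO pilot", date(2024, 7, 1))
    wave2 = SsoGroup("Google SSO wave 2", date(2024, 7, 15), grace_days=10)
    print(member_deadline([wave2, pilot]))                      # pilot decides
    print(status([pilot], date(2024, 7, 20), added_on=date(2024, 7, 18)))
```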

Important

If a team member doesn’t migrate to Unlock with Google before the end of the grace period, they’ll be signed out of 1Password on all their devices and must contact an administrator to recover their account. The team member will switch to unlock with Google during the recovery process.

Manage settings

To manage your settings, sign in to your account on 1Password.com, then select Policies in the sidebar and select Manage under Configure Identity Provider.

Configuration

To change your configuration with Google, select Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO. You can only set up one identity provider to unlock with SSO. If you need to switch to a different one after setup, contact 1Password Support.

You can only save an identity provider configuration after you've successfully tested the connection. Changes won't be saved if you can't successfully authenticate with Google. This prevents you from losing access to 1Password.

People assignments and biometrics

Select Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with Google.

  • To specify which team members will unlock 1Password with Google, select No one, Selected groups, Everyone except guests, or Everyone.

    "Selected groups" is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with Google, select No one.

  • Specify the number of days before team members must switch to unlocking with Google.

    The default grace period is 5 days. If a team member doesn't migrate to Unlock with Google before the end of the grace period, they must contact their administrator to recover their account.

  • To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select Allow people to unlock 1Password using biometrics. Specify the number of days or weeks before they’ll be asked to sign in to Google again.

    When biometric unlock is turned on, your team members can access 1Password while offline, until the time period specified. Vault access will be online-only after the elapsed period.

Select Review Changes to verify your choices, then select Save.

Next steps

To use Unlock with Google yourself, get started with Unlock 1Password with Google as a team member.

Learn how to unlock 1Password with Google on all of your devices and add additional trusted devices.

Tip

If your IT team has a policy that clears browsing data when a browser is closed, exclude your team’s sign-in address from that policy to make sure your team members won’t lose access to their trusted device.

You can also encourage your team to set up other trusted devices, like the 1Password desktop app, after they sign up or switch to unlock with SSO.

Get help

You can find your Application ID and OpenID configuration document URL on the overview page of the application you created in step 1.

If a team member is moved from a group that unlocks with Google to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.

Get help if you need to switch to a new identity provider after you set up Unlock with SSO.
