Administrators: Get started with 1Password Unlock with Okta

Learn how to set up 1Password to unlock with Okta.

Important

This feature is only available to beta participants.

With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting Okta with 1Password using Unlock with Identity Provider.

Before you begin

Before you can set up Unlock with Identity Provider, you’ll need:

  • To be an administrator in your 1Password Business account.
  • Application Administrator and Group Administrator privileges in Okta.

When you have these prerequisites, follow the steps below.

Step 1: Add the 1Password Business application to Okta

To get started, sign in to your account on Okta.com, click Admin in the top right, and follow these steps.

These steps were recorded in July 2022 and may have changed since. Refer to the Okta Help Center documentation for the most up-to-date steps.

1.1: Launch the Wizard

  1. In the Admin Console, go to Applications > Applications.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-in method.
  4. Select Native Application as the application type.
  5. Click Next.

1.2: Configure initial settings

In General Settings:

  • App integration name: Specify a name for your app integration.
  • Logo: Upload a logo to associate with the integration (optional).
  • Grant type: Choose Authorization Code.
  • Sign-in redirect URIs: Copy the URI from the Unlock 1Password with Identity Provider setup page. It has the format https://YOUR_DOMAIN.1password.com/sso/oidc/redirect. Okta will send the authentication response and ID token for the user’s sign-in request to this URI.
  • Sign-out redirect URIs: Copy the URI from the Unlock 1Password with Identity Provider setup page. It has the format https://YOUR_DOMAIN.1password.com/sso/oidc/redirect. After your application contacts Okta to close the user session, Okta will redirect the user to this URI.

In Assignments

  • Controlled access: Select “Skip group assignment for now” and create the app without assigning a group. You can adjust this later.

Click Save. You’ll be redirected to the settings page for the app integration.

1.3: Edit assignments and settings

If you make any changes to your 1Password Unlock with Identity Provider configuration after initial setup, you’ll also need to update the OIDC settings of your Okta application integration.

Assignments

Important

You must first assign yourself to the Okta application you just created before you can configure Unlock with Identity Provider in 1Password.

The email address you assign to the application in Okta must match the email address you’re using as a 1Password administrator.

  1. Select the Assignments tab, and click Assign > Assign to People.
  2. Search for the email address associated with your 1Password admin account and click Assign.
  3. Confirm the user information, then click Save and Go Back.
  4. Click Done.

Client Credentials

Select the General tab, and click Edit to change any of the listed options.

This section has the Client ID and Client authentication information for your app integration. You can edit the authentication type:

  • Client authentication: Select None. This option requires the use of a Proof Key for Code Exchange (PKCE) for additional verification. PKCE makes sure that the access token can be redeemed only by the client that requested it.
  • Proof Key for Code Exchange (PKCE): Check “Require PKCE as additional verification”.

Click Save to commit your Client Credentials changes.
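Why “Client authentication: None” is acceptable only when PKCE is required, and why the redirect URI must match exactly: the following is an added illustration, not code from 1Password or Okta. It assumes a placeholder Okta org URL, a placeholder Client ID, and the YOUR_DOMAIN redirect URI from the setup page, and it simulates both the native client (which generates the code verifier and sends only the S256 challenge) and the authorization-server checks at the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (not real tenant values): the Okta org URL and the
# Client ID shown in the Okta Admin Console are assumed; the redirect URI uses
# the YOUR_DOMAIN placeholder exactly as the setup page does.
OKTA_ISSUER = "https://YOUR_OKTA_DOMAIN.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "https://YOUR_DOMAIN.1password.com/sso/oidc/redirect"
REGISTERED_REDIRECT_URIS = {REDIRECT_URI}


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy verifier; 32 random bytes give a 43-character string."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str) -> str:
    """Authorization request the native client sends to Okta's org
    authorization server; only the challenge travels, never the verifier."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{OKTA_ISSUER}/oauth2/v1/authorize?{urlencode(params)}"


def redirect_uri_is_registered(uri: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact string comparison, the way an authorization server matches
    redirect_uri against the URIs registered for the app integration."""
    return uri in registered


def server_accepts_code_exchange(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute S256 over the presented verifier and
    compare it in constant time with the challenge stored alongside the code."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def simulate_flow() -> dict:
    """Run the public-client flow once and show that holding an authorization
    code without the original verifier is not enough to obtain tokens."""
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(verifier, state, nonce)

    # What Okta stores when it issues the authorization code.
    query = parse_qs(urlparse(url).query)
    stored_challenge = query["code_challenge"][0]

    return {
        "redirect_uri_ok": redirect_uri_is_registered(query["redirect_uri"][0]),
        "method": query["code_challenge_method"][0],
        "legitimate_client": server_accepts_code_exchange(stored_challenge, verifier),
        # A party that only holds the code cannot produce the matching verifier.
        "other_party": server_accepts_code_exchange(stored_challenge, make_code_verifier()),
    }


if __name__ == "__main__":
    print(simulate_flow())
```

With no client secret on a native app, the verifier is the only thing binding the token request to the client that started the flow; the exact-match redirect check is what keeps the code from being delivered anywhere other than the 1Password endpoint you registered in Step 1.2.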

General Settings

Select the General tab, and click Edit to change any of the listed options.

  • Application:
    • App integration name: You can edit the name you provided when creating the app integration.
    • Grant type: You can edit the grant type you provided when creating the app integration.
  • Login:
    • Sign-in redirect URIs: You can edit the URI you provided when creating the app integration. Copy the URI from the Unlock 1Password with Identity Provider setup page. It has the format https://YOUR_DOMAIN.1password.com/sso/oidc/redirect.
    • Sign-out redirect URIs: You can edit the URI you provided when creating the app integration. Copy the URI from the Unlock 1Password with Identity Provider setup page. It has the format https://YOUR_DOMAIN.1password.com/sso/oidc/redirect.
    • Initiate login URI: Optional. Include a URI to have Okta initiate the sign-in flow. When Okta redirects to this endpoint, the client is triggered to send an authorize request.

Click Save to commit your General Settings changes.

Step 2: Configure Unlock with Identity Provider

You can only save an identity provider configuration after successfully testing the connection. Changes won’t be saved if you can’t successfully authenticate with Okta. This prevents locking yourself out of 1Password.

  1. Sign in to your account on 1Password.com.
  2. Click Security in the sidebar.
  3. Click Unlock with Identity Provider.
  4. Follow the onscreen instructions to set up Unlock with Identity Provider.
  5. Test your connection. You’ll be directed to Okta to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Okta.

    Be sure that you're signing in to Okta and 1Password with the same email address.

  6. Click Save.

Step 3: Specify which team members will unlock 1Password with Okta and set a grace period

After configuring Unlock with Identity Provider, you’ll be redirected to the settings page.

3.1 People unlocking 1Password with an identity provider

By default, “People unlocking 1Password with an identity provider” is set to “No one”. To specify which team members will unlock 1Password with Okta, select one of the options:

“No one”

To turn off Unlock with Okta, select “No one”.

“Selected groups”

Only the team members in groups you choose will sign in with Okta. Learn how to use custom groups in 1Password Business.

  1. Choose “Selected groups” under “People unlocking 1Password with an identity provider”, then click Select Groups.
  2. Select the groups you want to unlock 1Password with Okta and click Update Groups.

    You'll see the number of people in the groups you selected.

“Everyone except guests”

All team members will sign in with Okta. Guests will use a password and Secret Key.

“Everyone”

Guests and all team members will sign in with Okta. All existing users will be prompted to switch to Unlock with Okta, and all new users will use their Okta username and password when joining 1Password.

3.2 Set a grace period

Team members who already have 1Password accounts will need to switch to unlocking with Okta. Specify the number of days or login attempts before team members must switch to unlocking with Okta, and how often they should be reminded to migrate. We recommend setting the grace period to 30 days.

Important

If a team member doesn’t migrate to Unlock with Okta before the end of the grace period, they’ll be signed out of all their devices and must contact their 1Password administrator to recover their account.

Manage settings

To manage your settings, sign in to your account on 1Password.com, then click Security in the sidebar and choose Unlock 1Password with Identity Provider.

  • To change your configuration with Okta, click Edit Configuration. Follow the onscreen instructions to set up Unlock with Identity Provider.

    You can only save an identity provider configuration after successfully testing the connection. Changes won't be saved if you can't successfully authenticate with Okta. This prevents locking yourself out of 1Password.

  • To specify which team members will unlock 1Password with Okta, select “No one”, “Selected groups”, “Everyone except guests”, or “Everyone”.

    “Selected groups” is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with Okta, select “No one”.

  • Specify the number of days or login attempts before team members must switch to unlocking with Okta.

    We recommend setting the grace period to 30 days. If a team member doesn't migrate to Unlock with Okta before the end of the grace period, they must contact their administrator to recover their account.

  • To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select “Allow people to unlock 1Password using biometrics”. Specify the number of days or login attempts before they’ll be asked to sign in to Okta again.

    When biometric unlock is turned on, your team members can access 1Password while offline until the specified period elapses. After that, they must be online and sign in to Okta again before they can access their vaults.

Click Review Changes to verify your choices, then click Save.

Get help

You can find your Client ID in the Okta Admin Console.

If a team member is moved from a group that unlocks with Okta to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.
