Upgrade your provisioning integration

To upgrade your provisioning integration, you’ll need to deactivate your current provisioning setup, redeploy 1Password SCIM Bridge, and then reconnect your identity provider.

Step 1: Upgrade your provisioning setup

  1. Sign in to your account on 1Password.com, click Settings in the sidebar and click Provisioning.
  2. Click Upgrade Now and enter your 1Password account password to turn off provisioning.
  3. Choose your identity provider from the Integrations Directory.
  4. Save your new scimsession file and bearer token in 1Password, then click Next.
  5. Choose the account you currently use for provisioning and click Transfer Groups. Your groups will be managed by the new provisioning integration. The current provision manager account will be suspended and will still be accessible under People.

    If you skip this step, you will need to manually add your groups to User Provisioning > Managed Groups.

After you’ve updated to the provisioning integration, you’re ready to update the scimsession file on the SCIM bridge.

Tip

To prevent confusion in the future, delete your old scimsession file and bearer token. They’re no longer valid.

Step 2: Update the scimsession file

AWS Fargate

Terraform

In the directory where you saved your Terraform deployment files:

  1. Replace your old scimsession file with the new one.
  2. Verify the configuration with terraform plan, then run terraform apply.

Then reconnect your identity provider.

AWS Management Console

  1. Sign in to the AWS Management Console, then go to Secrets Manager.
  2. Select your scimsession secret for 1Password from the list of secrets.
  3. In the “Secret value” section, choose Retrieve secret value. Then choose Plaintext and click Edit.
  4. Encode the new scimsession file with Base64url encoding, then copy it and enter it into the scimsession secret value.
  5. Click Save, then restart your scim-bridge container.

Then reconnect your identity provider.
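
The console steps above ask for the scimsession file in Base64url form but give no command for it. The following is an added example, not 1Password's own code: it produces the single-line value to paste into the secret and confirms it decodes back to the same bytes. Keeping the `=` padding is an assumption, and the sample file content is constructed.

```bash
#!/usr/bin/env bash
# Added example (not 1Password's code). Padding ('=') is kept: an assumption.

# Encode FILE as single-line Base64url: standard Base64 with / -> _ and + -> -.
b64url_encode() {
  base64 < "$1" | tr -d '\n' | tr '/+' '_-'
}

# Decode Base64url text from stdin back to the original bytes.
b64url_decode() {
  tr '_-' '/+' | base64 --decode
}

# Return 0 only if the encoded form uses the Base64url alphabet exclusively
# and FILE survives an encode/decode round trip byte for byte.
verify_b64url() {
  local file=$1 encoded
  encoded=$(b64url_encode "$file") || return 1
  case $encoded in
    ''|*[!A-Za-z0-9_=-]*) return 1 ;;
  esac
  printf '%s' "$encoded" | b64url_decode | cmp -s - "$file"
}

# Constructed sample standing in for a scimsession file. Its standard Base64
# form contains both '/' and '+', the two characters Base64url replaces.
demo() {
  local tmp
  tmp=$(mktemp)
  printf '???>>>' > "$tmp"
  echo "standard:  $(base64 < "$tmp" | tr -d '\n')"
  echo "base64url: $(b64url_encode "$tmp")"
  verify_b64url "$tmp" && echo "round trip OK"
  rm -f "$tmp"
}
demo
```

Run `b64url_encode ./scimsession` against the real file and paste the output into the secret value; the encoded string is as sensitive as the file itself.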

Docker

If you followed the instructions from the scim-examples repository on GitHub to deploy the SCIM bridge, find the directory where your SCIM environment variable file (scim.env) is located.

Move the new scimsession file to the same folder as the scim.env file, then follow the steps for Docker Compose or Docker Swarm.

Docker Compose

  1. Prepare the session variable:

     SESSION=$(cat ./scimsession | base64 | tr -d "\n")
    
  2. Save the session variable to the scim.env file:

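     sed -i '' -e "s|^OP_SESSION=.*|OP_SESSION=$SESSION|" ./scim.env

    This replaces any existing OP_SESSION value. The | delimiter is used because Base64 output can contain /. On Linux (GNU sed), omit the empty '' after -i.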
    
  3. Redeploy the SCIM bridge:

     docker-compose -f docker-compose.yml up --build -d
    

Then reconnect your identity provider.
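
A substitution that matches nothing leaves scim.env unchanged without reporting an error, so it is worth confirming the file really carries the new session before redeploying. The following is an added example, not from the scim-examples repository: it decodes OP_SESSION from scim.env and compares it byte for byte with the scimsession file. The function name, return codes and sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the scim-examples repository. All sample values
# below are constructed.

# check_env_session ENV_FILE SESSION_FILE
#   0  OP_SESSION decodes to exactly the bytes of SESSION_FILE
#   1  OP_SESSION is set but holds a different (for example, the old) session
#   2  OP_SESSION is missing, empty, duplicated, or not valid Base64
check_env_session() {
  local env_file=$1 session_file=$2 count value decoded rc
  count=$(grep -c '^OP_SESSION=' "$env_file" 2>/dev/null) || true
  [ "$count" = 1 ] || return 2
  value=$(sed -n 's/^OP_SESSION=//p' "$env_file")
  [ -n "$value" ] || return 2
  decoded=$(mktemp)   # created with mode 0600; holds the credential briefly
  if ! printf '%s' "$value" | base64 --decode > "$decoded" 2>/dev/null; then
    rc=2
  elif cmp -s "$decoded" "$session_file"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$decoded"
  return "$rc"
}

# Walk through the three outcomes with constructed files.
demo() {
  local dir new old
  dir=$(mktemp -d)
  printf 'constructed-new-session\n' > "$dir/scimsession"
  new=$(base64 < "$dir/scimsession" | tr -d '\n')
  old=$(printf 'constructed-old-session\n' | base64 | tr -d '\n')
  report() {
    local rc=0
    check_env_session "$dir/scim.env" "$dir/scimsession" || rc=$?
    echo "$1 -> $rc"
  }
  printf 'OP_SESSION=%s\n' "$old" > "$dir/scim.env"; report "stale value"
  printf 'OP_SESSION=\n'          > "$dir/scim.env"; report "empty value"
  printf 'OP_SESSION=%s\n' "$new" > "$dir/scim.env"; report "updated value"
  rm -rf "$dir"
}
demo
```

Run `check_env_session ./scim.env ./scimsession` after saving the session variable and redeploy only when it returns 0.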

Docker Swarm

  1. Delete the current Docker secret:

     docker secret rm scimsession
    
  2. Create a new Docker secret with your new scimsession file:

     cat ./scimsession | docker secret create scimsession -
    
  3. Scale the service to make sure the SCIM bridge is using the new scimsession file:

     docker service scale op-scim-bridge=0 && sleep 3 && docker service scale op-scim-bridge=1
    

Then reconnect your identity provider.

Google Cloud Platform

Use the Cloud Shell on Google Cloud Platform to update the scimsession file in place:

  1. Visit the list of Clusters on Google Cloud Platform and click the cluster you use for the SCIM bridge.

  2. Click Connect and choose Run in Cloud Shell.

  3. Allow any API permissions, then press Return to connect to the cluster.

  4. Open the new scimsession file in a text editor and copy the entire contents to the clipboard.

  5. In the Cloud Shell window, save the scimsession file to the cluster.

    Run this command, replacing SESSIONFILE with the contents of the scimsession file:

     echo 'SESSIONFILE' > ./scimsession
    
  6. Set up Let’s Encrypt.

    Run this command, replacing scim.example.com with the address for your SCIM bridge:

     kubectl set env deployment/op-scim-bridge OP_TLS_DOMAIN=scim.example.com
    
  7. Update the image for the SCIM bridge.

     kubectl set image deployment/op-scim-bridge op-scim-bridge=1password/scim:v2.0.0 --record
    

    Change “v2.0.0” in the command to the latest version.

  8. Notify Google Cloud Platform of the update:

     kubectl patch applications.app.k8s.io op-scim-bridge-1 -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.0.0"}]' --type='json'
    

    Change “2.0.0” in the command to the latest version.

  9. Copy the new scimsession file to the SCIM bridge:

     kubectl cp ./scimsession $(kubectl get pods | awk '$1 ~ /op-scim-bridge/ && $1 !~ /deployer/ {print $1}'):/home/scimuser/scimsession
    
  10. Scale the pod to make sure the SCIM bridge is using the new scimsession file:

     kubectl scale deploy op-scim-bridge --replicas=0 && sleep 3 && kubectl scale deploy op-scim-bridge --replicas=1
    

Then reconnect your identity provider.

Kubernetes

If you followed the instructions from the scim-examples repository on GitHub to deploy the SCIM bridge, run the following commands on the Kubernetes cluster where the SCIM bridge is located.

  1. Delete the current Kubernetes secret:

     kubectl delete secret scimsession
    
  2. Create a new secret from the new scimsession file. In the same directory as the file:

     kubectl create secret generic scimsession --from-file=./scimsession
    
  3. Scale the pod to make sure the SCIM bridge is using the new scimsession file:

     kubectl scale deploy op-scim-bridge --replicas=0 && sleep 3 && kubectl scale deploy op-scim-bridge --replicas=1
    

    If you set up the SCIM bridge before October 2020, change op-scim-bridge to op-scim in this command.

Then reconnect your identity provider.

Step 3: Reconnect your identity provider

Microsoft Entra ID

On the 1Password Business application details page:

  1. Click Provisioning in the sidebar, then click Edit Provisioning.
  2. Click Admin Credentials and replace the Secret Token with your new OAuth bearer token.
  3. Click Test Connection, then click Save if the test is successful and close the page.
  4. From the Provisioning page, click Restart Provisioning, then click OK. The SCIM bridge will begin provisioning again soon.

JumpCloud

On the 1Password Business application configuration panel:

  1. Click Identity Management.
  2. Turn off Enable management of User Groups and Group Membership in this application.
  3. Enter the URL of your SCIM bridge and your new OAuth bearer token, then click Activate.
  4. Turn on Enable management of User Groups and Group Membership in this application again, then click Save.

Okta

On the 1Password Business application details page:

  1. Click Provisioning, then click Integration and click Edit.
  2. Replace the API Token with your new OAuth bearer token. Click Test API Credentials, then click Save if the test is successful.

OneLogin

On the 1Password Business application settings page:

  1. Click Configuration.
  2. Replace the SCIM Bearer Token with your new OAuth bearer token, then click Save.

Rippling

On the 1Password application details page:

  1. Click Settings, then from the Sync section, click the link to update your credentials.
  2. Click Modify Setup. Add your new scimsession file and replace the 1Password bearer token with your new OAuth bearer token, then click Upload.

Get help

Get help with 1Password SCIM Bridge, like if you lose your bearer token or session file, or if you use two-factor authentication.

For more information about upgrading to the provisioning integration, contact your 1Password Business representative. To get help and share feedback, join the discussion with the 1Password Support Community.
