1Password SCIM Bridge

Upgrade your provisioning integration

To upgrade your provisioning integration, you’ll need to deactivate your current provisioning setup, redeploy 1Password SCIM Bridge, and then reconnect your identity provider.

Step 1: Upgrade your provisioning setup

  1. Sign in to your account on 1Password.com, select Settings in the sidebar, then select Provisioning.
  2. Select Upgrade Now and enter your 1Password account password to turn off provisioning.
  3. Choose your identity provider from the Integrations Directory.
  4. Save your new scimsession file and bearer token in 1Password, then select Next.
  5. Select the account you currently use for provisioning, then select Transfer Groups. Your groups will be managed by the new provisioning integration. The current provision manager account will be suspended and will still be accessible under People.

    If you skip this step, you will need to manually add your groups to User Provisioning > Managed Groups.

After you’ve updated to the provisioning integration, you’re ready to update the scimsession file on the SCIM bridge.

Tip

To prevent confusion in the future, delete your old scimsession file and bearer token. They’re no longer valid.

Step 2: Update the scimsession file

AWS Fargate

Terraform

In the directory where you saved your Terraform deployment files:

  1. Replace your old scimsession file with the new one.
  2. Verify the configuration with terraform plan, then run terraform apply.

Then reconnect your identity provider.

AWS Management Console

  1. Sign in to the AWS Management Console, then go to Secrets Manager.
  2. Select your scimsession secret for 1Password from the list of secrets.
  3. In the “Secret value” section, select Retrieve secret value. Then select Plaintext, then select Edit.
  4. Encode the new scimsession file with Base64url encoding, then copy it and enter it into the scimsession secret value.
  5. Select Save, then restart your scim-bridge container.

Then reconnect your identity provider.
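For step 4 above, one way to produce the Base64url value and confirm it decodes back to the exact file before pasting it into the secret. This is an added example, not 1Password's own tooling; the function names are hypothetical, and keeping the "=" padding is an assumption.

```shell
#!/bin/sh
# Added example: Base64url-encode a scimsession file and verify the result.

# b64url_encode FILE: print FILE as one line of Base64url (RFC 4648, section 5).
# Assumption: "=" padding is kept; the page does not say whether to strip it.
b64url_encode() {
    [ -s "$1" ] || { echo "error: $1 is missing or empty" >&2; return 1; }
    base64 < "$1" | tr -d '\n' | tr '/+' '_-'
}

# b64url_decode STRING: map the alphabet back and decode to stdout.
# ("base64 -d" is the GNU spelling; older macOS releases use -D.)
b64url_decode() {
    printf '%s' "$1" | tr '_-' '/+' | base64 -d
}

# verify_encoding FILE: encode, reject anything outside the Base64url
# alphabet (including stray newlines), and require a byte-exact round trip.
verify_encoding() {
    encoded=$(b64url_encode "$1") || return 1
    case $encoded in
        *[!A-Za-z0-9_=-]*) echo "error: unexpected character" >&2; return 1 ;;
    esac
    b64url_decode "$encoded" | cmp -s - "$1" ||
        { echo "error: round trip does not match $1" >&2; return 1; }
    printf '%s\n' "$encoded"
}

if [ "$#" -gt 0 ]; then
    verify_encoding "$1"
else
    # No argument: run on constructed sample bytes, not a real scimsession.
    sample=$(mktemp) && printf '{"constructed":"?????>"}' > "$sample"
    verify_encoding "$sample"
    rm -f "$sample"
fi
```

The printed value is a credential: paste it into the secret and clear it from the terminal and clipboard afterwards.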

Docker

If you followed the instructions from the scim-examples repository on GitHub to deploy the SCIM bridge, find the directory where your SCIM environment variable file (scim.env) is located.

Move the new scimsession file to the same folder as the scim.env file, then follow the steps for Docker Compose or Docker Swarm.

Docker Compose

  1. Prepare the session variable:

     SESSION=$(cat ./scimsession | base64 | tr -d "\n")
    
  2. Save the session variable to the scim.env file:

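     # Replaces any existing value; "|" is the delimiter because Base64 can contain "/". With GNU sed (Linux), use -i without the empty '' argument.
     sed -i '' -e "s|^OP_SESSION=.*|OP_SESSION=$SESSION|" ./scim.env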
    
  3. Redeploy the SCIM bridge:

     docker-compose -f docker-compose.yml up --build -d
    

Then reconnect your identity provider.
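An added example (not from 1Password or the scim-examples repository): steps 1 and 2 as a function that avoids `sed -i` differences between platforms, keeps the encoded session out of command-line arguments, and confirms the stored value decodes back to the file. The function names are hypothetical; the sample files are constructed.

```shell
#!/bin/sh
# Added example: write the Base64-encoded scimsession into scim.env and verify it.

# set_op_session ENVFILE SESSIONFILE
# Replaces the OP_SESSION line (empty or already populated) or appends one.
set_op_session() {
    env_file=$1
    session_file=$2
    [ -s "$session_file" ] || { echo "error: $session_file is missing or empty" >&2; return 1; }
    [ -f "$env_file" ] || { echo "error: $env_file not found" >&2; return 1; }
    session=$(base64 < "$session_file" | tr -d '\n')
    tmp=$(mktemp "$env_file.XXXXXX") || return 1
    chmod 600 "$tmp"   # the file holds a credential: owner read/write only
    # The value reaches awk through the environment, not argv (which other
    # local users can read in process listings), and needs no escaping.
    SESSION=$session awk '
        /^OP_SESSION=/ { if (!done) print "OP_SESSION=" ENVIRON["SESSION"]; done = 1; next }
        { print }
        END { if (!done) print "OP_SESSION=" ENVIRON["SESSION"] }
    ' "$env_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$env_file"
}

# op_session_matches ENVFILE SESSIONFILE
# Succeeds only if the stored value decodes to exactly the session file.
op_session_matches() {
    sed -n 's/^OP_SESSION=//p' "$1" | base64 -d 2>/dev/null | cmp -s - "$2"
}

if [ "$#" -eq 2 ]; then
    set_op_session "$1" "$2" && op_session_matches "$1" "$2" &&
        echo "OP_SESSION updated and verified"
else
    # No arguments: demonstrate on constructed files in a temporary directory.
    demo=$(mktemp -d)
    printf '{"constructed":"new"}' > "$demo/scimsession"
    printf 'OP_SESSION=b2xkLXZhbHVl\n' > "$demo/scim.env"   # constructed old value
    set_op_session "$demo/scim.env" "$demo/scimsession" &&
        op_session_matches "$demo/scim.env" "$demo/scimsession" && echo "demo verified"
    rm -rf "$demo"
fi
```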

Docker Swarm

  1. Delete the current Docker secret:

     docker secret rm scimsession
    
  2. Create a new Docker secret with your new scimsession file:

     cat ./scimsession | docker secret create scimsession -
    
  3. Scale the service to make sure the SCIM bridge is using the new scimsession file:

     docker service scale op-scim-bridge=0 && sleep 3 && docker service scale op-scim-bridge=1
    

Then reconnect your identity provider.

Google Cloud Platform

Use the Cloud Shell on Google Cloud Platform to update the scimsession file in place:

  1. Visit the list of Clusters on Google Cloud Platform, then select the cluster you use for the SCIM bridge.

  2. Select Connect, then select Run in Cloud Shell.

  3. Allow any API permissions, then press Return to connect to the cluster.

  4. Open the new scimsession file in a text editor and copy the entire contents to the clipboard.

  5. In the Cloud Shell window, save the scimsession file to the cluster.

    Run this command, replacing SESSIONFILE with the contents of the scimsession file:

     echo 'SESSIONFILE' > ./scimsession
    
  6. Set up Let’s Encrypt.

    Run this command, replacing scim.example.com with the address for your SCIM bridge:

     kubectl set env deployment/op-scim-bridge OP_TLS_DOMAIN=scim.example.com
    
  7. Update the image for the SCIM bridge.

     kubectl set image deployment/op-scim-bridge op-scim-bridge=1password/scim:v2.0.0 --record
    

    Change “v2.0.0” in the command to the latest version.

  8. Notify Google Cloud Platform of the update:

     kubectl patch applications.app.k8s.io op-scim-bridge-1 -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.0.0"}]' --type='json'
    

    Change “2.0.0” in the command to the latest version.

  9. Copy the new scimsession file to the SCIM bridge:

     kubectl cp ./scimsession $(kubectl get pods | awk '$1 ~ /op-scim-bridge/ && $1 !~ /deployer/ {print $1}'):/home/scimuser/scimsession
    
  10. Scale the pod to make sure the SCIM bridge is using the new scimsession file:

     kubectl scale deploy op-scim-bridge --replicas=0 && sleep 3 && kubectl scale deploy op-scim-bridge --replicas=1
    

Then reconnect your identity provider.

Kubernetes

If you followed the instructions from the scim-examples repository on GitHub to deploy the SCIM bridge, run the following commands on the Kubernetes cluster where the SCIM bridge is located.

  1. Delete the current Kubernetes secret:

     kubectl delete secret scimsession
    
  2. Create a new secret from the new scimsession file. In the same directory as the file:

     kubectl create secret generic scimsession --from-file=./scimsession
    
  3. Scale the pod to make sure the SCIM bridge is using the new scimsession file:

     kubectl scale deploy op-scim-bridge --replicas=0 && sleep 3 && kubectl scale deploy op-scim-bridge --replicas=1
    

    If you set up the SCIM bridge before October 2020, change op-scim-bridge to op-scim in this command.

Then reconnect your identity provider.

Step 3: Reconnect your identity provider

Microsoft Entra ID

On the 1Password Business application details page:

  1. Select Provisioning in the sidebar, then select Edit Provisioning.
  2. Select Admin Credentials and replace the Secret Token with your new OAuth bearer token.
  3. Select Test Connection, then select Save if the test is successful and close the page.
  4. From the Provisioning page, select Restart Provisioning, then select OK. The SCIM bridge will begin provisioning again soon.

JumpCloud

On the 1Password Business application configuration panel:

  1. Select Identity Management.
  2. Turn off Enable management of User Groups and Group Membership in this application.
  3. Enter the URL of your SCIM bridge and your new OAuth bearer token, then select Activate.
  4. Turn on Enable management of User Groups and Group Membership in this application again, then select Save.

Okta

On the 1Password Business application details page:

  1. Select Provisioning, then select Integration. Select Edit.
  2. Replace the API Token with your new OAuth bearer token. Select Test API Credentials, then select Save if the test is successful.

OneLogin

On the 1Password Business application settings page:

  1. Select Configuration.
  2. Replace the SCIM Bearer Token with your new OAuth bearer token, then select Save.

Rippling

On the 1Password application details page:

  1. Select Settings, then from the Sync section, select the link to update your credentials.
  2. Select Modify Setup. Add your new scimsession file and replace the 1Password bearer token with your new OAuth bearer token, then select Upload.

Get help

Get help with 1Password SCIM Bridge if you lose your bearer token or session file, or if you use two-factor authentication.

For more information about upgrading to the provisioning integration, contact your 1Password Business representative. To get help and share feedback, join the discussion with the 1Password Support Community.
