Tip
If you currently use 1Password SCIM Bridge, learn how to migrate to hosted provisioning.
With 1Password Business, you can automate many common administrative tasks by connecting your identity provider with your 1Password account. When you set up automated provisioning with your identity provider, you can:
- Create users and groups, including automated account confirmation.
- Grant and revoke access to groups.
- Suspend users.
Automated provisioning doesn’t include single sign-on (SSO). If you want to allow your users to sign in to 1Password using your identity provider, learn how to set up Unlock with SSO.
Try it yourself
Explore our interactive demo to see how 1Password hosted provisioning setup works.
Considerations
When you set up automated provisioning, consider the impact it will have on your account:
- You won’t be able to use a self-hosted SCIM bridge on the account in the future. Hosted provisioning is designed differently than 1Password SCIM Bridge, and your account won’t be compatible with the self-hosted SCIM bridge.
- Hosted provisioning won’t manage groups that have the Recover Accounts or Manage All Groups permissions. This is a security feature to prevent automated provisioning from having account-wide cryptographic access.
- Users will be confirmed without a delay. Hosted provisioning confirms users immediately, so the end user proves their identity when they accept the invitation.
Limitations
There are also some limitations to consider:
- 1Password MSP accounts aren’t currently supported.
- Credentials for hosted provisioning can’t be regenerated or rotated, so they don’t expire. If the bearer token is compromised or needs to be refreshed, you’ll need to turn off hosted provisioning and set it up again. This will be addressed in the future.
Connect your identity provider
To set up automated user provisioning and connect your identity provider to your 1Password account, choose your identity provider:
Next steps
After you set up automated provisioning:
- Team members won’t be able to change their email addresses themselves. You’ll need to change their email addresses in your identity provider first, then they’ll be updated in 1Password. Team members will receive an email to confirm the change. Learn how to change a team member’s email address.
- You can suspend team members in 1Password by deprovisioning them in your identity provider. You can still permanently delete their account on 1Password.com.
- A Provision Managers group will be created. In most cases, no one should be added to this group. Group members can access the Employee vaults of provisioned users until they set up their account.
Tip
Learn about best practices for using automated provisioning.
Get help
If you change a team member’s email address in your identity provider, 1Password will email the team member and ask them to accept the change. If you’re changing the domain of the email address, make sure to update your allowed domains list. Email addresses for 1Password team members must be associated with a functioning inbox.
Do not change a suspended team member’s email address. Some identity providers don’t sync email changes for suspended users. If you reactivate a suspended team member after changing their email address, 1Password will treat them as a new user.
To get more help or share feedback, contact 1Password Business Support or join the discussion with the 1Password Support Community.
Learn more
- About 1Password Business
- About the security of automated provisioning (hosted by 1Password)
- About the Provision Managers group