
Best practices for 1Password SCIM Bridge

Learn how to deploy, secure, and monitor 1Password SCIM Bridge for automated provisioning.

The 1Password SCIM Bridge is the self-hosted component that connects your identity provider to 1Password when you use automated provisioning with SCIM. This article focuses on deploying and operating the bridge safely.

For guidance on groups, inviting users, deprovisioning, and other practices that apply to every automated provisioning setup, including hosted provisioning, read best practices for using automated provisioning.

1Password Business supports two types of integrations with identity providers, and each has its own benefits:

Automated provisioning
  • Features: Automated user and group provisioning, role-based access control, and automation of administrative workflows.
  • Methodology: Uses an API endpoint or SCIM bridge, which communicates with the 1Password servers using an encryption protocol called Secure Remote Password (SRP).

Unlock with SSO
  • Features: Team members can unlock 1Password with their identity provider credentials using the OpenID Connect (OIDC) protocol.
  • Methodology: Uses a direct API integration with the 1Password servers.

If you want to allow your team to unlock 1Password with their identity provider credentials, learn about the best practices for using 1Password Unlock with SSO.

Set up and deploy your SCIM bridge

The SCIM bridge doesn’t change your account until you assign 1Password to users in your identity provider. Plan a phased rollout with a test user or group before you add your whole organization.

Important: If you use Google Workspace as your identity provider, you’ll need to add all the team members who already exist in your 1Password account. Any existing users who aren’t provisioned will be suspended, so take this into consideration when planning your deployment.

Learn more about automated provisioning with Google Workspace.

As you plan the deployment, consider the people in your organization that you’ll need to involve:

  • Identity provider team: Uses the app inside your identity provider to provision users and groups as part of their daily administrative tasks.
  • Infrastructure team: Deploys 1Password SCIM Bridge to a cloud platform or an on-premises virtual machine. They’ll need to record where the SCIM bridge is deployed and update it when new versions are available.

Manage and secure your SCIM bridge

Make sure your scimsession file and bearer token are kept safe. We recommend storing them in 1Password. If you accidentally lose or expose these secrets, make sure you regenerate them, then update the scimsession file in your SCIM bridge and the bearer token in the identity provider application.

Turn on health monitoring to receive an email if your SCIM bridge is offline. This uses a third-party service called Checkly to ping your SCIM bridge periodically. If you turn on health monitoring, check whether you need to add or change any firewall rules so that Checkly can connect to your SCIM bridge.

To change who gets notified when your SCIM bridge is offline, choose Manage in the Notifications section and enter the email address that should receive notifications.
