Deploy the 1Password SCIM bridge on Azure Kubernetes Service

Learn how to deploy the 1Password SCIM bridge on Azure Kubernetes Service, so you can integrate with your identity provider.

Tip

If you don’t use Azure Kubernetes Service, you can still automate provisioning in another deployment environment.

With 1Password Business, you can automate many common administrative tasks using the 1Password SCIM bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Azure Active Directory, Okta, OneLogin, or Rippling.

Step 1: Prepare your 1Password account

Important

If you’ve already been using 1Password Business, make sure the email addresses and group names in your 1Password account are identical to those in your identity provider.

  • If anyone is using a different email address in 1Password, ask them to change it.
  • If you have existing groups in 1Password that you want to sync with groups in your identity provider, adjust the group names in 1Password.

Before you can deploy the 1Password SCIM bridge, you’ll need an OAuth bearer token and encrypted scimsession file. To securely generate them, click Get Started, sign in to your 1Password account, and follow the onscreen instructions.

If you see “Generate New Credentials”, the setup process has already been completed. If you’ve lost your bearer token or session file or changed the sign-in details for the account shown, click Generate New Credentials.

After you complete the setup process, you’ll see:

  • Your scimsession file. It contains the credentials for your new Provision Manager account.
  • Your bearer token. It’s the key to decrypt your scimsession file.

Save them both in 1Password. You’ll need them to deploy the SCIM bridge and connect your identity provider. Learn how to save important files in 1Password.

Important

The bearer token and scimsession file combined can be used to sign in to your Provision Manager account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

If you have existing 1Password groups you want to sync

  1. Sign in to your account on 1Password.com and click Groups in the sidebar.
  2. Select a group, then click Manage in the People section.
  3. Select the Provision Manager and click Update Group Members.
  4. Click next to the Provision Manager and choose Manager.

Step 2: Prepare your local system

2.1: Get the Kubernetes command-line tools

Before you can deploy the SCIM bridge on Azure Kubernetes Service, you’ll need to install Docker Desktop to get the Kubernetes command-line tools.

2.2: Install the Azure CLI

To manage your cluster on your local system, install the Azure CLI.

2.3: Clone the scim-examples repository

All the configuration files you need to deploy the SCIM bridge are available in the scim-examples repository on GitHub.

To clone the repository, open your terminal app, switch to the directory where you want to clone the repository, and run the following command:

git clone https://github.com/1Password/scim-examples.git

Step 3: Deploy the SCIM bridge

If you don’t already have a Microsoft account, create one. Then follow these steps.

3.1: Start creating a Kubernetes cluster

The SCIM bridge must be deployed to a cluster. To create a cluster:

  1. Sign in to your account on the Microsoft Azure portal.
  2. Click “Create a resource” and choose “Kubernetes service”.

3.2: Configure your cluster

Configure your cluster using the following options. For all other options, you can use the provided defaults or choose your preferred options.

Project details:

  • Resource group
    Choose one, or click “Create new” and enter “1Password”.

Cluster details:

  • Kubernetes cluster name
    Enter “SCIM”.

Primary node pool:

  • Node size
    The SCIM bridge only requires a “Standard B2s” VM size.
  • Node count
    The SCIM bridge only requires 1 node.

(Screenshot: the Project Details page configured for the cluster)

After you’ve configured your cluster, click “Review + create”. It may take a moment. When you see “Validation passed”, click “Create”.

When you see “Your deployment is complete”, continue to the next step.

3.3: Configure kubectl to connect to your Kubernetes cluster

Sign in to your Azure account:

az login

Then, using the resource group and cluster name you set in the previous step, get the credentials for kubectl to use:

az aks get-credentials --resource-group=<resource_group> --name=<cluster_name>

3.4: Set up Let’s Encrypt

The SCIM bridge uses an SSL certificate provided by Let’s Encrypt to secure communication with 1Password and your identity provider. Edit op-scim-config.yaml to set the domain name for the certificate.

Enter the fully qualified domain name (FQDN) you plan to use for your SCIM bridge (for example: scim.example.com) as the value for OP_LETSENCRYPT_DOMAIN.

Save the file, then apply it to your Kubernetes cluster:

kubectl apply -f op-scim-config.yaml

3.5: Create a Kubernetes secret

To create a Kubernetes secret containing your scimsession file, include the path to it in the following command. For example, if your scimsession file is in the current directory:

kubectl create secret generic scimsession --from-file=./scimsession

3.6: Deploy Redis

The SCIM bridge uses a Redis instance to store and cache your Let’s Encrypt SSL certificate. To deploy Redis to your new cluster:

kubectl apply -f redis-deployment.yaml
kubectl apply -f redis-service.yaml

3.7: Deploy the SCIM bridge and load balancer

To deploy the SCIM bridge and load balancer:

kubectl apply -f op-scim-deployment.yaml
kubectl apply -f op-scim-service.yaml

If you use Azure Firewall, open ports 80 and 443 for your Azure Kubernetes cluster. The Let’s Encrypt service uses port 80 to renew the SSL certificate every 60 days. All other SCIM bridge traffic uses port 443.

3.8: Create the DNS record

To get the external IP address of the load balancer:

kubectl describe service/op-scim-bridge | grep "LoadBalancer Ingress"

If you don’t see the IP address, wait a few minutes and try again.

Add an A record to the DNS entry for your domain that points to the IP address for the load balancer.

Step 4: Test the SCIM bridge

Important

Before you connect the SCIM bridge to your identity provider, make sure that you can connect to the SCIM bridge:

  • over a secured (HTTPS) connection
  • with a valid TLS certificate

To check that the DNS has propagated and the SCIM bridge is deployed successfully, visit the domain you configured in the previous step in your browser. You’ll see a 1Password SCIM Bridge Status page. Enter your OAuth bearer token to verify it’s correct.

Use your bearer token and domain (for example: scim.example.com) to test the connection to 1Password:

curl --header "Authorization: Bearer <bearer_token>" https://<domain>/scim/Users

If you see a list of the users in your 1Password account, your SCIM bridge is deployed correctly.
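The Step 4 check written as a script rather than a one-off curl command, so it can be rerun after certificate renewals or cluster changes; this is an added example, not 1Password's code. It assumes only that the bridge answers /scim/Users with a standard SCIM 2.0 ListResponse; the domain and token are placeholders, and the sample reply embedded in the code is constructed.

```python
import json
import ssl
import urllib.error
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample of a /scim/Users reply, used to exercise the parser offline.
SAMPLE_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"id": "1", "userName": "wendy@example.com", "active": True},
        {"id": "2", "userName": "bob@example.com", "active": False},
    ],
})


def parse_user_list(body: str) -> dict:
    """Summarise a SCIM 2.0 ListResponse of users."""
    doc = json.loads(body)
    # A status page or proxy answering instead of the bridge lacks this schema.
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    users = doc.get("Resources", [])
    return {
        "total": doc.get("totalResults", len(users)),
        "returned": len(users),
        "active": [u["userName"] for u in users if u.get("active", False)],
        "inactive": [u["userName"] for u in users if not u.get("active", False)],
    }


def fetch_users(domain: str, bearer_token: str, timeout: float = 10.0) -> dict:
    """GET https://<domain>/scim/Users with the bearer token over verified TLS."""
    req = urllib.request.Request(
        f"https://{domain}/scim/Users",
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/scim+json"},
    )
    # The default context checks the chain and hostname, so a bridge still
    # serving a self-signed or expired certificate fails here instead of passing.
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_user_list(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 401 or 403 usually means the bearer token was pasted incorrectly.
        raise RuntimeError(f"bridge returned HTTP {exc.code}") from exc
```

Call `fetch_users("scim.example.com", "<bearer_token>")` with your own FQDN and token; a summary with `returned` greater than zero is the same user list the guide tells you to expect, and a TLS or HTTP error means the bridge is not ready to connect to your identity provider.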

Step 5: Connect your identity provider to the SCIM bridge

Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

Learn how to connect your identity provider:

  • Azure Active Directory
  • Okta
  • OneLogin
  • Rippling

Get help

Get help with the SCIM bridge, for example if you lose your bearer token or session file, or if you use two-factor authentication.

For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion with the 1Password Support Community.
