Teams and Businesses

Deploy the 1Password SCIM bridge on Azure Kubernetes Service

Learn how to deploy the 1Password SCIM bridge on Azure Kubernetes Service, so you can integrate with your identity provider.

Tip

If you don’t use Azure Kubernetes Service, you can still automate provisioning in another deployment environment.

With 1Password Business, you can automate many common administrative tasks using the 1Password SCIM bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Azure Active Directory or Okta.

Step 1: Prepare your 1Password account

Before you can deploy the 1Password SCIM bridge, you’ll need an OAuth bearer token and encrypted scimsession file. To securely generate them, click Get Started, sign in to your 1Password account, and follow the onscreen instructions.

Get Started

If you see “Generate New Credentials”, the setup process has already been completed. If you’ve lost your bearer token or session file or changed the sign-in details for the account shown, click Generate New Credentials.

After you complete the setup process, you’ll see:

  • Your scimsession file. It contains the credentials for your new Provision Manager account.
  • Your bearer token. It’s the key to decrypt your scimsession file.

Save them both in 1Password. You’ll need them to deploy the SCIM bridge and connect your identity provider. Learn how to save important files in 1Password.

Important

The bearer token and scimsession file combined can be used to sign in to your Provision Manager account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

Step 2: Prepare your local system

2.1: Install Docker

Deploying the SCIM bridge on Azure Kubernetes Service requires Kubernetes, which is included with Docker Desktop. On your local system, install Docker Desktop.

2.2: Install the Azure CLI

To manage your cluster on your local system, install the Azure CLI.

2.3: Clone the scim-examples repository

All the configuration files needed to deploy the SCIM bridge are available in the scim-examples repository on GitHub.

To clone the repository, open your terminal app, switch to the directory where you want to clone the repository, and run the following command:

git clone https://github.com/1Password/scim-examples.git

Step 3: Deploy the SCIM bridge

If you don’t already have a Microsoft account account, create one. Then follow these steps.

3.1: Start creating a Kubernetes cluster

The SCIM bridge must be deployed to a cluster. To create a cluster:

  1. Sign in to your account on the Microsoft Azure portal.  
  2. Click “Create a resource” in the sidebar and choose “Kubernetes service”.

3.2: Configure your cluster

Configure your cluster using the following options. For all other options, you can use the provided defaults or choose your preferred options.

Project details:

  • Resource group
    Choose one, or click “Create new” and enter “1Password”.

Cluster details:

  • Kubernetes cluster name
    Enter “SCIM”.

Primary node pool:

  • Node size
    The SCIM bridge only requires a “Standard B2s” VM size.
  • Node count
    The SCIM bridge only requires 1 node.
the Project Details page configured for the cluster

After you’ve configured your cluster, click “Review + create”. It may take a moment. When you see “Validation passed”, click “Create”.

When you see “Your deployment is complete”, continue to the next step.

3.3: Configure kubectl to connect to your Kubernetes cluster

Sign in to your Azure account:

az login

To configure kubectl to connect to your Kubernetes cluster, include your <resourcegroup> and <clustername> in the following command:

az aks get-credentials --resource-group=<resourcegroup> --name=<clustername>

The credentials are saved in $HOME/.kube/config, which is where kubectl will look for them.

3.4: Deploy Redis

The SCIM bridge requires a Redis instance for caching. To deploy Redis to your new cluster, switch to the scim-examples/kubernetes folder from the cloned repository and use the manifest files provided:

kubectl apply -f redis-deployment.yaml
kubectl apply -f redis-service.yaml

3.5: Create a Kubernetes secret

To create a Kubernetes secret containing your scimsession file, include the correct path to it in the following command. For example, if your scimsession file is in the current directory:

kubectl create secret generic scimsession --from-file=./scimsession

3.6: Deploy the SCIM bridge

To obtain a TLS certificate for the SCIM Bridge, edit op-scim-deployment.yaml and add your domain name to line 19 in the containers.args field. For example, if you’re using the subdomain scim on the domain example.com:

args: ["--session=/secret/scimsession", "--letsencrypt-domain=scim.example.com"]

To deploy the SCIM bridge:

kubectl apply -f op-scim-deployment.yaml
kubectl apply -f op-scim-service.yaml

3.7: Create the DNS record

Create a new DNS A record for your domain that points to the IP address of the load balancer, which was deployed in the previous step. To get the external IP address of the load balancer:

kubectl get services

It might take a few minutes for Azure to provide an external IP address to the load balancer. After you have one, you can use it to configure your DNS records.

To test the SCIM Bridge

To check that the DNS has propagated and the SCIM bridge is deployed successfully, visit the domain you configured in the previous step. You’ll see a 1Password SCIM Bridge Status page, which can be used to verify your OAuth bearer token.

To test the connection to 1Password, include your <bearertoken> and <domain> in the following command:

curl --header "Authorization: Bearer <bearertoken>" https://<domain>/scim/Users

A list of the users in your 1Password account will be returned.

Important

The SCIM bridge requires TLS to work. The SCIM bridge will automatically obtain a LetsEncypt certificate after DNS has propagated. Before you connect the SCIM bridge to your identify provider, make sure that you can connect to the SCIM bridge:

  • over a secured (HTTPS) connection
  • with a valid TLS certificate

Step 4: Connect your identity provider to the SCIM bridge

Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

Learn how to connect your identity provider:

Azure Active Directory

Okta

Get help

The 1Password SCIM bridge requires 1Password Business and a supported SCIM 2.0-compatible identity provider: Azure Active Directory or Okta.

If you lose your bearer token or session file

Your OAuth bearer token and scimsession file are cryptographically linked. If you lose either one, you’ll need to generate a new bearer token and session file. Then deploy the SCIM bridge again.

If you change the account details for your Provision Manager account

If you change the Master Password, Secret Key, or email address for the account you created for provision management, you’ll need to generate a new bearer token and session file. Then deploy the SCIM bridge again.

If a new version of the SCIM bridge is available

If you receive an email notification about a new version of the SCIM bridge, update it:

  1. Visit 1Password SCIM bridge on Docker Hub and note the tag with the most recent version number.
  2. Edit op-scim-deployment.yaml and update it with the version number you noted.

  3. Run the following command to apply the update:

    kubectl apply

If you still need help

For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion in the 1Password Support forum.

Published: