If you don’t use DigitalOcean, you can still automate provisioning in another deployment environment.
Step 1: Deploy the SCIM bridge on DigitalOcean
If you’ve already been using 1Password Business, make sure the email addresses and group names in your 1Password account are identical to those in your identity provider.
- If anyone is using a different email address in 1Password, ask them to change it.
- If you have existing groups in 1Password that you want to sync with groups in your identity provider, adjust the group names in 1Password.
If you don’t already have a DigitalOcean account, create one. Then follow these steps.
1.1: Create a cluster
The SCIM bridge must be deployed within a cluster. To create a cluster:
- Visit 1Password SCIM bridge on DigitalOcean Marketplace and click “Create 1Password SCIM bridge”.
- Configure your cluster using the provided defaults or choose your preferred options.
- Scroll to the bottom and click Create Cluster.
Your cluster is now provisioning. After a few minutes, you’ll receive an email from DigitalOcean confirming that your load balancer is ready.
1.2: Set up the SCIM bridge
After your load balancer is ready:
Click Networking in the sidebar and choose Load Balancers. You’ll see the IP address for your load balancer.
Click the IP address to copy it.
Paste the IP address in your web browser’s address bar and press Return.
You’ll see the 1Password SCIM Bridge Setup page.
Step 2: Connect the SCIM bridge to your 1Password account
Before you can connect the SCIM bridge to your 1Password account, you’ll need to configure a DNS record to point your domain to the IP address of your load balancer. For example:
https://scim.example.com. Then follow these steps.
2.1: Sign in to your 1Password account
On the 1Password SCIM Bridge Setup page:
- Enter the domain name you configured for your load balancer to verify it.
- Click Sign In and follow the onscreen instructions.
If you see “Generate New Credentials”, the setup process has already been completed. If you’ve lost your bearer token or session file or changed the sign-in details for the account shown, click Generate New Credentials.
2.2: Authenticate with the SCIM bridge
After you complete the setup process, you’ll see:
scimsessionfile. It contains the credentials for your new Provision Manager account.
- Your bearer token. It’s the key to decrypt your
- Save them both in 1Password. You’ll need your bearer token to connect your identity provider to the SCIM bridge. Your
scimsessionfile will be installed automatically, but it’s a good idea to have a backup. Learn how to save important files in 1Password.
- Click “Install on <yourdomain>”. You’ll see the 1Password SCIM Bridge Status page.
- Enter your OAuth bearer token and click Verify.
The bearer token and
scimsession file combined can be used to sign in to your Provision Manager account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your
scimsession file with anyone at all.
If you have existing 1Password groups you want to sync
- Sign in to your account on 1Password.com and click Groups in the sidebar.
- Select a group, then click Manage in the People section.
- Select the Provision Manager and click Update Group Members.
- Click next to the Provision Manager and choose Manager.
Step 3: Connect your identity provider to the SCIM bridge
Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.
Connect to the load balancer where you’ve configured the SCIM bridge (for example:
https://scim.example.com) and authenticate using your OAuth bearer token.
Learn how to connect your identity provider:
The 1Password SCIM bridge requires 1Password Business and a supported SCIM 2.0-compatible identity provider: Azure Active Directory or Okta.
If you lose your bearer token or session file
Your OAuth bearer token and
scimsession file are cryptographically linked. If you lose either one, you’ll need to generate a new bearer token and session file. Then deploy the SCIM bridge again.
If you change the account details for your Provision Manager account
If you change the Master Password, Secret Key, or email address for the account you created for provision management, you’ll need to generate a new bearer token and session file. Then deploy the SCIM bridge again.
If you still need help
For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion in the 1Password Support forum.