Teams and Businesses

Deploy the 1Password SCIM bridge on Google Cloud Platform

Learn how to deploy the 1Password SCIM bridge on Google Cloud Platform, so you can integrate with your identity provider.

Tip

If you don’t use Google Cloud Platform, you can still automate provisioning in another deployment environment.

With 1Password Business, you can automate many common administrative tasks using the 1Password SCIM bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Azure Active Directory or Okta.

Step 1: Deploy the SCIM bridge on Google Cloud Platform

If you don’t already have a Google Cloud Platform account, create one. Then follow these steps.

1.1: Create a project

The SCIM bridge must be deployed within a project. To create a project:

  1. Visit the Manage resources page and click Create Project.
  2. Enter a Project Name. If you’re part of an organization, choose it.

    If you can’t choose your organization, contact your Google Cloud Platform organization administrator.

  3. Click Create.

After the project has been created, you can configure the SCIM bridge.

1.2: Configure the SCIM bridge

Visit 1Password SCIM bridge on Google Cloud Platform Marketplace and click Configure. If prompted, choose the project you created above.

If you see “‘Kubernetes Engine Admin’ role is required”, ignore it. The message will go away after you create a cluster.

Configure the SCIM bridge and click Deploy:

  • Cluster
    Choose one or click “Create a new cluster”. If you create a new cluster, refresh the page after it has been created.
  • Namespace
    Use the provided default. Or if you have an existing application in the cluster, create a new namespace called “1password”.
  • App instance name
    Use the provided default.
  • 1Password sign-in address
    Your 1Password sign-in address. For example: example.1password.com
the configuration page for the SCIM bridge

After the SCIM bridge is deployed, you’ll see its application details.

1.3: Set up the SCIM bridge

In the “SCIM bridge info” section of the application details, the “1Password SCIM bridge public IP” begins with 10 (for example, 10.11.255.255), which is a private IP address.

Refresh the page until the IP address changes to a public IP, one that doesn’t begin with 10. Then click the public IP address. You’ll see the 1Password SCIM Bridge Setup page.

the application details page with the 1Password SCIM bridge public IP highlighted

Step 2: Connect the SCIM bridge to your 1Password account

Before you can connect the SCIM bridge to your 1Password account, you’ll need to configure a DNS record to point your domain to the 1Password SCIM bridge public IP. For example: https://scim.example.com. Then follow these steps.

2.1: Sign in to your 1Password account

On the 1Password SCIM Bridge Setup page:

  1. Enter the domain name you configured for the SCIM bridge to verify it.
  2. Click Sign In and follow the onscreen instructions.

If you see "Generate New Credentials", the setup process has already been completed. If you've lost your bearer token or session file or changed the sign-in details for the account shown, click Generate New Credentials.

1Password SCIM Bridge Status

2.2: Authenticate with the SCIM bridge

After you complete the setup process, you’ll see:

  • Your scimsession file. It contains the credentials for your new Provision Manager account.
  • Your bearer token. It’s the key to decrypt your scimsession file.
  1. Save them both in 1Password. You’ll need your bearer token to connect your identity provider to the SCIM bridge. Your scimsession file will be installed automatically, but it’s a good idea to have a backup. Learn how to save important files in 1Password.
  2. Click “Install on <yourdomain>”. You’ll see the 1Password SCIM Bridge Status page.
  3. Enter your OAuth bearer token and click Verify.

Important

The bearer token and scimsession file combined can be used to sign in to your Provision Manager account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

2.3: Configure a static IP address

When you first deploy the 1Password SCIM bridge, an ephemeral IP address is assigned to it. This address is not guaranteed to remain constant, which may interrupt your automated provisioning.

To use the SCIM bridge without interruption, promote the “1Password SCIM bridge public IP” to a static IP address. Learn how to configure a static IP address.  

Step 3: Connect your identity provider to the SCIM bridge

Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

Connect to the TLS-secured API gateway, proxy, or load balancer where you’ve configured the SCIM bridge (for example: https://scim.example.com) and authenticate using your OAuth bearer token.

Learn how to connect your identity provider:

Azure Active Directory

Okta

Get help

The 1Password SCIM bridge requires 1Password Business and a supported SCIM 2.0-compatible identity provider: Azure Active Directory or Okta.

If you lose your bearer token or session file

Your OAuth bearer token and scimsession file are cryptographically linked. If you lose either one, you’ll need to generate a new bearer token and session file. Then deploy the SCIM bridge again.

If you change the account details for your Provision Manager account

If you change the Master Password, Secret Key, or email address for the account you created for provision management, you’ll need to generate a new bearer token and session file. Then deploy the SCIM bridge again.

If a new version of the SCIM bridge is available

If you receive an email notification about a new version of the SCIM bridge, learn how to update the 1Password SCIM bridge on Google Cloud Platform.

If you still need help

For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion in the 1Password Support forum.

Published: