Teams and Businesses

Connect Okta to 1Password SCIM Bridge

Learn how to set up and use 1Password SCIM Bridge to integrate with Okta.

the Okta logo

With 1Password Business, you can integrate 1Password with Okta to automate many common administrative tasks:

Provision

  • Create users: Assigned users and groups will be provisioned to 1Password.

    To sync groups from your directory to 1Password, use Push Groups.

  • Update user attributes: Changing user attributes in your directory will change the mapped attributes in 1Password.
  • Deactivate users: Deactivating a user or disabling the user’s access to 1Password in Okta will suspend the user in 1Password.

Import

  • Import users and groups: Existing 1Password users and groups will be imported and can be linked to existing Okta objects.

Manage groups

  • Push Groups: Use Push Groups to sync groups from your directory to 1Password or manage existing 1Password groups in Okta.

    To provision users to 1Password, use Okta group assignments.

To get started, sign in to your account on Okta.com  , click Admin in the top right, and follow these steps.

Before you begin

Before you can integrate 1Password with Okta, you’ll need to:

Step 1: Add the 1Password Business application to Okta

To add the 1Password Business application to Okta:

  1. Click Applications, then click Add Application.
  2. Find 1Password Business in the list and click Add.
  3. Choose the region for your 1Password account, then enter the beginning of your sign-in address (for example: acme) and click Next.
  4. Choose Bookmark-only from the sign on methods and click Done.

You’ll see the details of the application you just created.

Setup settings for the 1Password Business application in Okta

Step 2: Configure the application

On the 1Password Business application details page, click Provisioning. Then follow these steps.

2.1: Set up API integration

  1. Click Configure API Integration, then turn on Enable API Integration.

  2. Enter your Base URL and API Token.

    Base URL: the URL of your SCIM bridge (not your 1Password account sign-in address). For example: https://scim.example.com

    If you don’t know your URL, make sure you’ve set up and deployed the SCIM bridge.

    API Token: the bearer token for your SCIM bridge

    Learn what to do if you don’t have your bearer token.

  3. Click Save.

The Integration settings for Provisioning with Enable API Integration turned on

If you see "Error authenticating" when you set up the integration, open your Integrations page on 1Password.com and make sure provisioning is turned on.

2.2: Set up provisioning to 1Password

Click Assignments and assign the users and groups you want to provision to 1Password. Then follow these steps:

  1. Click Provisioning and choose To App in the sidebar.
  2. Click Edit and turn on these options:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  3. If you want to customize the attribute mappings, refer to the default mappings below.
  4. Click Save.
The To App settings for Provisioning with Create Users, Update User Attributes, and Deactivate Users turned on

Next steps

When you turn on provisioning, existing 1Password users will be linked to Okta users if their email address matches. If their email address is different, they’ll be invited to 1Password again, so make sure any affected team members update their email address before you turn on provisioning.

If you have existing groups in 1Password that you want to sync with Okta, add them to the groups managed by provisioning:

  1. Sign in to your account on 1Password.com.
  2. Choose Integrations in the sidebar and choose Automated User Provisioning.
  3. Choose Manage in the Managed Groups section, then select the groups to sync.

If you’ve previously used 1Password SCIM Bridge, make sure to select any groups that were already synced with Okta. This will prevent problems syncing with your identity provider, including duplicate groups.

Manage your settings

To turn off synchronization, click Active and choose Deactivate.

To change the region to match your 1Password account, click General, then change Region Type.

Learn more on the Okta Help Center. 

Get help

If users and groups aren’t being provisioned, make sure provisioning is turned on in your 1Password account:

  1. Sign in to your account on 1Password.com.
  2. Choose Integrations in the sidebar.
  3. Choose Automated User Provisioning.
  4. Make sure Provisioning users & groups is turned on.

Appendix: Attribute mappings

The following are the default attribute mappings for the 1Password Business application in Okta:

1Password attributeOkta attributeDescription
userNameOkta usernameThe team member’s username and email address.
givenNamefirstNameTheir first name.
familyNamelastNameTheir surname.

Learn how to map Okta attributes to app attributes in the Profile Editor. 

Still need help?

If this article didn't answer your question, contact 1Password Support.

Published: