If you’re having trouble with 1Password SCIM Bridge

Get help when you’re having trouble connecting your identity provider to the SCIM bridge.

Check the status of 1Password SCIM Bridge

If you’re not sure what the problem is, first check your 1Password SCIM Bridge status page. You’ll see any problems the SCIM bridge has found, and you can download logs that contain detailed activity information.

In your browser, enter the address where you’ve configured the SCIM bridge (for example: https://scim.example.com) and authenticate using your OAuth bearer token. Check the Status section to make sure everything shows “Connected”.

If a team member is pending and can’t sign in

If a recently provisioned team member can’t sign in after creating their account, it may be because the SCIM bridge was restarted after they were provisioned, but before they were confirmed. Their status on your account’s People page will be “Pending”. The SCIM bridge automatically confirms pending users every five minutes, after which they should receive an email letting them know they’ve been confirmed.

If more than five minutes have passed and the team member is still pending, check the status of your SCIM bridge. This will start the Provision Watcher service if it isn’t running and automatically confirm the team member.

If you lose your bearer token or session file

Your SCIM bridge bearer token and scimsession file are cryptographically linked. If you lose either one, visit the Integrations page and click Regenerate Credentials. Then update the scimsession file in your SCIM bridge deployment and update the bearer token in your identity provider’s settings.

If you can’t test the connection to your identity provider

If the connection test to your identity provider fails, make sure provisioning is turned on in your 1Password account:

  1. Sign in to your account on 1Password.com.
  2. Choose Integrations in the sidebar.
  3. Choose Automated User Provisioning.
  4. Make sure Provisioning users & groups is turned on.

If you use two-factor authentication and see the “AuthWrap failed to generateNewSession” log message

If you see “AuthWrap failed to generateNewSession” in the SCIM bridge log, and you use Duo or enforce two-factor authentication, turn off provisioning, then follow the steps to redeploy the SCIM bridge.

If you see the “Your current location or network is blocked by an account firewall rule” log message

If you see “Your current location or network is blocked by an account firewall rule” in the SCIM bridge log, change your firewall rules to allow the SCIM bridge to access your 1Password account.

If your SCIM bridge is deployed on a cloud provider, you may not be able to connect if you use the Anonymous IP rule to deny Cloud Providers. To allow access for the SCIM bridge if it has a static outbound IP address, add an IP rule to allow it. Otherwise, remove Cloud Providers from the Anonymous IP rule.
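To check a downloaded log for the two messages covered in the sections above, a small triage script can count each one and print the matching fix. This is an added example, not 1Password's own tooling: the function names and the sample log layout are constructed, and only the two message strings come from this page.

```shell
#!/bin/sh
# Added example: triage a log downloaded from the SCIM bridge status page.
# The two messages are quoted from this page; the log line layout is constructed.

# Constructed sample input (not real SCIM bridge output).
sample_log() {
    cat <<'EOF'
2024-01-01T10:00:00Z INF provision watcher started
2024-01-01T10:00:05Z ERR AuthWrap failed to generateNewSession
2024-01-01T10:05:00Z ERR Your current location or network is blocked by an account firewall rule
2024-01-01T10:05:05Z ERR AuthWrap failed to generateNewSession
EOF
}

# Reads log files named as arguments (or stdin). Exit status follows grep:
# 0 if a known message was found, 1 if none was.
triage_scim_log() {
    awk '
    BEGIN {
        msg["authwrap"] = "AuthWrap failed to generateNewSession"
        fix["authwrap"] = "with Duo or enforced 2FA: turn off provisioning, then redeploy the SCIM bridge"
        msg["firewall"] = "Your current location or network is blocked by an account firewall rule"
        fix["firewall"] = "allow the bridge static outbound IP, or remove Cloud Providers from the Anonymous IP rule"
    }
    {
        # Substring match, so it does not depend on the timestamp or level fields.
        for (k in msg) if (index($0, msg[k]) > 0) {
            n[k]++
            if (!(k in first)) first[k] = NR
            last[k] = NR
        }
    }
    END {
        found = 0
        for (k in msg) if (n[k] > 0) {
            found = 1
            printf "%s count=%d first_line=%d last_line=%d\n", k, n[k], first[k], last[k]
            printf "  action: %s\n", fix[k]
        }
        if (!found) print "no known messages; check the Status section for Connected"
        exit (found ? 0 : 1)
    }' "$@"
}

sample_log | triage_scim_log || true
```

Run it against a real log with `triage_scim_log path/to/downloaded.log`; the line numbers it reports show whether the error is a one-off or still recurring at the end of the log.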

If you change a team member’s email address in your identity provider but they don’t get a confirmation email

If you change a team member’s email address in your identity provider but they don’t get a confirmation email, make sure the domain for the new email address is in the sign-up link allowed domains list on your Invitations page.

If the health monitoring service can’t contact the SCIM bridge

The health monitoring service for 1Password SCIM Bridge is provided by Checkly. You’ll need to make the SCIM bridge available to Checkly to use health monitoring.

If you’re not able to allow traffic from Checkly to access the SCIM bridge, you can turn off health monitoring from the provisioning settings page on 1Password.com.

If a team member doesn’t receive their automated provisioning invitation email

If a team member doesn’t receive their initial invitation email, and it isn’t being blocked by your email server’s spam filter, make sure your identity provider is configured to create team members’ email accounts before provisioning services to them. Future automated emails from 1Password, including attempts to resend an invitation, may not be delivered successfully if an initial invitation is sent to an inactive email account.

To find out if team members’ email accounts are configured before services are provisioned, contact your identity provider.

If you think an invitation was sent to a team member before their email account was created, and you’ve already tried to resend it, contact 1Password Support for help.

If you still need help

To get more help with the SCIM bridge or share feedback, contact 1Password Business Support or join the discussion with the 1Password Support Community.

If you have questions about how your identity provider is configured, contact their support team for help. You can include 1Password Business Support in correspondence with your identity provider if you have questions related to the SCIM bridge.
