Check the status of the SCIM bridge
If you’re not sure what the problem is, first check the SCIM bridge status page. You’ll see any problems the SCIM bridge has found, and you can download logs that contain detailed activity information.
In your browser, enter the address where you’ve configured the SCIM bridge (for example: https://scim.example.com) and authenticate using your OAuth bearer token.
If you lose your bearer token or session file
Your OAuth bearer token and scimsession file are cryptographically linked. If you lose either one, you’ll need to deactivate your current provisioning integration, then deploy the SCIM bridge again.
If you change the account details for your Provision Manager account
If you change the password, Secret Key, or email address for the account you created for provision management, you’ll need to deactivate your current provisioning integration, then deploy the SCIM bridge again.
If you use two-factor authentication and see the “AuthWrap failed to generateNewSession” log message
If you see “AuthWrap failed to generateNewSession” in the SCIM bridge log, and you use Duo or 1Password Advanced Protection to enforce two-factor authentication, turn off provisioning, then redeploy the SCIM bridge.
If you see the “Your current location or network is blocked by an account firewall rule” log message
If you see “Your current location or network is blocked by an account firewall rule” in the SCIM bridge log, change your firewall rules to allow the SCIM bridge to access your 1Password account.
If your SCIM bridge is deployed on a cloud provider, you may not be able to connect if you use the Anonymous IP rule to deny Cloud Providers. To allow access for the SCIM bridge if it has a static outbound IP address, add an IP rule to allow it. Otherwise, remove Cloud Providers from the Anonymous IP rule.
If you change a team member’s email address in your identity provider but they don’t get a confirmation email
If you change a team member’s email address in your identity provider but they don’t get a confirmation email, make sure the domain for the new email address is in the sign-up link allowed domains list on your Invitations page.
If the health monitoring service can’t contact the SCIM bridge
The health monitoring service for the 1Password SCIM bridge is provided by Checkly. You’ll need to make the SCIM bridge available to Checkly to use health monitoring.
If you’re not able to allow traffic from Checkly to access the SCIM bridge, you can turn off health monitoring from the provisioning settings page on 1Password.com.
If a team member doesn’t receive their automated provisioning invitation email
If a team member doesn’t receive their initial invitation email, and it isn’t being blocked by your email server’s spam filter, resend the invite. Then, make sure your identity provider is configured to create team members' email accounts before provisioning services to use them. If your identity provider is set to create email accounts at the same time as provisioning 1Password accounts, invites may not be delivered successfully.
If a team member is pending provision and can’t sign in
If a recently provisioned team member can’t sign in after creating their account password, it may be because the SCIM bridge was restarted after they were provisioned but before they were confirmed. Their status will be “Pending Provision”.
To resolve the issue, enter the address where you’ve configured the SCIM bridge (for example: https://scim.example.com) in your browser. Then authenticate using your OAuth bearer token, which will start the Provision Watcher service and automatically confirm them.
If you still need help
For more information about the SCIM bridge, contact your 1Password Business representative.
To get help and share feedback, join the discussion with the 1Password Support Community.