Teams and Businesses

Automate provisioning in 1Password Business using SCIM

Learn how to set up and use the 1Password SCIM bridge to integrate with your identity provider.

Tip

There’s an easier way to install the SCIM bridge. Use the one-click install options available for Google Cloud Platform or DigitalOcean Kubernetes Service instead.

With 1Password Business, you can automate many common administrative tasks using the 1Password SCIM bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Azure Active Directory, Okta, OneLogin, or Rippling, so you can:

  • Create users and groups, including automated account confirmation
  • Grant and revoke access to groups
  • Suspend deprovisioned users

You’ll set up and deploy the SCIM bridge on a server in your own environment, so the encryption keys for your account are only available to you and no one else. To set up and deploy the SCIM bridge, you’ll need:

  • administrative access in 1Password Business
  • a DNS record to allow for encrypted (HTTPS) communication to the SCIM bridge
  • a deployment environment with:
    • a publicly accessible static IP address
    • access to port 443 and 80 to enable LetsEncrypt or a gateway with TLS termination
    • Docker or Kubernetes
    • 128 MB of RAM and 100 MB of available storage

Then follow the steps below.

Step 1: Prepare your 1Password account

Important

If you’ve already been using 1Password Business, make sure the email addresses and group names in your 1Password account are identical to those in your identity provider.

  • If anyone is using a different email address in 1Password, ask them to change it.
  • If you have existing groups in 1Password that you want to sync with groups in your identity provider, adjust the group names in 1Password.

Before you can deploy the 1Password SCIM bridge, you’ll need an OAuth bearer token and encrypted scimsession file. To securely generate them, click Get Started, sign in to your 1Password account, and follow the onscreen instructions.

Get Started

If you see “Generate New Credentials”, the setup process has already been completed. If you’ve lost your bearer token or session file or changed the sign-in details for the account shown, click Generate New Credentials.

After you complete the setup process, you’ll see:

  • Your scimsession file. It contains the credentials for your new Provision Manager account.
  • Your bearer token. It’s the key to decrypt your scimsession file.

Save them both in 1Password. You’ll need them to deploy the SCIM bridge and connect your identity provider. Learn how to save important files in 1Password.

Important

The bearer token and scimsession file combined can be used to sign in to your Provision Manager account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

If you have existing 1Password groups you want to sync

  1. Sign in to your account on 1Password.com and click Groups in the sidebar.
  2. Select a group, then click Manage in the People section.
  3. Select the Provision Manager and click Update Group Members.
  4. Click next to the Provision Manager and choose Manager.

Step 2: Deploy the SCIM bridge

To make sure the SCIM bridge is secure and accessible, configure your deployment environment:

  • Use encrypted storage to secure the scimsession file at rest.
  • If you’re not using LetsEncrypt, configure an API gateway, proxy, or load balancer to terminate TLS for the SCIM bridge.
  • If you deploy the SCIM bridge behind a load balancer, configure it with a private subnet that allows incoming connections from the load balancer on port 3002.

The SCIM bridge writes to standard output (stdout) for easy log collection.

User Guide

Learn how to deploy the SCIM bridge in your environment:

Azure Kubernetes Service

Kubernetes

Docker

AWS with Terraform

Step 3: Connect your identity provider to the SCIM bridge

Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

User Guide

Learn how to connect your identity provider:

Azure Active Directory

Okta

OneLogin

Rippling

Get help

If your SCIM bridge goes offline or becomes unreachable, information between 1Password and your identity provider will stop syncing until it reconnects. Existing accounts and information won’t be affected. There’s no risk of data loss, even if you have to redeploy the SCIM bridge.

Get help with the SCIM bridge, like if you lose your bearer token or session file, or if you use two-factor authentication.

For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion in the 1Password Support forum.

Learn more

Published: