With 1Password Business, you can automate many common administrative tasks using the System for Cross-domain Identity Management (SCIM) bridge. It’s SCIM 2.0 compatible and works with your existing identity provider, like Azure Active Directory or Okta, so you can:
- Create users and groups, including automated account confirmation
- Grant and revoke access to groups
- Suspend and delete users
Set up the SCIM bridge
Before you can deploy the 1Password SCIM bridge, you’ll need an OAuth bearer token and an encrypted
scimsession file. To protect your bearer token and
scimsession file, clone the scim-examples repository and run the setup script to generate them locally on your own system.
Step 1: Install Docker
The SCIM bridge setup process requires Docker. On your local system, install Docker.
Step 2: Clone the scim-examples repository
All of the scripts and configuration files needed to set up and deploy the SCIM bridge are available in the scim-examples repository on GitHub.
To clone the repository, open your terminal app, switch to the directory where you want to clone the repository, and run the following command:
git clone https://github.com/1Password/scim-examples.git
Step 3: Run the setup script
To begin the setup process, run the included setup script:
The SCIM bridge will create a group called “Provision Managers”, give it the required permissions for provisioning, and create a new user account in that group.
Make sure you have a separate email address (or an email alias) to use for the new user account. You can’t reuse the email address that you use for your administrator account.
This setup process will:
- Ask you to sign in to your administrator account
- Create the provision managers group and the provision manager account
- Set up the provision manager account
- Generate your bearer token and session file
From now on, the provision manager account can be used with the SCIM bridge to provision people.
scimsession file contains the encrypted credentials for the account you created for provision management. The bearer token and
scimsession file combined can be used to sign in to that account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your
scimsession file with anyone at all.
Deploy the SCIM bridge
To make sure the SCIM bridge is secure and accessible, configure your deployment environment:
- Restrict access to
scimsessionto the user running the SCIM bridge. Read-only access is sufficient.
- Use encrypted storage to secure
- Deploy DNS across the infrastructure to reference Redis and the bridge endpoint by fully qualified domain name (FQDN).
- Configure an API gateway, proxy, or load balancer to terminate TLS for the bridge endpoint.
- If the SCIM bridge is deployed behind a load balancer, configure it with a private subnet that allows incoming connections from the load balancer on port 3002.
The SCIM bridge writes to standard output (
stdout) for easy log collection.
Connect your identity provider to the SCIM bridge
Because the 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.
Connect to the TLS-secured API gateway, proxy, or load balancer where you’ve configured the SCIM bridge (for example:
https://scim.example.com) and authenticate using your OAuth bearer token.
The 1Password SCIM bridge requires:
- 1Password Business
a deployment environment with:
- an API gateway, proxy, or load balancer with TLS support
- Docker or Kubernetes
- a Redis cache
- 128 MB of RAM
- 100 MB of available storage
a supported SCIM 2.0-compatible identity provider: Azure Active Directory or Okta
If the provision management account details have changed
If you change the Master Password, Secret Key, or email address for the account you created for provision management, you’ll need to generate a new bearer token and session file.
If a new version of the SCIM bridge is available
If you receive an email notification about a new version of the SCIM bridge, update it:
- Visit 1Password SCIM bridge on Docker Hub and note the tag with the most recent version number.
Edit your YAML configuration file and update it with the version number you noted:
Deployment environment Edit this YAML file Docker
Run one of the following commands to apply the update:
Deployment environment Run this command Docker Compose
docker stack deploy
If you still need help
For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion in the 1Password Support forum.