Automate provisioning in 1Password Business using SCIM

Learn how to integrate 1Password with your identity provider to automate provisioning.

A diagram showing the connection of identity providers to 1Password SCIM Bridge to 1Password servers.

With 1Password Business, you can automate many common administrative tasks by connecting your identity provider with your 1Password account using 1Password SCIM Bridge. When you set up automated provisioning with your identity provider, you can:

  • Create users and groups, including automated account confirmation
  • Grant and revoke access to groups
  • Suspend users

Automated provisioning doesn’t include single sign-on (SSO). If you want to allow your users to sign in to 1Password using your identity provider, learn how to set up Unlock with SSO.

Read More

Learn why you need to host your own SCIM bridge to connect your identity provider to 1Password.

Before you begin

Before you can set up automated provisioning, you’ll need:

  • An administrator in your 1Password Business account.
  • Administrative access to a supported identity provider: Google Workspace, JumpCloud, Microsoft Entra ID, Okta, OneLogin, or Rippling.
  • A platform to deploy 1Password SCIM Bridge on, such as Google Cloud Platform, DigitalOcean, or your own infrastructure (using the 1Password SCIM Bridge deployment examples).
  • A public DNS record to point to the location of your SCIM bridge. For example, scim.example.com. This is not required when you deploy to Azure Container Apps.

When you have these prerequisites, follow the steps below.

Step 1: Set up and deploy 1Password SCIM Bridge

Before you can start provisioning, you’ll need to set up and deploy 1Password SCIM Bridge:

  1. Sign in to your account on 1Password.com.
  2. Click Integrations in the sidebar.
  3. Choose your identity provider from the User Provisioning section.
  4. Follow the onscreen instructions to generate credentials for your SCIM bridge.
  5. Deploy your SCIM bridge.
  6. Optional: If you have existing custom groups, set up managed groups.

You can also choose your identity provider from this list to get started on 1Password.com:

If you see the details for an existing provisioning integration, you’ll need to deactivate it first. Click More Actions and choose Deactivate Provisioning.

Important

The bearer token and scimsession file generated during setup can be used to access information from your 1Password account. Save these credentials in your 1Password account and never share them with anyone who shouldn’t have access to provisioning.

Step 2 (Optional): Set up managed groups

If you have custom groups in your 1Password account, you can sync them with groups in your directory. After you’ve deployed the SCIM bridge:

  1. Click View Details in the setup assistant or click Integrations in the sidebar and choose Manage.
  2. On the provisioning details page, click Manage in the Managed Groups section.
  3. Select the groups you want to sync with your identity provider and click Save.

If you’ve previously used the SCIM bridge, make sure to select any groups that were already synced with your identity provider. This will prevent problems syncing with your identity provider, including duplicate groups.

Step 3: Connect your identity provider

To finish setting up automated user provisioning, connect your identity provider to the SCIM bridge. Learn how to connect your identity provider:

Get help

If your SCIM bridge goes offline or becomes unreachable, information between 1Password and your identity provider will stop syncing until it reconnects. Existing accounts and information won’t be affected. There’s no risk of data loss, even if you have to redeploy the SCIM bridge.

If you change a team member’s email address in your identity provider, 1Password will email the team member and ask them to accept the change. If you’re changing the domain of the email address, make sure the new domain is in the sign-up link allowed domains list on your Invitations page.

Do not change a suspended team member’s email address. Some identity providers don’t sync email changes for suspended users. If you reactivate a suspended team member after changing their email address, the SCIM bridge will treat them as a new user.
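
The two email-change rules above can be checked before a directory change is allowed to sync. The script below is an added example, not 1Password code: it compares two directory snapshots and flags changes that touch suspended users or move to a domain missing from the allowed domains list. The snapshot layout (user id, email, active flag) and all sample values are constructed assumptions.

```python
# Added example: pre-sync audit of email changes between two directory snapshots.
# Snapshot layout and sample values are constructed, not an identity provider export format.

def domain(email):
    return email.rsplit("@", 1)[-1].lower()

def audit_email_changes(before, after, allowed_domains):
    """Classify each email change, keyed by a stable directory user id."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for uid, new in after.items():
        old = before.get(uid)
        if old is None or old["email"].lower() == new["email"].lower():
            continue  # new user, or email unchanged
        if not old["active"] or not new["active"]:
            # Email changes for suspended users may not sync; on reactivation
            # the SCIM bridge would treat the person as a new user.
            findings.append((uid, "BLOCK", "email changed on a suspended user"))
        elif domain(new["email"]) != domain(old["email"]) and domain(new["email"]) not in allowed:
            findings.append((uid, "FIX_FIRST", "new domain not in allowed domains list"))
        else:
            findings.append((uid, "OK", "team member will be emailed to accept the change"))
    return findings

# Constructed sample data.
BEFORE = {
    "u1": {"email": "ana@example.com", "active": True},
    "u2": {"email": "bo@example.com", "active": False},   # suspended
    "u3": {"email": "cy@example.com", "active": True},
    "u4": {"email": "di@example.com", "active": True},
}
AFTER = {
    "u1": {"email": "ana.lopez@example.com", "active": True},
    "u2": {"email": "bo@example.org", "active": True},     # reactivated with a new email
    "u3": {"email": "cy@example.net", "active": True},     # domain not allowed
    "u4": {"email": "di@example.com", "active": True},
    "u5": {"email": "eli@example.com", "active": True},    # new user, ignored
}
ALLOWED = ["example.com", "example.org"]

if __name__ == "__main__":
    for uid, status, reason in audit_email_changes(BEFORE, AFTER, ALLOWED):
        print(f"{uid}: {status} - {reason}")
```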

Get help with the SCIM bridge, for example if you lose your bearer token or session file.

To get more help or share feedback, contact 1Password Business Support or join the discussion with the 1Password Support Community.
