Teams and Businesses

Automate provisioning in 1Password Business using SCIM

Learn how to set up and use the 1Password SCIM bridge to integrate with your identity provider.

Tip

If you’re already using the 1Password SCIM bridge with a Provision Manager account, follow the steps to upgrade your provisioning integration.

With 1Password Business, you can automate many common administrative tasks using the 1Password SCIM bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Azure Active Directory, Okta, OneLogin, or Rippling, so you can:

  • Create users and groups, including automated account confirmation
  • Grant and revoke access to groups
  • Suspend deprovisioned users

You’ll set up and deploy the SCIM bridge on a server in your own environment, so the encryption keys for your account are only available to you and no one else. To set up and deploy the SCIM bridge, you’ll need administrative access in 1Password Business.

Step 1: Prepare your 1Password account

If you’ve already been using 1Password Business, make sure the email addresses and group names in your 1Password account are identical to those in your identity provider:

  • If anyone is using a different email address in 1Password, ask them to change it.
  • If you have existing groups in 1Password that you want to sync with groups in your identity provider, adjust the group names in 1Password.

Step 2: Deploy the SCIM bridge

Before you can start provisioning, you’ll need to set up and deploy the SCIM bridge. Sign in to your 1Password account, click Integrations in the sidebar, and choose your identity provider. You can use these identity providers:

If you see the details for an existing provisioning integration, you’ll need to deactivate it first. Click More Actions and choose Deactivate Provisioning.

Important

The bearer token and scimsession file you receive during setup can be used together to access information from your 1Password account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

Step 3: Set up managed groups

After you’ve connected your identity provider, click View Details in the setup assistant or click Integrations in the sidebar and choose Manage.

On the provisioning details page, click Manage in the Managed Groups section, then select the groups to sync with your identity provider.

If you’ve previously used the SCIM bridge, make sure to select any groups that were already synced with your identity provider. This will prevent problems syncing with your identity provider, including duplicate groups.

Get help

If you want to use health monitoring and you set up the SCIM bridge before December 17, 2020, you’ll need to deploy the SCIM bridge again.

If your SCIM bridge goes offline or becomes unreachable, information between 1Password and your identity provider will stop syncing until it reconnects. Existing accounts and information won’t be affected. There’s no risk of data loss, even if you have to redeploy the SCIM bridge.

If you change a team member’s email address in your identity provider, 1Password will email the team member and ask them to accept the change. If you’re changing the domain of the email address, make sure the new domain is in the sign-up link allowed domains list on your Invitations page.

Get help with the SCIM bridge, like if you lose your bearer token or session file.

For more information about the SCIM bridge, contact your 1Password Business representative. To get help and share feedback, join the discussion with the 1Password Support Community.

Learn more

Published: