With 1Password Business and Unlock with SSO, you can connect your identity provider with your 1Password account so your team members can sign in to 1Password with their identity provider username and password instead of their account password and Secret Key.
When you set up Unlock with SSO, you can:
- Specify which groups will unlock 1Password with SSO.
- Set a grace period for team members to migrate to Unlock with SSO.
- Allow team members to unlock 1Password with biometrics.
Review the considerations and requirements below, then learn how to set up Unlock with SSO.
Considerations
Before you set up Unlock with SSO, consider the impact that it will have on your team:
- Unlock with SSO is an authentication method only. To automate provisioning, use 1Password SCIM Bridge.
- Unlock with SSO is only available using the OpenID Connect (OIDC) protocol. It uses Authorization Code Flow with Proof Key for Code Exchange (PKCE). For all identity providers except Microsoft Entra ID, you’ll need to set up a public app for the integration, and a client secret is not stored or supported by 1Password.
- Your team will need to use 1Password 8. You can’t sign in to 1Password 7 with SSO.
- Unlock with SSO in the 1Password apps is only available with an Internet connection. You can allow unlock with biometrics to give your team members offline access.
- People in the Owners group can’t unlock 1Password with SSO. This prevents them from being locked out of the account or losing any data. We are investigating other long-term options.
- 1Password uses your encrypted credentials and device key to unlock with SSO, simplifying the enrollment process and eliminating the need for an account password. Learn more about Unlock 1Password with SSO security.
- You can only set up one identity provider to unlock with SSO.
- Team members need to unlock 1Password with their account password and Secret Key before switching to Unlock with SSO. Account recoveries will be needed for any users without their sign-in details. Team members will be prompted to sign in with SSO during the recovery process.
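The Authorization Code Flow with PKCE named in the considerations above, as an added example that is not 1Password's or any identity provider's code: it shows how a public app proves it started the sign-in without holding a client secret. The endpoint URL, client ID, redirect URI and scopes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# RFC 7636 code_verifier: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_verifier() -> str:
    """Client side: fresh high-entropy secret, generated per sign-in attempt."""
    return b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 characters

def authorization_url(endpoint, client_id, redirect_uri, verifier, state):
    """Public-client request: only the verifier's hash is sent, no client_secret."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",  # assumed scopes, not from the page
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return endpoint + "?" + urlencode(params)

def token_endpoint_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Provider side: redeem the code only if the verifier hashes to the challenge."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)

if __name__ == "__main__":
    # Constructed placeholder endpoint, client ID and redirect URI.
    verifier = new_verifier()
    url = authorization_url("https://idp.example.com/authorize", "example-client-id",
                            "https://app.example.com/callback", verifier, "xyz")
    stored = parse_qs(urlsplit(url).query)["code_challenge"][0]
    print("legitimate client redeems code:", token_endpoint_accepts(stored, verifier))
    print("intercepted code, other verifier:", token_endpoint_accepts(stored, new_verifier()))
```

Because the verifier never leaves the device until the token request, an authorization code intercepted on the redirect cannot be redeemed by another party.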
Requirements
When you’re ready to set up Unlock with SSO, you’ll need to:
- Be in the Owners or Administrators group in your 1Password Business account.
- Use the same email address to sign in to both 1Password and your identity provider.
- Have administrator privileges in your identity provider.
- Make sure team members have the following versions installed on their computers and mobile devices:
  - 1Password browser extension
  - 1Password 8 for iOS or Android
  - 1Password 8 for Mac, Windows, or Linux
  - 1Password CLI (optional)
Set up Unlock with SSO
After you have the requirements, learn how to configure Unlock with SSO for your identity provider:
If your team uses a different identity provider, let your sales representative or Customer Success Manager know so we can consider support for it in the future.
Get help
Get help if you’re having trouble unlocking 1Password with SSO.
If you automate provisioning with 1Password SCIM Bridge, do not change a suspended team member’s email address. Some identity providers don’t sync email changes for suspended users. If you reactivate a suspended team member after changing their email address, the SCIM bridge may treat them as a new user. This will cause issues when they try to unlock with SSO.
If you need to switch to a different identity provider after you set up Unlock with SSO:
- Sign in to your account on 1Password.com.
- Click Policies in the sidebar, then click Manage under Configure Identity Provider.
- Click Edit Configuration.
- Follow the steps to set up Unlock with SSO for your identity provider.
If one of your team members continues to use 1Password 7 after you add them to a group that unlocks with SSO, the data in the app may become out of sync with their account. To resolve this issue:
- Temporarily remove the team member from the group that unlocks with SSO.
- Ask them to unlock 1Password 7 so their data syncs.
- Ask them to upgrade to 1Password 8.
- Add them back to a group that unlocks with SSO.