When you first set up 1Password Business, your team members use a Secret Key and account password to sign in to their accounts. With 1Password Unlock with SSO, you can allow them to sign in with their identity provider credentials instead.
1Password Business supports two types of integrations with identity providers, and each has its own benefits:
| | Automated provisioning | Unlock with SSO |
|---|---|---|
| Features | Automated user and group provisioning, role-based access control, and automation of administrative workflows. | Team members can unlock 1Password with their identity provider credentials using the OpenID Connect (OIDC) protocol. |
| Methodology | Uses an API endpoint or SCIM bridge, which communicates with the 1Password servers using an encryption protocol called Secure Remote Password (SRP). | Uses a direct API integration with the 1Password servers. |
To set up these integrations, you’ll need to create separate applications for each one in your identity provider. Separate applications are required because each of the integrations serves different functions.
In this article, you can learn some best practices for planning your rollout of Unlock with SSO. If you want to manage users and groups from your identity provider, learn how to set up automated provisioning.
Plan your rollout
When you introduce Unlock with SSO to your team, prepare some communication strategies to let them know about the upcoming changes. Plan to do the rollout in stages to make sure users are informed and your IT team is ready to handle potential support requests. Before you start, learn about some of the other things to keep in mind below.
Owner accounts won’t unlock with SSO
In a 1Password Business account, people in the Owners group will always unlock 1Password with their account password. Owner accounts cannot be scoped for Unlock with SSO because if they lose access, vaults and items in the account may also be lost if there’s no one to recover them.
Tip
In the event of an identity provider outage, this limitation allows your team to maintain access to 1Password. Someone in the Owners group can sign in to 1Password and un-scope specific groups or the entire team from Unlock with SSO, which can temporarily switch them back to unlocking with an account password.
Owner accounts can be considered super-admins in a 1Password account and serve break-glass purposes in the context of Unlock with SSO and automated provisioning. They need to be set up and protected properly.
Interactions between automated provisioning and SSO
When you turn on Unlock with SSO, you’ll be able to choose who can sign in and unlock with SSO. The policy that you choose will determine how new users sign in, such as:
- Everyone or Everyone except guests: All users in the Team Members group (the default group for new users) will unlock with SSO.
- Only groups you select: Automated provisioning is required to scope new users for SSO before they sign up. Each identity provider handles group management differently, so keep this in mind when planning your deployment. Group membership changes also can’t be applied at the same time the user’s account is activated.
If users aren’t part of a group that unlocks with SSO, they’ll use a Secret Key and account password to sign in.
When you use Unlock with SSO alongside automated user provisioning, make sure attribute mappings are consistent between your provisioning application and your SSO application in your identity provider. For example, if you’ve configured your identity provider to send a certain attribute for user email addresses in 1Password, make sure your OIDC application is successfully sending that attribute as an OIDC claim.
Learn more about attribute mapping in the setup documentation for your identity provider.
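One way to verify the consistency the paragraph above asks for, before widening a rollout, is to compare the identity your provisioning application sends (a SCIM 2.0 user record) with the identity your OIDC application sends (the claims in an ID token) for the same test user. The script below is an added example written for this article, not 1Password's code and not the behaviour of any specific identity provider: it assumes the standard SCIM `userName`/`emails` attributes and the standard OIDC `email` claim, and the SCIM record and ID token are constructed samples. The ID token payload is decoded without signature verification, which is fine for inspecting which claims are emitted during testing but is not how a relying party validates a token.

```python
import base64
import json
from typing import List, Optional

# Constructed sample: a SCIM 2.0 user record as a provisioning bridge would
# receive it from the identity provider (all values are made up).
SAMPLE_SCIM_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "Jane.Doe@example.com",
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    "active": True,
}


def b64url_json(payload: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment, as JWTs do."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample ID token in compact form (header.payload.signature).
# The signature is a placeholder; this script never verifies it.
SAMPLE_ID_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"sub": "0001", "email": "jane.doe@example.com",
                 "email_verified": True}),
    "placeholder-signature",
])


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of an ID token WITHOUT verifying its signature.

    Only for inspecting which claims the IdP emits while testing a rollout;
    the relying party performs the real signature and issuer validation.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scim_primary_email(user: dict) -> Optional[str]:
    """Return the primary email from a SCIM user, falling back to userName."""
    for entry in user.get("emails", []):
        if entry.get("primary") and entry.get("value"):
            return entry["value"]
    return user.get("userName")


def check_mapping_consistency(scim_user: dict, claims: dict,
                              claim_name: str = "email") -> List[str]:
    """Compare the identity the provisioning app sends with the identity
    the OIDC app sends. Returns a list of findings; empty means consistent."""
    findings: List[str] = []
    claim_value = claims.get(claim_name)
    if not claim_value:
        findings.append(f"ID token is missing the '{claim_name}' claim")
        return findings
    scim_value = scim_primary_email(scim_user)
    if not scim_value:
        findings.append("SCIM user has no primary email or userName")
        return findings
    if claim_value.strip().casefold() != scim_value.strip().casefold():
        findings.append(
            f"mismatch: SCIM sends '{scim_value}' but OIDC sends '{claim_value}'")
    elif claim_value != scim_value:
        findings.append(
            f"casing differs: SCIM '{scim_value}' vs OIDC '{claim_value}' "
            "(confirm the receiving side matches case-insensitively)")
    return findings


if __name__ == "__main__":
    claims = id_token_claims(SAMPLE_ID_TOKEN)
    print("claims emitted by the OIDC app:", sorted(claims))
    for finding in check_mapping_consistency(SAMPLE_SCIM_USER, claims) or ["consistent"]:
        print(finding)
```

Run it against a real test user by pasting that user's SCIM representation and the ID token your OIDC application issued for the same person; any finding other than an empty list is something to fix in the identity provider's attribute mapping before moving past the limited-rollout stage.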
Staging your rollout
As you plan the deployment of Unlock with SSO to your team, separate it into several stages:
- Test: Set up the integration yourself and make sure your IT support team understands the changes before you begin.
- Limited rollout: Start with one or two groups, ideally IT staff or developers, before rolling out to the whole organization. You can create a custom group for this purpose.
- Gather feedback: Give assigned groups one to two weeks with SSO, then collect feedback. If it’s positive, expand to more groups. Adjust settings as needed, such as Conditional Access policies in Microsoft Entra ID.
- Widen the rollout: Expand to remaining groups gradually so your IT team can keep up with questions along the way.
Tip
When you’re ready to begin, learn how to set up Unlock with SSO.
Learn more
- Unlock with SSO: under the hood
- About 1Password Unlock with SSO security
- Best practices for securing your 1Password Business account