
Plan your rollout of 1Password Unlock with SSO

Learn how to plan your integration of 1Password with your identity provider for single sign-on (SSO).

When you first set up 1Password Business, your team members use a Secret Key and account password to sign in to their accounts. With 1Password Unlock with SSO, you can allow them to sign in with their identity provider credentials instead.

1Password Business supports two types of integrations with identity providers, and each has its own benefits:

Automated provisioning
  Features: Automated user and group provisioning, role-based access control, and automation of administrative workflows.
  Methodology: Uses an API endpoint or a SCIM bridge, which communicates with the 1Password servers using Secure Remote Password (SRP), a password-authenticated key exchange protocol.

Unlock with SSO
  Features: Team members can unlock 1Password with their identity provider credentials using the OpenID Connect (OIDC) protocol.
  Methodology: Uses a direct API integration with the 1Password servers.

To set up these integrations, you’ll need to create separate applications for each one in your identity provider. Separate applications are required because each of the integrations serves different functions.

In this article, you can learn some best practices for planning your rollout of Unlock with SSO. If you want to manage users and groups from your identity provider, learn how to set up automated provisioning.

Plan your rollout

When you introduce Unlock with SSO to your team, prepare some communication strategies to let them know about the upcoming changes. Plan to do the rollout in stages to make sure users are informed and your IT team is ready to handle potential support requests. Before you start, learn about some of the other things to keep in mind below.

Owner accounts won’t unlock with SSO

In a 1Password Business account, people in the Owners group always unlock 1Password with their account password. Owner accounts can't be scoped for Unlock with SSO: if the owners lost access because of the identity provider, there might be no one left who can recover the account, and the vaults and items in it could be lost.

Tip

In the event of an identity provider outage, this limitation allows your team to maintain access to 1Password. Someone in the Owners group can sign in to 1Password and un-scope specific groups or the entire team from Unlock with SSO, which can temporarily switch them back to unlocking with an account password.

Owner accounts can be considered super-admins in a 1Password account and serve break-glass purposes in the context of Unlock with SSO and automated provisioning. They need to be set up and protected properly.

Interactions between automated provisioning and SSO

When you turn on Unlock with SSO, you choose who can sign in and unlock with SSO. The policy you choose determines how new users sign in:

  • Everyone, or Everyone except guests: All users in the Team Members group (the default group for new users) unlock with SSO.
  • Only groups you select: Automated provisioning is required so that new users are already in an SSO-scoped group before they sign up. Each identity provider handles group management differently, so keep this in mind when planning your deployment. A group membership change doesn't take effect at the same moment the user's account is activated, so the user must be placed in the scoped group ahead of time.

If users aren’t part of a group that unlocks with SSO, they’ll use a Secret Key and account password to sign in.

When you use Unlock with SSO alongside automated user provisioning, make sure attribute mappings are consistent between your provisioning application and your SSO application in your identity provider. For example, if you’ve configured your identity provider to send a certain attribute for user email addresses in 1Password, make sure your OIDC application is successfully sending that attribute as an OIDC claim.
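One way to check that consistency before you widen the rollout is to compare, per user, the email attribute your provisioning application sends with the claim your OIDC application puts in the ID token. The script below is an added example, not 1Password code or any identity provider's tooling: the SCIM records and decoded ID-token payloads are constructed samples, the attribute name userName and the claim name email are assumptions for the example, and the check function and Mismatch type are hypothetical helpers. It flags a missing claim, an outright different address, and an address that differs only in letter case, which is worth a look on its own because matching rules differ between systems.

```python
"""Pre-rollout check: does the OIDC email claim match the SCIM email
attribute for each user? Added example; SCIM_USERS and ID_TOKENS are
constructed samples standing in for exports from your identity provider's
SCIM and OIDC test tools."""
from dataclasses import dataclass

# Assumed mapping: the provisioning app sends the 1Password email address in
# the SCIM userName attribute, and the SSO app is expected to carry the same
# address in the OIDC "email" claim. Adjust both names to your own mapping.
SCIM_EMAIL_ATTR = "userName"
OIDC_EMAIL_CLAIM = "email"

# Constructed sample data keyed by the identity provider's user id.
SCIM_USERS = {
    "u1": {"userName": "alice@example.com", "displayName": "Alice"},
    "u2": {"userName": "bob@example.com", "displayName": "Bob"},
    "u3": {"userName": "Carol@example.com", "displayName": "Carol"},
    "u4": {"userName": "dave@example.com", "displayName": "Dave"},
}
ID_TOKENS = {
    "u1": {"sub": "u1", "email": "alice@example.com"},
    # SSO app was configured to send preferred_username instead of email.
    "u2": {"sub": "u2", "preferred_username": "bob@example.com"},
    # Same address, different letter case than the SCIM record.
    "u3": {"sub": "u3", "email": "carol@example.com"},
    # SSO app sends a secondary address, not the primary one SCIM provisioned.
    "u4": {"sub": "u4", "email": "dave.smith@example.com"},
}


@dataclass
class Mismatch:
    """One user whose provisioning attribute and OIDC claim disagree."""
    user: str
    problem: str


def check_mappings(scim_users, id_tokens,
                   scim_attr=SCIM_EMAIL_ATTR, oidc_claim=OIDC_EMAIL_CLAIM):
    """Return a list of Mismatch, one per user whose SCIM email attribute does
    not match the OIDC claim. Users that line up exactly produce no entry."""
    problems = []
    for uid, record in scim_users.items():
        scim_email = record.get(scim_attr)
        if not scim_email:
            problems.append(Mismatch(uid, f"SCIM record lacks {scim_attr}"))
            continue
        token = id_tokens.get(uid)
        if token is None:
            problems.append(Mismatch(uid, "no ID token captured for this user"))
            continue
        claim = token.get(oidc_claim)
        if claim is None:
            problems.append(Mismatch(uid, f"ID token lacks the {oidc_claim} claim"))
            continue
        if claim == scim_email:
            continue
        if claim.strip().lower() == scim_email.strip().lower():
            problems.append(Mismatch(
                uid, f"{scim_attr}={scim_email!r} and {oidc_claim}={claim!r} "
                     f"differ only in case"))
        else:
            problems.append(Mismatch(
                uid, f"{scim_attr}={scim_email!r} but {oidc_claim}={claim!r}"))
    return problems


def main():
    for m in check_mappings(SCIM_USERS, ID_TOKENS):
        print(f"{m.user}: {m.problem}")


if __name__ == "__main__":
    main()
```

Run it against real exports from your staged groups before each widening step; a user that shows up here would fall back to the Secret Key and account password (or fail to match their provisioned account) rather than unlock with SSO.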

Learn more about attribute mapping in the setup documentation for your identity provider.

Staging your rollout

As you plan the deployment of Unlock with SSO to your team, separate it into several stages:

  1. Test: When you first set up the integration, test it yourself and make sure your IT support team understands the changes you’ll be making to the account so they can help when needed.
  2. Perform a limited rollout: Consider one or two groups who can test the new unlock method before you roll it out to your entire organization. This can be your IT department, developers, and other users who are more technical. You can even create a custom group for this project.
  3. Gather feedback: Ask the groups who've been using SSO for feedback about their experiences over a one- to two-week period. If the feedback is positive, grant other groups access, and continue until all the groups have successfully migrated. As you go, you may need to adjust related settings, such as Conditional Access policies in Microsoft Entra ID, which may only allow users to sign in from specific devices, networks, or locations.
  4. Widen the rollout: Continue to expand the rollout to new groups. If you have hundreds or thousands of users, roll out Unlock with SSO slowly to make sure that your IT support team can keep up with questions or issues that come up along the way.

Tip

When you’re ready to begin, learn how to set up Unlock with SSO.
