Teams and Businesses

Configure Unlock 1Password with SSO using OpenID Connect

Learn how to set up 1Password to unlock with SSO using OpenID Connect (OIDC).

With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting your identity provider with 1Password using Unlock with SSO and OpenID Connect (OIDC).

Unlock with SSO doesn’t include automated provisioning. If you want to create users and groups, manage access, and suspend 1Password users with your identity provider, learn how to automate provisioning using SCIM.

Before you begin

Before you begin, review the considerations and requirements for Unlock with SSO.

Step 1: Add a 1Password application to your identity provider

Before you can set up Unlock with SSO in 1Password, you’ll need to create an app integration in your identity provider. Some potential identity providers you can use include:

If your identity provider isn’t listed, consult the provider’s documentation to learn how to create an OpenID Connect app integration. 1Password only supports OpenID Connect-compliant identity providers.

When your identity provider asks you to enter your application redirect URIs, continue to step 2.

Step 2: Configure Unlock with SSO

Important

The changes you make below won’t be saved until you successfully authenticate with your identity provider. This prevents you from losing access to 1Password.

  1. Open a new browser tab or window and sign in to your account on 1Password.com.
  2. Click Policies in sidebar, then click Manage under Configure Identity Provider.
  3. Choose Other from the list of identity providers and click Next.
  4. Select your identity provider, then fill out the fields with its configuration information.

    If your identity provider isn't listed, choose Other.

  5. Click Next and copy the redirect URIs to the OIDC app integration you created in step 1.

    If you need help finding where to enter the URIs in your identity provider, consult your identity provider's documentation.

2.1: Configure required scopes and claims

1Password requires sub, name, and email claims from your identity provider. When a team member first signs in with SSO, their 1Password email must match the email claim from their sign-in. 1Password stores the sub claim to map future sign-ins from the identity provider to the same team member in 1Password.

Important

The sub claim is expected to be a unique value that never changes in your identity provider.

1Password also requests the email, profile, and openid scopes during the authentication request. Your identity provider is expected to interpret these scopes.

For details on configuring scopes and claims, consult your identity provider’s documentation. Learn more about OpenID Connect implementation.

2.2: Test the connection

After you’ve configured your settings, go back to the Unlock 1Password with Identity Provider page and test the connection. You’ll be taken to your identity provider to sign in, then redirected back to 1Password.

Step 3: Specify which team members will unlock 1Password with SSO and set a grace period

After you configure Unlock with SSO, you’ll be redirected to the settings page in your 1Password account. Before you configure your settings, you’ll need to create groups for the team members who will unlock 1Password with SSO:

  1. Create a custom group.

    Give the group a descriptive name, like "SSO", for clarity.

  2. Add team members to the group.

    If you plan to invite additional team members to test Unlock with SSO at a later date, create a new custom group for each additional set of testers.

The group(s) you create don’t have to be permanent, and you can eventually set your whole team to unlock with SSO once some groups have successfully migrated.

3.1: Choose who will unlock with SSO

Important

Users in the owners group can’t unlock with SSO and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their trusted devices and no one can recover them.

Learn more about implementing a recovery plan for your team.

By default, “People unlocking 1Password with an identity provider” is set to “No one”. This allows you to gradually migrate your team to unlock with SSO. To specify which team members will unlock 1Password with SSO, select one of the options:

  • No one: To turn off Unlock with SSO, select No one.
  • Selected groups (recommended): Only the team members in groups you choose will sign in with SSO. Learn how to use custom groups in 1Password Business.
  • Everyone except guests: All team members, except owners and guests, will sign in with your identity provider. All existing users will be prompted to switch to Unlock with SSO, and all new users will use their identity provider username and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.
  • Everyone (not recommended): Guests and all team members, except owners, will sign in with your identity provider. All existing users will be prompted to switch to Unlock with SSO, and all new users will use their identity provider username and password when joining 1Password.

3.2: Set a grace period

Team members who already have 1Password accounts will need to switch to unlock with SSO. Specify the number of days before team members must switch. Consider the following when you set the grace period:

  • By default, the grace period is set to 5 days. It can be set to 1 to 30 days.
  • The grace period begins when an administrator adds a group after they choose the Selected groups option or when an administrator configures Unlock with SSO for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with SSO.
  • If a team member belongs to more than one group, their grace period is determined by the first group set up with SSO, even if the grace periods are different for those groups.
  • If you add a team member who hasn’t set up unlock with SSO to a group with an expired grace period, you or another administrator will need to recover their account so they can sign in again using SSO.
  • If you edit the length of the grace period, it’ll be prolonged or shortened from the original date you configured the group to unlock with SSO.
  • If you need to configure more team members to unlock with SSO after the initial setup, create a new custom group with an active grace period. This will make sure newly assigned team members won’t need their accounts recovered.

Important

If a team member doesn’t migrate to Unlock with SSO before the end of the grace period, they won’t be able to sign in to their account on their devices and must contact an administrator to recover their account. The team member will switch to unlock with SSO during the recovery process.

Manage settings

To manage your settings, sign in to your account on 1Password.com, then click Policies in the sidebar. Click Manage under Configure Identity Provider.

Configuration

To change your configuration with your identity provider, click Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO. You can only set up one identity provider to unlock with SSO.

You can only save an identity provider configuration after you've successfully tested the connection. Changes won't be saved if you can't successfully authenticate with your identity provider. This prevents you from losing access to 1Password.

People assignments and biometrics

Click Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with SSO.

  • To specify which team members will unlock 1Password with SSO, select No one, Selected groups, Everyone except guests, or Everyone.

    "Selected groups" is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with SSO, select No one.

  • Specify the number of days before team members must switch to unlocking with SSO.

    The default grace period is 5 days. If a team member doesn't migrate to Unlock with SSO before the end of the grace period, they must contact their administrator to recover their account.

  • To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select Allow people to unlock 1Password using biometrics. Specify the number of days or weeks before they’ll be asked to sign in to your identity provider again.

    When biometric unlock is turned on, your team members can access 1Password while offline, until the time period specified. Vault access will be online-only after the elapsed period.

Click Review Changes to verify your choices, then click Save.

Next steps

To use Unlock with SSO yourself, get started with Unlock 1Password with SSO as a team member.

Learn how to unlock 1Password with SSO on all of your devices and add additional trusted devices.

Tip

If your IT team has a policy that clears browsing data when a browser is closed, exclude your team’s sign-in address from that policy to make sure your team members won’t lose access to their trusted device.

You can also encourage your team to set up other trusted devices, like the 1Password desktop app, after they sign up or switch to unlock with SSO.

Get help

Refer to your identity provider documentation to find your OpenID Connect well-known URL. It may follow one of the following formats: YOUR_DOMAIN.identity-provider.com/.well-known/openid-configuration or YOUR_DOMAIN.identity-provider.com/oauth2/default/.well-known/openid-configuration.

If a team member is moved from a group that unlocks with SSO to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.

If you change a user’s email address in your identity provider and they can no longer sign in with SSO, suspend and reactivate their account in 1Password.

Get help if you need to switch to a new identity provider after you set up Unlock with SSO.

Learn more

Still need help?

If this article didn't answer your question, contact 1Password Support.

Published: