With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting JumpCloud with 1Password using Unlock with SSO.
Unlock with SSO doesn’t include automated provisioning. If you want to create users and groups, manage access, and suspend 1Password users with your identity provider, learn how to automate provisioning using SCIM.
Before you begin
Before you can set up Unlock with SSO, you’ll need to:
- Be an administrator in your 1Password Business account. Owners currently cannot unlock with SSO.
- Have the appropriate JumpCloud administrator access to create new applications.
After you have these prerequisites, follow the steps below.
These steps were recorded in August 2023 and may have changed since. Refer to the JumpCloud documentation for the most up-to-date steps.
Step 1: Add the 1Password SSO application to JumpCloud
1.1: Create the application
To get started, sign in to the JumpCloud Admin Portal and follow these steps:
- In the sidebar, choose User Authentication > SSO Applications, then click Add New Application.
- Type “OIDC” in the search field and choose Custom OIDC App, then click Next.
- Enter a name for your application in the Display Label field and optionally add a logo.
- Click Next, then choose Configure Application.
- In the SSO tab, fill out the following fields:
- Redirect URIs: Copy and paste each of the following:
  - https://YOUR_DOMAIN.1password.com/sso/oidc/redirect/ (change the YOUR_DOMAIN placeholder to your sign-in address; if your 1Password account is in a different region, change .com to .ca or .eu accordingly)
  - onepassword://sso/oidc/redirect (this allows your team members to sign in to the 1Password apps with SSO)
- Copy and paste
- Client Authentication Type: Choose Public (None PKCE). This registers 1Password as a public client with no client secret; it proves possession of the authorization code with PKCE instead.
- Login URL: Enter your sign-in address.
- Continue to the next step to map attributes.
1.2: Add attribute mappings and user groups
In the Attribute Mapping section, while you're creating the app, add the following mappings:

| Service Provider Attribute Name | JumpCloud Attribute Name |
| --- | --- |
After you add these mappings:
- Click User Groups and make sure the groups you want to sign in to 1Password with SSO are selected.
- Click Activate in the bottom right. You’ll see the application’s details.
- Copy the Client ID and continue to the next step.
Step 2: Configure Unlock with SSO
The changes you make below won’t be saved until you successfully authenticate with JumpCloud. This prevents you from locking yourself out of 1Password.
- Open a new browser tab or window and sign in to your account on 1Password.com.
- Click Policies in the sidebar, then choose Unlock 1Password with Identity Provider.
- Choose Other from the list of identity providers and click Next.
- Select JumpCloud from the list, then fill out its information:
- Paste the Client ID from the JumpCloud application details you created in step 1.
- Paste the following for the well-known URL:
- Click Next and test the connection. You’ll be directed to JumpCloud to sign in, then returned to 1Password. This verifies connectivity between 1Password and JumpCloud.
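The configuration above registers 1Password as a public OIDC client: no client secret, PKCE in its place, and redirect URIs that the identity provider matches exactly. The following Python pre-flight check is an added example, not 1Password or JumpCloud code. It parses a constructed discovery document of the kind an identity provider serves at its well-known URL, flags anything that would break a public PKCE client, shows why a redirect URI must match the registered value character for character (the trailing slash on the web URI matters), and demonstrates the S256 code challenge such a client sends. The issuer `idp.example.com`, the sign-in subdomain `example`, and every field value in the sample document are assumptions.

```python
"""Pre-flight checks for a public (PKCE, no client secret) OIDC client such as
the 1Password Unlock with SSO integration.  Added example; the discovery
document below is constructed and its values are not JumpCloud's real ones."""
from __future__ import annotations

import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

# Constructed sample of an OIDC Discovery document (what the well-known URL
# returns).  Field names follow the OIDC Discovery spec; values are assumed.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/auth",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
})


def onepassword_redirect_uris(subdomain: str, tld: str = "com") -> list[str]:
    """The two redirect URIs the setup asks you to register, with the
    YOUR_DOMAIN placeholder filled in.  'subdomain' is an assumed value."""
    if tld not in ("com", "ca", "eu"):
        raise ValueError("1Password regions are .com, .ca and .eu")
    return [
        f"https://{subdomain}.1password.{tld}/sso/oidc/redirect/",
        "onepassword://sso/oidc/redirect",
    ]


def check_discovery(doc_json: str) -> list[str]:
    """Return the problems that would break a public PKCE client (empty = OK)."""
    doc = json.loads(doc_json)
    problems = []
    for name in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if name not in doc:
            problems.append(f"missing {name}")
        elif urlparse(doc[name]).scheme != "https":
            problems.append(f"{name} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not supported; a public client needs it")
    # Per the spec the default when this field is absent is client_secret_basic,
    # which a client registered without a secret cannot use.
    if "none" not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not advertise auth method 'none'")
    return problems


def redirect_uri_allowed(registered: list[str], candidate: str) -> bool:
    """Identity providers compare redirect URIs as exact strings, so a missing
    trailing slash or a different scheme is a mismatch, not a near miss."""
    return candidate in registered


def pkce_pair() -> tuple[str, str]:
    """Generate a PKCE code_verifier and its S256 code_challenge: the proof a
    'Public (None PKCE)' client presents instead of a client secret."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: recompute S256(verifier) and compare it
    with the challenge sent in the authorization request."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY))
    uris = onepassword_redirect_uris("example")
    print("exact match:", redirect_uri_allowed(uris, uris[0]))
    print("no trailing slash:", redirect_uri_allowed(uris, uris[0].rstrip("/")))
    v, c = pkce_pair()
    print("pkce verifies:", verify_pkce(v, c))
```

Run it against a real discovery document by replacing SAMPLE_DISCOVERY with the body fetched from your identity provider's well-known URL; an empty problems list is what you want before you click Next and test the connection.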
Step 3: Specify which team members will unlock 1Password with JumpCloud and set a grace period
After you configure Unlock with SSO, you’ll be redirected to the settings page in your 1Password account. Before you configure your settings, you’ll need to create groups for the team members who will unlock 1Password with JumpCloud:
- Create a custom group.
Give the group a descriptive name, like "JumpCloud SSO", for clarity.
- Add team members to the group.
If you plan to invite additional team members to test Unlock with JumpCloud at a later date, create a new custom group for each additional set of testers.
The group(s) you create don’t have to be permanent, and you can eventually set your whole team to unlock with SSO once some groups have successfully migrated.
3.1: Choose who will unlock with JumpCloud
Users in the Owners group can’t unlock with JumpCloud and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their trusted devices and no one can recover them.
Learn more about implementing a recovery plan for your team.
By default, “People unlocking 1Password with an identity provider” is set to “No one”. This allows you to gradually migrate your team to unlock with JumpCloud. To specify which team members will unlock 1Password with JumpCloud, select one of the options:
- No one: To turn off Unlock with JumpCloud, select No one.
- Selected groups (recommended): Only the team members in groups you choose will sign in with JumpCloud. Learn how to use custom groups in 1Password Business.
- Everyone except guests: All team members, except owners and guests, will sign in with JumpCloud. All existing users will be prompted to switch to Unlock with JumpCloud, and all new users will use their JumpCloud username and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.
- Everyone (not recommended): Guests and all team members, except owners, will sign in with JumpCloud. All existing users will be prompted to switch to Unlock with JumpCloud, and all new users will use their JumpCloud username and password when joining 1Password.
3.2: Set a grace period
Team members who already have 1Password accounts will need to switch to unlock with JumpCloud. Specify the number of days before team members must switch. Consider the following when you set the grace period:
- By default, the grace period is set to 5 days. It can be set to 1 to 30 days.
- The grace period begins when an administrator adds a group after they choose the Selected groups option or when an administrator configures Unlock with JumpCloud for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with JumpCloud.
- If a team member belongs to more than one group, their grace period is determined by the first group set up with SSO, even if the grace periods are different for those groups.
- If you add a user to a group with an expired grace period, you or another administrator will need to recover their account so they can set up unlock with SSO.
- If you edit the length of the grace period, it will be prolonged or shortened from the original configuration date. The grace period count doesn’t reset to zero when updated.
- If you plan to have more team members unlock with JumpCloud after initial configuration, it’s best to create a new custom group with its own grace period. This will make sure newly assigned team members won’t need their accounts recovered.
If a team member doesn’t migrate to Unlock with JumpCloud before the end of the grace period, they’ll be signed out of all their devices and must contact an administrator to recover their account.
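The grace-period rules above interact in ways that are easy to get wrong when planning a rollout: a member of several SSO groups inherits the deadline of whichever group was set up first, editing the length moves the deadline relative to the original configuration date rather than restarting the count, and adding someone to a group whose period has already ended forces an account recovery. The following Python model is an added example, not 1Password's implementation; it encodes those rules and walks through a constructed scenario (group names, dates and addresses are all assumed) so you can check a planned group layout before you save it.

```python
"""Model of the Unlock with SSO grace-period rules, to make their
interactions concrete.  Added example, not 1Password's code; the groups,
dates and people in scenario() are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


def _check_days(days: int) -> None:
    if not 1 <= days <= 30:
        raise ValueError("grace period must be between 1 and 30 days")


@dataclass
class SsoGroup:
    name: str
    configured_on: date      # day an admin assigned the group to Unlock with SSO
    grace_days: int = 5      # default 5; allowed range 1 to 30

    def __post_init__(self) -> None:
        _check_days(self.grace_days)

    def deadline(self) -> date:
        # Always counted from the original configuration date.
        return self.configured_on + timedelta(days=self.grace_days)

    def set_grace_days(self, days: int) -> None:
        # Editing the length prolongs or shortens the period from the
        # original date; the count does not restart on the day of the edit.
        _check_days(days)
        self.grace_days = days


@dataclass
class Member:
    email: str
    groups: list[SsoGroup] = field(default_factory=list)
    migrated: bool = False

    def governing_group(self) -> SsoGroup | None:
        # With several SSO groups, the first one set up with SSO governs,
        # even if the other groups have longer grace periods.
        if not self.groups:
            return None
        return min(self.groups, key=lambda g: g.configured_on)


def status(member: Member, today: date) -> str:
    """'not in scope', 'migrated', 'grace: N days left' or 'needs recovery'."""
    group = member.governing_group()
    if group is None:
        return "not in scope"
    if member.migrated:
        return "migrated"
    left = (group.deadline() - today).days
    if left < 0:
        # Past the deadline: signed out everywhere, an admin must recover them.
        return "needs recovery"
    return f"grace: {left} days left"


def add_to_group(member: Member, group: SsoGroup, today: date) -> str:
    """Refuse to add someone to a group whose grace period already ended;
    that assignment would force an account recovery, so a new group with its
    own grace period is the right move."""
    if today > group.deadline():
        return "warning: grace period expired; create a new group instead"
    member.groups.append(group)
    return "added"


def scenario() -> dict[str, str]:
    """Constructed walk-through of the edge cases in the rules above."""
    pilot = SsoGroup("JumpCloud SSO pilot", date(2023, 8, 1), grace_days=5)    # deadline Aug 6
    wave2 = SsoGroup("JumpCloud SSO wave 2", date(2023, 8, 10), grace_days=10) # deadline Aug 20
    alice = Member("alice@example.com", [pilot, wave2])
    results = {}
    # Alice is in both groups; the pilot was set up first, so its Aug 6
    # deadline governs even though wave 2 is still open on Aug 8.
    results["alice on Aug 8"] = status(alice, date(2023, 8, 8))
    # Extending the pilot to 10 days moves its deadline to Aug 11, counted
    # from Aug 1, not from the day of the edit.
    pilot.set_grace_days(10)
    results["alice on Aug 8 after extension"] = status(alice, date(2023, 8, 8))
    # Adding Bob to wave 2 on Aug 25, after its deadline, would need a recovery.
    bob = Member("bob@example.com")
    results["bob added on Aug 25"] = add_to_group(bob, wave2, date(2023, 8, 25))
    results["bob added on Aug 15"] = add_to_group(bob, wave2, date(2023, 8, 15))
    results["bob on Aug 15"] = status(bob, date(2023, 8, 15))
    return results


if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(f"{label}: {outcome}")
```

The takeaway the model makes visible: a tester who stays in the pilot group while being added to a later wave keeps the pilot's deadline, so when you widen the rollout, either extend the pilot group's period or move people rather than stacking memberships.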
To manage your settings, sign in to your account on 1Password.com, then click Policies in the sidebar and choose Unlock 1Password with Identity Provider.
To change your configuration with JumpCloud, click Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO. You can only set up one identity provider to unlock with SSO.
You can only save an identity provider configuration after you've successfully tested the connection. Changes won't be saved if you can't successfully authenticate with JumpCloud. This prevents locking yourself out of 1Password.
People assignments and biometrics
Click Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with JumpCloud.
- To specify which team members will unlock 1Password with JumpCloud, select No one, Selected groups, Everyone except guests, or Everyone.
"Selected groups" is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with JumpCloud, select No one.
- Specify the number of days before team members must switch to unlocking with JumpCloud.
The default grace period is 5 days. If a team member doesn't migrate to Unlock with JumpCloud before the end of the grace period, they must contact their administrator to recover their account.
- To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select Allow people to unlock 1Password using biometrics. Specify the number of days or weeks before they’ll be asked to sign in to JumpCloud again.
When biometric unlock is turned on, your team members can access 1Password while offline until the specified period elapses. After that, they'll need to be online and sign in to JumpCloud again before they can access their vaults.
Click Review Changes to verify your choices, then click Save.
To use Unlock with JumpCloud yourself, get started with Unlock 1Password with JumpCloud as a team member.
If your IT team has a policy that clears browsing data when a browser is closed, exclude your team’s sign-in address from that policy to make sure your team members won’t lose access to their trusted device.
You can also encourage your team to set up other trusted devices, like the 1Password desktop app, after they sign up or switch to unlock with SSO.
If a team member is moved from a group that unlocks with JumpCloud to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.