Teams and business

Configure Unlock 1Password with Okta

Learn how to set up 1Password to unlock with Okta.

With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting Okta with 1Password using Unlock with SSO.

Unlock with SSO doesn’t include automated provisioning. If you want to create users and groups, manage access, and suspend 1Password users with your identity provider, learn how to automate provisioning using SCIM.

Before you begin

Before you begin, review the considerations and requirements for Unlock with SSO.

These steps were recorded in April 2024 and may have changed since. Refer to the Okta Help Center documentation  for the most up-to-date steps.

Step 1: Add the 1Password Business application to Okta

To get started, sign in to your account on Okta.com  , click Admin in the top right, and follow these steps to set up the app integration:

  1. In the Admin Console, go to Applications > Applications.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-in method.
  4. Select Native Application as the application type.
  5. Click Next.
  6. Give the app a name, such as “1Password SSO”.
  7. Leave the sign-in redirect URIs as-is. You’ll fill them out with your 1Password details later.
  8. Choose the assignments you’d like to use.
  9. Click Save.

After you’ve created the app integration, copy your Client ID from the Client Credentials section on the application page. Then continue to the next step to configure Unlock with SSO in your 1Password account.

Step 2: Configure Unlock with SSO

Important

The changes you make below won’t be saved until you successfully authenticate with Okta. This prevents you from losing access to 1Password.

2.1: Set up Unlock with SSO

  1. Open a new browser tab or window and sign in to your account on 1Password.com.
  2. Click Policies in the sidebar.
  3. Click Manage under Configure Identity Provider.
  4. Follow the onscreen instructions to set up Unlock with SSO.
    • When you’re asked for your Client ID, paste the one you copied at the end of Step 1.
    • Refer to your Okta documentation to find your Okta well-known URL. It may follow one of the following formats: YOUR_OKTA_DOMAIN.okta.com/.well-known/openid-configuration or YOUR_OKTA_DOMAIN.okta.com/oauth2/default/.well-known/openid-configuration
  5. When you reach the “Set up redirects” page, continue to step 2.2.

2.2: Configure the Okta application

Go back to the application you created in Okta. Click the General tab, then click Edit in the General Settings section and add the following:

  • Logo: Upload a logo to associate with the integration (optional).
  • Grant type: Choose Authorization Code.
  • Sign-in redirect URIs:
    • Copy the first URI from the “Set up redirects” page. This redirect allows users to sign in from their browser.
    • Copy the second URI from the “Set up redirects” page. Okta will send the authentication response and ID token for the user’s sign-in request to this URI, and it allow users to sign in from the 1Password apps.
  • Sign-out redirect URIs: These are not used by 1Password, so remove any that were set by default.

When you’re finished, click Save. You’ll be redirected to the settings page for the app integration.

2.3: Edit assignments and settings

If you make any changes to your 1Password Unlock with SSO configuration after initial setup, you’ll also need to update the OIDC settings of your Okta application integration.

Assignments:

Important

You must first assign yourself to the Okta application you just created before you can configure Unlock with SSO in 1Password.

The email address you use to sign in to 1Password must match the email address you use to sign in to Okta.

  1. Select the Assignments tab, and click Assign > Assign to People.
  2. Search for the email address associated with your 1Password admin account and click Assign.
  3. Confirm the user information, then click Save and Go Back.
  4. Click Done.

Client Credentials:

Select the General tab, and click Edit to change any of the listed options.

This section has the Client ID and Client authentication information for your app integration. You can edit the authentication type:

  • Client authentication: Select None. This option requires the use of a Proof Key for Code Exchange (PKCE) for additional verification. PKCE makes sure that the access token can be redeemed only by the client that requested it.
  • Proof Key for Code Exchange (PKCE): Check Require PKCE as additional verification.

Click Save to commit your Client Credentials changes.

General Settings:

Select the General tab, and click Edit to change any of the listed options.

  • Application:
    • App integration name: You can edit the name you provided when creating the app integration.
    • Grant type: You can edit the grant type you provided when creating the app integration.
  • Login:
    • Sign-in redirect URIs: You can edit the URI you provided when creating the app integration. Copy the URI from the Configure Identity Provider page. It will use the following format, depending on the region your account is in: https://YOUR_DOMAIN.1password.com/sso/oidc/redirect and onepassword://sso/oidc/redirect.

Click Save to commit your General Settings changes.

2.4: Required claims

1Password requires sub, name, and email claims from Okta. With Okta’s default settings, no action is required on your part. By default, Okta provides a subject claim, and name and email are mapped automatically.

If needed, you can map Okta attributes to 1Password app attributes in the Profile Editor. 

2.5: Test the connection

Once you’ve configured your settings, go back to the Configure Identity Provider page and test the connection. You’ll be directed to Okta to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Okta.

Step 3: Specify which team members will unlock 1Password with Okta and set a grace period

Important

Existing team members need to sign in to 1Password with their account password and Secret Key before switching to Unlock with SSO. If your organization has turned off Emergency Kits or has a browser cache clearing policy, this could result in mass recoveries needed for users who don’t have their sign-in details.

Team members will prompted to sign in with SSO during the recovery process.

After you configure Unlock with SSO, you’ll be redirected to the settings page in your 1Password account. Before you configure your settings, you’ll need to create groups for the team members who will unlock 1Password with Okta:

  1. Create a custom group.

    Give the group a descriptive name, like "Okta SSO", for clarity.

  2. Add team members to the group.

    If you plan to invite additional team members to test Unlock with Okta at a later date, create a new custom group for each additional set of testers.

The group(s) you create don’t have to be permanent, and you can eventually set your whole team to unlock with SSO once some groups have successfully migrated.

3.1: Choose who will unlock with Okta

Important

Users in the owners group can’t unlock with Okta and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their linked apps and browsers and no one can recover them.

Learn more about implementing a recovery plan for your team.

By default, “People unlocking 1Password with an identity provider” is set to “No one”. This allows you to gradually migrate your team to unlock with Okta. To specify which team members will unlock 1Password with Okta, select one of the options:

  • No one: To turn off Unlock with Okta, select No one.
  • Only groups you select: Only the team members in groups you choose will sign in with Okta. Learn how to use custom groups in 1Password Business.
  • Everyone except: groups you exclude: All team members, except owners and groups you choose to exclude, will sign in with Okta. Existing users in this scope will be prompted to switch to Unlock with Okta. New users, except those in excluded groups, will use their Okta username and password when joining 1Password. Owners will sign in with an account password and Secret Key.
  • Everyone except: guests: All team members, except owners and guests, will sign in with Okta. All existing users will be prompted to switch to Unlock with Okta, and all new users will use their Okta username and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.
  • Everyone: Guests and all team members, except owners, will sign in with Okta. All existing users will be prompted to switch to Unlock with Okta, and all new users will use their Okta username and password when joining 1Password.

3.2: Set a grace period

Team members who already have 1Password accounts will need to switch to unlock with Okta. Specify the number of days before team members must switch. Consider the following when you set the grace period:

  • By default, the grace period is set to 5 days. It can be set to 1 to 30 days.
  • The grace period begins when an administrator adds a group after they choose the Only groups you select option or when an administrator configures Unlock with Okta for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with Okta.
  • If a team member belongs to more than one group, their grace period is determined by the first group set up with SSO, even if the grace periods are different for those groups.
  • If you add a team member who hasn’t set up unlock with SSO to a group with an expired grace period, you or another administrator will need to recover their account so they can sign in again using SSO.
  • If you edit the length of the grace period, it’ll be prolonged or shortened from the original date you configured the group to unlock with SSO.
  • If you need to configure more team members to unlock with Okta after the initial setup, create a new custom group with an active grace period. This will make sure newly assigned team members won’t need their accounts recovered.

Important

If a team member doesn’t migrate to Unlock with Okta before the end of the grace period, they won’t be able to sign in to their account on their devices and must contact an administrator to recover their account. The team member will switch to unlock with Okta during the recovery process.

Optional: Add a 1Password tile to your team’s Okta Dashboard

For the time being, the Unlock with SSO integration for 1Password won’t be included in the Okta App Catalog.

If you’d like to add a 1Password tile to your team members' Okta Dashboards, refer to the Okta Help Center guide to create a Bookmark App integration. 

You’ll be asked for a URL. Enter <YOURSUBDOMAIN>.1password.com/signin/.

Manage settings

To manage your settings, sign in to your account on 1Password.com, then select Policies in the sidebar and select Manage under Configure Identity Provider.

Configuration

To change your configuration with Okta, select Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO. You can only set up one identity provider to unlock with SSO.

You can only save an identity provider configuration after you've successfully tested the connection. Changes won't be saved if you can't successfully authenticate with Okta. This prevents you from losing access to 1Password.

People assignments and biometrics

Select Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with Okta.

  • To specify which team members will unlock 1Password with Okta, choose an option in the Who can unlock 1Password with an identity provider section.

    "Only groups you select" is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with SSO, select No one.

  • Specify the number of days before team members must switch to unlocking with Okta.

    The default grace period is 5 days. If a team member doesn't migrate to Unlock with Okta before the end of the grace period, they must contact their administrator to recover their account.

  • To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select Allow people to unlock 1Password using biometrics. Specify the number of days or weeks before they’ll be asked to sign in to Okta again.

    When biometric unlock is turned on, your team members can access 1Password while offline, until the time period specified. Vault access will be online-only after the elapsed period.

Select Review Changes to verify your choices, then select Save.

Next steps

To use Unlock with Okta yourself, get started with Unlock 1Password with Okta as a team member.

Learn how to unlock 1Password with Okta on all of your devices and link additional apps and browsers to your account.

Tip

If your IT team has a policy that clears browsing data when a browser is closed, exclude your team’s sign-in address from that policy to make sure your team members won’t lose access to their linked browsers.

You can also encourage your team to link other apps and browsers to their accounts, like the 1Password desktop app, after they sign up or switch to unlock with SSO.

Get help

You can find your Client ID in the Okta Admin Console.

Refer to your Okta documentation to find your Okta well-known URL. It may follow one of the following formats: YOUR_OKTA_DOMAIN.okta.com/.well-known/openid-configuration or YOUR_OKTA_DOMAIN.okta.com/oauth2/default/.well-known/openid-configuration. The format may be different if you have a custom authorization server.

If a team member is moved from a group that unlocks with Okta to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.

Get help if you need to switch to a new identity provider after you set up Unlock with SSO.

Learn more


Published: