Tip
New to 1Password or just joined your team? Get started with Unlock with Okta.
With 1Password Business and Unlock with SSO, you can connect your identity provider with your 1Password account so that team members sign in to 1Password with their Okta username and password instead of their account password and Secret Key.
When you set up Unlock with Okta, you can:
- Specify which groups will unlock 1Password with Okta.
- Set a grace period for team members to migrate to Unlock with Okta.
- Allow team members to unlock 1Password with biometrics.
Limitations
Unlock 1Password with SSO functionality has some limitations at launch. Additional platforms, identity providers, and protocols will be available in the future.
- Unlock with Okta is an authentication method only. For automated provisioning, set up 1Password SCIM Bridge.
- Unlock with SSO is only available using the OpenID Connect (OIDC) protocol.
- Unlock with Okta requires 1Password 8. You can’t sign in to 1Password 7 with Okta.
- 1Password owners can’t unlock 1Password with Okta.
Let your sales representative or account manager know if your team’s identity provider isn’t currently supported and you’re interested in unlocking 1Password with SSO.
Requirements
To set up and configure Unlock 1Password with Okta, you must:
- Be an administrator of your 1Password account.
- Use the same email address to sign in to both 1Password and Okta.
- Have Application Administrator and Group Administrator privileges in Okta.
Next steps
Administrators: Configure Unlock 1Password with Okta for your 1Password Business account.
Team members: If your team is using Okta to unlock 1Password, get started with Unlock 1Password with Okta.
Learn more
Using Unlock with Okta
Does Unlock with Okta replace the account password and Secret Key?
Yes. If Unlock with Okta is active, team members won’t use an account password, Secret Key, or Emergency Kit.
Can multiple identity providers be active at the same time?
No. Only one identity provider can be active at a time.
What happens if I don’t switch to Unlock with Okta before the end of the grace period?
If you don’t switch to Unlock with Okta before the end of the grace period, you’ll be signed out of 1Password on all your devices. You’ll need to contact your 1Password administrator to recover your account.
What happens to my other devices when I switch to Unlock 1Password with Okta?
When you switch to Unlock with Okta, you’ll be signed out of all your other devices. You’ll have to set up additional trusted devices.
What happens if I’m signed in to multiple accounts on one device?
Unlock with Okta will only unlock your business account. For example, if you have a family account, you’ll continue to use your account password and Secret Key to unlock that account, even if your business account unlocks with Okta.
Security
1Password uses your encrypted credentials and device key to unlock with SSO, simplifying the enrollment process and eliminating the need for an account password. Learn more about Unlock 1Password with SSO security.
Can I store my Okta password in 1Password?
You shouldn’t rely on 1Password to store your Okta password. Your Okta password should be random but memorable, eliminating the need to store the password anywhere other than in your memory.
With Unlock with SSO, your Okta username and password replaces your 1Password username and account password. This is now the only password you need to remember. Because you’ll use your Okta password to unlock 1Password, you won’t be able to unlock 1Password unless you know it.
What happens if my device is lost or stolen?
You, or a 1Password administrator, can remove a lost or stolen device from your account. Administrators can also initiate account recovery if needed, and you can set up additional trusted devices.
Can I use multi-factor authentication alongside Unlock with Okta?
When using Okta to unlock 1Password, Okta handles any multi-factor authentication instead of 1Password. If your organization’s Okta configuration requires multi-factor authentication, you’ll be asked to use multi-factor authentication when unlocking 1Password.
Does Unlock with Okta support offline access and unlocking with biometrics?
Yes. 1Password administrators can allow team members to unlock 1Password using biometrics by selecting the option on the Unlock 1Password with SSO settings page. Administrators can specify how long offline access is allowed before team members must re-authenticate with Okta.
When active, team members can access the information they’ve saved in 1Password when their device is offline by using cached credentials obtained after a prior successful Unlock with Okta session.
User management
Does Unlock with Okta also handle automated provisioning?
No. 1Password SCIM Bridge is still the solution for automated provisioning and can be used alongside Unlock with Okta. You can use Unlock with Okta with manual provisioning if your organization doesn’t use 1Password SCIM Bridge.
Can I stop using Unlock with Okta?
1Password administrators determine which team members unlock 1Password with Okta. If team members are moved to a group that isn’t set to unlock with Okta, they’ll go through the account recovery process. They’ll choose a new account password, get a new Secret Key, and save their Emergency Kit.
1Password administrators can turn off Unlock with Okta for all team members if they select “No one” on the Unlock with SSO settings page.
Can administrators turn on Unlock with Okta for only certain team members?
Yes. Unlock with Okta permissions are set at the group level. While administrators can’t turn Unlock with Okta on for a specific team member, they can designate which groups will use Okta to unlock 1Password.
Can administrators and owners unlock 1Password with Okta?
Administrators can unlock with Okta, but owners can’t.
You can set any group to unlock with Okta, including custom groups that contain administrators. Owners are the exception and can’t be set to Unlock with Okta.
Business account owners are required to keep using an account password and Secret Key to unlock their 1Password accounts. This prevents them being locked out of the account or losing any data. We are investigating other long-term options.
Get help
Get help if you’re having trouble unlocking 1Password with Okta.
Learn about the Unlock 1Password with SSO security model.