With 1Password Business and Unlock with SSO, you can connect your identity provider with your 1Password account so your team members can sign in to 1Password with their identity provider username and password instead of their account password and Secret Key.
When you set up Unlock with SSO, you can:
- Specify which groups will unlock 1Password with SSO.
- Set a grace period for team members to migrate to Unlock with SSO.
- Allow team members to unlock 1Password with biometrics.
Before you begin
Before you set up Unlock with SSO, consider the impact that it will have on your team:
- Unlock with SSO is an authentication method only. To automate provisioning, use 1Password SCIM Bridge.
- Unlock with SSO is only available using the OpenID Connect (OIDC) protocol. It uses Authorization Code Flow with Proof Key for Code Exchange (PKCE). You’ll need to set up a public app for the integration, and a client secret is not stored or supported by 1Password.
- Your team will need to use 1Password 8. You can’t sign in to 1Password 7 with SSO.
- Unlock with SSO in the 1Password apps is only available with an Internet connection. You can allow unlock with biometrics to give your team members offline access.
- People in the Owners group can’t unlock 1Password with SSO. This prevents them from being locked out of the account or losing any data. We are investigating other long-term options.
- 1Password uses your encrypted credentials and device key to unlock with SSO, simplifying the enrollment process and eliminating the need for an account password. Learn more about Unlock 1Password with SSO security.
- You can only set up one identity provider to unlock with SSO.
When you’re ready to set up Unlock with SSO, you’ll need to:
- Be in the Administrators group in your 1Password Business account.
- Use the same email address to sign in to both 1Password and your identity provider.
- Have administrator privileges in your identity provider.
Set up Unlock with SSO
Learn how to configure Unlock with SSO for your identity provider:
If your team uses a different identity provider, let your sales representative or Customer Success Manager know so we can consider support for it in the future.
If you automate provisioning with 1Password SCIM Bridge, do not change a suspended team member’s email address. Some identity providers don’t sync email changes for suspended users. If you reactivate a suspended team member after changing their email address, the SCIM bridge may treat them as a new user. This will cause issues when they try to unlock with SSO.
If you need to switch to a different identity provider after you set up Unlock with SSO:
- Sign in to your account on 1Password.com.
- Click Policies in the sidebar, then click Manage under Configure Identity Provider.
- Click Edit Configuration.
- Follow the steps to set up Unlock with SSO for your identity provider.