With 1Password Business and Unlock with SSO, you can connect your identity provider with your 1Password account so your team members can sign in to 1Password with their identity provider username and password instead of their account password and Secret Key.
When you set up Unlock with SSO, you’ll follow these steps:
- Review the considerations for how SSO will affect your team.
- Review the requirements you’ll need before you configure anything.
- Plan your rollout with best practices before you connect your identity provider.
- Connect your identity provider and set up Unlock with SSO.
Step 1: Review considerations
Before you set up Unlock with SSO, consider the impact that it will have on your team:
- Unlock with SSO is an authentication method only. To manage users in 1Password from your identity provider, set up automated provisioning.
- Unlock with SSO is only available using the OpenID Connect (OIDC) protocol. It uses Authorization Code Flow with Proof Key for Code Exchange (PKCE). For all identity providers except Microsoft Entra ID, you’ll set up a public app for the integration.
- Your team will need to use 1Password 8. You can’t sign in to 1Password 7 with SSO.
- Unlock with SSO in the 1Password apps is only available with an Internet connection. You can allow unlock with biometrics to give your team members offline access.
- People in the Owners group can’t unlock 1Password with SSO. This prevents them being locked out of the account or losing any data. We are investigating other long-term options.
- 1Password uses your encrypted credentials and device key to unlock with SSO, simplifying the enrollment process and eliminating the need for an account password. Learn more about Unlock 1Password with SSO security.
- You can only set up one identity provider to unlock with SSO.
- Existing team members need to unlock 1Password with their account password and Secret Key before switching to Unlock with SSO. Account recoveries will be needed for any users without their sign-in details. Team members will be prompted to sign in with SSO during the recovery process.
- Unlock with SSO is not currently compatible with exporting data. Your team administrator can turn off Unlock with SSO for your account to allow you to export.
Step 2: Review requirements
When you’re ready to set up Unlock with SSO, you’ll need to:
- Be in the Owners or Administrators group in your 1Password Business account.
- Use the same email address to sign in to both 1Password and your identity provider.
- Have administrator privileges in your identity provider.
- Make sure the 1Password browser extension, 1Password CLI, and 1Password apps are up to date on your team members’ devices.
Step 3: Plan your rollout
Before you start the setup, plan how you’ll introduce Unlock with SSO to your team. Learn how to plan your rollout of 1Password Unlock with SSO.
If you automate provisioning, learn about the best practices for using automated provisioning.
Step 4: Set up Unlock with SSO
After you’ve reviewed the considerations, met the requirements, and planned your rollout, configure Unlock with SSO for your identity provider:
If your team uses a different identity provider, let your sales representative or Customer Success Manager know so we can consider support for it in the future.
Get help
If you’re having trouble setting up Unlock with SSO for your organization, learn how to troubleshoot your configuration.
If you’re having trouble signing in to or unlocking 1Password with SSO after you’ve configured it, learn how to troubleshoot Unlock with SSO.
Learn more
- About 1Password Business
- Best practices for using 1Password Unlock with SSO
- About 1Password Unlock with SSO security
- Manage team policies in 1Password Business
- Unlock with SSO: under the hood
Was this article helpful?
Glad to hear it! If you have anything you'd like to add, feel free to contact us.
Sorry to hear that. Please contact us if you'd like to provide more details.