Setting up SCIM bridge with Okta
Any idea what will happen to users that already exist in 1password? Will they need to change their password or 2FA?
Can you just select a group to provision?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Thanks Graham
0 -
I'm getting the error "Your account has an active Provision Manager, but its sign-in details could not be found in your Private vault. Contact the team member who set up provisioning to get the sign-in details." when creating the provisioning account. Do I need to recreate the user?
0 -
It sounds like you are not signing in with the administrator account which first created the Provisioning Manager, or the login was deleted.
Do you have access to that account? You can tell from looking at that user's private vault and looking for the Provisioning Manager credentials. You should never need to sign in as the Provisioning Manager but in case you do, its email, password, and secret key are placed into a login item in the administrator's private vault.
If the record was deleted, then delete the Provisioning Manager user and restart the provisioning setup for the account.
Let me know if that works,
Graham
0 -
All set @graham_1P
Do you guys have any idea of what it costs to run in AWS?
0 -
I have no statistics handy, but you don't need a very powerful cpu or much storage to run the SCIM Bridge.
The main service is almost completely stateless. The service stores very little beyond necessary things like your authentication credentials and TLS certificate, which are stored in the redis instance. Furthermore, you don't need incredibly high reliability, as the SCIM Bridge is only used while provisioning users, itself an occasional action. We do not recommend replicating the SCIM Bridge. One instance serves most use cases. Finally, as the Bridge acts as an intermediary between 1Password and your identity provider, most error recovery can happen via the identity provider should downtime occur.
Graham
0 -
Hey Graham, I'm seeing some errors... any shot you could help out?
Error: Incorrect attribute value type
  on ../../module_scim_app/app_asg_lc.tf line 3, in resource "aws_autoscaling_group" "asg":
   3: availability_zones = ["${var.az}"]
Inappropriate value for attribute "availability_zones": element 0: string required.

Error: Incorrect attribute value type
  on ../../module_scim_app/app_asg_lc.tf line 12, in resource "aws_autoscaling_group" "asg":
  12: vpc_zone_identifier = ["${var.private_subnets}"]
Inappropriate value for attribute "vpc_zone_identifier": element 0: string required.

Error: Incorrect attribute value type
  on ../../module_scim_app/app_lb.tf line 20, in resource "aws_lb" "app_alb":
  20: subnets = ["${var.public_subnets}"]
Inappropriate value for attribute "subnets": element 0: string required.
0 -
@graham_1P ^ This is with Terraform 12.14 and AWS.
0 -
Nothing jumps out at me. Are you following our SCIM Examples repository for terraform?
https://github.com/1Password/scim-examples/tree/master/aws-terraform
Graham
0 -
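As an added note on the Terraform errors above (this is not from the thread or from the 1Password scim-examples repository): in Terraform 0.12, the message "element 0: string required" on a list attribute means that element 0 of the value is itself a list, which is what you get when a variable that is already a list is wrapped in `[...]`. That `["${var.x}"]` form was the 0.11 idiom for passing a list; 0.12 no longer flattens it. Assuming `var.az`, `var.private_subnets` and `var.public_subnets` are declared as lists in the module (the error text implies they are), the fix is to pass them directly:

```hcl
# Added example, not code from the thread or the scim-examples repository.
# Assumption: the module declares these inputs as lists of strings.
variable "az" {
  type = list(string)
}

variable "private_subnets" {
  type = list(string)
}

variable "public_subnets" {
  type = list(string)
}

# Terraform 0.11 style (what produced the errors): wrapping a list in [...]
# yields a list of lists, so element 0 is a list rather than the string the
# provider expects.
#
#   availability_zones  = ["${var.az}"]
#   vpc_zone_identifier = ["${var.private_subnets}"]
#   subnets             = ["${var.public_subnets}"]

# Terraform 0.12 style: pass the list variables as-is. The other arguments of
# these resources stay as they are in the module; only the three list
# attributes change.
resource "aws_autoscaling_group" "asg" {
  availability_zones  = var.az
  vpc_zone_identifier = var.private_subnets
  min_size            = 1
  max_size            = 1
}

resource "aws_lb" "app_alb" {
  subnets = var.public_subnets
}
```

If one of those variables were instead declared as a single `string`, `[var.az]` would be the correct form, so check the `variable` blocks before changing the resources. `terraform 0.12upgrade` run in the module directory rewrites the old `["${var.list}"]` pattern automatically and is the quickest way to catch every instance in a 0.11-era module.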
I'm getting this error on the Docker container:
scim_1 | redicrypt: getting cert for key redicrypt/1-scim-1.example.net
scim_1 | 2019/10/15 15:40:40 http: TLS handshake error from 54.89.52.11:24655: acme/autocert: host "1-scim-1.example.net" not configured in HostWhitelist
and this when I try to test the API connection on Okta:
Please review the form to correct the following error(s):
Error authenticating: Received fatal alert: internal_error
0 -
Hey @mjurczyk
To clarify, you are no longer pursuing Terraform, and have moved to the Docker Compose deployment method, correct?
In what infrastructure are you trying to deploy and test the SCIM Bridge?
It appears you are attempting to use a testing domain (1-scim-1.example.net) alongside the LetsEncrypt autocert server, which we do not support. Either you need to use a domain under your control (e.g. scim.mjurczyk.net) or run the bridge in an insecure mode without TLS support. You can do the latter by removing the --letsencrypt-domain flag from the docker-compose.yml: https://github.com/1Password/scim-examples/blob/master/docker/compose/docker-compose.yml#L11
To be clear, when running in production, a secured connection between your identity provider and the SCIM Bridge is required to protect your information. That can either be via the LetsEncrypt-validated TLS certificate, or by having TLS connections terminated at your network infrastructure's load balancer.
I can give more concrete recommendations with more information about how you are attempting to deploy the bridge. If any details are too sensitive for a forum, feel free to email support@1password.com mentioning the SCIM Bridge, and I can help you there.
0