SCIM container on AWS ECS behind ALB
We are trying to run the SCIM container on ECS behind a load balancer.
- We are able to bring the container up and access the setup. The setup starts on port 3002, and as we log in to 1Password and install the scimsession file, the setup server stops and restarts on some other port (8443). How do we avoid that?
- As this is behind the load balancer and we terminate TLS, we would not need to run the LetsEncrypt setup within the container. How do we disable that?
- We were also wanting to generate the scimsession file and start the container with the OP_SESSION environment variable set (cat scimsession | base64 | tr -d "\n"). But when we do that, the setup server does not seem to start on 3002.
Can we have more detailed instructions on running the SCIM container behind the load balancer?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @senthil,
Am I correct in assuming you are using docker compose to deploy the SCIM Bridge service into your EC2 instance?
When the SCIM server starts initially using :3002, that is because it is in 'setup' mode and using the unencrypted connection to establish where you want to deploy the SCIM Bridge, get the TLS cert using LetsEncrypt, and then it will restart on that domain using TLS and :8443.
What you want to do is absolutely possible. You must:
- Remove the --lets-encrypt-domain variable from the entrypoint arguments. Assuming docker compose is your deployment method, that would be to remove the second value from line 11 of your docker-compose.yml https://github.com/1Password/scim-examples/blob/master/docker/compose/docker-compose.yml#L11
- Inspect your generated SCIMSESSION file. Is there a value in the final field of domain? If so, remove it. How you generated the file determines whether that field is filled or not.
- Regenerate your scim.env file to repopulate OP_SESSION with the new value. You can either do this directly with the generate-env.sh script (https://github.com/1Password/scim-examples/blob/master/docker/compose/generate-env.sh) or using the deploy.sh script.
That should start the SCIM Bridge up as a local service on :3002 ready to be placed behind a load balancer. Note you can start the SCIM Bridge on any port given the --port argument in the docker-compose.yml.
Let me know how that works.
Graham
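The three steps in the answer above, as an added example that is not code from this thread or from 1Password: it checks the scimsession file for a leftover domain value and the compose file for --lets-encrypt-domain, and only then builds OP_SESSION the same way the original post does (base64 with newlines stripped). It assumes scimsession is a JSON document with a top-level "domain" key; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or 1Password). Assumes scimsession is JSON
# with a top-level "domain" key; a non-empty value is what makes the bridge
# leave setup mode on :3002 and restart with LetsEncrypt on :8443.

# Return 0 if the scimsession file carries a non-empty "domain" value, 1 otherwise.
scimsession_has_domain() {
  grep -Eq '"domain"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Return 0 if the compose file still passes --lets-encrypt-domain to the bridge.
compose_uses_letsencrypt() {
  grep -q -- '--lets-encrypt-domain' "$1"
}

# Encode a scimsession file as a single-line base64 string for OP_SESSION.
op_session_from_file() {
  base64 < "$1" | tr -d '\n'
}

# Write scim.env (OP_SESSION=...) only when both checks pass; otherwise say
# which setting still needs clearing and return non-zero.
write_scim_env() {
  session="$1"; compose="$2"; out="$3"
  if scimsession_has_domain "$session"; then
    echo "refusing: $session still has a domain set (bridge would restart on :8443)" >&2
    return 1
  fi
  if compose_uses_letsencrypt "$compose"; then
    echo "refusing: $compose still passes --lets-encrypt-domain" >&2
    return 1
  fi
  printf 'OP_SESSION=%s\n' "$(op_session_from_file "$session")" > "$out"
}

# Demo on constructed input (not a real session file or compose file).
demo() {
  d=$(mktemp -d)
  printf '{"verifier":"constructed","domain":""}\n' > "$d/scimsession"
  printf 'command: ["--port=3002"]\n' > "$d/docker-compose.yml"
  write_scim_env "$d/scimsession" "$d/docker-compose.yml" "$d/scim.env" && cat "$d/scim.env"
  rm -rf "$d"
}

demo
```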
0 -
-
@graham_1P Thanks. That worked like a charm.
One more question.
Given this does not require the lets-encrypt callback, and our servers will use this container via internal VPC endpoint, does it require the container to be exposed to the public?
0 -
No, I would not directly expose the container to the internet. I would proxy all traffic through your load balancer, which also terminates TLS connections. The authentication to the SCIM Bridge service is through the OAUTH Bearer token method. If the connections are sent to the SCIM Bridge over the public internet without TLS, that bearer token in the header will be exposed.
At the end of the day, when the IDP makes a request to your domain, it must resolve to an IP which passes traffic to the SCIM Bridge service.
Graham
0 -
Yeah. The container will be behind load balancer and not exposed to internet.
I am talking about having the load balancer itself internal. Apart from our servers that can access via the internal load balancer, does the setup expect to receive any public traffic from 1Password?
The container will have outgoing internet access to talk to 1Password.
0 -
Any thoughts? @graham_1P
0 -
Hey @senthil,
At the end of the day, the SCIM Bridge service will send and receive traffic to and from 1Password over the public internet, and send and receive traffic to and from your identity provider over the public internet.
How you want to route the traffic within your infrastructure to get it there is up to you.
To satisfy our requirements, a SCIM Bridge must be resolvable from a DNS record, support secured traffic, and be reachable from our servers and those of the identity provider.
If you are looking for items to whitelist, take a look at our domain list: https://support.1password.com/ports-domains/
Graham
0 -
That helps. Thanks.
0 -
Sure. Here you go. https://gist.github.com/siliconsenthil/8713b577030599b8c68757f28459e666
0 -
Awesome! Thank you!
0