Active Directory sync - disabling users in AD

MikeStackhouse
MikeStackhouse
Community Member

We've got AD syncing with 1Pass using SCIM Bridge on GCP. If we disable users in our AD (terminate employees), will that disable them in 1Password as well?

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:active directory delete

Comments

  • Hi @MikeStackhouse,

    Yes that change will propagate to 1Password.

    Under the hood what is happening is that you have the 1Password application in AD, and any user assigned to that application will have a corresponding account in 1Password. When you either directly remove an assignment or deactivate (block sign-in) of a user which is assigned to the application, Azure AD sends us a request to change the active field of the user to false. Once we receive such a request, that user in 1Password is suspended.

    Graham

  • MikeStackhouse
    MikeStackhouse
    Community Member

    Great. Thanks, Graham

  • ag_ana
    ag_ana
    1Password Alumni

    On behalf of Graham, you are welcome @MikeStackhouse!

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • bcharboneau
    bcharboneau
    Community Member
    edited December 2020

    How long should it take to disable/suspend a user once disabled in Azure AD?

  • ag_alice_t
    edited December 2020

    @bcharboneau Azure AD has a delay of about 20-40 minutes when pushing to any integration linked to it. This is a specifically a limitation of Azure AD, and not with the SCIM bridge itself.

    I hope this answers your question.

  • bcharboneau
    bcharboneau
    Community Member

    @ag_alice_t yes that makes perfect sense. Is it at all possible to remove users from 1 password manually or via API that were provisioned through scim bridge? just curious as management is asking me for ways to increase speed of access removal for terminated users. We often have less than 30 min to complete the task.

  • @bcharboneau You should check in with the Azure Active Directory team. We process the requests as soon as we receive them. Unless you want to hand craft every SCIM request (aka replicating what Azure AD does manually) leveraging Azure AD is your best bet.

    Just to be clear, 20-40m is what we have found in our experience. Your experience may differ. You can find the stated poll time in your Azure AD 1Password Provisioning App under Provisioning -> Statistics to Date -> Provisioning Interval.

    For example:

  • bcharboneau
    bcharboneau
    Community Member

    @graham_1P That is not what I was asking in terms of speeding up the process. I was asking if it is possible to disable users who were provisioned with Azure AD, using the 1Password API.

    eg. we could script:
    1. Disable User in Azure AD
    2. Disable User in 1Password via API.

    We have scripts that disable users for other services. I just want to make sure if we could use the API to do this or if 1Password API will not disable provisioned accounts when it is not through the provisioning service.

  • @bcharboneau

    Yes, you can disable users directly via sending requests to the SCIM Bridge. However it is a decent amount of effort, especially for a large number of deprovisioning events. You may have more long term success reducing the polling interval on Azure AD.

    Everything that follows is in accordance with RFC 7644. If you are having trouble, the RFC document is the canonical source for SCIM actions, and we try to follow it to the letter. Additionally $BEARER is your given OAuth Bearer token to authenticate to the 1Password SCIM Bridge.

    To replicate the deactivation you can do the following:

    Get the UUID of the user in question ($USER_UUID) with something like:
    curl -X GET -H "Authorization: Bearer $BEARER" https://scim.company.com/Users?filter=userName%20sw%20jon

    Additional filtering details can be found here: https://tools.ietf.org/html/rfc7644#section-3.4.2.2

    PATCH the active field of the User to false. This will trigger a deletion of an invited user, or a suspension of an active user.

    curl -X PATCH -H "Authorization: Bearer $YOUR_TOKEN" -d @suspend_body.json https://scim.company.com/Users/$USER_UUID

    where suspend_body.json is: {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","value":{"active":false}}]}.

    At that point, your user on 1Password will be suspended.

    As a word of caution, this may cause issues with Azure AD. 1Password is strictly downstream of Azure AD, and so you may see failures on Azure AD as the states are now out of sync. (EG: Trying to add a deleted user to a group) In that case, the 1Password application on Azure AD will most likely be quarantined and require intervention.

    Let me know if that answers your question and what further questions you have.

    Graham

  • bcharboneau
    bcharboneau
    Community Member

    Thanks that helps a lot.

  • You're welcome. Let us know how else we can help!

    Graham

This discussion has been closed.