Issue with SCIM bridge Azure AD

Kennyties (Community Member)

Hello all,

I have been trying to set up the SCIM bridge for Azure AD using DigitalOcean. However, I keep getting this error: "There’s a problem with the SCIM bridge. Check its configuration and make sure it can connect to 1Password and your identity provider." And when I try to go to the SCIM domain that I created, I receive an error that says incorrect bearer token. I have tried regenerating the bearer token and tried deactivating provisioning, with no luck. Every time I go to my SCIM domain I am asked to enter the bearer token.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Kennyties,

    When you regenerated your bearer token, did you also update your scimsession file in the SCIM Bridge? Next, sometimes when the UI says incorrect bearer token the SCIM Bridge logs tell us more. Is there anything that stands out to you in the SCIM Bridge logs? If the SCIM Bridge logs just say incorrect bearer token, that usually does indicate there is a mismatch between the scimsession file on your SCIM Bridge and the bearer token you are entering.

    Let me know!
    Amanda

  • Kennyties (Community Member)

    Hi @1P_Amanda how would I update the scimsession file? Can I view the logs if I can't log into the bridge?

  • Hi @Kennyties,

    The SCIM Bridge logs can be found by connecting to your cluster using the Kubernetes CLI, then running kubectl get pods and then kubectl logs op-scim-bridge-<id> using the pod name from the results of the first command (you may need to specify the namespace for both commands). Unfortunately we don't have an easy way to update the scimsession file - you will have to delete your cluster and redeploy the SCIM Bridge (instructions here: https://support.1password.com/scim-deploy-digitalocean/)

    Hope this helps!
    Amanda

  • Kennyties (Community Member)

    Hi @1P_Amanda,

    Thank you for the update. Your support team member mentioned the same thing. I was missing the step to delete the cluster.

  • ag_ana (1Password Alumni)

    Thank you for the update @Kennyties. For confirmation, is everything working as expected now?

  • Kennyties (Community Member)

    Hi @ag_ana,

    I am stuck on setting up the custom domain and having it redirect to the IP address. I keep getting the error that it can't verify the domain.

  • Hi @Kennyties,

    Do you have a DNS record for your SCIM Bridge url pointing to the IP address where your SCIM Bridge is deployed?

    Cheers!
    Amanda

  • Kennyties (Community Member)

    Hi @1P_Amanda,

    I do. It may be that it just needs to be propagated.

  • Kennyties (Community Member)

    No, unfortunately not. Every time I get to entering the bearer token it says it's incorrect and the bridge shows an error.

  • Ah, so it sounds like you made it past the DNS issue, progress! Now is a good time to check the SCIM Bridge logs (I shared how earlier in this thread). When you enter the bearer token, see what the corresponding logs show and it will tell you if there's something specific wrong. Something to check is whether the bearer token matches the scimsession file on the SCIM Bridge (they are generated together and so you need to use the bearer token from the specific scimsession file). You might see a lot of "http: TLS handshake error from [ip]: EOF" messages, but those aren't the important ones - they're just from the Azure health checker making sure that the pod is active.
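
The two pieces of advice above (pull the op-scim-bridge pod logs with kubectl, then ignore the "TLS handshake error ... EOF" lines the Azure health checker produces) can be combined into a small script. This is an added example, not code from 1Password or from anyone in the thread; the namespace, pod names and log lines are assumptions or constructed samples, and the log text is illustrative rather than the bridge's real log format.

```shell
# Added example (not from 1Password or the thread): locate the op-scim-bridge
# pod, pull its logs, and hide the health-check handshake noise so lines such
# as "incorrect bearer token" stand out. Namespace and log text are assumptions.

# Constructed sample of `kubectl get pods --no-headers` output, for offline use.
SAMPLE_PODS='op-scim-bridge-5d8f7c9b6-x2k4q   1/1   Running   0   3h
redis-7c6b8d9f4-p9z7m             1/1   Running   0   3h'

# Constructed, illustrative log lines (not the bridge's real log format).
SAMPLE_LOGS='http: TLS handshake error from 10.244.0.1:43210: EOF
http: TLS handshake error from 10.244.0.1:43216: EOF
incorrect bearer token
http: TLS handshake error from 10.244.0.1:43222: EOF'

# Print the first pod whose name starts with op-scim-bridge-, reading
# `kubectl get pods` output on stdin.
scim_pod_name() {
  awk '$1 ~ /^op-scim-bridge-/ { print $1; exit }'
}

# Drop the "TLS handshake error ... EOF" lines the health checker produces;
# everything else passes through untouched. `|| true` keeps the pipeline
# from failing under `set -e` when every line was noise.
filter_scim_logs() {
  grep -v 'http: TLS handshake error from .*: EOF' || true
}

# Number of lines left after filtering: a quick "is anything besides
# health-check noise being logged at all?" check.
count_interesting_lines() {
  filter_scim_logs | { grep -c . || true; }
}

# Live version: needs kubectl pointed at the cluster.
# $1 = namespace (assumption: "default" when omitted).
fetch_scim_logs() {
  ns="${1:-default}"
  pod="$(kubectl get pods -n "$ns" --no-headers | scim_pod_name)"
  if [ -z "$pod" ]; then
    echo "no op-scim-bridge pod found in namespace $ns" >&2
    return 1
  fi
  kubectl logs -n "$ns" "$pod" | filter_scim_logs
}

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_PODS" | scim_pod_name
printf '%s\n' "$SAMPLE_LOGS" | filter_scim_logs
```

Run `fetch_scim_logs <namespace>` against the real cluster while entering the bearer token in the browser; if the only line left after filtering is the token error, the scimsession file on the bridge and the token you are typing were not generated together.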

  • Kennyties (Community Member)

    Thanks @1P_Amanda, I keep hitting roadblocks on this, and now I am back on the issue with DNS, so I am not sure what is going on.

  • A required step is to go to the IP address in your browser, and verify the domain from there - have you done that?

  • Kennyties (Community Member)

    Yes I have, it does not seem to want to propagate.

  • Sorry, I'm not sure I understand what you mean. If you run dig <domain> in a terminal, where <domain> is your SCIM bridge URL, does it point to the IP address you expect it to?
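
A slightly more thorough version of that dig check, added here as an example (not code from 1Password or from the thread): query the zone's authoritative nameserver and a public resolver separately, so that a record that is correct but still cached under its old TTL ("not propagated yet") is not mistaken for a wrong record. The hostname, IP, nameserver and resolver are assumptions; the sample answers are constructed.

```shell
# Added example (not from 1Password or the thread): confirm the SCIM bridge
# hostname resolves to the load balancer IP, both at the authoritative
# nameserver and at a public resolver. All names and addresses are assumptions.

# Given `dig +short` output on stdin (which may carry a CNAME line before the
# A record), succeed only if the expected IPv4 address is among the answers.
# -F: fixed string (dots are not regex wildcards); -x: whole-line match.
answer_has_ip() {
  grep -qxF "$1"
}

# Constructed sample answers for offline use.
SAMPLE_DIRECT='203.0.113.10'
SAMPLE_VIA_CNAME='scim-lb.example.com.
203.0.113.10'
SAMPLE_WRONG='198.51.100.7'

# Live: does $1 (hostname) resolve to $2 (IP) when asked via $3 (resolver)?
resolves_to() {
  dig +short @"$3" A "$1" | answer_has_ip "$2"
}

# Live check. $1 = SCIM bridge hostname, $2 = expected load balancer IP,
# $3 = the zone's authoritative nameserver, $4 = a public resolver
# (assumption: 1.1.1.1 when omitted).
check_scim_dns() {
  host="$1"; ip="$2"; auth_ns="$3"; public="${4:-1.1.1.1}"; rc=0
  if resolves_to "$host" "$ip" "$auth_ns"; then
    echo "authoritative ($auth_ns): OK"
  else
    echo "authoritative ($auth_ns): MISMATCH - the published record is wrong"; rc=1
  fi
  if resolves_to "$host" "$ip" "$public"; then
    echo "public resolver ($public): OK"
  else
    echo "public resolver ($public): not yet - an old answer is still cached"; rc=1
  fi
  return $rc
}

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_VIA_CNAME" | answer_has_ip 203.0.113.10 && echo "CNAME chain resolves to expected IP"
```

If the authoritative server is right but the public resolver is not, waiting out the old TTL (or lowering it before the change next time) is the fix; if the authoritative server is wrong, no amount of waiting will help and the record itself must be corrected. Example live call: `check_scim_dns scim.example.com 203.0.113.10 ns1.example.com`.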

  • Kennyties (Community Member)

    Yes, it is pointing to the IP address I expect, and I have done an nslookup and it does show up, but I am still getting the same issue.

  • Kennyties (Community Member)

    Hi @1P_Amanda,

    I was able to get it to work, but now I am getting a 403 Forbidden issue when trying to access my 1Password account. This may be related to my use of the CLI.

  • Kennyties (Community Member)

    Hi @1P_Amanda
    Here is the current issue I am seeing: I installed the scimsession file successfully, but it did not recognize the generated token.
    {"detail":"handler not found","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"]}

  • That might be because provisioning is turned off on your account, can you enable provisioning and try again?

  • Kennyties (Community Member)

    Okay, I will go ahead and try that.

  • ag_ana (1Password Alumni)

    Let us know how it goes :+1:

  • Kennyties (Community Member)

    Provisioning was turned on and I still ran into the issue.

  • I think the best course of action here is to email support, reference this forum thread and ask to setup a call with a Customer Integrations Specialist, and we can help you out there.

    Cheers!
    Amanda

  • kurtd (Community Member)

    I feel like I'm running into similar issues. I'm on my second try to deploy the SCIM bridge on DigitalOcean. I was able to browse to the load balancer IP, but after entering my domain name, that's as far as I got this time. It never verified, and when I go to DigitalOcean, I notice my load balancer and both droplets are down. My droplets kept going down the first time as well. Should that be happening?

  • kurtd (Community Member)

    My droplets are still down. What would cause that? All I did was the basic steps to set it up. How would I access the cli as mentioned above?

  • kurtd (Community Member)
    edited August 2021

    I hit restart on both of my droplets in my load balancer and it finally came online 10 minutes after that. I was then able to browse to the load balancer IP, enter my domain, and save my token and session file. I then hit the install button and it's stuck at "Installing... You should be redirected shortly. If not, try clicking this link."

  • kurtd (Community Member)

    I finally clicked "this link" and this is the error that appears:

    {"detail":"Not found","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"]}

    The first time I went through the install, it ended here as well.

  • @kurtd Hi there. What do you see when you go directly to the SCIM bridge URL? Sometimes the redirect can fail even though the installation of the scimsession file was successful, so I'm wondering if it didn't complete as expected. You should be seeing a Bearer Token input field if you go directly to the URL.

  • kurtd (Community Member)

    It does seem to have worked even with the redirect error. I ended up finishing the setup yesterday on Azure and it's still working today. I do get the Bearer Token screen and can log in now. Last time I ran through the setup it loaded as well but wouldn't accept my token. I think it's all working now; I've synced a few users and a couple of groups. The setup felt a bit sketchy with the droplets going down and needing a reboot, plus the redirect issue. Also, the Azure instructions are slightly dated, but I was able to figure it out.

    Thanks

  • Excellent, glad to hear it!

    And thank you for bringing the documentation issue to our attention. We'll be sure to do a review of it in the near future.

    Feel free to reach out if you have any other issues with your integration.

    Alice
