Issue with SCIM bridge Azure AD

Hello all,

I have been trying to set up the SCIM bridge for Azure AD using DigitalOcean. However, I keep getting this error: "There’s a problem with the SCIM bridge. Check its configuration and make sure it can connect to 1Password and your identity provider." And when I try to go to the SCIM domain that I created, I receive an error that says incorrect bearer token. I have tried regenerating the bearer token and tried deactivating provisioning with no luck. Every time I go to my SCIM domain I am asked to enter in the bearer token.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • 1P_Amanda

    Team Member

    Hi @Kennyties,

    When you regenerated your bearer token, did you also update your scimsession file in the SCIM Bridge? Next, sometimes when the UI says incorrect bearer token the SCIM Bridge logs tell us more. Is there anything that stands out to you in the SCIM Bridge logs? If the SCIM Bridge logs just say incorrect bearer token, usually that does indicate there is a mismatch between the scimsession file on your SCIM Bridge and the bearer token you are entering.

    Let me know!
    Amanda

  • Hi @1P_Amanda how would I update the scimsession file? Can I view the logs if I can't log into the bridge?

  • 1P_Amanda

    Team Member

    Hi @Kennyties,

    The SCIM Bridge logs can be found by connecting to your cluster using the Kubernetes CLI, then running kubectl get pods, and then kubectl logs op-scim-bridge-<id> using the pod name from the results of the first command (you may need to specify the namespace for both commands). Unfortunately we don't have an easy way to update the scimsession file; you will have to delete your cluster and redeploy the SCIM Bridge (instructions here: https://support.1password.com/scim-deploy-digitalocean/).

    Hope this helps!
    Amanda

  • Hi @1P_Amanda,

    Thank you for the update. Your support team member mentioned the same thing. I was missing the step to delete the cluster.

  • ag_ana

    Team Member

    Thank you for the update @Kennyties. For confirmation, is everything working as expected now?

  • Hi @ag_ana,

    I am stuck on setting up the custom domain and having it redirect to the IP address. I keep getting the error that it can't verify the domain.

  • 1P_Amanda

    Team Member

    Hi @Kennyties,

    Do you have a DNS record for your SCIM Bridge URL pointing to the IP address where your SCIM Bridge is deployed?

    Cheers!
    Amanda

  • Hi @1P_Amanda,

    I do. It may be that it just needs to be propagated.

  • 1P_Amanda

    Team Member

    @Kennyties - Any luck?

  • No, unfortunately not. Every time I get to entering the bearer token it says it's incorrect and the bridge shows an error.

  • 1P_Amanda

    Team Member

    Ah, so it sounds like you made it past the DNS issue, progress! Now is a good time to check the SCIM Bridge logs (I shared how earlier in this thread). When you enter the bearer token, see what the corresponding logs show; they will tell you if there's something specific wrong. Something to check is whether the bearer token matches the scimsession file on the SCIM Bridge (they are generated together, so you need to use the bearer token from the specific scimsession file). You might see a lot of "http: TLS handshake error from [ip]: EOF" messages, but those aren't the important ones; they're just from the Azure health checker making sure that the pod is active.
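    As an added example (not from this thread or from 1Password), the following Python script triages SCIM Bridge log output the way Amanda describes: it separates the health-checker "TLS handshake error ... EOF" noise from lines that explain a rejected bearer token or a connectivity problem. The sample log lines are constructed for illustration and the timestamp prefix is an assumption, not the bridge's real format.

    ```python
    import re
    import sys
    from collections import Counter

    # Constructed sample lines, loosely modelled on the messages quoted in the thread.
    # They are NOT real 1Password SCIM bridge output.
    SAMPLE_LOGS = [
        "2023/08/24 10:00:01 http: TLS handshake error from 10.0.0.5:43210: EOF",
        "2023/08/24 10:00:02 http: TLS handshake error from 10.0.0.6:43211: EOF",
        "2023/08/24 10:00:05 incorrect bearer token",
        "2023/08/24 10:00:07 http: TLS handshake error from 10.0.0.5:43212: EOF",
        "2023/08/24 10:00:09 incorrect bearer token",
        "2023/08/24 10:00:12 error connecting to 1Password: dial tcp: i/o timeout",
    ]

    # Health-checker probes that open a TCP connection and close it before the TLS
    # handshake completes; Amanda notes these are expected and not the real problem.
    HEALTH_CHECK_NOISE = re.compile(r"http: TLS handshake error from [^ ]+: EOF$")
    # The message the UI and the logs show when the token and scimsession disagree.
    AUTH_FAILURE = re.compile(r"incorrect bearer token", re.IGNORECASE)


    def triage(lines):
        """Return (counts, relevant_lines): noise is counted but dropped, the rest kept."""
        counts = Counter(health_check_noise=0, auth_failure=0, other=0)
        relevant = []
        for line in lines:
            line = line.rstrip("\n")
            if HEALTH_CHECK_NOISE.search(line):
                counts["health_check_noise"] += 1
            elif AUTH_FAILURE.search(line):
                counts["auth_failure"] += 1
                relevant.append(line)
            elif line:
                counts["other"] += 1
                relevant.append(line)
        return counts, relevant


    def likely_cause(counts):
        """Map the counts to the next step the thread recommends."""
        if counts["auth_failure"]:
            return "token/scimsession mismatch: redeploy with the matching pair"
        if counts["other"]:
            return "inspect remaining lines: connectivity to 1Password or the IdP"
        return "only health-check noise: bridge is up, re-check DNS and the domain"


    if __name__ == "__main__":
        src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOGS
        summary, kept = triage(src)
        print(dict(summary), likely_cause(summary), *kept, sep="\n")
    ```

    Pipe the bridge logs into it, e.g. kubectl logs op-scim-bridge-<id> | python3 triage.py, or run it with no input to see the constructed sample.
    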

  • Thanks @1P_Amanda. I keep hitting roadblocks on this, and now I am back on the issue with DNS, so I am not sure what is going on.

  • 1P_Amanda

    Team Member

    A required step is to go to the IP address in your browser and verify the domain from there. Have you done that?

  • Yes I have, it does not seem to want to propagate.

  • 1P_Amanda

    Team Member

    Sorry, I'm not sure I understand what you mean. If you run dig <domain> in a terminal, where <domain> is your SCIM bridge URL, does it point to the IP address you expect it to?

  • Yes, it is pointing to the IP address I expect, and I have done an nslookup and it does show up, but I am still getting the same issue.

  • Hi @1P_Amanda,

    I was able to get it to work, but now I am getting a 403 Forbidden issue when trying to access my 1Password account. This may be related to my use of the CLI.

  • Hi @1P_Amanda,
    Here is the current issue I am seeing: I installed the scimsession file successfully, but it did not recognize the generated token.
    {"detail":"handler not found","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"]}

  • 1P_Amanda

    Team Member

    That might be because provisioning is turned off on your account. Can you enable provisioning and try again?

  • Okay, I will go ahead and try that.

  • ag_ana

    Team Member

    Let us know how it goes :+1:

  • Provisioning was turned on and I still ran into the issue.

  • 1P_Amanda

    Team Member

    I think the best course of action here is to email support, reference this forum thread, and ask to set up a call with a Customer Integrations Specialist, and we can help you out there.

    Cheers!
    Amanda

  • kurtd Junior Member

    I feel like I'm running into similar issues. I'm on my second try to deploy the SCIM bridge on DigitalOcean. I was able to browse to the load balancer IP, but after entering in my domain name, that's as far as I got this time. It never verified, and when I go to DigitalOcean, I notice my load balancer and both droplets are down. My droplets kept going down the first time as well. Should that be happening?

  • kurtd Junior Member

    My droplets are still down. What would cause that? All I did was the basic steps to set it up. How would I access the CLI as mentioned above?

  • kurtd Junior Member
    edited August 24

    I hit restart on both of my droplets in my load balancer and it finally came online 10 minutes after that. I was then able to browse to the load balancer IP, enter in my domain, and save my token and session file. I then hit the install button and it's stuck at "installing... You should be redirected shortly. If not, try clicking this link."

  • kurtd Junior Member

    I finally clicked "this link" and this is the error that appears:

    {"detail":"Not found","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"]}

    The first time I went through the install, it ended here as well.

  • ag_alice_t

    Team Member

    @kurtd Hi there. What do you see when you go directly to the SCIM bridge URL? Sometimes the redirect can fail even though the installation of the scimsession file was successful, so I'm wondering if it didn't complete as expected. You should be seeing a Bearer Token input field if you go directly to the URL.

  • kurtd Junior Member

    It does seem to have worked even with the redirect error. I ended up finishing the setup yesterday on Azure and it's still working today. I do get the Bearer Token screen and can log in now. Last time I ran through the setup it loaded as well but wouldn't accept my token. I think it's all working now; I've synced a few users and a couple of groups. The setup felt a bit sketchy with the droplets going down and needing a reboot, plus the redirect issue. Also, the Azure instructions are slightly dated, but I was able to figure it out.

    Thanks

  • ag_alice_t

    Team Member

    Excellent, glad to hear it!

    And thank you for bringing the documentation issue to our attention. We'll be sure to do a review of it in the near future.

    Feel free to reach out if you have any other issues with your integration.

    Alice
