op create user does not update Pending Invitations somehow?

we have been building out some employee facing automation using 1pass CLI

have just started sending new staff invitations using:
op create user

After setting up the provisioning group, the first invitation went out without error, but while the invited user shows up in our people list with status of invited, the invitation does not show up on the invitations tab under Pending Invitations in the web GUI

this inconsistency seems very strange & makes me think this user is in an invalid state - so hopefully everything works out - any ideas how to avoid this?


1Password Version: 1.9.0 CLI
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_yaronag_yaron

    Team Member

    Hey @paulpharr ,

    In short, provisioning invites are not regular invites, so they don’t show up on the invite page.

    In length, the provisioning process creates a temporary user, and then when the provisioning invite email is accepted, that user is transferred over to the end user. That allows us to do some neat things around group/vault management and permission settings prior to the enduser acting on the email.

    This contrasts to the regular invite process, where a user may be invited, but until they act on the email, they have no representation in our system. Therefore no actions can be taken on that user until they act on the email and create their user.

    You can think of a regular invite as a Just-In-Time provisioning, whereas IDP based provisioning works ahead of the end user

  • is it safe to assume the user experience is the same?

    In general I prefer the provisioning invites as you describe them & i think i have seen reference in your SCIM docs - can you recommend a good place to look for a deep dive into the details?

    What i'd really like is to be able to gain more control of the process so I could invite our new employees to securely connect to our 1pass through our Slack

    I can't do this for a few reasons - you have no CLI support for slack invites & our new employees are connected to 1pass before their first day & they are still slack guest accounts

    so i'd really like to be able to create their provisioning user silently and compose my own slack messaging that allows them to accept their invitation. Any chance that's almost easy?

  • ag_yaronag_yaron

    Team Member

    Hey @paulpharr ,
    Sorry for the delay in response times, I'm looking into this with the SCIM team.

    Hopefully I'll have some answers soon.

  • ag_yaronag_yaron

    Team Member

    Hey @paulpharr ,
    Thank you for your patience.

    Slack integration is not as easy and smooth as we'd like it to be yet so there's much to improve, but here are the relevant docs on the topic:

    To be clear, CLI/Slack are invite processes discrete from the SCIM bridge. As the former do not have a ServiceAccount/Provision Manager behind them, they do not create a transfer user like provisioning.
    If you want manageable users accounts before the users actually accept their invites, you will have to go through the bridge.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file