I have an issue with the integration of 1Password with Okta

halilbozan
Community Member

I set up the 1Password SCIM bridge to integrate with Okta. The SCIM bridge works properly only when I open port 443 publicly to everywhere in our firewall rules. When I move port 443 to the VPN (behind NAT IPs), I see it connected properly from our SCIM domain, but 1Password monitoring shows an error.

I see only this error in the SCIM bridge logs:
7:27AM INF failed to verify session error="failed to touch session: failed to DoEncrypted: Authorization: (401) (Unauthorized), You aren't authorized to perform this action." application=op-scim component=SCIMServer


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Ubuntu 20.04
Sync Type: on cloud

Comments

  • DJ_1P
    1Password Alumni

    Hi @halilbozan

    You may need to make the health monitoring service available to your SCIM bridge instance. You can check out the documentation here.

    Let us know if this helps.

  • halilbozan
    Community Member
    edited August 2021

    I set it up with Docker, and when I look at the Docker logs on the instance I can't see anything. Is there any restriction between Okta and 1Password? I see the same error above when I access your link. I would like to open only our private network in our security group.

  • Chas_1P
    edited August 2021

    Hi @halilbozan,

    Thank you for your response!

    We use Checkly as a third party service for our health monitoring feature, so in order for it to work properly you would need to allow Checkly traffic to the SCIM bridge, which may include making a whitelist for their IP ranges, as you can read about here. This perhaps could be the issue you're experiencing with the health monitoring error, as it seems like your SCIM bridge is working and authenticating correctly.

    Can you explain a little more what you are trying to accomplish with your security groups that you mentioned? Are you using AWS as your cloud provider? Are you using LetsEncrypt, or perhaps terminating TLS at a load balancer? Are you only locking down ports or IP ranges too?

    Looking forward to assisting you further!

    Chas

  • halilbozan
    Community Member

    Hi,

    • I am using AWS
    • I am using LetsEncrypt

    As you can see above, everything looks right, but there is an error on the 1Password integrations page. My security group is open to everywhere for now. Otherwise, I get the error above (if it is only accessible from my private VPC NAT gateway IPs). But I want to open it only to my AWS client VPC NAT gateway IPs.

  • Hello @halilbozan!

    The status page you're seeing shows that the SCIM bridge is healthy, which is good! I would first like to mention that enabling health monitoring is completely optional - if you don't want to open up to allow Checkly access to your SCIM bridge, you don't have to. Going to that status page tells you the same information, you just need to seek it out as opposed to getting an email if it goes down for some reason.

    Your IdP needs access to your SCIM bridge in order to send requests to it, and the SCIM bridge needs to be able to send the requests through to 1Password. If you want monitoring on your account, Checkly also needs to be able to access your SCIM bridge. Those are the only access requirements, so if you allow outbound traffic and whitelist Okta and Checkly IP addresses, you should be able to restrict any other access. That being said, the bearer token is required in order to do anything with the SCIM bridge, so even if you leave some ports open to the internet it is still secured by TLS and the bearer token.

    Please let me know if you have any further questions!

    Amanda
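    The access model Amanda describes (inbound TCP/443 only from the IdP, plus Checkly only if monitoring is enabled, everything else closed, outbound left open) is easy to get subtly wrong in a security group, which is what happened in this thread when only the VPC NAT gateway IPs were allowed. The following is an added example, not 1Password's or the thread's own code: a small Python audit that takes a list of inbound rules and reports what is over-permissive, unnecessary, or missing. The IdP and monitoring CIDRs are constructed TEST-NET placeholders, since the vendor ranges are not reproduced here; substitute the published Okta and Checkly lists.

```python
"""Audit a SCIM bridge security group's inbound rules against the minimal
access model: tcp/443 from the IdP (and from the monitor if enabled), nothing else.
Added example; the CIDRs below are constructed placeholders, not real vendor ranges."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    cidr: str       # source CIDR as written in the security group, e.g. "0.0.0.0/0"
    from_port: int
    to_port: int


# Constructed stand-ins (RFC 5737 TEST-NET) for the IdP and monitoring egress ranges.
IDP_RANGES = ("203.0.113.0/24",)
MONITOR_RANGES = ("198.51.100.0/24",)
SCIM_PORT = 443


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _overlaps(a, b):
    # ipaddress raises on mixed v4/v6 comparisons, so guard the version first
    return a.version == b.version and a.overlaps(b)


def _covers(rule_net, needed):
    return rule_net.version == needed.version and needed.subnet_of(rule_net)


def audit_ingress(rules, idp_ranges=IDP_RANGES, monitor_ranges=MONITOR_RANGES,
                  monitoring_enabled=False):
    """Return a sorted list of (severity, message). Empty means the rule set
    matches the minimal model: every required source reaches tcp/443, nothing else does."""
    required = {_net(c): "IdP" for c in idp_ranges}
    monitor = {_net(c) for c in monitor_ranges}
    if monitoring_enabled:
        required.update({n: "monitoring" for n in monitor})

    findings = []
    for r in rules:
        net = _net(r.cidr)
        if not (r.from_port <= SCIM_PORT <= r.to_port):
            findings.append(("medium", f"{r.cidr} tcp/{r.from_port}-{r.to_port}: port not used by the SCIM bridge, remove"))
            continue
        if r.from_port != r.to_port:
            findings.append(("medium", f"{r.cidr} tcp/{r.from_port}-{r.to_port}: narrow to tcp/{SCIM_PORT} only"))
        if net.prefixlen == 0:
            findings.append(("high", f"{r.cidr}: tcp/{SCIM_PORT} open to the internet; TLS and the bearer token are the only remaining controls"))
        elif not monitoring_enabled and any(_overlaps(net, m) for m in monitor):
            findings.append(("low", f"{r.cidr}: monitoring is disabled, this rule is unnecessary"))
        elif not any(_overlaps(net, n) for n in required):
            findings.append(("medium", f"{r.cidr}: source is neither the IdP nor the monitor, remove"))

    # Required sources that no tcp/443 rule fully covers: provisioning (or monitoring) will fail.
    for n, role in required.items():
        if not any(_covers(_net(r.cidr), n) and r.from_port <= SCIM_PORT <= r.to_port for r in rules):
            findings.append(("high", f"{n}: {role} range has no tcp/{SCIM_PORT} ingress rule"))
    return sorted(findings)


if __name__ == "__main__":
    # The situation in the thread: only the VPC NAT gateway IP (constructed) is allowed in.
    nat_only = [IngressRule("192.0.2.10/32", 443, 443)]
    for severity, message in audit_ingress(nat_only):
        print(f"[{severity}] {message}")
```

    Running the script prints a "high" finding for the uncovered IdP range and a "medium" one for the NAT-only rule, which is exactly the state that lets the bridge's own status page look healthy while Okta cannot reach it. Outbound rules are deliberately not audited: the bridge to 1Password direction needs egress only.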

  • halilbozan
    Community Member

    Actually, I don't want to use Checkly. How do I access the 1Password IPs? My instance is in the Frankfurt region. I allowed the Okta IPs but nothing changed. I guess I need the 1Password IPs.

  • You shouldn't need 1Password IP addresses - the information only flows one way, from the SCIM bridge to 1Password, so as long as you allow outbound communication from the SCIM bridge that shouldn't be an issue.

    Can I get some clarification on the behaviour you're seeing? You seem to have the SCIM bridge up and running and are able to access it from a browser. Since you don't want Checkly then you can disable monitoring on the 1Password integrations page. When you enter your SCIM bridge URL and bearer token in Okta, does it successfully authenticate?

    Cheers!
    Amanda

  • halilbozan
    Community Member
    edited September 2021

    Thanks, Amanda. We disabled monitoring and the integration looks healthy. But when we try to authenticate 1Password with Okta, it asks me for the secret and master password. So it is not authenticated. What may be the reason for the authentication problem?

  • Are you referring to SSO? If so, we currently do not support SSO due to our end-to-end encryption model.

    Let me know if you have any other questions!
    Amanda

  • halilbozan
    Community Member

    Okay, but you have documentation at https://support.1password.com/scim-okta/ that says it is possible.

  • We support user and group provisioning from Okta, but not single sign-on.

    Cheers!
    Amanda

  • halilbozan
    Community Member
    edited September 2021

    Thanks for your support Amanda.

  • ag_ana
    1Password Alumni

    On behalf of Amanda, you are very welcome @halilbozan! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)
