AzureAD - SCIM provisioning (without SCIM bridge container) - FEATURE REQUEST

devwit
Community Member
edited April 2023 in SCIM Bridge

We would prefer not to have to manage the SCIM bridge container.

Most SCIM-enabled applications allow SCIM provisioning via AzureAD's built-in integration.

This only requires a SCIM token and the URL for the application's API endpoint:
- https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups

Is this feature on the roadmap for a future release? If not, please let me know the correct channel for officially submitting a new feature request.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi @devwit:

    Thanks for sharing your feedback. The short version is that 1Password operates a little differently than most other SCIM-enabled applications.

    What is the 1Password SCIM Bridge?

    In short, your 1Password account can only be managed (which includes adding or removing users or groups, or assigning groups to users) if you have the encryption key for your 1Password data.

    If your personal encryption key is stored on your device, how can 1Password and IdPs automatically carry out SCIM-related operations?

    One of our strongest beliefs is that your encryption keys should never come anywhere close to our servers. We don't want the ability to decrypt your data. This is why the SCIM bridge exists. Because making changes to your 1Password account requires the ability to decrypt your data, it isn't possible for us to have something like your-company.scim.1password.com. If SCIM provisioning were implemented like that, 1Password (the company) would have the ability to decrypt your data.

    Because of this, it's necessary to use 1Password SCIM Bridge. 1Password SCIM Bridge is hosted on your infrastructure (either a cloud provider like Google Cloud Platform, AWS, Azure or a server you control), and has decryption keys to manage users. This means that your identity provider can talk to the SCIM bridge, and treat it like any other SCIM-enabled application, without having to provide decryption keys to either your identity provider, or 1Password.

    Let me know if that makes sense.

    Jack
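The split Jack describes (the IdP holds only a SCIM bearer token and a URL; the component that can actually change the directory holds the account key and runs on the customer's own infrastructure) is easiest to see as a small model. The following is an added example, not 1Password's code and not how the real SCIM bridge is implemented: it is a toy SCIM 2.0 `/Users` endpoint in Python that validates the IdP's bearer token in constant time, accepts the core User create and the `PatchOp` deactivate shapes from RFC 7643/7644, and performs the "privileged" step with a key that never appears in any response. `ScimBridge`, `demo`, the constructed token and account key, and the stand-in `_apply_to_directory` step are all assumptions made for the illustration.

```python
"""Toy model of the SCIM bridge pattern (added example, not 1Password code).

Assumptions: HTTP bearer-token auth; SCIM 2.0 core User resources and PatchOp
messages as defined in RFC 7643/7644; the token and account key below are
constructed placeholders, not real values.
"""
import hmac
import json
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status: int, detail: str, scim_type: str = "") -> tuple[int, dict]:
    """Build an RFC 7644 error body; the int status is for the HTTP layer."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimBridge:
    """Runs on customer infrastructure. The IdP is given only `scim_token`;
    `account_key` (the thing that can change the directory) stays here."""

    def __init__(self, scim_token: str, account_key: bytes) -> None:
        self._scim_token = scim_token.encode()
        self._account_key = account_key  # never returned by any handler
        self.users: dict[str, dict] = {}

    def _authorized(self, headers: dict) -> bool:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so a wrong token does not leak via timing.
        return scheme == "Bearer" and hmac.compare_digest(token.encode(), self._scim_token)

    def handle(self, method: str, path: str, headers: dict, body=None) -> tuple[int, dict]:
        """Dispatch one IdP request; `body` may be a JSON string or a dict."""
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        payload = body if isinstance(body, dict) else json.loads(body or "{}")
        if method == "POST" and path == "/scim/v2/Users":
            return self._create_user(payload)
        if method == "PATCH" and path.startswith("/scim/v2/Users/"):
            return self._patch_user(path.rsplit("/", 1)[1], payload)
        return scim_error(404, f"{method} {path} not supported by this example")

    def _create_user(self, payload: dict) -> tuple[int, dict]:
        if SCIM_USER not in payload.get("schemas", []) or not payload.get("userName"):
            return scim_error(400, "core User schema and userName are required", "invalidValue")
        if any(u["userName"] == payload["userName"] for u in self.users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        user_id = str(uuid.uuid4())
        record = {
            "schemas": [SCIM_USER],
            "id": user_id,
            "userName": payload["userName"],
            "active": _as_bool(payload.get("active", True)),
            "meta": {"resourceType": "User", "location": f"/scim/v2/Users/{user_id}"},
        }
        self._apply_to_directory(record)
        self.users[user_id] = record
        return 201, record

    def _patch_user(self, user_id: str, payload: dict) -> tuple[int, dict]:
        """Deprovisioning arrives as a PatchOp replacing `active` with false."""
        record = self.users.get(user_id)
        if record is None:
            return scim_error(404, "user not found")
        if SCIM_PATCH not in payload.get("schemas", []):
            return scim_error(400, "body must be a PatchOp message", "invalidSyntax")
        for op in payload.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                record["active"] = _as_bool(op.get("value"))
            else:
                return scim_error(400, f"unsupported operation {op!r}", "invalidPath")
        self._apply_to_directory(record)
        return 200, record

    def _apply_to_directory(self, record: dict) -> None:
        # Stand-in for the privileged change. In the pattern described in the
        # thread this step needs the account key, which is why it happens here
        # and not inside the IdP or at the vendor. Modelled as a keyed tag.
        content = {k: v for k, v in record.items() if k != "meta"}
        tag = hmac.new(self._account_key, json.dumps(content, sort_keys=True).encode(), "sha256")
        record["meta"]["version"] = tag.hexdigest()[:16]


def _as_bool(value) -> bool:
    # Some IdP implementations have sent booleans as the strings "True"/"False";
    # bool("False") would be True, so normalise strings explicitly.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def demo() -> dict:
    """Walk through the IdP-side exchange with constructed values."""
    bridge = ScimBridge("constructed-scim-token", b"constructed-account-key")
    good = {"Authorization": "Bearer constructed-scim-token"}
    bad_status, _ = bridge.handle("POST", "/scim/v2/Users", {"Authorization": "Bearer wrong"}, {})
    created, alice = bridge.handle("POST", "/scim/v2/Users", good,
                                   {"schemas": [SCIM_USER], "userName": "alice@example.com"})
    dup, _ = bridge.handle("POST", "/scim/v2/Users", good,
                           {"schemas": [SCIM_USER], "userName": "alice@example.com"})
    patched, alice = bridge.handle("PATCH", f"/scim/v2/Users/{alice['id']}", good,
                                   {"schemas": [SCIM_PATCH],
                                    "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
    return {"bad_token": bad_status, "created": created, "duplicate": dup,
            "deprovisioned": patched, "active_after": alice["active"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the model is the trust boundary, not the HTTP plumbing: the IdP can create, update and deactivate users using nothing more than the bearer token, while the key that authorises the underlying change is only ever reachable from the process the customer runs. Rejecting bad tokens before any JSON is parsed, and normalising the string-typed booleans some provisioning clients have sent for `active`, are the two checks most often missed when standing up an endpoint like this.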

  • En1
    Community Member

    What about engineering a solution that would only sync verified tenant users and have that part not be part of the encryption key? I tried setting up Azure AD today and it's way too tedious. We need the option to "have it operate as others" for just Group/User SCIM.

This discussion has been closed.