Supporting SSO and 2FA across Multiple entries
Hi, I have been able to find a lot of historic discussions on "linking passwords" or "referencing other items" across the forums, but nothing specifically around SSO and 2FA.
As SSO (specifically Azure AD) is being used more and more for authentication (including the 2FA challenge), it's appropriate for this to be created as a login entry in 1Password (e.g. M365 Azure AD). For this example, let's assume it only includes the Microsoft login URL, username, password and 2FA.
Other web applications use Azure AD as their authentication mechanism, specifically within corporate. Often (not always) each web application has a different username instead of the email address for Azure AD (maybe it's firstname.lastname, or FirstnameFirstLetterFullLastName etc.) but relies on the Azure AD password and 2FA challenge to auth.
How can I have multiple login entries, with each web URL being unique and, if required, different usernames, but reference/link the M365 Azure AD password and 2FA?
A workaround could be just to create independent logins with the same details, but upon changing credentials this will be a nightmare to update each one when you change your Azure AD password.
On the surface it appears simple (which I'm sure as hell it's not!): when you create a login, you have the option to get questioned "do you want to use another entry's password", and similarly when creating 2FA. You don't want this as a default behaviour, but a way of linking fields would be fantastic!
Thanks
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @DRPau,
Thanks for asking about using 1Password to sign into multiple websites which share the same credentials. It's my pleasure to assist you with this today.
First, I'd like to point out that you, and anyone else reading this, should be very careful in this situation. If all of these services actually rely on the same credentials, this advice is okay, but if you are actually signing into different services which can have their own unique credentials, do that instead. Never reuse passwords if you can help it.
Now, let's assume there are two internal services which are both backed by some kind of identity provider, such that they automatically share an account password and two-factor authentication codes. Any change to either service also updates the other. Let's also assume that there are two different login pages, and similar but different usernames for each service.
Service A: service_a.internal.example.com
Username: WendyAppleseed
Service B: service_b.internal.example.com
Username: Wendy.Appleseed@example.com
In this situation, the best choice is to create a single 1Password login item. Leave the username blank, but fill in the password, one-time password, and both web addresses. Then add custom fields for both of the usernames. I've created a demo item and included a screenshot below.
When you visit either site, 1Password would offer to fill in the password and two-factor authentication code, but you'll need to manually copy and paste in the correct username. Any change you make to the shared credentials will automatically be available for the other, since it's only a single 1Password login item. If necessary, you can continue adding additional websites and user names to the login item, just be sure to give them clear labels.
I hope this information helps. Be sure to let me know if you have any questions!
Scott Swezey
Customer Support Specialist @ 1Password
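The layout Scott describes (one login item, shared password and TOTP, both URLs, and a clearly labelled custom username field per service) can be driven by a small script rather than copied by hand. The example below is added here and is not code from 1Password or from the thread; it assumes the item was exported with `op item get --format json` and that its JSON has the `urls`/`fields` shape shown in the constructed sample, with each username field labelled with the service's host name.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in the shape `op item get --format json` emits (shape
# assumed): blank username, shared password + TOTP, both URLs, and one
# custom username field per service, labelled with that service's host.
SAMPLE_ITEM_JSON = """
{
  "title": "M365 Azure AD (shared)",
  "urls": [
    {"label": "Service A", "primary": true,
     "href": "https://service_a.internal.example.com/login"},
    {"label": "Service B", "href": "https://service_b.internal.example.com/"}
  ],
  "fields": [
    {"id": "username", "type": "STRING", "purpose": "USERNAME",
     "label": "username", "value": ""},
    {"id": "password", "type": "CONCEALED", "purpose": "PASSWORD",
     "label": "password", "value": "placeholder-not-a-real-secret"},
    {"id": "totp", "type": "OTP", "label": "one-time password",
     "value": "otpauth://totp/example?secret=PLACEHOLDER"},
    {"id": "u_a", "type": "STRING",
     "label": "username service_a.internal.example.com", "value": "WendyAppleseed"},
    {"id": "u_b", "type": "STRING",
     "label": "username service_b.internal.example.com",
     "value": "Wendy.Appleseed@example.com"}
  ]
}
"""

def load_sample_item() -> dict:
    return json.loads(SAMPLE_ITEM_JSON)

def username_for_url(item: dict, url: str) -> Optional[str]:
    """Return the custom username whose label names the URL's host, or None.

    The host must be listed under "urls" (unlisted sites are refused, not
    guessed) and exactly one custom STRING field must name it; on any
    ambiguity the caller falls back to the manual copy the reply describes.
    """
    host = urlparse(url).hostname
    known = {urlparse(u.get("href", "")).hostname for u in item.get("urls", [])}
    if not host or host not in known:
        return None
    matches = [
        f["value"] for f in item.get("fields", [])
        if f.get("type") == "STRING" and f.get("purpose") != "USERNAME"
        and host in f.get("label", "").lower() and f.get("value")
    ]
    return matches[0] if len(matches) == 1 else None
```

Feed it the page you are on (for example `username_for_url(item, "https://service_b.internal.example.com/dashboard")`) and it returns the matching custom username, or None when the site is not one of the item's listed URLs.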
@ScottS1P really appreciate your assistance. I can see the workaround and how this may work and appreciate the detailed response. Unfortunately it still seems a little "clicky" due to having to select different details etc., but thanks for your clear explanation.
I hope, in time, 1Password may look at implementing the ability to link to a "master identity provider" where it will use that identity's credentials, unless it has an override (like a username being filled out).
Cheers
D