Required domains for SCIM bridge?

VRDRF
Community Member
edited July 2023 in SCIM Bridge

Hello,
We are looking into two situations, one where we will host the SCIM bridge in Azure and one in GCP.
We are wondering if there is a complete list of required domains or ip ranges so that we can limit access to the scim bridge as much as possible.

Our IdP is Azure so I'm guessing we need a set of domains from the Azure side (or GCP side), the Kubernetes side and the 1Password side.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi @VRDRF,

    Thanks for reaching out.
    "By limiting access to the SCIM bridge as much as possible" I understand you wish to restrict internet-wide access and allow only from specific IPs.

    In that light I would say when you create and deploy the 1Password SCIM bridge it's required to be deployed onto the public internet. It cannot have closed access, so that both AzureAD (your IdP in this case) and your bridge's Let's Encrypt service will be able to reach the SCIM bridge. If you use a third party certification rather than Let's Encrypt and know the IP address to whitelist for AzureAD then this may be a possibility.

    The SCIM bridge allows your IdP to make calls to 1Password, by passing the calls from the IdP to your SCIM bridge and then your SCIM bridge to 1Password, without the IdP having access to your 1Password account directly by using your scimsession file and bearer token. This is why we highly recommend not sharing your scimsession file and bearer token with anyone that doesn't require it for your SCIM bridge.

    Further about "1Password", we do not make inbound connections to the SCIM bridge. Here I have linked an article which lists domains to whitelist for outbound calls from 1Password. I would recommend whitelisting these just to be sure everything runs smoothly:

    1Password Ports and Domains

    Regarding which IP addresses will need to be whitelisted for AzureAD, you need to reach their support to receive this information. Just to clarify, please don't block access until you have received the IP addresses from AzureAD.

    Additionally, if you would like to use our SCIM bridge health monitoring service you will also need to whitelist Checkly. If Checkly is not whitelisted then the health check will always fail:

    Checkly Whitelisting and Filtering Traffic

    I hope this clarified things. Feel free to ask any more questions. Happy to assist!
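
The reply above boils down to three constraints on an inbound allowlist for the bridge: the IdP's source ranges must be allowed, a health-check service such as Checkly must be allowed if it is used, and a bridge that still relies on Let's Encrypt cannot restrict inbound at all because the validation requests do not come from published addresses. The following script is an added example, not 1Password's code or anything from the thread; it dry-runs a proposed policy against constructed sample traffic and reports the blockers before a firewall rule is applied. The `InboundPolicy` class and all CIDR ranges are hypothetical placeholders (RFC 5737 documentation blocks), not real AzureAD or Checkly ranges, which have to come from those vendors as the reply states.

```python
# Added example (not 1Password's code). Models the inbound allowlist decision
# for a SCIM bridge as described in the reply: only IdP and health-check
# sources are expected, and Let's Encrypt validation arrives from IPs that are
# not published, so a bridge on Let's Encrypt cannot safely restrict inbound.
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges (RFC 5737 documentation blocks). The real
# AzureAD and Checkly ranges must be obtained from those vendors.
IDP_RANGES_PLACEHOLDER = ["203.0.113.0/24", "198.51.100.0/25"]
HEALTH_CHECK_RANGES_PLACEHOLDER = ["192.0.2.0/26"]


@dataclass
class InboundPolicy:
    idp_ranges: list            # CIDR strings supplied by the IdP vendor
    health_check_ranges: list   # CIDR strings supplied by Checkly (empty = not used)
    cert_provider: str          # "letsencrypt" or "third-party"
    restrict_inbound: bool      # True once a firewall allowlist is enforced

    def _networks(self):
        return [ipaddress.ip_network(c, strict=False)
                for c in self.idp_ranges + self.health_check_ranges]

    def allows(self, src_ip: str) -> bool:
        """Decide whether a source IP may reach the bridge under this policy."""
        if not self.restrict_inbound:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self._networks())

    def findings(self) -> list:
        """Return problems that would break provisioning, renewal or health checks."""
        problems = []
        if self.restrict_inbound and self.cert_provider == "letsencrypt":
            problems.append(
                "Let's Encrypt validators use unpublished IPs: keep the bridge "
                "publicly reachable or move to a third-party certificate first")
        if self.restrict_inbound and not self.idp_ranges:
            problems.append(
                "no IdP ranges configured: do not restrict inbound until the "
                "IdP vendor has supplied its source addresses")
        return problems


def classify_requests(policy: InboundPolicy, requests):
    """Map each source IP to allowed/denied; a dry run of the policy against a
    constructed traffic sample before the firewall is actually changed."""
    return {src: ("allowed" if policy.allows(src) else "denied")
            for src, _label in requests}


# Constructed sample of inbound connections as the bridge might see them.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "IdP provisioning call"),
    ("192.0.2.9", "Checkly health probe"),
    ("8.8.8.8", "unrelated scanner"),
]

if __name__ == "__main__":
    draft = InboundPolicy(IDP_RANGES_PLACEHOLDER, HEALTH_CHECK_RANGES_PLACEHOLDER,
                          cert_provider="letsencrypt", restrict_inbound=True)
    for problem in draft.findings():
        print("blocker:", problem)
    fixed = InboundPolicy(IDP_RANGES_PLACEHOLDER, HEALTH_CHECK_RANGES_PLACEHOLDER,
                          cert_provider="third-party", restrict_inbound=True)
    for src, decision in classify_requests(fixed, SAMPLE_REQUESTS).items():
        print(f"{src:>15} -> {decision}")
```

The `draft` policy reproduces the situation the reply warns about (restricting inbound while still on Let's Encrypt) and reports it as a blocker; the `fixed` policy with a third-party certificate passes and the dry run shows the IdP and health-check sources allowed while everything else is denied. Outbound traffic from the bridge to 1Password is a separate rule set and is not modelled here.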
