Google Workspace scim bridge not updating

mrwinter
Community Member

Hi, I've got a current email support request in that is not being updated, so I'm hoping someone from the community may be able to help us out.

We are in a position where our scim bridge has failed to update any changes to groups or add new users from Google Workspace for a few weeks.

I initially thought it was due to a particular group, but I've deleted and recreated that group and am still unable to make any changes. I have removed and re-added the group which wasn't able to initially update from the "managed groups" list in the 1P integrations page.

I've also disabled and re-enabled provisioning in 1P.

What's weird is that the Health check in the Integrations page in 1Password is showing as healthy. All the components in Kubernetes engine in Google are green (although it's still showing "some components are pending").

If I hit sync manually in the scim bridge, it shows "0 groups synced, 0 failed" but no changes are made.

Our scim logs are showing:

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","component":"SubscriptionRenewal","error":"retry: max execution times reached (3): Server: (failed to Subscribe), failed to WatchForReportsEvent: Server: (failed to reportsAPI.Activities.Watch), googleapi: Error 400: Invalid request: Event sync not found in manifest., invalid","time":"2023-08-10T18:51:35Z","message":"failed to renew subscription"}

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","request_id":"(hidden)","error":"b5Group is nil","group-id":"","time":"2023-08-10T19:11:54Z","message":"failed to PopulateMembershipSyncContext"}

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","request_id":"(hidden)","error":"Server: (failed to PopulateMembers), b5Group is nil","time":"2023-08-10T19:11:54Z","message":"failed to SyncGroups"}

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","component":"CertificateManager","error":"certificate is not allowed for server name *.*.*.* (hidden): certificate for '*.*.*.*' is not managed","domain":"*.*.*.*","time":"2023-08-10T19:50:52Z","message":"certificate manager error while getting certificate"}

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","component":"CertificateManager","error":"certificate is not allowed for server name *.*.*.*: certificate for '*.*.*.*' is not managed","domain":"*.*.*.*","time":"2023-08-10T19:50:53Z","message":"certificate manager error while getting certificate"}

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","request_id":"(hidden)","time":"2023-08-10T19:51:00Z","message":"cached session is empty"}

{"level":"error","version":"2.8.2","build":"208021","application":"op-scim","request_id":"(hidden)","error":"session tokens do not match","time":"2023-08-10T19:51:12Z","message":"invalid session"}

The hidden IP is the public facing IP for the scim bridge.

I get what appears to be a valid response from the following certificate check:

gcloud container clusters describe cluster-1 --region=europe-central2-a --format "value(masterAuth.clusterCaCertificate)" | base64 -d > /tmp/ca.crt
curl -s -X GET "${APISERVER}/api/v1/namespaces" --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt    

with each section giving the following result:

"status": {
    "phase": "Active"
  }   

I'm a little nervous to regenerate credentials as I'm not sure if it will disrupt our current users' access.

Any help or troubleshooting step you can give would be greatly appreciated. This issue has been happening for over two weeks now, and it's becoming a big issue for us.

Many thanks!

Chris


1Password Version: Current
Extension Version: Any
OS Version: Any
Browser: Any
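One way to triage the log lines quoted in the post, as an added example that is not part of the original post or of 1Password's tooling: it groups op-scim JSON entries by component and innermost error, so wrapped and repeated failures collapse into one row each. The sample input is constructed from the lines in the post (version, build and request_id fields dropped); the function names and the `root_cause` splitting rule are assumptions.

```python
import json
from collections import OrderedDict

# Constructed sample: the op-scim lines quoted in the post with some fields
# dropped, plus one non-JSON line to exercise the parser.
SAMPLE_LOG = r'''
{"level":"error","component":"SubscriptionRenewal","error":"retry: max execution times reached (3): Server: (failed to Subscribe), failed to WatchForReportsEvent: Server: (failed to reportsAPI.Activities.Watch), googleapi: Error 400: Invalid request: Event sync not found in manifest., invalid","time":"2023-08-10T18:51:35Z","message":"failed to renew subscription"}
{"level":"error","error":"b5Group is nil","time":"2023-08-10T19:11:54Z","message":"failed to PopulateMembershipSyncContext"}
{"level":"error","error":"Server: (failed to PopulateMembers), b5Group is nil","time":"2023-08-10T19:11:54Z","message":"failed to SyncGroups"}
{"level":"error","component":"CertificateManager","error":"certificate is not allowed for server name *.*.*.*: certificate for '*.*.*.*' is not managed","domain":"*.*.*.*","time":"2023-08-10T19:50:52Z","message":"certificate manager error while getting certificate"}
{"level":"error","component":"CertificateManager","error":"certificate is not allowed for server name *.*.*.*: certificate for '*.*.*.*' is not managed","domain":"*.*.*.*","time":"2023-08-10T19:50:53Z","message":"certificate manager error while getting certificate"}
{"level":"error","time":"2023-08-10T19:51:00Z","message":"cached session is empty"}
{"level":"error","error":"session tokens do not match","time":"2023-08-10T19:51:12Z","message":"invalid session"}
kubectl: stream closed
'''

def root_cause(error):
    """Heuristic (assumption): wrappers in these lines look like
    'Server: (failed to X), <cause>', so the cause follows the last '), '."""
    return error.rsplit("), ", 1)[-1] if error else ""

def triage(text, level="error"):
    """Group entries by (component, root cause or message); return (groups, skipped)."""
    groups, skipped = OrderedDict(), 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # non-JSON noise, e.g. kubectl messages
            continue
        if not isinstance(entry, dict) or entry.get("level") != level:
            continue
        cause = root_cause(entry.get("error")) or entry.get("message", "")
        key = (entry.get("component", "-"), cause)
        g = groups.setdefault(key, {"count": 0, "first": entry.get("time"), "last": None, "messages": []})
        g["count"] += 1
        g["last"] = entry.get("time")
        if entry.get("message") not in g["messages"]:
            g["messages"].append(entry.get("message"))
    return groups, skipped

if __name__ == "__main__":
    groups, skipped = triage(SAMPLE_LOG)
    for (component, cause), g in groups.items():
        print(f'{g["count"]}x [{component}] {cause} ({g["first"]} .. {g["last"]}) via {g["messages"]}')
    print(f"skipped {skipped} non-JSON line(s)")
```

On the sample, the two sync failures collapse into a single "b5Group is nil" row, separate from the subscription renewal, certificate manager and session errors.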

Comments

  • BOS27
    edited August 2023

    Hi Chris,

    This appears to be related to another bug that will be addressed in an upcoming hotfix. Hopefully by the end of the week, the fix for this should be released to our community in version 2.8.3.

    Cheers,

    Dan

This discussion has been closed.