SCIM Bridge Setup


Hello,
I am trying to set up the scim bridge through docker-compose and the server is in a private subnet and it's not publicly exposable. When I configure it to the DNS, I get the below error.

solving challenge: scim-bridge.integrate-events.com: [scim-bridge.integrate-events.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for scim-bridge.integrate-events.com; no valid AAAA records found for scim-bridge.integrate-events.com

Please do let me know:
Whether we can set up the SCIM bridge between 1Password and Okta in the private subnet, or if it needs to be set up only in a public subnet.
If we are going with a load balancer setup, what is the path which we need to set in the health check?



Comments

  • Hi @bathrinarayanan ,

    Thanks for reaching out.
    Based on the error you've provided, it sounds like there's an issue with TLS.

    Are you using the Let's Encrypt certificate management built into the SCIM bridge to handle the TLS certificate or are you bringing your own certificate? A couple thoughts:

    If you are using your own TLS certificate, have you set the "OP_LETSENCRYPT_DOMAIN" variable in scim.env to an empty string and configured "OP_PORT" to listen for traffic on the correct port for your networking environment? Your SCIM bridge will listen on port 3002 by default (or another port specified using the OP_PORT environment variable) for unencrypted traffic redirected from the TLS endpoint. See the brief documentation on our GitHub repo.

    If you are using the Let's Encrypt features built into the SCIM bridge to handle TLS and manage the certificate, Let's Encrypt needs to perform handshakes with the SCIM bridge's certificate manager component to handle the initial certificate issuance and subsequent renewals. Let's Encrypt uses dynamic IP addresses for this, so make sure your firewall rules are not blocking port 443.

    You can definitely host the SCIM bridge in a private subnet with the load balancer in a public subnet.
    Feel free to share any more queries/concerns around the same.

  • bathrinarayanan (Community Member)

    Hello @hemal.g_1p, thanks for the inputs. I have been using the Let's Encrypt certificate method, and it was working as expected when the server is in a public subnet. I am facing this issue when the server is in a private subnet, so if I use a load balancer for a privately hosted server and the load balancer is public, it's failing the health check. May I know what health check path we need to define in the load balancer?

  • bathrinarayanan (Community Member)

    @hemal.g_1p Can you help me out on this? What is the exact health check path when we are going with a load balancer?

  • Hi there,

    You can activate the SCIM bridge health monitoring from your 1Password account as follows:
    1. Go to your configured integration and click the Manage option for the Health Monitoring section.
    2. Toggle the activation on for Health Monitoring.
    3. Enter the DNS address of your SCIM bridge:
    It would be the URL that refers to the DNS record for your chosen domain, which is pointing to the IP address of your load balancer.
    4. Save the change.

  • bathrinarayanan (Community Member)

    Hi @hemal.g_1p, I am not looking for that health check; I am looking for the health check in the load balancer in AWS.

  • My apologies, I didn't follow your question right.
    I would like to be aware of your deployment-method details to understand what problem you're facing (however, feel free to reach us at support@1password.com with your SCIM logs for thorough assistance).

    Have you already set an ingress firewall rule in place given the information we discussed above?
    Could you confirm the path in the AWS health monitoring spec? The Terraform plan would likely have aws_lb_target_group.op_scim_bridge.health_check.path = "/". That value should be updated to "/app", as it is present here.
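    To make the load balancer health check discussed above concrete, here is an added Terraform fragment (not from the thread, and not 1Password's own Terraform) for the target group in front of a SCIM bridge in a private subnet. The resource name op_scim_bridge and the "/app" health check path come from the reply above; the target port 3002 is the bridge's default plain-HTTP listener mentioned earlier in the thread, while the VPC variable, the "ip" target type and the matcher/interval values are assumptions.

```hcl
# Added example: ALB target group for a SCIM bridge running in a private subnet.
# Assumed: the VPC id is passed in, targets are registered by IP (e.g. ECS tasks),
# and the bridge answers its health check with HTTP 200.

variable "vpc_id" {
  description = "VPC containing the private subnet where the SCIM bridge runs (assumed)"
  type        = string
}

resource "aws_lb_target_group" "op_scim_bridge" {
  name        = "op-scim-bridge"
  port        = 3002      # bridge's default unencrypted listener (OP_PORT); TLS ends at the LB
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "ip"      # assumption: IP targets rather than EC2 instance ids

  health_check {
    enabled             = true
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = "/app"   # per the thread: "/" is the value to replace with "/app"
    matcher             = "200"    # assumption: expected status code for a healthy bridge
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}
```

    With the health check passing, the Let's Encrypt DNS error from the original post is avoided entirely because the public DNS record points at the load balancer, and the bridge itself never needs to be reachable from the internet.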

This discussion has been closed.