Integration of SCIM bridge
We are checking the integration of the SCIM bridge with the Azure AD IdP.
From your real-life experience, what are the concerns if:
- the SCIM bridge goes down? (how does it affect the company users? vault data?)
- what data flows need to be allowed to the bridge (443/tcp incoming from the IdP, outgoing to 1Password)?
- any other concerns?
If you use a business license, do we have 1 vault for the company or 1 for each user?
Comments
Hello @aluio,
Thanks for asking about Automating provisioning in 1Password Business using SCIM. It's my pleasure to discuss this with you today.
From your real-life experience, what are the concerns if:
- the SCIM bridge goes down? (how does it affect the company users? vault data?)
The SCIM bridge only impacts the provisioning of team members within an account, as well as group membership. If the bridge is offline, those who are already members of the account can continue to use it without interruption, but actions taken within the identity provider (Azure), such as suspending a team member or changing the groups they are in, will not happen automatically until the SCIM bridge is back online. Similarly, new invitations to join the account will not go out when a team member is added to the identity provider or relevant groups until the SCIM bridge is back online.
There is no impact to vault data.
Most identity providers will queue changes for some time, so if the SCIM bridge is down temporarily, actions which could not be completed before will be sent again.
- what data flows need to be allowed to the bridge (443/tcp incoming from the IdP, outgoing to 1Password)?
This may vary depending on how the SCIM bridge is deployed. Our sample Docker compose deployment requires ports 80, 443, and 3002 to be opened, whereas the sample for Docker swarm only needs port 443. I also believe the sample requiring port 80 may be out of date, and that this port is no longer needed in most cases.
While port-based firewall rules may make sense, it's difficult to limit the IP addresses which can communicate to/from the SCIM bridge. 1Password does not provide a list of set IP addresses for our servers, as they are subject to change at any time. I believe the same is true of Azure, or that they have too many possible IP address ranges to practically limit.
Some other things to keep in mind:
- 1Password servers never connect to the SCIM bridge. All traffic flows from the bridge to 1Password.
- 1Password uses Let's Encrypt by default for TLS certificates. You may need to provide your own TLS certificate if you wish to block all IPs, as Let's Encrypt does not publish the list of IPs it may connect from when verifying that a certificate can be issued for your domain.
- The SCIM bridge can use Checkly for health monitoring. All of their IPs would need to be allowed as well, but they use AWS so it would potentially require you to allow all of the AWS IP ranges.
- any other concerns?
Nothing comes to mind, but you may wish to email BusinessSupport@1Password.com to discuss your specific deployment needs with our support team.
If you use a business license, do we have 1 vault for the company or 1 for each user?
With 1Password Business, every team member is given their own private vault to store information that they alone use, which no one else needs access to. The account can also have multiple shared vaults, which allow team members and groups in the account to share information that multiple people should be able to access.
If you haven't seen it yet, check out our Create, share, and manage vaults in your team support article. It shows the process to create and share a vault, and outlines the permissions available in 1Password Business.
I hope this information helps. Be sure to let me know if you have any further questions.
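As an added example (not from the original post or from 1Password), a small Python checker that compares logged connections on a bridge host against the flow model the reply describes: inbound HTTPS from the IdP, Let's Encrypt or Checkly, outbound HTTPS to 1Password, and never an inbound connection from 1Password. The log format, hostnames and IPs are constructed, and matching peers by the hostname suffix `1password.com` is an assumption about what your firewall logs record.

```python
from dataclasses import dataclass

VENDOR_SUFFIX = "1password.com"  # assumption: peers are logged by hostname

@dataclass
class Flow:
    direction: str  # "in" or "out", relative to the bridge host
    peer: str       # hostname or IP of the other side, as logged
    port: int       # bridge port for inbound, peer port for outbound

def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form '<in|out> <peer> <port>'."""
    direction, peer, port = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction: {direction}")
    return Flow(direction, peer, int(port))

def classify(flow: Flow, inbound_ports=frozenset({443})) -> str:
    """Verdict for one flow. inbound_ports is {443} for the Docker swarm
    sample; the Docker compose sample in the reply also opens 80 and 3002."""
    is_vendor = flow.peer.endswith(VENDOR_SUFFIX)
    if flow.direction == "in":
        # 1Password never connects to the bridge, so an inbound flow attributed
        # to it is unexpected regardless of port.
        if is_vendor:
            return "unexpected: inbound from 1Password"
        if flow.port in inbound_ports:
            return "expected: inbound (IdP, Let's Encrypt or Checkly)"
        return f"unexpected: inbound on port {flow.port}"
    # Outbound: the only described flow is bridge -> 1Password over HTTPS.
    if is_vendor and flow.port == 443:
        return "expected: outbound to 1Password"
    return f"unexpected: outbound to {flow.peer}:{flow.port}"

def audit(lines, inbound_ports=frozenset({443})):
    """Return (line, verdict) pairs with the unexpected flows listed first."""
    results = [(ln, classify(parse_flow(ln), inbound_ports))
               for ln in lines if ln.strip()]
    return sorted(results, key=lambda r: not r[1].startswith("unexpected"))

# Constructed sample log: not real traffic; hostnames and IPs are placeholders.
SAMPLE_LOG = """\
in idp.example.com 443
in 203.0.113.10 443
out example-team.1password.com 443
in example-team.1password.com 443
out 198.51.100.7 25
in 192.0.2.5 3002
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG.splitlines()):
        print(f"{verdict:50} {line}")
```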