Active Directory integration

antialias
antialias
Community Member
edited April 2018 in Business and Teams

Is there a written tutorial for setting up 1Password for Business to integrate with Active Directory? We just subscribed and this is the first step we wish to complete before inviting our company’s users to the solution.


1Password Version: 6.8.8 (688001)
_Extension Version:
Not Provided
OS Version: Mac OS X
_Sync Type:
Not Provided
Referrer: forum-search:scim directory

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2018

    @antialias: Yep! That sounds like a good plan. It's something we help with on a case-by-case basis since every company's setup is different. Definitely reach out via email at business@1password.com for more details. :)

  • khughes
    khughes
    Community Member
    edited June 2018

    Hi @brenty: We really want to use 1Password but are not feeling the love or support of Active Directory (on-premise, not Azure Active Directory - a different product) which is a deal breaker in our environment. Would you please help us understand why the insistence on an SCIM manged by the customer?

    We would rather not have to setup an run an SCIM and if so, would hope that whatever software and example instructions would be provided, especially considering the added cost of the Business package.

    Business support got back to me and suggested some customers have written their own sync tool, pointing to the new command line options but I must admit for the cost I would expect the tooling to be in place. It's the "small" things like AD integration that could easily push us back to LastPass and we would certainly prefer not to go that route.

    Please help us understand this and why it was decided to go this route?

  • Hi @khughes,

    I can try to answer that for you.

    We do support ActiveDirectory. In fact it's what we ourselves are using to automatically provision and deprovision users for some of our 1Password accounts. We only support Azure ActiveDirectory though, as it's the only version of ActiveDirectory that supports the SCIM protocol. I would love to see Microsoft add SCIM support to their on-prem version. SCIM is a really great protocol and I think it simplifies things greatly (I can go into detail about why I think that way but for the time being I won't bore you with those details)

    The decision to use what we call the 1Password SCIM bridge was really an easy one. I'll explain. Operations in 1Password are nearly always encryption based. For example when a new user is created, encryption keys need to be generated for this user. When you add a user to a group, you're not just associating a user to a group, you're sharing the group's encryption key with the user by taking the group's private key and encrypting it with the user's public key. By making operations based on encryption we've built a system that is much stronger than would otherwise exist. This is good, but the only way that it can actually be secure is for the 1Password server to never actually have a copy of those encryption keys. The encryption keys are yours, and your security is based on our never having access to them. That leads to an interesting problem... if 1Password operations require encryption keys, and the server can't have the encryption keys, then who's doing the work? The answer needs to be "something else." That something else is the 1Password SCIM bridge. With the 1Password SCIM bridge, you provide it credentials for a user on your account, through which it will obtain all encryption keys it needs to perform all of the operations it needs to do. Then it exposes a SCIM 2.0 endpoint that systems like Azure ActiveDirectory or Okta can interact with to send the SCIM commands to do provisioning. The SCIM bridge will translate the SCIM commands to 1Password operations using the encryption keys it has, and then forwards those along to the 1Password server.

    With the 1Password SCIM bridge you get the convenience of automated provisioning without needing to give up any control over your data. Your keys are your business and we don't want them, nor should you want us to have them.

    I hope that helps explain things. I'm more than happy to answer whatever questions you may have about our SCIM bridge.

    Rick

This discussion has been closed.