Setting up SCIM bridge with Okta

mjurczyk
mjurczyk
Community Member

Any idea what will happen to users that already exist in 1password? Will they need to change their password or 2FA?

Can you just select a group to provision?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • @mjurczyk

    An existing 1Password user will be connected to their Okta user assuming they have the same associated email.

    You are able to choose what to provision when setting up Okta. You are able to assign the 1Password Application to a User, a Group, or some combination thereof.

    Graham

  • mjurczyk
    mjurczyk
    Community Member

    Thanks Graham

  • No trouble @mjurczyk

    If you run into any issue please post here or reach out to support@1password.com. If you mention SCIM, it will be redirected into our inbox.

  • mjurczyk
    mjurczyk
    Community Member

    @graham_1P

    I'm getting the error "Your account has an active Provision Manager, but its sign-in details could not be found in your Private vault. Contact the team member who set up provisioning to get the sign-in details." when creating the provisioning account. Do I need to recreate the user?

  • @mjurczyk

    It sounds like you are not signing in with the administrator account which first created the Provisioning Manager, or the login was deleted.

    Do you have access to that account? You can tell from looking at that user's private vault and looking for the Provisioning Manager credentials. You should never need to sign in as the Provisioning Manager but in case you do, its email, password, and secret key are placed into a login item in the administrator's private vault.

    If the record was deleted, then delete the Provisioning Manager user and restart the provisioning setup for the account.

    Let me know if that works,

    Graham

  • mjurczyk
    mjurczyk
    Community Member

    All set @graham_1P

    Do you guys have any idea of what it costs to run in AWS?

  • @mjurczyk

    I have no statistics handy, but you don't need a very powerful CPU or much storage to run the SCIM Bridge.

    The main service is almost completely stateless. The service stores very little beyond necessary things like your authentication credentials and TLS certificate, which are stored in the redis instance. Furthermore, you don't need incredibly high reliability, as the SCIM Bridge is only used while provisioning users, itself an occasional action. We do not recommend replicating the SCIM Bridge. One instance serves most use cases. Finally, as the Bridge acts as an intermediary between 1Password and your identity provider, most error recovery can happen via the identity provider should downtime occur.

    Graham

  • mjurczyk
    mjurczyk
    Community Member

    Hey Graham, I'm seeing some errors... any shot you could help out?

    Error: Incorrect attribute value type

    on ../../module_scim_app/app_asg_lc.tf line 3, in resource "aws_autoscaling_group" "asg":
    3: availability_zones = ["${var.az}"]

    Inappropriate value for attribute "availability_zones": element 0: string
    required.

    Error: Incorrect attribute value type

    on ../../module_scim_app/app_asg_lc.tf line 12, in resource "aws_autoscaling_group" "asg":
    12: vpc_zone_identifier = ["${var.private_subnets}"]

    Inappropriate value for attribute "vpc_zone_identifier": element 0: string
    required.

    Error: Incorrect attribute value type

    on ../../module_scim_app/app_lb.tf line 20, in resource "aws_lb" "app_alb":
    20: subnets = ["${var.public_subnets}"]

    Inappropriate value for attribute "subnets": element 0: string required.

  • mjurczyk
    mjurczyk
    Community Member
    edited October 2019

    @graham_1P ^ this is with Terraform 12.14 and AWS
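    The three errors quoted above all have the same shape: the attribute receives a list whose element 0 is itself a list rather than a string. That is what Terraform 0.12 produces when a variable already declared as `list(string)` is wrapped in the 0.11-era `["${var.x}"]` form. The fragment below is an added illustration, not code from the thread or from the 1Password scim-examples repository; the variable declarations and the extra resource arguments (`min_size`, `max_size`, `launch_configuration`, `load_balancer_type`) are assumptions, and only the three attribute names and the resource names come from the error output.

    ```hcl
    # Added example (not from the thread or the scim-examples repo). Assumes the
    # module declares its inputs as lists, as the "element 0: string required"
    # messages indicate.
    variable "az" {
      type = list(string)
    }

    variable "private_subnets" {
      type = list(string)
    }

    variable "public_subnets" {
      type = list(string)
    }

    # Terraform 0.11 style, which fails under 0.12: interpolating a list inside
    # [" ... "] builds a list of lists, so element 0 is a list, not a string.
    #   availability_zones  = ["${var.az}"]
    #   vpc_zone_identifier = ["${var.private_subnets}"]
    #   subnets             = ["${var.public_subnets}"]

    # Terraform 0.12 style: pass the list value directly, with no quoting.
    resource "aws_autoscaling_group" "asg" {
      availability_zones  = var.az
      vpc_zone_identifier = var.private_subnets

      # Assumed arguments so the resource is complete; the real module's
      # launch configuration and sizing are not shown in the thread.
      min_size             = 1
      max_size             = 1
      launch_configuration = aws_launch_configuration.scim.name
    }

    resource "aws_lb" "app_alb" {
      subnets            = var.public_subnets
      load_balancer_type = "application"
    }
    ```

    Terraform 0.12 ships a `terraform 0.12upgrade` command that rewrites these legacy interpolations in place; running it in the module directory before `terraform plan` is the quickest way to confirm that this is the only 0.11-era construct left in the configuration.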

  • @mjurczyk

    Nothing jumps out at me. Are you following our SCIM Examples repository for Terraform?

    https://github.com/1Password/scim-examples/tree/master/aws-terraform

    Graham

  • mjurczyk
    mjurczyk
    Community Member

    @graham_1P

    I'm getting this error on the Docker container

    scim_1 | redicrypt: getting cert for key redicrypt/1-scim-1.example.net
    scim_1 | 2019/10/15 15:40:40 http: TLS handshake error from 54.89.52.11:24655: acme/autocert: host "1-scim-1.example.net" not configured in HostWhitelist

    And this when I try to test the API connection on Okta.

    Please review the form to correct the following error(s):

    Error authenticating: Received fatal alert: internal_error

  • Hey @mjurczyk

    To clarify, you are no longer pursuing Terraform, and have moved to the Docker Compose deployment method, correct?

    In what infrastructure are you trying to deploy and test the SCIM Bridge?

    It appears you are attempting to use a testing domain alongside the LetsEncrypt autocert server, 1-scim-1.example.net, which we do not support. Either you need to use a domain under your control (e.g. scim.mjurczyk.net) or run the bridge in an insecure mode without TLS support. You can do the latter by removing the --letsencrypt-domain flag from the docker-compose.yml https://github.com/1Password/scim-examples/blob/master/docker/compose/docker-compose.yml#L11.

    To be clear, when running in production, a secured connection between your identity provider and the SCIM Bridge is required to protect your information. That can either be via the LetsEncrypt validated TLS certificate, or to have TLS connections terminated at your network infrastructure's load balancer.

    I can give more concrete recommendations with more information about how you are attempting to deploy the bridge. If any details are too sensitive for a forum, feel free to email support@1password.com mentioning the SCIM Bridge, and I can help you there.

This discussion has been closed.