Feature request, SSO with Azure AD

Hello

As part of my going-passwordless process, I wonder if it will be possible to integrate 1Password for Windows and 1Password X with my own Azure AD (coming with my Microsoft 365 subscription) for SSO? My aim is to not write my master password again and again, and if possible even on initial installation 1P will take credentials from my Azure AD.


1Password Version: 7.4.767
Extension Version: 1.19.1
OS Version: Windows 10 1909
Sync Type: Not Provided

Comments

  • ag_ana (1Password Alumni)

    Hi @Naxterra!

    Can you please clarify how you are thinking about integrating 1Password with Azure exactly? Can you give us a specific example?

    Because every time you want to use 1Password to fill your credentials on a page, 1Password must be unlocked; there is no way to fill credentials if 1Password is locked. You need to either enter the Master Password or unlock it with Touch ID.

  • That's a tricksy one, @Naxterra. I strongly suspect this is something we could theoretically do, but probably wouldn't. I'll do my best to explain why, but if there's anything that doesn't make sense or that you don't follow, please ask questions. Ultimately, I'm probably not the best person to explain this in detail so depending on how deep a dive you want, I may need to call for help.

    With that said, this comes down to the difference between authentication and encryption, which is an interesting but often confusing distinction. Most of these services are authenticating you using your AD credentials. You're proving to the service that you are who you claim to be, which doesn't necessarily require the actual password for that service. You've proven at some point that possession of your AD credentials is a valid authenticator, so if AD says you're you, that service is allowed to trust that and let you in even if you never provided the username and password specific to that service. With 1Password, you're decrypting data instead. Decrypting data doesn't require authenticating yourself at all. Instead, it requires the right key to allow 1Password to do the math and transform the data you have into something usable. So even though your AD credentials prove that you're you and you're entitled to access your data, 1Password is wholly incapable of unlocking that data without your Master Password. It doesn't know your Master Password and relies on you to provide it.

    This means that the only way we could allow you to unlock with your AD credentials is by either persistently storing your encryption key in a manner that could be accessed using your AD credentials or by allowing AD to know your Master Password so that it could provide that Master Password to 1Password after authenticating you. This would definitely be convenient, but it would be terribly insecure. Imagine if your AD account were compromised. You could disconnect it from other services letting them know that your AD credentials no longer prove that you're you and those services would immediately stop allowing access to their data with those credentials. But we could not remove access to your Master Password or encryption key because we don't have either of those in the first place – they'd have to be stored locally. If the person who compromised your AD account was able to get their hands on a copy of your data encrypted with the key your AD credentials were able to access and save it along with the encryption key your AD credentials were protecting, they would have access to that specific dataset indefinitely. You'd need to change every password you stored in 1Password to protect yourself.

    You might reasonably ask why we'd store these things locally on your devices rather than storing them ourselves. After all, if they didn't exist locally, you could protect your 1Password account in the same way as others by simply cutting off access to our service. The thing is, that would leave us with access to the keys to unlock your data. Avoiding that is fairly fundamental to our security design. The idea is that we can't lose, misuse or abuse what we never have in the first place. By avoiding storage of any unencrypted data and never having your encryption key, we ensure that even if we all had our brains and bodies taken over by evil aliens bound and determined to steal our customers' data, the aliens would be incapable of doing so. We simply don't have the keys needed to allow for that. Or, more realistically, it serves to limit the types of data a rogue employee could access, and the data we could potentially compromise by screwing up (because hey, we're humans, we're probably going to screw up on occasion). We absolutely value your trust and work to cultivate it, but we don't feel you should have to trust us in order to know that your data is secure. It should be secure as a matter of course, and we designed 1Password's security model on keeping that requirement to trust to an absolute minimum. After all, we could be the smartest, most well-meaning, and saintly folks on the planet but still make a mistake that exposes data or hire someone without realizing they were a bad actor. This ensures that if that happens, the only data of yours they can access is fully encrypted and can only be unlocked using keys we never have. Bad actors can't steal what we don't have, and we can't expose what we don't have by screwing something up, so you're safe even though we're not perfect.

    I know that was a bit of a novel, but hopefully it makes sense and helps you to understand why this isn't something we can reasonably do while living up to our standards of security and protection for your data. If you have any specific questions or need something clarified, though, let me know. I'll do my best to answer and if I can't, I'll find someone who can. :chuffed:
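To make the authentication-versus-encryption point above concrete, here is an added Python model (not 1Password's code, and a deliberately simplified stand-in for its real key derivation and cipher): the vault key is derived from two secrets, an identity provider only signs claims about who you are, and parking the key behind that sign-in means revoking a compromised account cannot claw back a copy that was already taken. The user name `naxterra`, the secret-key string, the salt and the toy HMAC-counter cipher are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed, simplified model (not 1Password's own derivation or code): the vault
# key depends on two secrets, so proving identity to an IdP contributes no key material.
def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))  # both secrets required

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode); stand-in for a real AEAD."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, stream))

class IdentityProvider:
    """Stands in for Azure AD: signs 'this is user X' claims and can revoke a user."""
    def __init__(self):
        self._signing_key = os.urandom(32)
        self.active_users = set()
    def sign_in(self, user: str):
        if user not in self.active_users:
            return None
        return user, hmac.new(self._signing_key, user.encode(), hashlib.sha256).digest()
    def verify(self, assertion) -> bool:
        user, sig = assertion
        expected = hmac.new(self._signing_key, user.encode(), hashlib.sha256).digest()
        return user in self.active_users and hmac.compare_digest(sig, expected)

def escrow_scenario():
    """The thread's hypothetical: vault key escrowed behind IdP sign-in, IdP account compromised."""
    idp = IdentityProvider()
    idp.active_users.add("naxterra")
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_vault_key("correct horse battery", "A3-EXAMPLE-SECRET-KEY", salt)
    vault = xor_crypt(key, nonce, b"example.com: hunter2")
    escrow = {"naxterra": key}  # key parked where a valid IdP assertion can fetch it
    # An attacker holding the compromised IdP session fetches the key and copies the vault.
    stolen_key = escrow["naxterra"] if idp.verify(idp.sign_in("naxterra")) else None
    stolen_vault = bytes(vault)
    # Revoking the IdP account stops any future escrow fetch...
    idp.active_users.discard("naxterra")
    blocked_now = idp.sign_in("naxterra") is None
    # ...but the already-copied key still decrypts the already-copied data, indefinitely.
    still_decrypts = xor_crypt(stolen_key, nonce, stolen_vault) == b"example.com: hunter2"
    return blocked_now, still_decrypts
```

Without the escrow, a valid IdP assertion on its own yields no key: changing either the password or the secret key changes the derived key, which is what the first two assertions below check.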

  • The companion extension would probably be my one best suggestion for that particular struggle, @Naxterra, and you're getting a bit deeper into the weeds than I'm probably qualified to tread on the AAD trust so I don't know that I can do you much better on my own. The companion extension should work fine with Chromium Edge (though you do need to enable "extensions from other stores" since we point to our Chrome extension rather than separately hosting on the Edge Store), but I know there are folks who far and away prefer 1Password X so that still leaves the concern of which is most usable for you.

    Ultimately, I think the genuine solution to this will be (eventual) integration between 1Password X and the desktop app, but I don't want to ignore your comments on AAD so I've asked one of our security team to pop in and discuss that in more depth. It is a Canadian holiday today (beyond being a bit late for us North Americans anyway), so you might not hear from them until tomorrow, but I'll be sure to give them a poke when I'm in tomorrow if they don't hop in earlier. :chuffed:

  • Lars (1Password Alumni)

    @Naxterra - sorry it's taken so long to respond to you here. It's been partly because I don't have a lot to add to bundtkate's already excellent replies. Over the years, we've considered various ways to accelerate or ease the use of 1Password including integration with other services, but this is a bridge we're just not willing to cross, as things stand now. In order to accomplish what you're asking for, we would need to give Azure access to your Master Password and Secret Key -- these are how your data is decrypted, and try as we might (and have!) there isn't any way around that, which means we're just not going to be doing it, at least the way things stand currently.

    I'm sorry if that's not the answer you were hoping to hear, but that remains - for now - the one we're sticking with: we will not put ourselves in a position where we are able to know your Master Password or Secret Key, let alone share them with other authentication-based mechanisms. If a way to do that securely in the future arises, we'll certainly look into it. But for now, no.

  • It's no trouble at all, @Naxterra, and I'm sorry we don't have better news for you. Hopefully, we'll see some movement forward on desktop app integration for 1Password X on Windows in the near future so you can at least rely on Windows Hello to better limit having to type your Master Password. I know that's only addressing one request among many, but it sounds like the biggie so I've got my fingers crossed it gets things most of the way towards your perfect solution. :+1:

  • UTA_Aiman (Community Member), edited July 2020

    Hi @bundtkate , Hi @Lars ,

    Actually, I'd like to add my voice on behalf of my organization to @Naxterra's.
    I wonder if there's a way that it's possible to store the secret key somewhere inside my directory to enable SSO federation. I have very high doubts about getting my Azure directory compromised, and I'd prefer for Azure to be the ultimate bearer.

    Thanks,
    Aiman

  • Lars (1Password Alumni)

    Welcome to the forum, @UTA_Aiman! Have you already looked into our SCIM bridge option? That's the only way to connect Azure and 1P, but it's mostly for account management/provisioning. If what you're looking for is a way to store your personal Master Password and Secret Key within Azure and use that system's authentication to perform tasks like filling credentials, we don't currently have that - and likely won't - for the reasons Kate listed above.

  • kurtd (Community Member)

    I was thinking about adding many more users to our business account but it would be real nice if we could integrate Azure AD SAML SSO so they don't need to have a second password. I noticed some competitors have the feature...

  • Lars (1Password Alumni)

    @kurtd - did you have a chance to read bundtkate's explanation of the issue above, or my follow-up clarification?

  • kurtd (Community Member)

    Saw that but still wanted to add my vote for this feature. Even the SCIM only option seems to require third party software.

  • The SCIM Bridge does require an identity provider, @kurtd, but that identity provider never has access to your users' 1Password credentials, which is the key difference with SSO. In order to support SSO for 1Password itself, your credentials would still need to be vaulted somewhere outside of 1Password, since the typical trust relationship SSO relies on to avoid that doesn't work in an encryption environment. I'll not repeat myself or Lars on the whys or wherefores, but that's where things stand at the moment. Absent some significant change in the mechanism by which SSO works, I don't see us changing that even with many votes in its favor. Some of our competitors do offer it and I'm sure that makes them a preference for some folks who might otherwise have gone with us, but we are willing to accept that. We each have different philosophies and in the long term I think that's a net positive for our collective customers, as it allows them to choose the solution that works best for them based on their priorities.

    Of course, we appreciate that y'all are interested in this and will continue tracking that interest. If something changes in the future, we may change our minds, too. But, as it stands, the only honest answer here is that this is highly unlikely to be a feature we offer anytime soon and I feel it's important we're clear on that subject so that you can make the best decision for your own needs, even if that isn't us. :chuffed:

  • kurtd (Community Member)

    Is there any progress on this? I must say 1Password is still my favorite app and the one I use, but both LastPass and Keeper can connect to Azure AD without any third party software. Not sure how it all works on the back end, but the user experience is good.

  • Greg (1Password Alumni)

    Hi @kurtd,

    There is nothing new that we can share at this point. I don't believe that we have plans to implement this particular feature, for the reasons that Kate and Lars listed above. If this changes, I am sure this change will be communicated through our official channels.

    If you have other questions, we will be happy to answer them, as always. Thanks! :+1:

    ++
    Greg

  • itpro (Community Member)

    LastPass has this functionality, so it is possible and presumably they are doing it securely. Is their implementation something you deem to be not secure enough for your standards and thus don't do something similar? I'd love to see your company put out more info comparing and contrasting yourself to the competition in a detailed manner. If LastPass's implementation has flaws, take them to task for it and gain some customers in the process. I think this type of competition would be very healthy in this industry as it would keep each company honest and on their toes. All good for consumer security.

    https://support.logmeininc.com/lastpass/help/how-do-i-set-up-federation-services-for-my-lastpass-enterprise-account-using-azure-active-directory

  • Hey @itpro 👋

    We generally like to keep our cards close to the vest, so it's not really like us to divulge our internal decision making processes for why we've opted to not implement SSO with Azure AD into 1Password.

    As Greg mentioned in his prior post, if this changes moving forward, we will be sure to update folks here and it will be communicated through our official channels.

This discussion has been closed.