What does the onboarding look like for users provisioned by SCIM?

jan222
Community Member
edited September 2020 in SCIM Bridge

Couldn't find any docs or screenshots on how the onboarding will work for those users. Can you explain a bit how it works?

Specifically:

  • You don't provide SAML login, so users still need to create a new password for 1Password currently, right?
  • Can I disable the prompt for downloading the Secret Key? This is a security nightmare in enterprise environments. Those docs end up in people's desktop folders, trash bins or, worse, in the printer room....

Cheers,

Jan


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

ref: dev/projects/customer-feature-requests#325

Comments

  • graham_1P
    edited March 2021

    Hi @jan222,

    The user provisioned into 1Password will get an email with the subject Join $Company on 1Password. The email details that your company is using 1Password, and there is a link to Join your team which leads a user to a page where they accept their invite. There they will choose their master password and await approval. Either this can be done manually by an administrator, or automatically by the SCIM Bridge which approves accepted invites every 5 minutes. After approval, the users can log in. This event is marked by a Welcome to 1Password email.

    In short, yes, they will need to create a master password for 1Password. However, let me explain why:

    We cannot support SAML as we are an encryption-based product rather than an authentication-based product. For that reason, your users must always be in possession of their encryption credentials. In the SAML case, even if we got authenticated credentials from an identity provider, we would only be able to provide useless encrypted blobs to your users; they would still need their encryption keys to decrypt the items and make them usable. The Secret Key is one component of their encryption key. When combined locally on a device with their master password and email, we can derive a user's encryption key and locally decrypt the downloaded encrypted items for use. For that reason it is important that users are able to access their Secret Key and master password.

    That being said, they are able to access their Secret Key in their profile on any of the apps, and can have their account recovered by an administrator if they lose access to all their devices. You make a good point. I've filed a feature request for you to remove the Emergency Kit download prompt for Business customers.

    Let me know what follow up questions you have.

    Graham

    ref: dev/projects/customer-feature-requests#325

  • jan222
    Community Member

    Hi Graham,

    I totally understand the difference between SAML authentication and the need for a password / secret key as encryption key.

    I was just wondering if this also applies to enterprise environments where apparently our company (so in the end 1Password) has a master key to recover all accounts in case people lose their login password and/or Secret Key.
    Or how do you decrypt the user's passwords in a recovery process?

    Speaking about SAML, maybe as an idea, the SCIM Bridge could act as a proxy for the SAML IdP and add a user encryption key to the SAML response. This would of course need persistent storage on the SCIM side with all users and their encryption keys.

    I've filed a feature request for you to remove the Emergency Kit download prompt for Business customers.

    Thanks a lot for that; this is really our security bottleneck in 1Password usage, I would say.

    Jan

  • Hi @jan222,

    Yes, password creation and Secret Key generation apply to all accounts, and recovery applies to all accounts above Individual.

    To talk about recovery, in short, whenever a vault is created, a copy of the vault key is encrypted with the public key of the recovery group, allowing members of the recovery group to access all of the vaults. This is leveraged to restore access to a user by restoring their access to their vaults through the recovery process. For an in-depth overview of how account recovery works I would recommend you take a look at our Security Whitepaper. The recovery process is detailed on pages 38-43. https://1password.com/files/1Password-White-Paper.pdf

    Thanks for the SAML idea! We have had some thoughts along those lines of how we may be able to support SAML in the future. For now, it is not anywhere on the development roadmap, but it is a consideration we revisit every so often.

    Graham
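To make the two mechanisms Graham describes concrete (a user key derived locally from master password plus Secret Key plus email, and a vault key stored a second time under the recovery group's public key so an administrator can restore access without ever knowing the old password), here is an added worked model. It is not 1Password's code and not the scheme in the whitepaper; it is a stdlib-only Python toy whose parameter choices (PBKDF2 and HKDF for derivation, a 127-bit Diffie-Hellman group and an HMAC keystream standing in for the real public-key envelope, the sample email and Secret Key string) are all assumptions made so the script runs offline.

```python
"""Toy model of two-component key derivation and recovery-group key escrow.
Added example, not 1Password's implementation. Sizes are NOT secure."""
import hashlib
import hmac
import os
import secrets

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract + expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_user_key(master_password: str, secret_key: str, email: str) -> bytes:
    """Assumed two-component derivation: a password-stretched part XORed with a
    part taken from the Secret Key. Without both inputs the result is useless,
    which is why the Secret Key must stay in the user's possession."""
    email_norm = email.strip().lower().encode()
    salt = hkdf(email_norm, b"salt-seed", b"pbkdf2-salt", 16)
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, 32)
    sk_part = hkdf(secret_key.encode(), b"secret-key-seed", email_norm, 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

# Toy Diffie-Hellman group for the recovery group's "public key" (far too small).
P = (1 << 127) - 1
G = 3

def keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _stream_xor(key: bytes, data: bytes, nonce: bytes) -> bytes:
    """HMAC-based keystream; symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def wrap_symmetric(kek: bytes, vault_key: bytes) -> dict:
    """Encrypt-then-MAC a vault key under a key-encryption key."""
    nonce = os.urandom(16)
    ct = _stream_xor(kek, vault_key, nonce)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap_symmetric(kek: bytes, blob: dict) -> bytes:
    expected = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key or tampered blob")
    return _stream_xor(kek, blob["ct"], blob["nonce"])

def wrap_for_public_key(pub: int, vault_key: bytes) -> dict:
    """Anyone holding the recovery group's public key can wrap a vault key for it."""
    eph_priv, eph_pub = keypair()
    shared = pow(pub, eph_priv, P).to_bytes(16, "big")
    blob = wrap_symmetric(hkdf(shared, b"envelope", b"kek"), vault_key)
    blob["eph"] = eph_pub
    return blob

def unwrap_with_private_key(priv: int, blob: dict) -> bytes:
    """Only recovery group members (holders of priv) can open the copy."""
    shared = pow(blob["eph"], priv, P).to_bytes(16, "big")
    return unwrap_symmetric(hkdf(shared, b"envelope", b"kek"), blob)

def simulate_recovery() -> bool:
    """Create a vault, lose the master password, recover via the recovery group.
    Returns True when the re-wrapped vault key matches the original."""
    email, secret_key = "jan@example.com", "A3-EXAMPLE-SECRET-KEY"  # constructed
    old_user_key = derive_user_key("correct horse battery", secret_key, email)
    vault_key = os.urandom(32)
    user_copy = wrap_symmetric(old_user_key, vault_key)           # user's copy
    rg_priv, rg_pub = keypair()                                    # recovery group
    recovery_copy = wrap_for_public_key(rg_pub, vault_key)         # escrow copy
    # User forgets the password: the new derived key cannot open their copy.
    new_user_key = derive_user_key("a brand new password", secret_key, email)
    try:
        unwrap_symmetric(new_user_key, user_copy)
        return False
    except ValueError:
        pass
    # Recovery group opens the escrow copy and re-wraps it for the new key.
    recovered = unwrap_with_private_key(rg_priv, recovery_copy)
    fresh_user_copy = wrap_symmetric(new_user_key, recovered)
    return unwrap_symmetric(new_user_key, fresh_user_copy) == vault_key

if __name__ == "__main__":
    print("recovery succeeded:", simulate_recovery())
```

The point to take from the model is structural: the server-side data is two wrapped copies of each vault key, and recovery never reveals the old master password; it re-encrypts the vault key for the user's new credentials, which is why the recovery group's private key is the sensitive asset to protect in a Business account.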

This discussion has been closed.