scim
197 Topics

1Password Hosted SCIM Bridge
I would love the option (even at a small added fee) for 1Password to host a SCIM Bridge rather than our customers being required to spin up additional infrastructure to add the bridge. As an MSSP/MSP providing 1Password to many of our customers, the management of so many SCIM bridges would likely be time consuming to manage.

How are other MSSP/MSPs setting up SCIM Bridges for their multiple customers? Do you host a VM/computer for each customer and connect each one individually, or are you not using this capability? Curious to hear how the rest of the community is handling this.

23 Views, 0 likes, 0 Comments

How to update SCIM bridge in Entra
Started getting error messages from 1P and Entra that the SCIM bridge stopped working. The 1P admin panel says to update the SCIM bridge. Where do I actually enter those credentials in Entra?

P.S. Kudos to the engineer that figured out the copy/paste image in markdown!

1Password Version: 1Password for Windows 8.10.56 (81056028)
Extension Version: 8.10.56.28 81056028, on STABLE channel
OS Version: Win 11 26100.2605
Browser: Edge

33 Views, 0 likes, 0 Comments

Google Workspace suspended users not made inactive in 1Password
Our Google Workspace SCIM bridge was initially working, but at some point users who are suspended in Google Workspace stopped being inactivated in 1Password. Health checks are successful. Status for each service shows "connected". New users are provisioned. I do find the following error in the logs occasionally (some info redacted):

    {
      "time": "2024-12-03T14:31:52.567297803Z",
      "stream": "stdout",
      "_p": "F",
      "log": "2:31PM ERR failed to renew subscription error=\"retry: max execution times reached (3): Server: (failed to Subscribe), failed to WatchForReportsEvent for event sync: Server: (failed to reportsAPI.Activities.Watch), googleapi: Error 400: Invalid request: Event sync not found in manifest., invalid\" application=op-scim build=209073 component=SubscriptionRenewal hostname=[redacted] instance_id=[redacted] version=2.9.7",
      "kubernetes": {
        "pod_name": "op-scim-bridge-6748d55f96-8vk79",
        "namespace_name": "op-scim-bridge",
        "pod_id": "c0aefdea-b580-4a55-ba54-97dc7c6f95ac",
        "labels": {
          "app": "op-scim-bridge",
          "pod-template-hash": "6748d55f96"
        },
        "host": "ip-172-20-147-56.ec2.internal",
        "container_name": "op-scim-bridge",
        "docker_id": "06e0c79868d4da30d4afd190ae737b69225582c8c8b3c6fbf3f4457727108f9a",
        "container_hash": "docker.io/1password/scim@sha256:d672c06ed2d8faa9e9bbe317324c4285970b0dbfbeca752d6ed2f34d93a8e0f7",
        "container_image": "docker.io/1password/scim:v2.9.7"
      }
    }

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

42 Views, 0 likes, 3 Comments

Configuration persistence through restarts
Hello, I've deployed SCIM Bridge on Kubernetes with Google Workspace, and it works fine. My deployment is based on https://github.com/1Password/scim-examples.

Recently, the Redis pod in the deployment failed, was destroyed, and a new pod was started. SCIM Bridge continued to work; however, I was notified that the "synced groups" that were selected in the UI were no longer selected. So, SCIM Bridge de-provisioned access for everyone in those groups. After we regained access and re-selected the synced groups, our users regained access.

My questions are:
- Why is it suggested to use a container deployment without any persistence for an application like this if there is configuration that should be retained?
- Why did we lose this configuration because of a restart in Redis?
- Is the application saving selections made in the UI in Redis? If so, shouldn't Redis data be persisted?
- How can I avoid this problem in the future?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

11 Views, 0 likes, 1 Comment

SCIM Azure UPN/Email
Hello! We have recently implemented a tiering model for servers/applications, and we are looking to do the same for 1Password. Having access codes associated with our regular account could pose a security risk. Accounts are provisioned with SCIM from Entra ID, but tiered accounts have a different email than their UPN. How can I send the invitation to a different email address?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

61 Views, 0 likes, 3 Comments

Okta SCIM Bridge Not Connecting even with Provisioning On.
Hi friends, I've been banging my head on this one since yesterday. We're on 1Password Business, and had a series of events that led us here.

- User was left in Pending and did not get automatically confirmed.
- Attempted to use access logs on SCIM bridge but unable to get in as we didn't have our bearer token.
- Attempted to regenerate tokens, but at the time didn't know how to update said tokens in SCIM bridge.
- Figured that we would spin a new GCP Kubernetes Cluster up and store the bearer token on a new integration.
- Updated the DNS record for our SCIM provisioning site with the new Cluster external IP.
- Disabled/removed the old Integration and removed it and was deferring for the new SCIM bridge.
- Turned on Provisioning Users and Groups on 1Password Admin for the Integration.
- Unable to use the bearer token in Okta to complete as we get the recurring error: "Error authenticating: No results for users returned"
- Turned off Provisioning Users and Groups, and noticed the Org users were suspended sometime during this process.
- Managed to use 1Password CLI and a slapped-together shell script to reactivate it automatically, but noticed some users were in a Recovery Pending state.

I guess I'm hoping to get some help with these questions:

- What would I be missing with getting Okta working with the SCIM bridge?
- What are the chances of going through the process to re-enabling this again that we encounter an org suspend event again?

Thanks for taking the time to read this!

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

61 Views, 0 likes, 3 Comments

SCIM Bridge sync bug
I have encountered a bug with a SCIM bridge hosted on Google Cloud.

Context: We are using Google Workspace as our IDP. The SCIM bridge is hosted on Google Cloud. While setting up the latest version of SCIM bridge (2.9.6), I have encountered a bug with syncing users with Google Workspace.

Bug: Whenever "Sync Groups" is pressed, the bridge will think for a few seconds and spit out a "Last Synced 0 (zero) users, 0 failed". The bridge is able to create groups, but will not sync any users inside the group, nor will it provision new users. The bug persists on version 2.9.5. All the credentials are current and permissions are triple checked to be working. Redeploying the bridge does not solve the issue. Downgrading to version 2.9.4 solves the issue. Please investigate.

1Password Version: 1Password for Mac 8.10.46 (81046023)
Extension Version: 8.10.46.26
OS Version: MacOS 15.0
Browser: Chrome

72 Views, 0 likes, 3 Comments

Feature request: System Administrator role
Current implementation of user/admin roles does not allow for integration management by any other user, except the owner of the account. For instance, as a systems administrator it is my job to manage the SCIM bridge and all adjacent systems in Google Workspace, however when something goes wrong, I have to go bother the owner (CEO) of the account to solve technical issues, as I have no permissions to do that.

Would it be possible to implement a System Admin role in 1Password with access to the integrations, SSO and reports but without being able to see all the vaults in the organization as the Owner can?

1Password Version: 1Password for Mac 8.10.46 (81046023)
Extension Version: 8.10.46.26
OS Version: MacOS 15.0
Browser: Chrome

21 Views, 0 likes, 1 Comment