Deploy 1Password SCIM Bridge on Azure Kubernetes Service

Learn how to deploy 1Password SCIM Bridge on Azure Kubernetes Service, so you can integrate with your identity provider.

Tip

If you don’t use Azure Kubernetes Service, you can still automate provisioning with Azure Container Apps or another deployment environment.


With 1Password Business, you can automate many common administrative tasks using 1Password SCIM Bridge. It uses the System for Cross-domain Identity Management (SCIM) protocol to connect 1Password with your existing identity provider, like Google Workspace, JumpCloud, Microsoft Entra ID, Okta, OneLogin, or Rippling.

Step 1: Add provisioning to your 1Password account

Before you can deploy 1Password SCIM Bridge, you’ll need to add the provisioning integration and get credentials for it. Click Get Started, sign in to your 1Password account, and follow the onscreen instructions.


If you see the details for an existing provisioning integration, you’ll need to deactivate it first. Click More Actions and choose Deactivate Provisioning.

After you complete the setup process, you’ll get a scimsession file and bearer token. Save them both in 1Password and save the scimsession file to your computer. You’ll need these to deploy the SCIM bridge and connect your identity provider.

Important

The bearer token and scimsession file you receive during setup can be used together to access information from your 1Password account. You’ll need to share the bearer token with your identity provider, but it’s important to never share it with anyone else. And never share your scimsession file with anyone at all.

Step 2: Create and configure the Kubernetes cluster

2.1: Gather information about your environment

  1. Sign in to your account on the Microsoft Azure portal.

  2. Click the Cloud Shell in the top right.

  3. Get a list of your Azure subscriptions:

     az account list -o table
    
  4. Find a subscription you’d like to use for the SCIM bridge deployment, then make note of its Name or SubscriptionID.

  5. Get a list of the available locations in your Azure account:

     az account list-locations -o table
    
  6. Find your preferred server location (region) for the deployment and make note of its Name, such as eastus.

  7. Choose an existing resource group or create a new one.

    • To get a list of the existing resource groups:

        az group list -o table
      
    • To create a new resource group:

        az group create --name <desiredName> --location <locationName>
      
  8. Make note of the name of the resource group you want to use for the deployment.

After you complete these steps, you should have the following details:

  • Subscription Name or SubscriptionID.
  • Location (region).
  • Resource group name.

2.2: Create the cluster

The SCIM bridge must run on an Azure Kubernetes Service cluster. To create that cluster, copy the command for your shell into a text editor and replace the <placeholders> with the values you noted in step 2.1.

Bash:

az aks create -n op-scim \
	--enable-cluster-autoscaler \
	--node-count 1 \
	--min-count 1 \
	--max-count 3 \
	--node-vm-size Standard_B2s \
	--load-balancer-sku basic \
	--node-osdisk-size 32 \
	--resource-group <resourceGroupName> \
	--generate-ssh-keys

PowerShell:

az aks create -n op-scim `
	--enable-cluster-autoscaler `
	--node-count 1 `
	--min-count 1 `
	--max-count 3 `
	--node-vm-size Standard_B2s `
	--load-balancer-sku basic `
	--node-osdisk-size 32 `
	--resource-group <resourceGroupName> `
	--generate-ssh-keys

After you edit the command for your deployment, run it in the Cloud Shell. It may take a few minutes for Azure to create your cluster.

When you see a shell notification that the cluster has been created, continue to the next step.

Step 3: Set up and deploy 1Password SCIM Bridge

Tip

If you manage more than 1,000 team members, refer to the resource recommendations appendix on GitHub to customize your deployment for your needs.

3.1: Connect to your Kubernetes cluster

  1. Open the Kubernetes Services page.
  2. Click the name of the cluster you just created. If you kept the name in the template above, it will be called op-scim.
  3. Click Connect at the top of the page, then click Open Cloud Shell to connect to the cluster.

    If you already have the Cloud Shell open, run the Set the cluster subscription and Download cluster credentials commands listed in the Connect pane.

3.2: Clone the scim-examples repository

All the configuration files you need to deploy the SCIM bridge are available in the scim-examples repository on GitHub.

Change to the directory where you want to clone the repository, then run the following command:

git clone https://github.com/1Password/scim-examples.git

Change to the Kubernetes directory in the cloned repository:

cd scim-examples/kubernetes

3.3: Upload your scimsession file

Before you create the Kubernetes Secret, upload your scimsession file to the Cloud Shell:

  1. Click the Upload/Download files button and choose Upload.
  2. Find the scimsession file that you saved to your computer and choose it.
  3. Make note of the upload destination, then click Complete.


3.4: Create the Kubernetes Secret

Run the following command to create the Kubernetes Secret from the uploaded scimsession file:

  • Bash:

      kubectl create secret generic scimsession --from-file=scimsession=/home/$USER/scimsession
    
  • PowerShell:

      kubectl create secret generic scimsession --from-file=scimsession=/home/$Env:USER/scimsession
    

3.5: Deploy 1Password SCIM Bridge

1Password SCIM Bridge uses a Redis instance to store and cache your Let’s Encrypt TLS certificate. Deploy the configuration, 1Password SCIM Bridge, Redis, and the load balancer with the following command:

kubectl apply -f .

3.6: Create the DNS record

1Password SCIM Bridge requires a public DNS record on a domain you manage. Before you create the DNS record, get the external IP address of the load balancer:

kubectl get services

If you don’t see the IP address in the External IP column, wait a few minutes and try again.

Add an A record that points to the public IP address for the load balancer. For example, if your domain is example.com, use scim.example.com.

Tip

All SCIM bridge traffic uses port 443. If you use Azure Firewall or are restricting ingress to 1Password SCIM Bridge, open port 443 for your Azure Kubernetes cluster. Let’s Encrypt requires ingress on port 443 to renew the TLS certificate every 60 days.

3.7: Configure and enable Let’s Encrypt

1Password SCIM Bridge uses a TLS certificate provided by Let’s Encrypt to secure communication with your identity provider.

Set the fully qualified domain name (FQDN) from the DNS record you created in the previous step (for example: scim.example.com) as the value of OP_TLS_DOMAIN:

kubectl set env deploy/op-scim-bridge OP_TLS_DOMAIN=scim.example.com

Step 4: Test your SCIM bridge

Important

Before you connect the SCIM bridge to your identity provider, make sure you can connect to the SCIM bridge:

  • over a secure (HTTPS) connection
  • with a valid TLS certificate

To check that the DNS has propagated and the SCIM bridge is deployed successfully, visit the domain you configured in the previous step in your browser. You’ll see a 1Password SCIM Bridge status page. Enter your OAuth bearer token to verify it’s correct.

Use your bearer token and domain (for example: scim.example.com) to test the connection to 1Password:

curl --header "Authorization: Bearer <bearer_token>" https://<domain>/scim/Users

If you see a list of the users in your 1Password account, your SCIM bridge is deployed correctly.
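The checks in steps 3.6 and 4 can be scripted. The following is an added example, not part of 1Password’s scim-examples repository; it assumes the load balancer Service created by `kubectl apply -f .` is named op-scim-bridge, and the sample outputs and IP address embedded in it are constructed for self-checks.

```shell
#!/usr/bin/env bash
# Added verification script, not part of 1Password's scim-examples repository.
# Assumes the load balancer Service created by `kubectl apply -f .` is named
# op-scim-bridge (the name the page's `kubectl set env deploy/op-scim-bridge` uses).
set -eu
# Constructed sample of `kubectl get services` output, used only for self-checks.
SAMPLE_SERVICES='NAME             TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kubernetes       ClusterIP      10.0.0.1     <none>        443/TCP         9m
op-scim-bridge   LoadBalancer   10.0.12.34   20.30.40.50   443:31234/TCP   2m
redis            ClusterIP      10.0.56.78   <none>        6379/TCP        2m'
# Same service while Azure is still allocating the public IP (constructed).
SAMPLE_PENDING='NAME             TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
op-scim-bridge   LoadBalancer   10.0.12.34   <pending>     443:31234/TCP   20s'
# Constructed SCIM ListResponse body (the shape /scim/Users returns) and a non-SCIM reply.
SAMPLE_USERS='{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":2,"Resources":[{"id":"c1","userName":"alice@example.com"},{"id":"c2","userName":"bob@example.com"}]}'
SAMPLE_NOT_SCIM='<html><body>401 Unauthorized</body></html>'

# Print the EXTERNAL-IP of a service from `kubectl get services` output on stdin.
# Returns 1 (prints nothing) while the column still reads <pending> or <none>.
external_ip_from_services() {           # $1 = service name
  awk -v svc="$1" '$1 == svc { print $4 }' | grep -E '^[0-9]+(\.[0-9]+){3}$' || return 1
}

# Succeed only if stdin looks like a SCIM 2.0 ListResponse with a numeric totalResults;
# an HTML login or error page (wrong token, certificate not issued yet) fails here.
scim_list_response_ok() {
  local body; body="$(cat)"
  printf '%s' "$body" | grep -q 'urn:ietf:params:scim:api:messages:2.0:ListResponse' || return 1
  printf '%s' "$body" | grep -Eq '"totalResults"[[:space:]]*:[[:space:]]*[0-9]+'    || return 1
}

# Step 4 end to end: load balancer IP, DNS A record, valid TLS, authenticated SCIM call.
verify_scim_bridge() {                  # $1 = scim.example.com, $2 = bearer token
  local domain="$1" token="$2" ip
  ip="$(kubectl get services | external_ip_from_services op-scim-bridge)" \
    || { echo "load balancer IP still pending; wait a few minutes and retry" >&2; return 1; }
  getent hosts "$domain" | awk -v ip="$ip" '$1 == ip { ok = 1 } END { exit !ok }' \
    || { echo "$domain does not resolve to $ip; check the A record" >&2; return 1; }
  # No --insecure: curl only succeeds once the Let's Encrypt certificate is valid.
  curl -fsS --max-time 15 -o /dev/null "https://$domain/" \
    || { echo "HTTPS to $domain failed; certificate may not be issued yet" >&2; return 1; }
  curl -fsS --max-time 15 -H "Authorization: Bearer $token" "https://$domain/scim/Users" \
    | scim_list_response_ok \
    || { echo "/scim/Users did not return a SCIM ListResponse; check the token" >&2; return 1; }
  echo "OK: $domain -> $ip, TLS valid, /scim/Users answered with a SCIM ListResponse"
}

# Usage in Cloud Shell: ./verify.sh verify scim.example.com "$BEARER_TOKEN"  (token from step 1)
if [ "${1:-}" = "verify" ]; then verify_scim_bridge "$2" "$3"; fi
```

Run it after step 3.7; each failing check names the step to revisit, and the bearer token is only ever sent in the Authorization header over HTTPS.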

Step 5: Connect your identity provider to the SCIM bridge

Important

If you’ve already been using 1Password Business, make sure the email addresses and group names in your 1Password account are identical to those in your identity provider.

  • If anyone is using a different email address in 1Password, ask them to change it.
  • If you have existing groups in 1Password that you want to sync with groups in your identity provider, adjust the group names in 1Password.

Because 1Password SCIM Bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authorization, you can use it with a variety of identity providers.

User guides

Learn how to connect your identity provider:

  • Google Workspace
  • JumpCloud
  • Microsoft Entra ID
  • Okta
  • OneLogin
  • Rippling

Get help

Get help with the SCIM bridge, like if you lose your bearer token or session file.

To get more help or share feedback, contact 1Password Business Support or join the discussion with the 1Password Support Community.
