Migrate from 1Password SCIM Bridge to hosted provisioning

When you set up automated provisioning, 1Password SCIM Bridge connects your 1Password account with your identity provider so you can create and manage users and groups. You can simplify the connection by migrating to automated provisioning hosted by 1Password.

Automated provisioning hosted by 1Password currently supports Entra ID and Okta. To migrate your 1Password account to hosted provisioning, follow the steps below.

Überlegungen

When you migrate to hosted provisioning, consider the impact it will have on your account:

• Your team’s 1Password account will connect to a SCIM bridge hosted by 1Password.
• You’ll reconnect your identity provider to 1Password with a new SCIM URL and bearer token.
• You won’t be able to switch back to your own self-hosted SCIM bridge on the account. Hosted provisioning is designed differently than 1Password SCIM Bridge, and your account won’t be compatible with the self-hosted SCIM bridge after you migrate.
• The migration may take some time to complete. You can leave the page in the meantime.
• Hosted provisioning won’t manage groups that have the Recover Accounts or Manage All Groups permissions. This is a security feature to prevent provisioning from having account-wide cryptographic access.
• Users will be confirmed without a delay. With a self-hosted SCIM bridge, there is a 5-minute delay in user confirmation after they sign up, but with hosted provisioning, team members are provisioned immediately after they complete the confirmation flow. Hosted provisioning’s immediate confirmations are more secure than a SCIM bridge’s automated confirmations because the end-user proves their identity when they accept the invitation.

Limitations

There are also some limitations to consider:

• User management with 1Password CLI isn’t supported when hosted provisioning is turned on. Support will be added in the future.
• 1Password MSP accounts aren’t currently supported.

Requirements

When you’re ready to migrate to hosted provisioning, you’ll need to:

• Zu der Gruppe Eigentümer oder Administratoren in deinem 1Password Business-Konto gehören.
• Administratorberechtigungen in deinem Identitätsanbieter haben.
• Make sure all existing 1Password team member email address domains are in the allowed domains list. Public domains, such as gmail.com, aren’t currently supported.

Step 1: Switch to hosted provisioning in 1Password

1. Melde dich an, bei deinem Konto auf 1Password.com.
2. Select Integrations in the sidebar, then select Automated User Provisioning.
3. Select Switch to hosted provisioning, then select Start setup.
4. Select Set up hosted provisioning.
5. Save your credentials in 1Password in case you need them in the future, then select Next.
6. Leave this page open and continue to step 2.

Step 2: Update the integration in your identity provider

Entra ID

These steps were recorded in March 2026 and may have changed since. Refer to the Microsoft documentation for the most up-to-date steps.

Sign in to your account on the Microsoft Azure portal and follow these steps:

1. Wähle Microsoft Entra ID aus und dann in der Seitenleiste Unternehmensanwendungen  .
2. Select the 1Password EPM application.
3. Select Provisioning in the sidebar, then select the Get started tab and select Connect your application.
4. Fülle die folgenden Felder aus:
   • Tenant URL: Copy and paste your SCIM URL from the hosted provisioning setup page (not your 1Password account sign-in address). Do not include a trailing slash. For example: https://provisioning.1password.com/scim/v2.
   • Secret token: Copy and paste your bearer token from the hosted provisioning setup page.
5. Wähle Verbindung testen, dann Erstellen und warte einen Moment, bis die Verbindung hergestellt ist.

Okta

These steps were recorded in March 2026 and may have changed since. Refer to the Okta documentation for the most up-to-date steps.

Sign in to your account on Okta.com , select Admin in the top right, and follow these steps:

1. Select Applications > Applications in the sidebar.
2. Search for the 1Password provisioning application and select it.
3. Select the Provisioning tab, then select Integration.
4. Select Edit.
5. Fülle die folgenden Felder aus:
   • Base URL: Copy and paste your SCIM URL from the hosted provisioning setup page (not your 1Password account sign-in address). Do not include a trailing slash. For example: https://provisioning.1password.com/scim/v2.
   • API Token: Copy and paste your bearer token from the hosted provisioning setup page.
6. Select Test API Credentials. After it’s complete, select Save.
7. Go back to the hosted provisioning setup tab in 1Password and select Done.

Map the displayName attribute

After you set up the application, you’ll need to add mapping for the displayName attribute in Okta. This will make sure that user display names in 1Password are updated from Okta.

On the Provisioning tab, follow these steps:

1. Select Go to Profile Editor, then select Add Attribute.
2. Fill in the following fields:
   • Display name: Enter DisplayName.
   • Variable name: Enter displayName.
   • External namespace: Copy and paste the following: urn:ietf:params:scim:schemas:core:2.0:User
3. Select Save, then select Mappings.
4. Select the Okta User to 1Password … tab.
5. Map the displayName attribute to displayName.
6. Select Save Mappings > Apply updates.

Step 3: Decommission your SCIM Bridge

After you’ve migrated to hosted provisioning, you can decommission your SCIM Bridge and phase out the infrastructure you deployed it on.

Unterstützung erhalten

If you need to manage team members with 1Password CLI, you’ll need to turn off hosted provisioning. You’ll be able to use 1Password CLI and hosted provisioning together in the future.

Mehr erfahren

• About the security of automated provisioning (hosted by 1Password)

Freut mich, das zu hören! Wenn du etwas hinzufügen möchtest, zögere nicht, uns zu kontaktieren.

Tut mir leid, das zu hören. Bitte kontaktiere uns, wenn du uns mehr darüber erzählen möchtest.