Skip to main content
Sponsor @cloudposse

Deploy 1Password SCIM Bridge

The 1Password SCIM Bridge is a service that allows you to automate the management of users and groups in 1Password. This guide will walk you through deploying the SCIM Bridge for ECS environments.

Implementation

The implementation of this is fairly simple. We will generate credentials for the SCIM bridge in 1Password, store them in AWS SSM Parameter Store, deploy the SCIM bridge ECS service, and then finally connect your chosen identity provider.

1 Generate Credentials for your SCIM bridge in 1Password

The first step is to generate credentials for your SCIM bridge in 1Password. We will pass these credentials to Terraform and the ECS task definition to create the SCIM bridge.

  1. Log in to your 1Password account
  2. Click Integrations in the sidebar
  3. Select "Set up user provisioning"
  4. Choose "Custom"
  5. You should now see the SCIM bridge credentials. We will need the "scimsession" and "Bearer Token" for the next steps.
  6. Save these credentials in a secure location (such as 1Password) for future reference
  7. Store only the "scimsession" in AWS SSM Parameter Store. This will allow the ECS task definition to access the credentials securely. Then once the service is running, the server will ask for the bearer token to verify the connection, which we will enter at that time.
  • Open the AWS Web Console - Navigate to the target account, such as core-auto, and target region, such as us-west-2
  • Open "AWS System Manager" > "Parameter Store"
  • Create a new Secure String parameter using the credentials you generated in the previous step: /1password/scim/scimsession

There will be additional steps to complete the integration in 1Password, but first we need to deploy the SCIM bridge service.

2 Deploy the SCIM bridge ECS Service

The next step is to deploy the SCIM bridge ECS service. We will use Terraform to create the necessary resources with our existing ecs-service component. Ensure you have the ecs-service component and ecs cluster before proceeding.

If you do not have ECS prerequisites, please see the ECS layer to create the necessary resources.

  1. Create a new stack configuration for the SCIM bridge. The placement of this file will depend on your project structure. For example, you could create a new file such as stacks/catalog/ecs-services/1password-scim-bridge.yaml with the following content:

    import:
      - catalog/terraform/services/defaults

    components:
      terraform:
        1pass-scim:
          metadata:
            component: ecs-service
            inherits:
              - ecs-service/defaults
          vars:
            enabled: true
            name: 1pass-scim
            containers:
              service:
                name: op_scim_bridge
                image: 1password/scim:v2.9.5
                cpu: 128
                memory: 512
                essential: true
                dependsOn:
                  - containerName: redis
                    condition: START
                port_mappings:
                  - containerPort: 3002
                    hostPort: 3002
                    protocol: tcp
                map_environment:
                  OP_REDIS_URL: redis://localhost:6379
                  OP_TLS_DOMAIN: ""
                  OP_CONFIRMATION_INTERVAL: "300"
                map_secrets:
                  OP_SESSION: "1password/scim/scimsession"
                log_configuration:
                  logDriver: awslogs
                  options: {}
              redis:
                name: redis
                image: redis:latest
                cpu: 128
                memory: 512
                essential: true
                restart: always
                port_mappings:
                  - containerPort: 6379
                    hostPort: 6379
                    protocol: tcp
                map_environment:
                  REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
                log_configuration:
                  logDriver: awslogs
                  options: {}

  2. Confirm the map_secrets value for OP_SESSION matches the AWS SSM Parameter Store path you created previously, an confirm they are in the same account and region as this ECS service component.

  3. Deploy the ECS service with Atmos:

    atmos terraform apply 1pass-scim -s core-usw2-auto

3 Validate the Integration

After deploying the SCIM bridge ECS service, verify the service is running and accessible. Connect to the VPN (if deployed the ECS service is deployed with a private ALB), navigate to the SCIM bridge URL, and confirm the service is running.

For example, go to https://1pass-scim.platform.usw1.auto.core.acme-svc.com/

4 Connect your Identity Provider

Finally, connect your identity provider to the SCIM bridge. The SCIM bridge URL will be the URL you validated in the previous step. Follow the instructions in the 1Password SCIM Bridge documentation to connect your identity provider, using the Bearer Token you generated in the first step.