Deploy 1Password SCIM Bridge
The 1Password SCIM Bridge is a service that allows you to automate the management of users and groups in 1Password. This guide will walk you through deploying the SCIM Bridge for ECS environments.
Implementation
The implementation of this is fairly simple. We will generate credentials for the SCIM bridge in 1Password, store them in AWS SSM Parameter Store, deploy the SCIM bridge ECS service, and then finally connect your chosen identity provider.
1 Generate Credentials for your SCIM bridge in 1Password
The first step is to generate credentials for your SCIM bridge in 1Password. We will pass these credentials to Terraform and the ECS task definition to create the SCIM bridge.
- Log in to your 1Password account
- Click Integrations in the sidebar
- Select "Set up user provisioning"
- Choose "Custom"
- You should now see the SCIM bridge credentials. We will need the "scimsession" and "Bearer Token" for the next steps.
- Save these credentials in a secure location (such as 1Password) for future reference
- Store only the "scimsession" in AWS SSM Parameter Store. This will allow the ECS task definition to access the credentials securely. Then once the service is running, the server will ask for the bearer token to verify the connection, which we will enter at that time.
- Open the AWS Web Console - Navigate to the target account, such as
core-auto
, and target region, such asus-west-2
- Open "AWS System Manager" > "Parameter Store"
- Create a new Secure String parameter using the credentials you generated in the previous step:
/1password/scim/scimsession
There will be additional steps to complete the integration in 1Password, but first we need to deploy the SCIM bridge service.
2 Deploy the SCIM bridge ECS Service
The next step is to deploy the SCIM bridge ECS service. We will use Terraform to create the necessary resources with our existing ecs-service
component. Ensure you have the ecs-service
component and ecs
cluster before proceeding.
If you do not have ECS prerequisites, please see the ECS layer to create the necessary resources.
-
Create a new stack configuration for the SCIM bridge. The placement of this file will depend on your project structure. For example, you could create a new file such as
stacks/catalog/ecs-services/1password-scim-bridge.yaml
with the following content:import:
- catalog/terraform/services/defaults
components:
terraform:
1pass-scim:
metadata:
component: ecs-service
inherits:
- ecs-service/defaults
vars:
enabled: true
name: 1pass-scim
containers:
service:
name: op_scim_bridge
image: 1password/scim:v2.9.5
cpu: 128
memory: 512
essential: true
dependsOn:
- containerName: redis
condition: START
port_mappings:
- containerPort: 3002
hostPort: 3002
protocol: tcp
map_environment:
OP_REDIS_URL: redis://localhost:6379
OP_TLS_DOMAIN: ""
OP_CONFIRMATION_INTERVAL: "300"
map_secrets:
OP_SESSION: "1password/scim/scimsession"
log_configuration:
logDriver: awslogs
options: {}
redis:
name: redis
image: redis:latest
cpu: 128
memory: 512
essential: true
restart: always
port_mappings:
- containerPort: 6379
hostPort: 6379
protocol: tcp
map_environment:
REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
log_configuration:
logDriver: awslogs
options: {} -
Confirm the
map_secrets
value forOP_SESSION
matches the AWS SSM Parameter Store path you created previously, an confirm they are in the same account and region as this ECS service component. -
Deploy the ECS service with Atmos:
atmos terraform apply 1pass-scim -s core-usw2-auto
3 Validate the Integration
After deploying the SCIM bridge ECS service, verify the service is running and accessible. Connect to the VPN (if deployed the ECS service is deployed with a private ALB), navigate to the SCIM bridge URL, and confirm the service is running.
For example, go to https://1pass-scim.platform.usw1.auto.core.acme-svc.com/
4 Connect your Identity Provider
Finally, connect your identity provider to the SCIM bridge. The SCIM bridge URL will be the URL you validated in the previous step. Follow the instructions in the 1Password SCIM Bridge documentation to connect your identity provider, using the Bearer Token you generated in the first step.