Skip to main content

Deploy 1Password SCIM Bridge

The 1Password SCIM Bridge is a service that allows you to automate the management of users and groups in 1Password. This guide will walk you through deploying the SCIM Bridge for ECS environments.

Implementation

The implementation of this is fairly simple. We will generate credentials for the SCIM bridge in 1Password, store them in AWS SSM Parameter Store, deploy the SCIM bridge ECS service, and then finally connect your chosen identity provider.

1 Generate Credentials for your SCIM bridge in 1Password

The first step is to generate credentials for your SCIM bridge in 1Password. We will pass these credentials to Terraform and the ECS task definition to create the SCIM bridge.

  1. Log in to your 1Password account
  2. Click Integrations in the sidebar
  3. Select "Set up user provisioning"
  4. Choose "Custom"
  5. You should now see the SCIM bridge credentials. We will need the "scimsession" and "Bearer Token" for the next steps.
  6. Save these credentials in a secure location (such as 1Password) for future reference
  7. Store only the "scimsession" in AWS SSM Parameter Store. This will allow the ECS task definition to access the credentials securely. Then once the service is running, the server will ask for the bearer token to verify the connection, which we will enter at that time.
  • Open the AWS Web Console - Navigate to the target account, such as core-auto, and target region, such as us-west-2
  • Open "AWS System Manager" > "Parameter Store"
  • Create a new Secure String parameter using the credentials you generated in the previous step: /1password/scim/scimsession

There will be additional steps to complete the integration in 1Password, but first we need to deploy the SCIM bridge service.

2 Deploy the SCIM bridge ECS Service

The next step is to deploy the SCIM bridge ECS service. We will use Terraform to create the necessary resources with our existing ecs-service component. Ensure you have the ecs-service component and ecs cluster before proceeding.

If you do not have ECS prerequisites, please see the ECS layer to create the necessary resources.

  1. Create a new stack configuration for the SCIM bridge. The placement of this file will depend on your project structure. For example, you could create a new file such as stacks/catalog/ecs-services/1password-scim-bridge.yaml with the following content:

    import:
    - catalog/terraform/services/defaults

    components:
    terraform:
    1pass-scim:
    metadata:
    component: ecs-service
    inherits:
    - ecs-service/defaults
    vars:
    enabled: true
    name: 1pass-scim
    containers:
    service:
    name: op_scim_bridge
    image: 1password/scim:v2.9.5
    cpu: 128
    memory: 512
    essential: true
    dependsOn:
    - containerName: redis
    condition: START
    port_mappings:
    - containerPort: 3002
    hostPort: 3002
    protocol: tcp
    map_environment:
    OP_REDIS_URL: redis://localhost:6379
    OP_TLS_DOMAIN: ""
    OP_CONFIRMATION_INTERVAL: "300"
    map_secrets:
    OP_SESSION: "1password/scim/scimsession"
    log_configuration:
    logDriver: awslogs
    options: {}
    redis:
    name: redis
    image: redis:latest
    cpu: 128
    memory: 512
    essential: true
    restart: always
    port_mappings:
    - containerPort: 6379
    hostPort: 6379
    protocol: tcp
    map_environment:
    REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
    log_configuration:
    logDriver: awslogs
    options: {}
  2. Confirm the map_secrets value for OP_SESSION matches the AWS SSM Parameter Store path you created previously, an confirm they are in the same account and region as this ECS service component.

  3. Deploy the ECS service with Atmos:

    atmos terraform apply 1pass-scim -s core-usw2-auto

3 Validate the Integration

After deploying the SCIM bridge ECS service, verify the service is running and accessible. Connect to the VPN (if deployed the ECS service is deployed with a private ALB), navigate to the SCIM bridge URL, and confirm the service is running.

For example, go to https://1pass-scim.platform.usw1.auto.core.acme-svc.com/

4 Connect your Identity Provider

Finally, connect your identity provider to the SCIM bridge. The SCIM bridge URL will be the URL you validated in the previous step. Follow the instructions in the 1Password SCIM Bridge documentation to connect your identity provider, using the Bearer Token you generated in the first step.