Skip to main content
May 11, 2022
Question

SCIM bridge doesn't deprovision OneLogin users

  • May 11, 2022
  • 1 reply
  • 144 views

With the 1Password SCIM bridge v.2.3.1, deployed in GCP and using OneLogin as the IDP, we're seeing that new users are provisioned successfully but when users are suspended in OneLogin, this does not carry over to 1Password. The SCIM bridge status page is all green, and looking at the debug logs it seems like it sees the suspended user and attempts to delete but this doesn't actually happen. The 401 at the beginning of this snippet might also be relevant but I could use some help diagnosing what's going on. Thank you!


{"level":"debug","version":"2.3.1","build":"203011","application":"op-scim","component":"CertificateManager","domain":"x.x.x.x","time":"2022-05-10T19:05:14Z","message":"certificate manager obtained certificate"}
{"level":"debug","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","error":"failed to touch session: failed to DoEncrypted: Authorization: (401) (Unauthorized), You aren't authorized to perform this action.","time":"2022-05-10T19:05:15Z","message":"failed to verify session"}
{"level":"debug","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","idp":"OneLogin","time":"2022-05-10T19:05:15Z","message":"connected to IDP"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","time":"2022-05-10T19:05:15Z","message":"generating new session"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","time":"2022-05-10T19:05:15Z","message":"generated new session"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","user":"MANQGK6LCZADLFFVWZD7YJKXAU","time":"2022-05-10T19:05:15Z","message":"suspended user"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","remote_addr":"10.150.0.30","status":200,"duration":512.087624,"size":0,"method":"DELETE","path":"/Users/MANQGK6LCZADLFFVWZD7YJKXAU","time":"2022-05-10T19:05:15Z","message":"HTTP request"}


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

1 reply

ag_alice_t
1Password Employee
May 16, 2022

Hi @jchafin, apologies for the delay in response.

The 401 log line is a known red-herring. It does not affect the operation of the bridge, as you can see that bridge successfully generated new session a few lines later. That means the bridge successfully re-established a connection to our backend. We're looking to de-emphasize that unnecessarily-worrying warning message in a future release.

Beyond that, according to our logs and the user state in backend for that UUID, the user was indeed suspended by Automated User Provisioning at the exact timestamp listed in the logs you provided.

Could you elaborate on what you're seeing that doesn't line up with your expectations?