ComplianceBBS
3 months ago
New Contributor
Help with 1Password SSO Unlock Across Multiple Desktops
Hi, I’m looking for some assistance with 1Password in a small office environment (around 45–50 desktops) that runs Hybrid AD. We’ve enabled Unlock with SSO, and it works fine on a user’s first works...
1P_Dave
Moderator
2 months ago
Hello ComplianceBBS! 👋
Thanks for the question! If your users need to sign in to 1Password on a new device when using SSO, they’ll need to use the 1Password app on an existing device to transfer the encryption key. You can read more here:
The requirement to transfer the encryption key from an existing device is fundamental to 1Password's end-to-end encryption that ensures that no one, not your identity provider or 1Password itself, can ever access your organization's information.
Are you using a VDI (Virtual Desktop Infrastructure) environment for these employees? If you are, then have you looked into creating a roaming profile that will persist the user's 1Password data as they move from one workstation to another?
If you persist 1Password data for your users for their user profile, then they wouldn't need to set up 1Password again when they sign in on a new workstation using their roaming profile: Use 1Password in a virtual desktop environment
-Dave
- timrefw
New Contributor
2 months ago
We have the same problem and 1Password does not have a solution.
Perhaps 1Password could consider integrating with native operating system tools like OneDrive? That would make the entire process much less painful.
Another option would be to configure something in the 1Password portal, allowing devices to auto authenticate for the next "15 minutes" when coming from a known IP address.
- 1P_Dave
Moderator
2 months ago
Thanks for the reply. Unlike other services, 1Password's security doesn't just rely on authentication but on encryption. The encryption key needs to be transferred to the device that you're using from an existing device in order for the 1Password app to be able to decrypt your data into a readable and usable form.
Can you tell me a little more about how you deploy 1Password across your organization? Have you considered using roaming profiles like I described in my previous post? I look forward to hearing from you.
-Dave
- timrefw
New Contributor
2 months ago
Hi Dave,
We use Microsoft 365 with Entra joined Windows 10/11 computers, using SSO with Entra ID for 1Password authentication.
1Password is deployed via Intune via command line MSI install (MANAGED_UPDATE=1 MANAGED_INSTALL=1)
Roaming profiles are a legacy technology which assumes one or more local Active Directory environment(s) with access to common file share(s).
Since we have multiple locations and remote workers, we opted for the more modern approach: all computers are joined to Entra ID (not to Active Directory).
We already utilize "Known Folder Move" which leverages OneDrive/SharePoint to sync "Desktop", "Documents", "Pictures", but that does not capture the AppData folder and its subfolders.
https://learn.microsoft.com/en-us/sharepoint/redirect-known-folders
Instead of roaming profiles, does / could 1Password support synchronization of the encryption key(s) using Enterprise State Roaming?
https://learn.microsoft.com/en-us/entra/identity/devices/enterprise-state-roaming-enable