Hi @devwit:
Thanks for sharing your feedback. The short version is that 1Password operates a little differently than most other SCIM-enabled applications.
In short, your 1Password account can only be managed (which includes adding or removing users or groups, or assigning groups to users) if you have the encryption key for your 1Password data.
If your personal encryption key is stored on your device, how can 1Password and IdPs automatically carry out SCIM-related operations?
One of our strongest beliefs is that your encryption keys should never come anywhere close to our servers. We don't want the ability to decrypt your data. This is why the SCIM bridge exists. Because making changes to your 1Password account requires the ability to decrypt your data, it isn't possible for us to have something like your-company.scim.1password.com. If SCIM provisioning was implemented like that, 1Password (the company) would have the ability to decrypt your data.
Because of this, it's necessary to use 1Password SCIM Bridge. 1Password SCIM Bridge is hosted on your infrastructure (either a cloud provider like Google Cloud Platform, AWS, Azure or a server you control), and has decryption keys to manage users. This means that your identity provider can talk to the SCIM bridge, and treat it like any other SCIM-enabled application, without having to provide decryption keys to either your identity provider, or 1Password.
Let me know if that makes sense.
Jack