Hello! We recently set up a 1Password SCIM Bridge on Google Cloud Platform (GCP) through marketplace. It had been working fine up until today, when the bearer token no longer worked. The error we're getting is: Error occured when logging in. failed to create session We have health monitoring turned on, and the status is good and actively checking. However, new users being added to a managed group aren't being added to 1Password and, as mentioned, we also can't login to the SCIM bridge to look at logs/syncs. 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser:_ Not Provided

Hi huyngo, my apologies for the late response. I'm Laz, a developer on the SCIM bridge. Its very unusual for the bearer token to suddenly stop working. Are you the only administrator of the account? If not, its possible that someone else went onto the account and accidentally invalidated / regenerated the bearer token. Regardless, if you go into the integration page you are able to regenerate a new bearer token and then configure it on your IdP and then swap out the token on the bridge. Sorry to hear that this has happened to you! I wish I could offer more direct advise, but as you said its hard to determine anything 100% without seeing the logs

We've also encountered this a couple times now, running 2.6.2. The first time this happened, I ended up performing a complete redeploy on GCP to get this working again with Google Workspace. This has now happened again. This usually manifests first when I noticed that group changes haven't synced correctly to 1Password, then I attempt to sign into the SCIM bridge to manually sync things, except that I cannot because of this "failed to create session" error. I'm now attempting to regenerate credentials. Could you provide documentation on the specific steps you mentioned: "and then configure it on your IdP and then swap out the token on the bridge"?

After some more digging into this and speaking to colleagues there may be an alternative, simpler workaround (until we get in a permanent fix for this, of course). If you are able go into the bridge UI and disable Workspace (this can be done by removing your credentials file or configuration), then re-enable it by replacing the same data it will cause the Workspace server to restart and likely fix the issue. If this doesn't work, the specific documentation can be found in the https://support.1password.com/scim-troubleshooting/ guide. Hope this helps!

@"laz.h_1P" For what it's worth, when in this state, it's not possible to sign into the SCIM bridge at all. I ended up removing and recreating the cluster and redeploying the SCIM bridge to get things working again—I'm getting pretty good at it due to this issue. Do you anticipate a fix to this issue so that we can reliably use the SCIM bridge going forward? It's hard to justify paying the ongoing expense of a cluster that sits unused an not syncing our users and groups after some unpredictable period of time.

timchambers I'm very sorry to hear about the continual problems we're having. There's a clear issue with our current deployment and we are working to get a permanent fix release ASAP. There is something that we suspect is causing this issue related to filesystem permissions. Since I can't see your logs, its impossible for me to be 100% certain that this is the same problem. Regardless, you can try this fix below: ``` Upgrade to 2.6.2 (if you need to) kubectl set image deploy/op-scim-bridge-1 op-scim-bridge-1=1password/scim:v2.6.2 Patch initContainer command args kubectl patch deploy/op-scim-bridge-1 -p='{"spec":{"template":{"spec":{"initContainers":[{"name":"opuser-home-permissions","args":["mkdir -p /home/opuser/.op && chown -R 999 /home/opuser && chmod 700 /home/opuser && chmod 700 /home/opuser/.op && umask 177 /home/opuser/.op"]}]}}}}' Change existing config file permissions kubectl exec -it deploy/op-scim-bridge-1 -c op-scim-bridge-1 -- chmod 600 /home/opuser/.op/config ``` If after running the commands, you're still having trouble with the SCIM bridge, download your SCIM bridge logs following the instructions here (doesn't require your bearer token): https://support.1password.com/cs/scim-logs/ Attach them in a message to mailto:businesssupport@1password.com, and my colleagues will be able to take a closer look. We're currently tracking this problem for other customers and would love to give direct help as it will also help us permanently resolve the issue faster. Thanks a ton for your patience, and our apologies again for the broken version.

Unable to login to SCIM Bridge [GCP]

16 Replies

Jack_P_1P
1Password Team
3 years ago
Hi @tnam10:

Thanks for emailing everything in! We'll be in touch soon, so keep an eye out.

Jack
Former Member
3 years ago
Hey Jack_P_1P ,

I'm having a similar issue to the post above. The Bridge logs show the error as:
{"level":"error","version":"2.7.0","build":"207001","application":"op-scim","request_id":"ces89eq03vucv0bl270g","error":"Server: (failed to GetCurrentUserWithGroupMemberships), Wrapped: (failed to Account.GetInfo), session is no longer valid, or missing credentials to authenticate","time":"2023-01-06T21:28:51Z","message":"failed to SyncGroups"}

I set up our Bridge SCIM configuration using GCP this morning and was successful (or so I thought). After about 10-20 min it would stop syncing. Following @huyngo advice, I also deleted/recreated the JSON key, which got it working again for another 30 min or so before it stopped syncing with the same error. Could you please assist me with this?

I sent an email to mailto:businesssupport@1password.com and included the Bridge logs, GCP logs as well as a link to this page (+ my username) just now.

Thank you for the help!

Tenzin
Former Member
3 years ago
Jack_P_1P Thank you! Going to upgrade now. Incidentally, we lost access to the SCIM bridge dashboard again (says the bearer token is no longer valid), so perfect opportunity to upgrade. I'll update if anything looks off afterwards.
Jack_P_1P
1Password Team
3 years ago
Hi @chravtacque:

Version 2.7.0 of 1Password SCIM Bridge contains the fix for the issue my colleague Laz referred to earlier. Let me know if you're still having trouble with the SCIM bridge, and I'll be able to take a closer look.

Jack
Former Member
3 years ago
Jack_P_1P Any ideas when the new release will be available?
Jack_P_1P
1Password Team
3 years ago
Hi @huyngo:

You're very welcome! We're investigating this behavior, so please do reach out directly if you run into trouble again so we can take a closer look.

Jack
Former Member
3 years ago
Jack_P_1P Ahh, thanks for the quick response, Jack! We managed to fix it by going into the scim bridge, then deleting the credentials json and reuploading after looking through the logs and seeing this error:
{"level":"error","version":"2.6.2","build":"206022","application":"op-scim","request_id":"cdmnvg4hhkfl5rpsrnkg","error":"Server: (failed to GetCurrentUserWithGroupMemberships), Wrapped: (failed to Account.GetInfo), session is no longer valid, or missing credentials to authenticate","time":"2022-11-18T23:13:59Z","message":"failed to SyncGroups"}

We figured that deleting/readding the JSON would trigger a session refresh and it did. Not sure if sessions should be refreshed automatically or not, but we'll just periodically refresh it manually/whenever the problem shows up again.
Jack_P_1P
1Password Team
3 years ago
Hi @huyngo:

In that case, reaching out to us directly via businesssupport@1password.com would be your best bet. Include logs from your SCIM bridge, and we'll be able to take a closer look.

https://support.1password.com/cs/scim-logs/

Jack
Former Member
3 years ago
Hi, sorry for the late response! Thanks for following up. We ended up doing the same thing as timchambers, completely redeployed a new cluster and scim bridge.

Right now we're running into a problem where we can still log into the scim bridge and everything looks fine, but user provisioning isn't happening in 1Password. The scim bridge is working, and health monitoring for the Google Workspace integration is good, but the managed groups aren't provisioning new users.

@"laz.h_1P" any advice on this?
Former Member
3 years ago
Hi @chravtacque,

Thanks for writing in. Sorry to hear that you are also experiencing this issue. For now, the best that I can suggest is the temporary workaround as you found. We have identified the root issue and will be including a permanent fix in the next release. Thank you for your continued patience

Forum Discussion

Unable to login to SCIM Bridge [GCP]

16 Replies

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

op completion zsh hangs forever

1Password CLI vulnerability?

Support for SSH Certificates (2024)

Please make the CLI examples more secure

macOS 26 beta browser extension very slow to open