
Rollout plan

Align on your rollout goals and stakeholders

What do you hope to accomplish with your rollout of Unlock 1Password with SSO? For example, your goal might simply be to validate that Unlock with SSO works for your company use cases in a certain amount of time. Pinpoint how to monitor and measure your success, and the 1Password team can help you track against your goals.

With a firm understanding of your goals, engage your internal stakeholders. Consider adding stakeholders to the table below to get started:

SO: Sign-off on the rollout, R: Review project and provide input, I: Informed of this project

| Name | Role | Project Ownership |
| --- | --- | --- |
| Enter name and email | IT Support Manager: A representative from the IT support organization who can provide input from an admin and help desk perspective. | SO |
| Enter name and email | Security Owner: A representative from the security team that can sign off that the plan will meet the security requirements of your organization. | SO |
| Enter name and email | Enter role | Enter ownership |

Ensure each stakeholder has appropriate access to the Policies tab in 1Password so they can reach the Unlock with Identity Provider configuration page. By default, admins and owners have access to the page, which is required to complete an SSO integration.

Consider your implementation approach

Once Unlock 1Password with SSO is enabled, it will be required for enrolled users. Users who are required to sign in with SSO will get an email once your configuration is saved. The email will prompt your team to connect their 1Password accounts with your identity provider.

A user who has not yet linked their 1Password account to their identity provider will be prompted to link them at their next login, or if they're already logged in, they'll see a sign-in page when they try to access their vaults or items. If not planned and communicated clearly, your rollout could cause confusion and disruption for your team members. Consider these best practices:

1. Plan which users will be unlocking 1Password with SSO.

  • If you're just getting started with 1Password and would like all users to Unlock 1Password with SSO from day one, we recommend configuring your settings to enroll everyone but guests. All existing users will be prompted to switch to Unlock with SSO, and all new users will use their identity provider username and password when joining 1Password.
  • If you're migrating from traditional 1Password unlock (account password and Secret Key) to Unlock 1Password with SSO, we recommend taking a phased approach to rolling out by selectively enabling and testing specific groups of users at a time. This will allow you to identify and solve any roadblocks with minimal impact and make training smoother for your employees.

2. Consider whether or not you want users to be able to access data stored in 1Password while offline.

  • Enabling biometrics for Unlock with SSO allows users to authenticate to 1Password using biometrics, giving them access to their vaults and data even if they're offline. If you choose not to enable biometrics, users will only be able to unlock 1Password with SSO when they are online to make the connection to your identity provider.

3. Determine your grace period.

  • Users who already have 1Password accounts will need to switch to Unlock with SSO. You have the option to specify a grace period, or the number of days before users must make the switch. The default is 5 days, but you have the option to set it to 1 to 30 days. Review these considerations when determining a grace period.

4. Plan to deploy the 1Password desktop application.

  • The most common scenario we see for users who need account recovery in 1Password is when they only have a single trusted device set up, or they clear the cache of the browser where they first signed into 1Password. This is primarily a result of our trusted device security model. To avoid this, we recommend deploying the 1Password desktop application to all users and enrolling the application as a new trusted device. If a second trusted device is set up, users will be able to retrieve a trusted device verification code to re-enroll an additional device that may have been deauthorized. Learn more about implementing a recovery plan for your team.

5. Communicate frequently with users ahead of time.

  • While SSO can simplify signing in to 1Password, change management is always a challenge. Be sure to let users know why you're making this change and how it will benefit them. The internal change communication templates in the rollout section below are a good place to start.

Timeline

Tracking your rollout plan is an important aspect of your project success. Consider creating a task list for your rollout to monitor and schedule your timelines and key stakeholders to help keep everyone on track.

Updated 6 days ago