Knowledge Base Article
Why SSO?
Let's start with an overview of the business value, key benefits, and security considerations of unlocking 1Password with Single Sign-On (SSO).
Identity provider integrations: SSO vs SCIM
1Password Business offers two types of integrations with identity providers:
- The SCIM bridge for automated user lifecycle management and role-based access control.
- Single Sign-On (SSO) using the OpenID Connect (OIDC) protocol to let end users unlock 1Password with their identity provider credentials.
Configuring these integrations is done by setting up two distinct applications in most identity providers.
These integrations serve two different functions and interact with your 1Password tenant in distinct ways.
The 1Password SCIM bridge operates as an API endpoint that communicates with the 1Password servers over the Secure Remote Password (SRP) protocol.
Single Sign-On (SSO) uses a direct API integration with the 1Password servers to let an end user authenticate using their SSO credentials. The local 1Password application is then authorized to unlock the local database.
Business value
Using a Single Sign-On (SSO) solution is a reasonable way to strengthen password security by simplifying account access. It does, however, have security limitations. When using SSO alone, many websites or applications may not be protected because they aren't compatible with the necessary authentication protocols. 1Password protects your company assets and resources when SSO can't.
Employees can use 1Password to create strong, unique passwords for apps and services that aren't covered by your identity provider. That gives you more comprehensive access and security, and the ability to safeguard secrets that aren't covered by your identity provider, like documents, secure notes, and SSH keys.
Unlock 1Password with Single Sign-On lets 1Password Business users sign in to their 1Password accounts using their identity provider credentials instead of their account password and Secret Key.
- Without Unlock with SSO, users sign in to their 1Password account on any device using their account password and Secret Key.
- With Unlock with SSO, users sign in to their 1Password account on their first trusted device using their identity provider credentials. Users then sign in to their 1Password account on a new device using their identity provider credentials and by entering a verification code sent to their trusted device.
ℹ️ With Unlock with SSO enabled, your 1Password login is replaced by your identity provider login. While identity providers don't have Emergency Kits like 1Password does, a user can still store their identity provider password in ways similar to what we recommend for storing Emergency Kits.
We recommend users create a password for your identity provider that is random but memorable, eliminating the need to store the password anywhere other than in their memory. This is now the only password they need to remember. 1Password can generate memorable passwords by changing the password type from "random password" to "memorable password."
Key benefits
- Designed with a security-first approach to minimize risks and possible threats. Integrate with your identity provider to access 1Password using Single Sign-On with zero-knowledge and end-to-end encryption preserved. See the Security overview for more information.
- Secure access to passwords and sensitive information. Let employees use your identity provider to authenticate 1Password so they can access their vaults without the need for an account password. Take advantage of secure biometrics for more flexibility on how employees access vaults.
- Simple admin management. Use the setup wizard to set policies and roll out Unlock with SSO in just a few clicks.
Security overview
Unlock with SSO acts as an additional layer of identity-proofing on top of the existing 1Password security model. That model requires an account password and Secret Key to access and unlock your account. The account password is a secret that you remember and should only be stored in your brain.
Unlock with SSO works differently. 1Password first confirms that a team member has authenticated to their identity provider, then downloads the team member's encrypted credentials. The team member's device key, which is stored on each device set to Unlock with SSO, is used to decrypt the credentials and access their 1Password data. When this process is complete, Unlock with SSO works just like 1Password with traditional unlock.
Fundamentals of the Unlock with SSO security model:
- Zero-knowledge architecture and end-to-end encryption are maintained by the fact that decryption occurs on the device. We still do not have access to the keys needed to decrypt a user's data.
- The trusted device model authorizes the initial device and new devices to securely access your 1Password Business account. This is fundamental to 1Password's end-to-end encryption, letting the new device sign in to your account and decrypt your 1Password data while keeping your secrets safe.
When you enter the verification code, 1Password securely transfers a credential bundle from your existing trusted device to the new device. The new device then uses the bundle to sign in to your 1Password account, register itself as a new trusted device, and encrypt the credential bundle with its own device key. This allows the new device to sign in to your account and decrypt your 1Password data independently while keeping your secrets safe. The trusted device enrollment process is not a form of multi-factor authentication, nor is it a replacement for existing device management programs your organization may have in place.
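The trusted-device enrollment described above, as an added illustrative model that is not 1Password's own code: a per-device key wraps the credential bundle with AES-GCM, the server stores only ciphertext, and enrolling a new device re-wraps the bundle under the new device's key once the verification code has been accepted. The device keys, the bundle contents and the `codeAccepted` flag are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Sealed is all the server ever holds: nonce plus AES-GCM ciphertext, no key.
type Sealed struct{ Nonce, Ciphertext []byte }

// NewDeviceKey makes a per-device key that never leaves the device (illustrative model).
func NewDeviceKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal wraps the credential bundle under one device's key.
func Seal(key, bundle []byte) (Sealed, error) {
	gcm, err := gcmFor(key)
	if err != nil { return Sealed{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Sealed{}, err }
	return Sealed{nonce, gcm.Seal(nil, nonce, bundle, nil)}, nil
}

// Open unwraps a bundle; the GCM tag check fails under any other device's key.
func Open(key []byte, s Sealed) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// Enroll models adding a trusted device: once the verification code is accepted, the
// existing device unwraps the bundle and re-wraps it for the new device's key, so the
// server only ever sees the two ciphertexts (constructed model, not 1Password's flow).
func Enroll(trustedKey []byte, stored Sealed, newKey []byte, codeAccepted bool) (Sealed, error) {
	if !codeAccepted { return Sealed{}, errors.New("verification code rejected") }
	bundle, err := Open(trustedKey, stored)
	if err != nil { return Sealed{}, err }
	return Seal(newKey, bundle)
}
```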
Learn more about the Unlock with SSO security model and the risk considerations.