Integrate with 1Password
Support level: Community
What is 1Password?
1Password is a password management tool that simplifies the process of creating, storing, and sharing passwords. It allows you to create strong, unique passwords, securely store them in a vault, and automatically fill them in when needed.
Preparation
The following placeholders are used in this guide:
- authentik.company is the FQDN of the authentik installation.
- your-domain.1password.com is your 1Password sign-in address. If your account uses another region or the enterprise region, replace it with your full sign-in address, such as your-domain.1password.ca, your-domain.1password.eu, or your-domain.ent.1password.com.
- scim-bridge.company is the FQDN of the 1Password SCIM Bridge (optional).
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
authentik configuration
To support the integration of 1Password with authentik, you need to create an application/provider pair in authentik.
Create an application and provider in authentik
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
  - Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
  - Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Set Client Type to Public.
    - Note the Client ID and slug values because they will be required later.
    - Add two Strict redirect URIs and set them to https://your-domain.1password.com/sso/oidc/redirect/ and onepassword://sso/oidc/redirect.
    - Select any available Signing Key.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page. If you add a SCIM provider as a backchannel provider later, only users who can view this application are synchronized.
- Click Submit to save the new application and provider.
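The following pre-flight check for the two Strict redirect URIs is an added example, not part of the authentik or 1Password tooling. It assumes that Strict matching compares the whole string, so a missing trailing slash or a different regional domain counts as a mismatch; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Sign-in address suffixes named in this guide
# (.ent.1password.com also ends in .1password.com).
KNOWN_SUFFIXES = (".1password.com", ".1password.ca", ".1password.eu")

def expected_redirect_uris(sign_in_address):
    """Return the two redirect URIs this guide asks for."""
    return {
        f"https://{sign_in_address}/sso/oidc/redirect/",  # trailing slash
        "onepassword://sso/oidc/redirect",                # no trailing slash
    }

def _loose(uri):
    # Key that ignores case and a trailing slash; used only to recognise
    # near misses that an exact comparison (assumed here) would reject.
    return uri.strip().lower().rstrip("/")

def check_redirect_uris(sign_in_address, configured):
    """Return a list of findings; an empty list means the set is exact."""
    findings = []
    if not sign_in_address.endswith(KNOWN_SUFFIXES):
        findings.append(f"unrecognised sign-in address: {sign_in_address}")
    expected = expected_redirect_uris(sign_in_address)
    loose = {_loose(u): u for u in expected}
    accounted = set()
    for uri in configured:
        if uri in expected:
            accounted.add(uri)
        elif _loose(uri) in loose:
            want = loose[_loose(uri)]
            accounted.add(want)
            findings.append(f"near miss: {uri!r} must be exactly {want!r}")
        else:
            # Any extra entry widens where authorization responses may go.
            host = urlsplit(uri).hostname
            findings.append(f"unexpected redirect URI (host {host}): {uri!r}")
    findings += [f"missing: {u!r}" for u in sorted(expected - accounted)]
    return findings
```

Pass the sign-in address and the redirect URI list copied from the provider; any finding should be resolved before you continue with the 1Password configuration.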
1Password configuration
- Log in to the 1Password dashboard as an administrator.
- In the sidebar, click Policies.
- Under Single sign-on, click Manage policies.
- Select Other as the identity provider.
- Set the following values:
  - Client ID: paste the Client ID from authentik.
  - Well-known URL: https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
- Click Next, then click Next again. The redirect URIs were already configured in authentik.
- Click Test connection to validate the configuration.
- After the test completes successfully, click Save.
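If Test connection fails, the discovery document behind the Well-known URL is the first thing to inspect. The check below is an added example, not code from authentik or 1Password; the sample documents are constructed, the function names are hypothetical, and it assumes that a provider without a Signing Key advertises only a symmetric algorithm such as HS256.

```python
from urllib.parse import urlsplit

ASYMMETRIC_PREFIXES = ("RS", "ES", "PS")
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def well_known_url(authentik_fqdn, slug):
    """Build the Well-known URL in the form given in this guide."""
    return (f"https://{authentik_fqdn}/application/o/{slug}"
            "/.well-known/openid-configuration")

def check_discovery(authentik_fqdn, doc):
    """Return findings for a parsed discovery document (dict)."""
    findings = []
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append(f"{key}: not https ({value})")
        if parts.hostname != authentik_fqdn.lower():
            findings.append(f"{key}: host {parts.hostname} is not {authentik_fqdn}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    # Assumption: only symmetric algorithms here means no Signing Key is set.
    if not any(a.startswith(ASYMMETRIC_PREFIXES) for a in algs):
        findings.append("no asymmetric signing algorithm advertised; "
                        "check that a Signing Key is selected on the provider")
    return findings

# Constructed sample documents (not captured from a real installation).
SAMPLE_OK = {
    "issuer": "https://authentik.company/application/o/1password/",
    "authorization_endpoint": "https://authentik.company/application/o/authorize/",
    "token_endpoint": "https://authentik.company/application/o/token/",
    "jwks_uri": "https://authentik.company/application/o/1password/jwks/",
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_BAD = dict(SAMPLE_OK,
                  issuer="http://authentik.company/application/o/1password/",
                  id_token_signing_alg_values_supported=["HS256"])
```

To use it against a live installation, fetch the URL returned by well_known_url, parse the JSON body, and pass the resulting dict to check_discovery.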
Configuration verification
To verify that authentik is properly integrated with 1Password, first sign out of your account. Then, open 1Password, enter an email address that's configured to unlock with SSO in 1Password, and click Sign in with authentik. You will be redirected to authentik for authentication before being sent back to 1Password.
Automated user provisioning (optional)
You can optionally configure automated user provisioning from authentik to 1Password. This allows you to create users and groups, manage access, and suspend users in 1Password with authentik.
To support automated user provisioning, you need to deploy the 1Password SCIM Bridge, create a group and SCIM provider in authentik, and add the SCIM provider as a backchannel provider for the 1Password application. For more information, see the 1Password SCIM Bridge Documentation.
Set up automated user provisioning in authentik
Create a user group
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Directory > Groups and click Create.
- Set a name for the group (e.g. 1Password Users), and click Create.
- Click the name of the newly created group and navigate to the Users tab.
- Click Add existing user, select the users that need 1Password access, and click Add.
Create a SCIM provider
- Log in to authentik as an admin and open the authentik Admin interface.
- Navigate to Applications > Providers and click Create.
  - Choose a Provider type: select SCIM Provider as the provider type.
  - Configure the Provider: provide a name (e.g. 1password-scim), and the following required configurations.
    - URL: https://scim-bridge.company/scim
    - Token: paste the bearer token from your 1Password SCIM Bridge deployment.
    - Group Filter: select the groups that should be provisioned to 1Password.
- Click Finish to save the new provider.
Add the SCIM provider to the 1Password application
- Navigate to Applications > Applications and click the Edit icon of the 1Password application.
- In the Backchannel Providers field, select the SCIM provider that you created.
- Click Update.
- Ensure that the users who should be provisioned to 1Password can access the application. If you created the 1Password Users group above, add it as a binding for the application.
Set up automated user provisioning in 1Password
- Log in to the 1Password dashboard as an administrator.
- Click Integrations in the sidebar.
- Choose your identity provider from the User Provisioning section, then follow the 1Password setup flow to deploy the SCIM Bridge and generate the bearer token.
- After the SCIM Bridge is deployed, select the groups you want to sync in the Managed Groups section.
Verify automated user provisioning
Open the SCIM provider in authentik. In the Schedules section, click the play icon for the SCIM sync schedule. After the sync completes, confirm that the user is provisioned in 1Password.
1Password requires the SCIM Bridge to be reachable from authentik and the 1Password service. DNS and hosting setup for the SCIM Bridge are outside the scope of this guide.