Learn how to deploy 1Password SCIM Bridge on the Azure Container Apps service.
This deployment consists of two containers: One for the SCIM bridge and another for Redis. There's also an ingress for the SCIM bridge container. There are a few benefits to deploying 1Password SCIM Bridge on Azure Container Apps:
- Low cost: For standard deployments, the service will host your SCIM bridge for ~$16 USD/month (as of January 2024). Container Apps pricing is variable based on activity, and you can learn more on Microsoft's pricing page.
- Automatic DNS record management: You don't need to manage a DNS record. Azure Container Apps automatically provides a unique one for your SCIM bridge domain.
- Automatic TLS certificate management: Azure Container Apps automatically handles TLS certificate management on your behalf.
- Multiple deployment options: The SCIM bridge can be deployed directly to Azure from the Portal using this guide or via the Azure Shell or command line tools in your local terminal using the support guide. If you're using a custom deployment, cloning this repository is recommended.
Before you begin, complete the necessary preparation steps to deploy 1Password SCIM Bridge. You'll also need an Azure account with permission to create a Container App.
Note
If you don't have an Azure account, you can sign up for a free trial with starting credit: https://azure.microsoft.com/free/
- Sign in to the Azure Portal and go to the Container Apps page.
- Click Create, then fill out the following fields:
- Resource group: Choose an existing Resource Group or create a new one.
- Container app name: Enter a name you'd like to use, such as
op-scim-con-app. - Region: Choose the region you prefer.
- Container App Environment: Choose an existing Container App environment or create a new one with the information in step 1.1.
- If you didn't create a new Container App Environment, continue to step 1.2.
If you choose to create a new Container App Environment, give it a name that makes sense for your organization, such as op-scim-con-app-env. Then adjust the following:
- Environment type: Choose Consumption only.
- Zone Redundancy: Choose Disabled.
After you adjust these options, click Create.
- On the Create Container App page, click Next: Container >.
- Deselect Use quickstart image, then adjust the following:
- Name: Enter
op-scim-redis. - Image source: Choose Docker Hub or other registries.
- Image and tag: Enter
redis. - CPU and Memory: Choose 0.25 CPU cores, 0.5 Gi memory.
- Command override: Enter
redis-server, --maxmemory 256mb, --maxmemory-policy volatile-lru, --save ""
- Name: Enter
- Click Review + create at the bottom of the page. When the page loads, click Create.
After the deployment is complete, click Go to resource, then continue to step 2.
- Choose Secrets from the Settings section in the sidebar.
- Click Add, then enter
scimsessionin the Key field. - Paste the plain-text contents of the
scimessionfile into the Value field. - Choose Add, then wait until the secret is created.
- Choose Add > App container.
- Adjust the following:
- Name: Enter
op-scim-bridge. - Image source: Choose Docker Hub or other registries.
- Image and tag: Enter
1password/scim:v2.9.4. - CPU cores: Enter
0.25 - Memory (Gi): Enter
0.5.
- Name: Enter
- Choose "Volume mounts", then click "Create new volume" below Secrets. Adjust the following:
- Volume type: Choose Secret.
- Name: Enter
credentials. - Mount all secrets: should already be selected, but select it if is not.
- Click Add to save the volume specification. You should see the new
credentialsvolume listed under "Volume name". - Enter
/home/opuser/.opin the Mount path field for this volume. - Click Create.
- Wait for the notification that the revision deployment was successful, then choose Ingress from the Settings section in the sidebar.
- Select Enabled to allow and configure ingress. Adjust the following:
- Ingress traffic: Choose Accepting traffic from anywhere.
- Client certificate mode: Choose Ignore.
- Target port: Enter
3002.
- Click Save.
To test if your SCIM bridge is online, choose Overview in your application's sidebar, then click your Application Url link. This is your SCIM bridge URL. Sign in using your bearer token to verify that your SCIM bridge is connected to your 1Password account.
To finish setting up automated user provisioning, connect your identity provider to the SCIM bridge.
Follow the steps in this section to connect your SCIM bridge to Google Workspace.
Connect Google Workspace using the Azure Portal
Follow the steps to create a Google service account, key, and API client.
- Download the
workspace-settings.jsonfile from this repo. - Edit the following in this file:
- Actor: Enter the email address of the Google Workspace administrator for the service account.
- Bridge Address: Enter your SCIM bridge domain. This is the Application URL for your Container App, found on the overview page (not your 1Password account sign-in address). For example:
https://op-scim-bridge.example.eastus.azurecontainerapps.io.
- Save the file.
- Open the Azure Portal and go to the Container Apps page.
- Choose Secrets from the Settings section in the sidebar.
- Open the key file generated by Google for your service account you saved to your computer in 6.1.
- Click Add to create a secret for the credentials file, then fill out the following fields:
- Key: Enter
workspace-credentials. - Value: Copy the entire contents of the key file. Paste it into this field.
- Key: Enter
- Click Add, then wait until the secret is created.
- Open the settings file you edited in 6.2.
- Click Add to create another secret for the settings file, then fill out the following fields:
- Key: Enter
workspace-settings. - Value: Copy the entire contents of the settings file. Paste it into this field.
- Key: Enter
- Click Add, then wait until the secret is created.
- Choose Containers from the Application section in the sidebar.
- Click Edit and deploy
- Choose Volumes.
- Click on the credentials volume listed to edit the volume.
- Deselect Mount all secrets.
- Under Select individual secrets to mount, you should see all three secrets that you created. Add
.jsonto the File path for each of the Google Workspace secrets:- workspace-credentials:
workspace-credentials.json - workspace-settings:
workspace-settings.json
- workspace-credentials:
- Click Save, then click Create.
Connect Google Workspace using the Azure Cloud Shell or AZ CLI
To connect Google Workspace using the Azure Cloud Shell or AZ CLI, follow the steps in our Advanced guide.
Tip
Check for 1Password SCIM Bridge updates on the SCIM bridge releases notes website.
- Within your deployed 1Password SCIM Bridge Container App in the Azure Container Apps Portal, select Containers from the sidebar.
- Click Edit and deploy.
- Select the checkbox next to your op-scim-bridge container, then choose Edit.
- Change the version number 2.9.4 in the Image and Tag field, 1password/scim:v2.9.4 to match the latest version from our SCIM bridge releases notes website.
- Select Save.
- Select Create to deploy a new revision using the updated image.
- Enter your SCIM bridge URL in a browser and sign in with your bearer token.
- Check the top left-hand side of the page to verify you're running the updated version of the SCIM bridge.
After you sign in to your SCIM bridge, the Automated User Provisioning page in your 1Password account will also update with the latest access time and SCIM bridge version.
The pod for 1Password SCIM Bridge should be vertically scaled if you provision a large number of users or groups. These are our default resource specifications and recommended configurations for provisioning at scale:
| Volume | Number of users | CPU | memory |
|---|---|---|---|
| Default | <1,000 | 0.25 | 0.5Gi |
| High | 1,000–5,000 | 0.5 | 1.0Gi |
| Very high | >5,000 | 1.0 | 1.0Gi |
If you're provisioning more than 1,000 users, update the resources assigned to the SCIM bridge container to follow these recommendations. The resources specified for the Redis container don't need to be adjusted. Steps can be found on our Advanced guide on how to update your resources.
Tip
For more advanced tips follow the Customize your Deployment, or Get Help section in our Advanced guide.
To use a new scimsession credentials file for your SCIM bridge, replace the secret in your Container App:
Replace your `scimsession` secret using the Azure Portal
- Open the Azure Portal and go to the Container Apps page.
- Choose Secrets from the Settings section in the sidebar.
- Edit the scimsession secret and paste the entire contents of your new
scimsessionfile. - Select the checkbox and click Save.
- Choose the Revisions from the Application section in the sidebar.
- Click your current active revision and choose Restart in the details pane.
- Enter your SCIM bridge URL in another browser tab or window and sign in using your new bearer token to test your SCIM bridge.
- Update your identity provider configuration with the new bearer token.
Replace your scimsession secret using the Azure Cloud Shell or AZ CLI
Using the Azure Cloud Shell or AZ CLI, follow the steps in our Advanced guide.