This example describes how to deploy 1Password SCIM Bridge using AWS CloudFormation on Amazon Elastic Container Service (ECS) with AWS Fargate.
README.md: the document that you are reading. 👋😃op-scim-bridge.yaml: a CloudFormation template for 1Password SCIM Bridge.
The included template can be used to deploy 1Password SCIM Bridge as a stack using the AWS CloudFormation console or the AWS Command Line Interface (AWS CLI). The CloudFormation template will create and configure the following resources in your AWS account:
- a VPC (with a
10.0.0.0/16CIDR block by default) - 2 public subnets (each with
/20CIDR blocks within this range), spanned across two availability zones in the current or selected region - an internet gateway
- an Application Load Balancer (ALB)
- an ECS task with associated container definitions for 1Password SCIM Bridge and the requred Redis cache
- an ECS service and ECS cluster for the above task
- a target group targeting the SCIM bridge container
- 2 security groups to restrict traffic to and from the ALB and the ECS cluster, respectively
- an AWS Certificate Manager (ACM) TLS certificate for the ALB
- 2 Route 53 DNS records:
- for the domain name of your SCIM bridge (e.g.
scim.example.com) - to validate the requested ACM certificate
- for the domain name of your SCIM bridge (e.g.
- AWS Secrets Manager secrets to store credentials and configuration for your SCIM bridge
- a CloudWatch log group to capture logs
- required IAM roles
This template is a working example to be used as a base for your SCIM bridge deployment and may need to be customized to meet your specific requirements.
- A 1Password account with an active 1Password Business subscription or trial
Note
👀 Try 1Password Business free for 14 days: https://start.1password.com/sign-up/business
- An AWS account with the permissions and available quota to create and manage the described resources
- AWS CLI (if you want to manage the deployment using a terminal or script).
Before deploying 1Password SCIM Bridge, consult the Preparation Guide in this repository. Since this CloudFormation template will create all necessary resources, you do not need to seperately create a DNS record for your SCIM bridge, nor use its certificate manager component to create and manage a TLS certificate.
-
Clone this repository and switch to this directory:
git clone https://github.com/1Password/scim-examples.git cd ./scim-examples/beta/aws-ecsfargate-cfnor, download the template file
op-scim-bridge.yamlto a working directory on your computer. -
Follow the steps in Automate provisioning in 1Password Business using SCIM to generate credentials for your SCIM bridge.
-
Save the
scimsessioncredentials file and the associated bearer token as items in your 1Password account. -
Download the
scimsessionfile to the same working directory.
Create a stack for your SCIM bridge in the AWS CloudFormation console or using AWS CLI:
For a GUI deployment, you can create a stack in the CloudFormation console.
- Create a stack with new resources:
- In the "Specify template" section, choose "Upload a template file".
- Click "↑ Choose file" and upload the
op-scim-bridge.yamlfile from the working directory on your computer. - Click Next.
- Specify stack details. Use the following options (for everything else, use the provided defaults or your own preferences):
- Type
op-scim-bridgein the "Stack name" field. CloudFormation will use the stack name (or a truncated version where needed) as a prefix when naming the created AWS resources.Note
📄 We use
op-scim-bridgeas a shorthand for 1Password SCIM Bridge throughout our examples and supporting documentation, but the choice is arbitrary. - Select the Route 53 hosted zone for DNS records.
- Replace
scim.example.comwith a domain name for your SCIM bridge that is in the domain of this hosted zone. - Open the
scimsessionfile from your working directory in a text editor. Select all text in the file and copy it to your clipboard. Paste the contents into thescimessionfield (it will be masked on input). - If you are connecting to Google Workspace:
- Create a service account, key, and API client.
- Save the Google Workspace service account key file to the working directory. Open the file in a text editor, select all text in the file, and copy it to your clipboard.
- In the Workspace configuration section, fill these fields:
Service account key: the contents of the key file (from your clipboard)Actor: the email address of an administrator in Google Workspace that the service account is acting on behalf of.
- Click Next.
- Type
- Configure stack options:
- Click "Add new tag" to add any tags you require to all supported resources in the stack.
- Review the options, using the provided defaults or your own options as required or preferred. Click Next.
- Review the stack configuration. When you're finished, click "I acknowledge that AWS CloudFormation might create IAM resources." below Capabilities, then click Submit.
The console will display the stack status as ℹ️ CREATE_IN_PROGRESS during the deployment. The stack is expected to take several minutes to create (generally a bit more than 5 minutes when this document was last updated). After the stack is created, the status will change to ✅ CREATE_COMPLETE.
You can alternatively deploy 1Password SCIM Bridge with a single AWS CLI command.
Example command:
aws cloudformation deploy --template-file ./op-scim-bridge.yaml \
--capabilities CAPABILITY_IAM \
--parameter-overrides \
Route53HostedZoneID=Z2ABCDEF123456 \
DomainName=scim.example.com \
scimsession=$(cat ./scimsession) \
# WorkspaceCredentials=$(cat ./workspace-credentials.json) \
# [email protected] \
# VPCCIDR=10.0.0.0/16 \
# ProvisioningVolume=high \
# --tags \
# Key1=Value1 \
# Key2=Value2 \
--stack-name op-scim-bridgeEdit the example above as follows before running the command from the working directory:
-
Replace
Z2ABCDEF123456with the ID of the Route 53 hosted zone for DNS records. -
Replace
scim.example.comwith a domain name for your SCIM bridge that is in the domain of this hosted zone. -
If you saved your
scimsessionfile as an item in your 1Password account, you can use 1Password CLI to pass this value instead of saving to and reading from the working directory.For example:
# ... scimsession=$(op read "op://Private/scimsession file/scimsession") \ # ...
-
If you are connecting to Google Workspace:
-
Save the Google Workspace service account key file.
-
Uncomment the parameter overrides for Google Workspace and set each value:
WorkspaceCredentials: the contents of the key file; replace./workspace-credentials.jsonwith the path to the key file to read it from the working directory.WorkspaceActor: the email address of an administrator in Google Workspace that the service account is acting on behalf of.
For example:
# ... WorkspaceCredentials=$(cat ./workspace-344418-6ab4742aa21b.json) \ [email protected] \ # ...
-
Uncomment the appropriate lines as needed to adjust the CIDR block for the VPC, the scale of the deployment based on its provisoning volume, and add tags as key-value pairs to apply to all supported resources in the stack.
-
If you prefer, set the value for
--stack-nameto choose your own (for example,--stack-name your-stack-name). CloudFormation will use the stack name (or a truncated version where needed) as a prefix when naming the created AWS resources.Note
📄 We use
op-scim-bridgeas a shorthand for 1Password SCIM Bridge throughout our examples and supporting documentation, but the choice is arbitrary.
After you run the command, you should see:
Waiting for changeset to be created.. Waiting for stack create/update to complete
More detailed information is available in the CloudFormation console. A success message will be returned when the stack is created, for example:
Successfully created/updated stack - op-scim-bridge
A clickable link of the URL for your SCIM bridge is available in the Outputs tab of the CloudFormation console (for example, https://scim.example.com). You can sign in to this URL with the bearer token for your SCIM bridge to test the connection, view status information, or retrieve logs.
Example command:
curl --header "Authorization: Bearer mF_9.B5f-4.1JqM" https://scim.example.com/UsersReplace mF_9.B5f-4.1JqM with your bearer token and scim.example.com with the domain name of your SCIM bridge in the example above.
Note
💻 If you saved your bearer token as an item in your 1Password account, you can use 1Password CLI to pass the bearer token instead of writing it out in the console. For example:
--header "Authorization: Bearer $(op read "op://Private/bearer token/credential")"
Example JSON response
{ "Resources": [ { "active": true, "displayName": "Eggs Ample", "emails": [ { "primary": true, "type": "", "value": "[email protected]" } ], "externalId": "", "groups": [ { "value": "f7eqriu7ht27mq5zmm63gf2dhq", "ref": "https://scim.example.com/Groups/f7eqriu7ht27mq5zmm63gf2dhq" } ], "id": "FECPUMYBHZB2PB6K4WKM4Q2HAU", "meta": { "created": "", "lastModified": "", "location": "", "resourceType": "User", "version": "" }, "name": { "familyName": "Ample", "formatted": "Eggs Ample", "givenName": "Eggs", "honorificPrefix": "", "honorificSuffix": "", "middleName": "" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "userName": "[email protected]" }, ... ] }
Use your SCIM bridge URL and bearer token to connect your identity provider to 1Password SCIM Bridge.
If you are integrating with Google Workspace, sign in to your SCIM bridge URL using your bearer token and set up provisioning to 1Password.
To update to the latest version of 1Password SCIM Bridge, update your stack with a new value for the SCIMBridgeVersion parameter. You can use the AWS console or AWS CLI. Use the latest template from this repository (op-scim-bridge.yaml) and update the value of the "1Password SCIM Bridge version" parameter (SCIMBridgeVersion). Use the existing values for everything else.
Example command:
aws cloudformation deploy \
--template-file ./op-scim-bridge.yaml \
--stack-name op-scim-bridge \
--capabilities CAPABILITY_IAM \
--parameter-overrides SCIMBridgeVersion=v2.9.1Note
Our 1Password SCIM Bridge release notes page does not include
vin each release version, but this character must be included in the value of theSCIMBridgeVersionparameter to match the corresponding image tag in Docker Hub:
- ✅
v2.9.1- ❌
2.9.1