This release fixes pagination when importing with identity providers such as Okta, and adds support for disabling group membership caching.
New
Group membership cache expiry can be customized with the OP_GROUP_MEMBERSHIP_CACHE_PERIOD environment variable, in order to consistently report accurate memberships when using the CLI to manage groups. {4137}
Improvements
Operations such as "Add", "Remove", and "Replace" are now case-insensitive. {4179}
Fixed
TotalResults is now accurate, fixing a bug from v2.9.0 with Okta imports not working. {4051}
This patch release contains SCIM compliance and Google Workspace integration improvements and fixes, as well as strengthened security with better domain validation.
Improvements
Support SCIM-compliant Meta timestamps for users and groups. {4011, 4012}
Push notifications from Google Workspace are more resilient to error. {3247}
Fixed
Groups that fail to be retrieved during the Google Workspace sync will no longer cause accidental user suspensions. {3658}
Security
OP domain validation relies on an eTLD-capable URL parser. {4120}
This release surfaces rate limiting responses between the SCIM bridge and the 1Password servers, and enables the use of non-URL-safe characters in redis passwords supplied through the OP_REDIS_PASSWORD environment variable or the --redis-password command line argument.
Improvements
Return "HTTP 429 Too Many Requests" when the SCIM bridge is being rate limited. {3329}
Non-URL-safe characters are now accepted when using OP_REDIS_PASSWORD. {3905}
This is a patch release primarily to provide clear instructions when provisioning users with an invalid domain. For more information on allowed domains, visit https://support.1password.com/scim-update-allowed-domains.
Fixed
A clear error message is presented when provisioning or updating users with a domain not in the Allowed domains list. {3755}
Security
Update base distroless image to latest version. {3774}
This is a patch release to add additional protections against mass group deletions for Google Workspace.
Fixed
Implemented additional protections against mass group deletions caused by incomplete Group responses from the Google Directory Admin API (see https://issuetracker.google.com/issues/295302751). {21934}
This release features DNS-01 support and the customisation of the user confirmation interval, plus performance improvements to multiple endpoints. Also of note, an error was found and fixed that could prevent Let's Encrypt from renewing the TLS certificates of long running bridges.
New
Allow Let's Encrypt challenges using the DNS-01 protocol. Cloudflare DNS, Azure DNS, and Google Cloud DNS are supported. {964}
Added the ability to set the frequency of automatic user confirmation. {3471}
Improvements
The PATCH /Groups and GET /Users endpoints operate much more quickly. {3485, 3473, 3416, 3412, 3461}
Logging of `scimsession` file handling is more detailed and precise. {3102}
The Google Workspace sync interval is reduced from 24 hours to 2 hours. {3509}
Fixed
Email changes will get cancelled if the original email is reset. {3248}
A configuration error will no longer result in Let's Encrypt certificates occasionally not renewing for long-lived bridges. {3422}
Initial session generation is limited for concurrent requests. {3504}
The group membership cache will only get built once upon startup. {3479}
Security
Update the base Distroless image to the most recent version. {3514}
This release introduces support for JumpCloud, plus other improvements including support for an optional Kubernetes health check. The health check can be enabled by setting the "OP_PING_SERVER" environment variable, or including the "--ping-server" command line argument. This will configure the SCIM bridge to listen to incoming "GET /ping" requests on port 80. See the help documentation for more details.
New
JumpCloud is now an officially supported identity provider. {880}
Improvements
Further improvements to Let's Encrypt functionality and logging. {1643}
Users in the invited state can now be suspended. {1656}
Added support for an optional Kubernetes health check. {1425}
This release includes bug fixes, a security update and logging improvements.
Improvements
The ping, monitoring and health endpoints now only log at the debug level. {1369}
Not Found (404) responses are now logged at debug level. {1275}
Minor informational messages are now logged at the debug level. {1272}
Fixed
The SCIM bridge no longer duplicates the givenName/familyName fields if one is left empty. {1358}
Returns a 404 instead of a 302 on requests to the SCIM Challenge Server that are not ACME "http-01" challenges, overriding the default fallback behaviour of autocert. {1356}
Return the existing user on a user create request if the user already exists. {1405}
Security
Narrowed the number of cipher suites available when using Let's Encrypt to enhance security. {1444}
This release resolves an issue where the field value would be printed to the logs when skipping unsupported operations.
In some cases the field value could contain Personally Identifiable Information (PII) such as a phone number.
The field value is now redacted in the log output for these cases.
Security
Redacted personal information from logs when skipping unsupported operations. {1349}
This release resolves an issue where a PATCH request containing only unsupported operations would result in an error.
Improvements
Reduced the number of steps necessary for acquiring a Let's Encrypt certificate in one-click installs (Google Cloud Marketplace, Digital Ocean). {1231}
Fixed
A request containing only skipped operations will no longer result in an error response. {1351}
This is a major release with many improvements, focusing on administrator usability with logging upgrades, Let’s Encrypt stability, and expanded identity provider sourced user modifications.
Additionally this release deprecates the five redis configuration parameters in favor of a single redis configuration string.
This release also introduces optional configuration parameters to enable logging structured JSON or logging with colorized text.
The default log output is still plain text without any colorization.
See the op-scim help text for more details.
New
Added ability to update user's preferred language. {974}
Introduced configuration option to output structured JSON logs. {1130}
Introduced configuration option to set log level to debug and include error stack traces. {1130}
Introduced configuration option to enable colorization of text output logs. {1130}
Enable modifying a user's email via a PATCH request on their userName. {855}
Introduced support for a Heroku-style redis configuration string in the form of the redis-url parameter. {1031}
Improvements
The SCIM Bridge more gracefully handles Let's Encrypt failures on the Web UI frontend, allowing the user to specify a new domain. {858}
Error reporting and accuracy has been greatly improved. {915}
Downgraded the "no session" warning log from error to info to indicate that it is not a problem. {1013}
Report redis health on all interactions. {1092}
Replace logging library to improve debugging ability. {1130}
Warn logs are now either errors or info, and provide better information. {1130}
1Password user names default to SCIM user displayName over legal names. {747}
Setup flow error states are more obvious and user friendly. {1129}
Better validation of Let’s Encrypt certificate domains during setup flow and application startup. {1169}
Redirect to the address set for OP_DOMAIN during SCIM Bridge setup. {1039}
Added additional log line to help notify customers when the default port is being used for SCIM setup. {1198}
Moved HTTP logging to the debug level and set default log level to info. {1098}
TLS handshake errors logged by the Let's Encrypt challenge and SCIM setup servers are now logged at debug level to reduce noise in the log output. {1239}
Deprecated redis, redis-host, redis-port, redis-password, and redis-enable-ssl parameters and corresponding environment variables. {1243}
Security
Enforce constant time comparison of authentication tokens. Credit: Cure53. {1176}
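As an added illustration of the constant-time comparison item above (example code written for these notes, not op-scim's own implementation), the naive comparison is shown beside the hardened form; the bearerToken helper and the token values are constructed for the example:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// naiveTokenMatches is the pattern such a fix replaces: Go's string == returns
// as soon as the first differing byte is found, so the response time depends
// on how many leading bytes of the presented token are correct.
func naiveTokenMatches(presented, expected string) bool {
	return presented == expected
}

// constantTimeTokenMatches hashes both values before comparing, so the
// comparison always runs over two fixed-length digests. subtle.ConstantTimeCompare
// then examines every byte regardless of where a mismatch occurs, and hashing
// first also avoids its early return on differing lengths leaking the token length.
func constantTimeTokenMatches(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// bearerToken extracts the token from an Authorization header value of the
// form "Bearer <token>" (hypothetical helper). ok is false when the scheme is missing.
func bearerToken(header string) (token string, ok bool) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return "", false
	}
	return strings.TrimSpace(strings.TrimPrefix(header, prefix)), true
}

func main() {
	const expected = "constructed-example-token" // constructed placeholder, not a real credential
	for _, h := range []string{"Bearer constructed-example-token", "Bearer wrong-token", "Basic abc"} {
		tok, ok := bearerToken(h)
		fmt.Printf("%-36q scheme_ok=%v match=%v\n", h, ok, ok && constantTimeTokenMatches(tok, expected))
	}
}
```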
This release contains feature improvements and minor fixes.
Improvements
The RFC 7643 Schema endpoint now produces schemas for Schemas, ResourceTypes, and ServiceProviderConfig, produces Meta information, and wraps responses in ListResponses.
Hitting the /ping route will no longer make noise in the logs.
Use the preferred language before defaulting to English when creating a new user. {930}
Updated log statements to all start with lowercase letters. {975}
Updated Dockerfile to have CMD and removed entrypoint from docker-compose files. {1012}
Fixed
The ServiceProviderConfig, ResourceTypes, and Schema endpoints now optionally support authenticated queries.
This release features a reworked frontend and IDP sourced email changes.
New
Admins can now initiate an email change in 1Password by updating the user's email or username in the identity provider.
SCIM Bridge web UI will display a notice when Advanced Protection Firewall is blocking access.
Improvements
Web UI code has undergone a general overhaul to make the experience more reliable.
Forming a new session and checking an existing authenticated session is faster.
The deprecated OP_SCIMSESSION environment variable is no longer available. Use OP_SESSION to configure the bridge to use your scimsession file if it is not in the default location, or if it is being provided as a base64url string.
Fixed
SCIM Bridge web UI no longer requires reload to show correct health status.
Fixed an issue which was causing some user accounts to fail with Okta's Import Users functionality.
This release resolves an issue where caching on SCIM setup pages caused confusion for users of Chrome-based browsers, and an issue where users would sometimes have a trailing space in their name when imported.
Fixed
Users would sometimes have a trailing space in their name when imported.
Disabled caching on SCIM setup pages, resolving some issues primarily seen on Chrome-based browsers.
This release includes the ability for the SCIM bridge to identify which Identity Provider it is connected to. This information will help us improve provisioning capabilities in the future.
This release is functionally identical to the previous release, but uses an updated deployer configuration to fix a file permissions issue that arises when attempting to set up the SCIM bridge on Google Cloud Platform Marketplace.
Fixed
Google Cloud Marketplace deployments can now complete setup successfully.
This release improves the SCIM bridge's support for pagination in user list results and includes security improvements to one-click installations.
Improvements
Users are sorted by email address when startIndex and count are being requested.
Security
One-click setup flows now use an improved method of installing the scimsession file and prevent encrypted data from being included in logs. (credit Ron Chan)
This release allows administrators of the SCIM Bridge to view the health of the Bridge's components by visiting the SCIM status page, improves the performance of persistent logging in the case of a redis connection failure, and improves the user filtering capabilities.
New
Support for viewing the health status of SCIM Bridge components.
Improvements
Filtering of users now supports filter values with and without quotation marks.
Fixed
Improved handling of retries and of the log messages produced by redis connection errors.
This release includes better compatibility with the SCIM 2.0 specification, a faster group patch endpoint and a SCIM Bridge health monitoring endpoint. It also adds a fix for suspending the provision manager.
New
Support for OneLogin as an Identity Provider.
Health monitoring service for the SCIM Bridge.
Improvements
Better support for SCIM 2.0, including serialization of group operations.
This release adds internal features to aid with speed and reliability. It also adds support for troubleshooting using persistent logs.
New
Support for persistent logging. To check the SCIM Bridge logs, go to the configured SCIM server URL (e.g. scim.example.com), paste the Bearer Token, and select the log to download.