1Password SCIM Bridge

Release Notes

Show betas

2.9.3 (build #209031) – released 2024-04-19

This release contains an update to packages built with golang to address CVE-2023-45288.

Security

Update Go package versions to address CVE-2023-45288. {4061}

2.9.1 (build #209011) – released 2024-03-20

This release contains bug fixes and improvements, including retrying failed user suspensions due to deadlocks.

Fixed

GET /Users requests now return the correct number of total results when a filter is applied. {3272}
The Google Workspace integration will no longer suspend guest users. {2712}
Archiving users in Google Workspace will now suspend them in 1Password. {3946}
Failed user suspensions due to server errors are automatically retried. {4017}

2.9.0 (build #209002) – released 2024-01-12

This release primarily adds support for arm64 architectures plus improvements to logging and error responses.

New

Docker images now support arm64 architectures. {3885}

Improvements

Logs now include the hostname and a unique instance_id for easier identification in deployments with multiple replicas. {3842}
Return a more detailed and appropriate response when failing to reactivate users. {3878}
URL validators for Google Workspace configurations now provide more actionable error messages. {2872}
Improved clarity and accuracy of Google Workspace group tables member count. {2873}

Fixed

Changing a group name will now succeed on retry when there is missing data in the redis cache. {3817}
OP_REDIS_ENABLE_SSL now functions as expected. {3915}

2.8.5 (build #208051) – released 2023-12-19

This release surfaces rate limiting responses between the SCIM bridge and the 1Password servers, and enables the use of non-url safe characters for redis passwords through use of the OP_REDIS_PASSWORD or --redis-password.

Improvements

Return "HTTP 429 Too Many Requests" when the SCIM bridge is being rate limited. {3329}
Non-url safe characters are now accepted when using OP_REDIS_PASSWORD. {3905}

2.8.4 (build #208041) – released 2023-09-20

This is a patch release primarily to provide clear instructions when provisioning users with an invalid domain. For more information on allowed domains, visit https://support.1password.com/scim-update-allowed-domains.

Fixed

A clear error message is presented when provisioning or updating users with a domain not in the Allowed domains list. {3755}

Security

Update base distroless image to latest version. {3774}

2.8.3 (build #208031) – released 2023-08-18

This is a patch release to add additional protections against mass group deletions for Google Workspace.

Fixed

Implemented additional protections against mass group deletions due to incomplete Group responses from the Google Directory Admin API due to https://issuetracker.google.com/issues/295302751. {21934}

2.8.2 (build #208021) – released 2023-07-14

This is a patch release, primarily to address Google Workspace issues.

Improvements

The Google Workspace interval sync now runs every hour. {3657}
Added additional basic CLI tools to the minimal base image. {3539}

Fixed

Google Workspace integration now chooses the correct preferred language. {3408}
Google Workspace integration will no longer accidentally suspend users during a sync if a critical prior operation has failed. {3658}
AzureAD will now correctly update a user's display name when accompanied by other name fields. {2880}

Security

Update base distroless image to latest version. {3661}

2.8.1 (build #208012) – released 2023-05-08

This is a patch release to address a web client login bug for Google Workspace customers.

Fixed

The web client will no longer occasionally fail to log in for Google Workspace customers. {3544}

2.8.0 (build #208001) – released 2023-04-21

This release features DNS-01 support and the customisation of the user confirmation interval, plus multiple performance improvements to multiple endpoints. Also of note is the finding and solving of an error that could prevent Let's Encrypt from renewing the TLS certificates of long running bridges.

New

Allow Let's Encrypt challenges using the DNS-01 protocol. CloudFlare DNS, Azure DNS, and Google Cloud DNS are supported. {964}
Added the ability to set the frequency of automatic user confirmation. {3471}

Improvements

The PATCH /Groups and GET /Users endpoints operate much more quickly. {3485, 3473, 3416, 3412, 3461}
Logging of `scimsession` file handling is more detailed and precise. {3102}
The Google Workspace sync interval is reduced from 24 hours to 2 hours. {3509}

Fixed

Email changes will get cancelled if the original email is reset. {3248}
A configuration error will no longer result in Let's Encrypt certificates occasionally not renewing for long-lived bridges. {3422}
Initial session generation is limited for concurrent requests. {3504}
The group membership cache will only get built once upon startup. {3479}

Security

Update the base Distroless image to the most recent version. {3514}

2.7.4 (build #207041) – released 2023-02-24

This release contains a security update, as well as a couple of fixes and improvements.

New

A SCIM bridge can now use an externally provided certificate and key file for TLS functionality. {2052}

Improvements

PATCH /Groups and GET /Users endpoints have improved performance due to a longer cache expiry period for group memberships. {3133}

Fixed

A Bridge initialization issue will no longer cause Workspace user suspensions. {3337}

Security

Update the base Distroless image to the most recent version. {3395}

2.7.3 (build #207031) – released 2023-01-19

This release moves the 1Password SCIM bridge to a Distroless base image.

Fixed

Google Workspace "Edit Configuration" panel will no longer be hidden, regardless of configuration method. {3333}

Security

SCIM bridge images now utilize a static Distroless base image to reduce false positives when scanned with container security tools. {3306}

2.7.2 (build #207021) – released 2023-01-06

This release contains a few fixes and improvements, most notably a fix for a Google Workspace issue that was causing frequent sync failures.

Improvements

SCIM routes will now return a 499 status code to identity providers when clients close connections. {2648}
Disabled Workspace configuration panel when Workspace is setup with env vars. {3258}

Fixed

Google Workspace sync will no longer fail due to an invalid session. {3018}

Security

Update the base Debian image to the most recent patch of 11.5-slim. {3303}

2.7.1 (build #207011) – released 2022-12-12

This release contains a few fixes and improvements.

Improvements

Return much quicker from a GET /Users call with a limit parameter. {3269}

Fixed

The confirmation watcher will no longer terminate on startup when Provisioning is disabled. {3271}
The 2.7.0 changelog now reflects the Debian version instead of the date of patch retrieval. {3270}

2.7.0 (build #207001) – released 2022-11-28

This release features vastly improved provisioning speed improvements among other bug fixes and improvements.

New

Added Trace-level debugging. {2958}

Improvements

Improved the robustness of and added increased logging to the Let's Encrypt certificate manager. {2958}
The GET /Users route is more performant with a large number of groups. {3131}
User provisioning operations are more performant. {3087}
User confirmations and PATCH group operations are more performant. {3137}
Create group operations are more performant. {3160}

Fixed

Email changes will now be cancelled if the user is returned to their original email. {1680}
The SCIM bridge will no longer periodically fail to connect to 1Password due to a file permission issue. {3088}
The PUT /User route will no longer occasionally return an attribute error while processing language changes. {1718}

Security

Update the base Debian image to the most recent patch of 11.5-slim. {3195}

2.6.2 (build #206022) – released 2022-09-30

This is the first post-release Google Workspace integration patch. It contains a number of minor Google Workspace oriented improvements and bugfixes.

Improvements

A link to support documentation has been added to the Google Workspace configuration page on the bridge UI. {2710}
Added support for searching Google Workspace groups from the bridge UI. {2713}
Google Workspace sync can now be manually performed with the Sync Groups button. {2727}

Fixed

Re-creating an existing user now consistently returns the correct activation state. {2649}
Google Workspace groups can now be recreated and re-synced in 1Password after being deleted. {2804}
Google Workspace user provisioning is now email case-insensitive. {2859}

Security

The 1Password SCIM bridge now uses Debian 11.5-slim. {2890}

2.6.0 (build #206001) – released 2022-08-25

This release introduces full Google Workspace provisioning support.

New

Full Google Workspace provisioning support. {865}

Improvements

Support for a Google Workspace multi-domain configuration. {2623}

Fixed

Users that are suspended upon creation in Google Workspace will also be suspended in 1Password. {2408}
Server health reports no longer persist after switching to and from Google Workspace. {2520}
Ignore conflicting 1Password guest users while using the Google Workspace integration. {2712}
More than 200 Google Workspace groups can now be retrieved by the bridge UI. {2716}

2.5.1 (build #205011) – released 2022-08-11

This release includes a several bug fixes and improvements, as well as a security update.

Improvements

Improved error clarity when attempting to deprovision the last remaining owner of an account. {2672}
User account activation in group memberships can now be changed through Google Workspace push notifications. {2684}

Fixed

Relaxed OP_DOMAIN restrictions to accept values without a scheme. {2647}
Google Workspace group operations on more than 200 users now function correctly. {2678}
Changed Google Workspace group emails are now detected during sync. {2552}
Adding suspended users to configured Google Workspace groups will no longer invite them to 1Password. {2631}

Security

Update Debian packages for the Docker release images. {2694}

2.5.0 (build #205001) – released 2022-07-11

This release features an updated and modernised SCIM bridge UI, alongside a variety of bug fixes, security patches, and other improvements.

This release also features group support for Google Workspace. Google Workspace is currently in a closed beta.

New

Google Workspace Group support. {865}
The SCIM bridge UI has a new, fresh look. {2407}

Improvements

Updated the Workspace API scope to read only. {2445}
Session timeout in the web UI has been increased to ten minutes. {2618}

Fixed

Return the correct error code when an email change is blocked due to domain restrictions. {1725}
Modifying users without changing the email no longer creates noise in the logs. {1714}
Remove duplicate group IDs in group operation logs. {2248}
Filtering by email is now enabled on user queries. {1859}
Domain restrictions will no longer fail when not provided a scheme. {1846}

Security

Improved validation of server parameters in SRP process. Credits to Cure53. {2442}
The web UI session token is now fully cleared from the cache when logging out. {2510}

2.4.1 (build #204011) – released 2022-06-14

This release contains a security fix and addresses vulnerabilities in the Docker image.

Security

Fixed potential timing attack on frontend session protected routes. {2507}
Updated Debian packages for the Docker release images. {2516}

2.4.0 (build #204002) – released 2022-05-26

This release contains improvements to the bridge web UI, a security patch, and a crawling robots rule.

This release also features a closed beta for the Google Workspace integration.

New

Google Workspace User support. {865}

Improvements

SCIM bridge web client status page now shows version number. {1613}
The SCIM bridge web list of logs is now collapsible. {2173}
Group routes are no longer rate limited. {2479}

Fixed

Added crawling robots rule to disallowed crawling and indexing. {2205}

Security

Improved validation of server parameters in SRP process. Credits to Cure53. {2442}

2.3.1 (build #203011) – released 2022-02-17

This release adds metric access for Prometheus in addition to improving the processing of user transitions.

New

Add GET /metrics endpoint to access metrics provided by Prometheus. {1822}

Improvements

Improved clarity of Let's Encrypt domain input field on setup page. {1767}
Upgrade library used for Let's Encrypt functionality to improve reliability. {1947}

Fixed

Include the correct Content-Type header for JSON error responses. {1858}
When a user confirmation throws an error the bridge will now properly process the rest of the queue. {1819}
Users will no longer occasionally get stuck in the initial provisioning state. {1653}

2.3.0 (build #203004) – released 2021-11-25

This release introduces support for JumpCloud, plus other improvements including support for an optional Kubernetes health check.

The health check can be enabled by setting the "OP_PING_SERVER" environment variable, or including the "--ping-server" command line argument. This will configure the SCIM bridge to listen to incoming "GET /ping" requests on port 80. See the help documentation for more details.

New

JumpCloud is now an officially supported identity provider. {880}

Improvements

Further improvements to Let's Encrypt functionality and logging. {1643}
Users in the invited state can now be suspended. {1656}
Added support for an optional Kubernetes health check. {1425}

2.2.1 (build #202011) – released 2021-10-20

This release contains a couple of bug fixes.

Fixed

Store user group memberships in cache to reduce the need to perform a lookup on each request. {1642}
ProvisionWatcher component no longer incorrectly reports health state as 'unknown' when it is actually 'healthy'. {1227}

2.2.0 (build #202001) – released 2021-10-07

This release contains a few bug fixes, a security recommendation and improvements to Let's Encrypt certificate generation.

Improvements

Moved to TLS-ALPN-01 challenge for Let's Encrypt, and improved Let's Encrypt reliability. {858}
Bumped base image to Debian 11.x Bullseye. {1526}
Improved appearance of logs for fatal errors. {1626}

Fixed

Fixed an issue where Okta Push Groups would not have updated names reflected in 1Password. {1582}
A panic could occur when patching or deleting protected groups. {1593}
Group memberships are now correctly represented on data imports from 1Password by the identity provider. {1114}
Make email change requests case-insensitive. {1458}

Security

Changed bearer token field on status login page to be a password input. {1614}

2.1.2 (build #201022) – released 2021-09-07

This release contains a few bug fixes and a security recommendation.

Fixed

Ensure a user's 1Password username matches their Identity Provider's username provided it's an email. {1426}
Get Group returns correctly when a group is no longer managed through automated provisioning. {1456}

Security

Add recommended security headers. Credit: Cure53. {1463}

2.1.0 (build #201001) – released 2021-07-05

This release includes bug fixes, a security update and logging improvements.

Improvements

The ping, monitoring and health endpoints now only log at the debug level. {1369}
Status not found (404) responses are now logged at debug level. {1275}
Minor informational messages are now logged at the debug level. {1272}

Fixed

The SCIM bridge no longer duplicates the givenName/familyName fields if one is left empty. {1358}
Returns a 404 instead of a 302 on requests to the SCIM Challenge Server that are not ACME "http-01" challenges, overriding the default fallback behaviour of autocert. {1356}
Return an existing user on user create request if the user already exists. {1405}

Security

Narrowed the number of cipher suites available when using Let's Encrypt to enhance security. {1444}

2.0.2 (build #200021) – released 2021-05-17

This release resolves an issue where the field value would be printed to the logs when skipping unsupported operations. In some cases the field value could contain Personally Identifiable Information (PII) such as a phone number. The field value is now redacted in the log output for these cases.

Security

Redacted personal information from logs when skipping unsupported operations. {1349}

2.0.1 (build #200011) – released 2021-05-06

This release resolves an issue where a PATCH request containing only unsupported operations would result in an error.

Improvements

Reduced the number of steps necessary for acquiring a Let's Encrypt certificate in one-click installs (Google Cloud Marketplace, Digital Ocean). {1231}

Fixed

A request containing only skipped operations will no longer result in an error response. {1351}

2.0.0 (build #200004) – released 2021-03-31

This is a major release with many improvements, focusing on administrator usability with logging upgrades, Let’s Encrypt stability, and expanded identity provider sourced user modifications. Additionally this release deprecates the five redis configuration parameters in favor of a single redis configuration string. This release also introduces optional configuration parameters to enable logging structured JSON or logging with colorized text. The default log output is still plain text without any colorization. See the op-scim help text for more details.

New

Added ability to update user's preferred language. {974}
Introduced configuration option to output structured JSON logs. {1130}
Introduced configuration option to set log level to debug and include error stack traces. {1130}
Introduced configuration option to enable colorization of text output logs. {1130}
Enable modifying a user's email via a PATCH request on their userName. {855}
Introduced support for a Heroku-style redis configuration string in the form of the redis-url parameter. {1031}

Improvements

The SCIM Bridge more gracefully handles LetsEncrypt failures on the Web UI frontend, allowing the user to specify a new domain. {858}
Error reporting and accuracy has been greatly improved. {915}
Downgraded no session warning log from error to info to indicate that it is not a problem. {1013}
Report redis health on all interactions. {1092}
Replace logging library to improve debugging ability. {1130}
Warn logs are now either errors or info, and provide better information. {1130}
1Password user names default to SCIM user displayName over legal names. {747}
Setup flow error states are more obvious and user friendly. {1129}
Better validation of Let’s Encrypt certificate domains during setup flow and application startup. {1169}
Redirect to the address set for OP_DOMAIN during SCIM Bridge setup. {1039}
Added additional log line to help notify customers when the default port is being used for SCIM setup. {1198}
Moved HTTP logging to the debug level and set default log level to info. {1098}
TLS handshake errors logged by the Let's Encrypt challenge and SCIM setup servers are now logged at debug level to reduce noise in the log output. {1239}
Deprecated redis, redis-host, redis-port, redis-password, and redis-enable-ssl parameters and corresponding environment variables. {1243}

Security

Enforce constant time comparison of authentication tokens. Credit: Cure53. {1176}

1.6.2 (build #106021) – released 2021-02-05

This release is a security patch release.

Security

Improve validation on logs files request. (CVE-2021-26905) {1138}

1.6.1 (build #106012) – released 2020-12-04

This release contains feature improvements and minor fixes.

Improvements

The RFC 7643 Schema endpoint now produces schemas for Schemas, ResourceTypes, and ServiceProviderConfig, produces Meta information, and wraps responses in ListResponses.
Hitting the /ping route will no longer make noise in the logs.
Use preferred language before defaulting to english when a creating a new user. {930}
Updated log statements to all start with lowercase letters. {975}
Updated Dockerfile to have CMD and removed entrypoint from docker-compose files. {1012}

Fixed

The ServiceProviderConfig, ResourceTypes, and Schema endpoints now optionally support authenticated queries.

1.6.0 (build #106001) – released 2020-09-22

This release features a reworked frontend and IDP sourced email changes.

New

Admins can now initiate an email change in 1Password by updating the user's email or username in the identity provider.
SCIM Bridge web UI will display a notice when Advanced Protection Firewall is blocking access.

Improvements

Web UI code has undergone a general overhaul to make the experience more reliable.
Forming a new session and checking an existing authenticated session is faster.
The deprecated OP_SCIMSESSION environment variable is no longer available, use OP_SESSION to configure the bridge to use your scimsession file if it is not in the default location, or is being provided as a base64url string.

Fixed

SCIM Bridge web UI no longer requires reload to show correct health status.
Fixed an issue which was causing some user accounts to fail with Okta's Import Users functionality.

1.5.0 (build #105001) – released 2020-09-01

This release primarily features internal changes to improve compatibility with 1Password.com.

Improvements

The IDP classifier is now less sensitive to unidentified IDPs.

Fixed

Setting all groups to Provisioning Groups via the `Manage All Groups` permission works as expected.

1.4.4 (build #104041) – released 2020-07-29

This release resolves an issue where caching on SCIM setup pages causing confusion for Chrome-based browser users and where users would sometimes have a trailing space in their name when imported.

Fixed

Users would sometimes have a trailing space in their name when imported.
Disabled caching on SCIM setup pages, resolving some issues primarily seen on Chrome-based browsers.

1.4.3 (build #104031) – released 2020-07-10

This release includes the ability for the SCIM bridge to identify which Identity Provider it is connected to. This information will help us improve provisioning capabilities in the future.

New

IDP Identification on the SCIM Bridge.

Improvements

Upgrade base image to Debian 10.x ("Buster")

1.4.2 (build #104021) – released 2020-06-17

This release is functionally identical to the previous release, but uses an updated deployer configuration to fix a file permissions issue that arises when attempting to set up the SCIM bridge on Google Cloud Platform Marketplace.

Fixed

Google Cloud Marketplace deployments can now complete setup successfully.

1.4.1 (build #104011) – released 2020-06-02

This release improves the SCIM bridge's support for pagination in user list results as well as security improvements to one-click installations.

Improvements

Users are sorted by email address when startIndex and count are being requested.

Security

One-click setup flows now use an improved method of installing the scimsession file and prevents encrypted data from being included in logs. (credit Ron Chan)

1.4.0 (build #104001) – released 2020-05-14

This release adds support for automatic lookup of supported SCIM resources per RFC 7643 Sections 5, 6, and 7.

New

Service Provider Config, ResourceTypes, and Schema endpoints
Added support for Rippling as an Identity Provider

Improvements

Handling of conflicting DisplayName with First and Last Name from Azure Active Directory.
Higher quality SCIM Status Page icons

Fixed

Provisioning polling messages are more user friendly
Domain Restrictions now handle trailing characters correctly

1.3.1 (build #103011) – released 2020-03-18

This release introduces enforcement of a minimum TLS version of 1.2 alongside a number of stability and performance improvements.

Improvements

Enforced Minimum TLS Version of 1.2
Default log expiry has been extended to 3 days

Fixed

Handling of error printing in some specific user actions
Panics on PATCH operations when a user is operated on after removal.
Redis Cache connection pool could be exhausted under heavy load

1.3.0 (build #103002) – released 2020-01-14

This release allows administrators of the SCIM Bridge to view the health of the Bridge's components by visiting the SCIM status page, improves the performance of persistent logging in the case of a redis connection failure and improves the user filtering capabilities.

New

Support for viewing health status of SCIM Bridge components

Improvements

Filtering of users now supports filter values with and without quotations

Fixed

Handling of retries and log messages produced from redis connection errors

1.2.1 (build #102011) – released 2019-12-17

This release better handles requests to create a user when a conflict exists

Fixed

Handling of requests to create user when a conflict exists

1.2.0 (build #102002) – released 2019-12-05

This release includes better compatibility with the SCIM 2.0 specification, faster group patch endpoint and a SCIM Bridge health monitoring endpoint. It also adds a fix for suspending the provision manager.

New

Support for OneLogin as an Identity Provider
Health monitoring service for the SCIM Bridge

Improvements

Better support for SCIM 2.0 including serialization of group operations
Faster bulk group PATCH endpoint

Fixed

Suspend provision manager error

1.1.2 (build #101021) – released 2019-11-14

This release fixes the issue of group updates failing for large groups

Fixed

Updating a group with many members will now work as expected

1.1.1 (build #101011) – released 2019-10-16

This release brings ACMEv2 support to the SCIM bridge for future-proofed certificate issuance.

Improvements

Support for ACMEv2 certificate issuance

1.1.0 (build #101001) – released 2019-09-30

This release adds internal features to aid with speed and reliability. It also adds support for troubleshooting using persistent logs

New

Support for persistent logging. To check the SCIM Bridge logs, go to the configured SCIM server URL (e.g. scim.example.com), paste the Bearer Token, and select the log to download.

Improvements

Speed and reliability

1.0.0 (build #100101) – released 2019-07-17

This is a major release of the 1Password SCIM bridge with stability and ease of setup improvements.

Improvements

Testing and integration reliability
Easy setup using the SCIM bridge web interface