This deployment example describes how to deploy 1Password SCIM bridge as an app on DigitalOcean's App Platform service using 1Password CLI, the DigitalOcean command line interface (doctl), and the DigitalOcean 1Password Shell Plugin.
The app consists of two resources: a service for the SCIM bridge container and an internal service for Redis.
README.md: the document that you are reading. 👋😃op-scim-bridge.yaml: an App Platform app spec for 1Password SCIM bridge templated with secret references to load secrets from your 1Password account.
Deploying 1Password SCIM bridge on App Platform comes with a few benefits:
- For standard deployments, App Platform will host your SCIM bridge for a predictable cost of $10 USD/month (at the time of last review).
- You do not need to manage a DNS record. DigitalOcean automatically provides a unique URL for your SCIM bridge.
- App Platform automatically handles TLS certificate management on your behalf to ensure a secure connection from your identity provider.
- You will deploy 1Password SCIM bridge directly to DigitalOcean from your local terminal. There is no requirement to clone this repository for this deployment.
- A 1Password account with an active 1Password Business subscription or trial
Note
Try 1Password Business free for 14 days: https://start.1password.com/sign-up/business
- A DigitalOcean account with available quota for two droplets
Note
If you don't have a DigitalOcean account, you can # for a free trial with starting credit: https://try.digitalocean.com/freetrialoffer/
- A Mac or Linux terminal with Bash, Zsh, or Fish
Install the following on your Mac or Linux machine:
- 1Password 8 for Mac or Linux
- 1Password CLI 2.9.0 or later
doctlNote
Only Step 1: Install doctl in the
doctlinstallation guide is required for this step.
If you haven't already done so, add your 1Password account and connect 1Password CLI to your desktop app, then configure the DigitalOcean shell plugin:
- Add your 1Password account to 1Password 8 for Mac or Linux.
- Connect 1Password CLI to the 1Password app.
- Create a DigitalOcean personal access token with both read and write scopes.
- Configure the DigitalOcean shell plugin. Choose
Import into 1Password…to save your DigitalOcean personal access token in your 1Password account and authenticatedoctl.
Your terminal should now authenticate doctl using the access token stored in your 1Password account (you do not need to run doctl auth init). You can confirm by retrieving your account details:
doctl account get- # to your account on 1Password.com.
- Create a vault to store your 1Password SCIM bridge credentials. This guide assumes the vault is named
op-scimby default, but you can change it to something else if you like.Note
💻 You have to # at 1Password.com to set up automated provisioning, but you can create a vault from any 1Password app, including 1Password CLI, for example:
op vault create "op-scim" --description "1Password SCIM bridge credentials" --icon id-card
- Click Integrations in the sidebar.
- Choose your identity provider from the User Provisioning section.
- Choose "Custom deployment".
- Use the "Save in 1Password" buttons for both the
scimsessionfile and bearer token to save them as items in your 1Password account. Save each in theop-scimvault (or the chosen name for the vault created above). Use the supplied name for these items (or make a note of their names if you choose your own).
The scimsession credentials will be saved as an environment variable in App Platform that DigitalOcean automatically encrypts on your behalf. These credentials have to be Base64-encoded to pass them into the environment, but they're saved as a file in your 1Password item.
Use 1Password CLI to read the file using its secret reference, encode the credentials, and store them as a new field in the "scimession file" item saved in your 1Password account:
op item edit "scimsession file" --vault "op-scim" base64_encoded=$(op read "op://op-scim/scimsession file/scimsession" | base64 | tr -d "\n")Note
If you used a different vault or item name for your SCIM bridge credentials, replace
op-scimandscimsession filewith the respective name(s) you chose.
Stream the app spec template from this repository, use op inject to load in the Base64-encoded scimesssion credentials from your 1Password account, then pipe the output into doctl to deploy 1Password SCIM bridge.
For example, with curl:
curl -s https://raw.githubusercontent.com/1Password/scim-examples/master/beta/do-app-platform-op-cli/op-scim-bridge.yaml | op inject | doctl apps create --spec - --wait1Password SCIM bridge deploys with a live URL output to the terminal (found under the Default Ingress column). Use your bearer token with the URL to test the connection to 1Password. For example:
curl --header "Authorization: Bearer $(op read op://${VAULT:-op-scim}/${ITEM:-"bearer token"}/credential)" https://op-scim-bridge-example.ondigitalocean.app/UsersYou can also access your SCIM bridge by visting the URL in your web browser. # with the bearer token saved in your 1Password account.
If you chose your own name for the vault and items where you saved your SCIM bridge credentials, you can override the defaults using the VAULT and ITEM variables in the secret references. For example:
curl -s https://raw.githubusercontent.com/1Password/scim-examples/master/beta/do-app-platform-op-cli/op-scim-bridge.yaml | VAULT="vault name" ITEM="item name" op inject | doctl apps create --spec - --waitThe latest version of 1Password SCIM bridge is posted on our Release Notes website, where you can find details about the latest changes. The most recent version should also be pinned in op-scim-bridge.yaml, so you can update using the same command as above with the --upsert parameter:
curl -s https://raw.githubusercontent.com/1Password/scim-examples/master/beta/do-app-platform-op-cli/op-scim-bridge.yaml | op inject | doctl apps create --spec - --wait --upsertYou can optionally propose the raw app spec template to verify the cost before deploying to DigitalOcean:
curl -s https://raw.githubusercontent.com/1Password/scim-examples/master/beta/do-app-platform-op-cli/op-scim-bridge.yaml | doctl apps propose --spec -Notes for future improvements to this deployment example:
- Add instructions for vertically scaling SCIM bridge for large-scale deployments
- Enable Google Workspace credentials to be automatically injected with deployment
- Document workaround for deploying from a Windows terminal