Single Sign-On (SSO) integration allows your team members to unlock 1Password using their existing corporate credentials instead of managing a separate 1Password account password. This guide covers configuring Unlock with SSO for 1Password Business with popular identity providers.
Prerequisites
Before you begin, ensure you have:
- 1Password Business subscription (SSO is not available on Teams plans)
- Owner or administrator access to your 1Password Business account
- Administrator access to your identity provider (Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, Duo, etc.)
- Team members using 1Password 8 (SSO doesn't work with 1Password 7)
- Understanding of OIDC (OpenID Connect) protocol basics
Understanding Unlock with SSO
How It Works
1Password's Unlock with SSO uses the OpenID Connect (OIDC) protocol with:
- Authorization Code Flow with PKCE (Proof Key for Code Exchange), so an authorization code captured on its way back to the app cannot be redeemed without the code verifier that never leaves the 1Password client
- A public (native) client registration, so there is no client secret to store in 1Password or to leak from it
- Token exchange between the identity provider and 1Password over TLS
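The flow above, as an added example that is not 1Password's or any identity provider's code: a Python model of the Authorization Code + PKCE exchange from the public client's side, with a constructed stand-in for the IdP's authorize and token endpoints. The endpoint URLs, client ID and sign-in address are placeholders; the two redirect URIs are the ones this guide registers. It shows why a public client can be secret-free: an authorization code obtained without the verifier is useless at the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders for the values this guide has you collect (assumptions, not real)
AUTHORIZE_ENDPOINT = "https://your-domain.okta.com/oauth2/v1/authorize"
TOKEN_ENDPOINT = "https://your-domain.okta.com/oauth2/v1/token"
CLIENT_ID = "0oaexampleclientid"
# The two redirect URIs registered for 1Password (web callback and app scheme)
REDIRECT_URIS = (
    "https://yourcompany.1password.com/sso/oidc/redirect",
    "onepassword://sso/oidc/redirect",
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes -> 43-character verifier, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def challenge_from_verifier(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str,
                        redirect_uri: str = REDIRECT_URIS[0]) -> str:
    """The request the 1Password client hands to the user's browser."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",          # Authorization Code flow
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,                   # binds the callback to this attempt
        "nonce": nonce,                   # echoed back inside the ID token
        "code_challenge": challenge_from_verifier(verifier),
        "code_challenge_method": "S256",  # never 'plain'
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class FakeAuthServer:
    """Constructed stand-in for the IdP: remembers the challenge bound to each
    code and enforces the RFC 7636 check at the token endpoint. Not a real IdP."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, url: str) -> str:
        """Returns an authorization code after the (simulated) user signs in."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("code_challenge_method") != "S256":
            raise ValueError("S256 is required for native clients")
        if q.get("redirect_uri") not in REDIRECT_URIS:
            raise ValueError("redirect_uri must exactly match a registered URI")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["code_challenge"], q["redirect_uri"])
        return code

    def token(self, code: str, verifier: str, redirect_uri: str) -> bool:
        """True if the code may be redeemed; no client_secret is involved."""
        challenge, bound_uri = self._codes.pop(code, (None, None))  # single use
        if challenge is None or bound_uri != redirect_uri:
            return False
        return secrets.compare_digest(challenge_from_verifier(verifier), challenge)


def run_flow(server: FakeAuthServer, code_is_stolen: bool = False) -> bool:
    """End-to-end exchange. With code_is_stolen the code is redeemed by a party
    that saw the redirect but never held the verifier."""
    verifier = make_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    code = server.authorize(build_authorize_url(verifier, state, nonce))
    presented = make_verifier() if code_is_stolen else verifier
    return server.token(code, presented, REDIRECT_URIS[0])
```

The challenge function reproduces the RFC 7636 Appendix B test vector, which is a quick way to confirm any PKCE implementation before pointing it at a real provider.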
Important Limitations
| Limitation | Details |
|---|---|
| Owners cannot use SSO | Security measure to prevent lockout |
| Requires internet | Offline access via biometrics only |
| 1Password 8 required | Earlier versions not supported |
| OIDC only (currently) | SAML support planned |
| No automated provisioning | Use SCIM separately for user management |
Step 1: Prepare Your 1Password Account
Verify Account Requirements
- Sign in to 1Password.com as an owner
- Navigate to Settings > Sign-in & Security
- Verify your subscription includes SSO
- Note your 1Password sign-in address (e.g., yourcompany.1password.com)
Plan Your Rollout
Before enabling SSO:
- Identify a pilot group for testing
- Communicate the change to team members
- Prepare documentation for the new sign-in process
- Ensure IT support is ready to help with issues
Step 2: Configure Your Identity Provider
Configure SSO with Okta
Create the Application in Okta
- Sign in to your Okta Admin Console (https://your-domain-admin.okta.com)
- Navigate to Applications > Applications
- Click Create App Integration
- Select OIDC - OpenID Connect as the sign-in method
- Select Native Application as the application type
- Click Next
Configure Application Settings
- App integration name: Enter "1Password" or similar
- Grant type: Select Authorization Code
- Sign-in redirect URIs: Add both (they must match exactly, including the custom scheme):
  - https://YOUR_DOMAIN.1password.com/sso/oidc/redirect
  - onepassword://sso/oidc/redirect
- Sign-out redirect URIs: Leave empty
- Controlled access: Select who can access the application
- Click Save
Configure Client Credentials
- After creation, go to the General tab
- Scroll to Client Credentials
- Change Client authentication to None
- Check Require PKCE as additional verification
- Click Save
Note Required Values
Record these values for 1Password configuration:
| Setting | Where to Find |
|---|---|
| Client ID | General tab > Client Credentials |
| Authorization Server URL | Usually https://your-domain.okta.com (the org authorization server; its discovery document is at https://your-domain.okta.com/.well-known/openid-configuration) |
Assign Users
- Go to the Assignments tab
- Click Assign > Assign to People or Assign to Groups
- Select users who should use SSO
- Click Done
Important: Assign yourself first before configuring 1Password.
Configure SSO with Microsoft Entra ID (Azure AD)
Register the Application
- Sign in to Azure Portal at portal.azure.com
- Navigate to Microsoft Entra ID > App registrations
- Click New registration
- Configure:
- Name: "1Password"
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Select "Public client/native" and add:
https://YOUR_DOMAIN.1password.com/sso/oidc/redirect
- Click Register
Add Additional Redirect URI
- Go to Authentication
- Under Platform configurations, click Add a platform
- Select Mobile and desktop applications
- Add: onepassword://sso/oidc/redirect
- Click Configure
Configure API Permissions
- Navigate to API permissions
- Verify Microsoft Graph > User.Read is present
- Click Grant admin consent if required
Note Required Values
| Setting | Where to Find |
|---|---|
| Application (client) ID | Overview page |
| Directory (tenant) ID | Overview page |
| Authorization endpoint | Endpoints > OAuth 2.0 authorization endpoint |
Configure SSO with OneLogin
- Sign in to OneLogin Admin Portal
- Navigate to Applications > Add App
- Search for "OpenId Connect" and select OpenId Connect (OIDC)
- Configure:
- Display Name: "1Password"
- Redirect URIs: Add both 1Password URIs
- Application Type: Native
- Note the Client ID and Issuer URL
- Assign users to the application
Configure SSO with Duo
- Sign in to Duo Admin Panel
- Navigate to Applications > Protect an Application
- Search for and select Generic OIDC Relying Party
- Configure redirect URIs and settings
- Note Client ID and Issuer URL
- Assign users via Duo groups
Step 3: Configure 1Password for SSO
Enable Unlock with SSO
- Sign in to 1Password.com as an owner
- Navigate to Settings > Sign-in & Security
- Find Unlock with SSO and click Set Up
- Click Get Started
Enter Identity Provider Details
- Display name: How SSO appears to users (e.g., "Sign in with Okta")
- Authorization endpoint: From your identity provider
  - Okta: https://your-domain.okta.com/oauth2/v1/authorize
  - Azure: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
- Token endpoint: From your identity provider
  - Okta: https://your-domain.okta.com/oauth2/v1/token
  - Azure: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
- Client ID: From your identity provider application
- Click Continue
Both endpoints are also published in the provider's OIDC discovery document (the issuer URL followed by /.well-known/openid-configuration); copying them from there avoids typos in the tenant or domain.
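Before pasting endpoints into 1Password it is worth checking the discovery document for the properties this flow depends on. The following is an added example, not 1Password or identity-provider code: a Python pre-flight over a constructed discovery document shaped like an Okta org authorization server's (the issuer is a placeholder). Hard failures (issuer mismatch, non-HTTPS endpoints, no code flow) are reported as problems; optional keys a provider omits are reported as warnings to confirm in its documentation rather than as failures.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the shape of an OIDC discovery document.
# The issuer is a placeholder; fetch the real document from
# <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-domain.okta.com",
    "authorization_endpoint": "https://your-domain.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-domain.okta.com/oauth2/v1/token",
    "jwks_uri": "https://your-domain.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json: str, expected_issuer: str) -> dict:
    """Returns the endpoints to paste into 1Password, plus problems
    (misconfiguration) and warnings (optional keys the provider omitted)."""
    doc = json.loads(doc_json)
    problems, warnings = [], []

    # The issuer must be the one you expect; ID tokens will carry it as 'iss'
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")

    # Every endpoint 1Password will talk to must exist and be HTTPS
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} missing or not https: {url!r}")

    # Authorization Code flow must be available (RFC 8414 default grants apply
    # when grant_types_supported is absent)
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    if "authorization_code" not in doc.get("grant_types_supported",
                                            ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not supported")

    def advisory(key: str, value: str) -> None:
        values = doc.get(key)
        if values is None:
            warnings.append(f"{key} not published; confirm {value} in provider docs")
        elif value not in values:
            problems.append(f"{value} not in {key}: {values}")

    advisory("code_challenge_methods_supported", "S256")   # PKCE method 1Password uses
    advisory("id_token_signing_alg_values_supported", "RS256")

    return {
        "authorization_endpoint": doc.get("authorization_endpoint"),
        "token_endpoint": doc.get("token_endpoint"),
        "ok": not problems,
        "problems": problems,
        "warnings": warnings,
    }
```

Run it against the document fetched from your own issuer with the issuer you intend to configure; a mismatch usually means a custom domain or a non-default authorization server was mixed up with the org URL.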
Verify Configuration
- Click Sign in with [Your IDP] to test
- Complete authentication with your identity provider
- Verify you return to 1Password successfully
- Click Enable Unlock with SSO
Step 4: Configure Biometric Unlock for Offline Access
Since SSO requires internet, enable biometrics for offline scenarios:
- Navigate to Settings > Sign-in & Security
- Find Biometric unlock
- Enable Allow biometric unlock
- Set the re-authentication frequency:
- Every 14 days (recommended)
- Every 7 days
- Every day
Between re-authentications, users unlock with biometrics and must authenticate with SSO again when the interval expires. A longer interval is more convenient, but it also extends how long a device can keep unlocking locally after its user has been removed from the identity provider, so pair the longest setting with prompt device offboarding.
Step 5: Roll Out to Team Members
Phase 1: Pilot Group
- Create a test group of 5-10 users
- Assign them to the identity provider application
- Have them test signing in with SSO
- Gather feedback and address issues
Phase 2: Department Rollout
- Roll out to one department at a time
- Provide training materials
- Monitor for issues
- Adjust configuration as needed
Phase 3: Organization-Wide
- Enable for all remaining users
- Send communication about the change
- Provide support resources
- Monitor adoption metrics
User Experience
After SSO is configured, team members will:
- Open 1Password app
- Click Sign in with [Your Identity Provider]
- Authenticate with their corporate credentials
- Be redirected back to 1Password, unlocked
Step 6: Configure SSO Policies (Optional)
Require SSO for All Members
To ensure everyone uses SSO:
- Navigate to Settings > Sign-in & Security
- Enable Require Unlock with SSO
- Users will no longer be able to use account passwords
Warning: Ensure all users are assigned in your identity provider before requiring SSO.
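A check worth running before requiring SSO, as an added example rather than anything 1Password or your identity provider ships: compare a 1Password member list with the identity provider application's assignment list and report who would be locked out. Both lists below are constructed sample data standing in for a member export and an IdP assignment export; it keeps owners on password sign-in, as this guide says the product does, and normalises email case so "Erin@Example.com" and "erin@example.com" are treated as the same person.

```python
# Constructed sample: (email, role) as a 1Password member export might list them
ONEPASSWORD_MEMBERS = [
    ("alice@example.com", "owner"),
    ("bob@example.com", "administrator"),
    ("carol@example.com", "member"),
    ("dave@example.com", "member"),
    ("Erin@Example.com", "member"),
]

# Constructed sample: users assigned to the "1Password" app in the IdP
IDP_ASSIGNED = ["bob@example.com", "carol@example.com", "erin@example.com"]


def normalise(email: str) -> str:
    """Email addresses are case-insensitive for matching purposes."""
    return email.strip().lower()


def preflight(members: list[tuple[str, str]], assigned: list[str],
              owners_use_sso: bool = False) -> dict:
    """Classify every 1Password member before 'Require Unlock with SSO' is on.

    ready          - assigned in the IdP, will sign in with SSO
    not_assigned   - would be locked out once SSO is required
    password_only  - owners, who keep their account password (per this guide)
    """
    assigned_set = {normalise(e) for e in assigned}
    report = {"ready": [], "not_assigned": [], "password_only": []}
    for email, role in members:
        e = normalise(email)
        if role == "owner" and not owners_use_sso:
            report["password_only"].append(e)
        elif e in assigned_set:
            report["ready"].append(e)
        else:
            report["not_assigned"].append(e)
    # Assigned in the IdP but not a 1Password member: no lockout risk, but it
    # usually means provisioning (SCIM) is lagging or the assignment is stale
    member_set = {normalise(email) for email, _ in members}
    report["assigned_not_member"] = sorted(assigned_set - member_set)
    report["safe_to_require"] = not report["not_assigned"]
    return report


if __name__ == "__main__":
    result = preflight(ONEPASSWORD_MEMBERS, IDP_ASSIGNED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Only enable "Require Unlock with SSO" when the report shows an empty not_assigned list; anyone listed there needs an IdP assignment first.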
Configure Session Duration
Control how long SSO sessions remain valid:
- In your identity provider, adjust session policies
- Consider security vs. convenience trade-offs
- Typical settings: 8-12 hours for active sessions
Troubleshooting Common Issues
SSO Sign-In Fails
Solutions:
- Verify the user is assigned to the application in your IDP
- Check that the redirect URIs match exactly, including onepassword://sso/oidc/redirect
- Confirm PKCE is enabled (for Okta)
- Review identity provider logs for errors
User Locked Out
Solutions:
- Owners can still sign in with account password
- Check if user was removed from IDP application
- Use account recovery if needed
- Verify identity provider is operational
"Invalid Client" Error
Solutions:
- Verify Client ID is correct
- Check client authentication is set to "None" (public client)
- Confirm PKCE is required/enabled
- If the application was registered as a confidential (web) client, recreate it as a native/public client; a PKCE public client has no secret to regenerate
Users Can't Access Offline
Solutions:
- Enable biometric unlock in 1Password settings
- Have users authenticate with SSO while online first
- Verify biometric unlock is enabled on user devices
Best Practices for SSO Security
Identity Provider Security
- Enable MFA in your identity provider
- Use conditional access policies where available
- Monitor for suspicious sign-in attempts
- Regularly review application assignments
1Password Configuration
- Keep account owners on password-based auth (required)
- Set appropriate session timeouts
- Enable biometric unlock for convenience
- Monitor sign-in activity in 1Password reports
Incident Response
Prepare for identity provider outages:
- Document the fallback process (account recovery)
- Ensure owners can still access the account
- Have identity provider support contacts ready
- Consider geographic redundancy for your IDP
Combining SSO with SCIM
For full identity provider integration:
| Feature | SSO | SCIM |
|---|---|---|
| User authentication | Yes | No |
| User provisioning | No | Yes |
| User suspension | No | Yes |
| Group sync | No | Yes |
| Configured independently | Yes | Yes |
Configure both for the best experience:
- SCIM handles user lifecycle (join/leave)
- SSO handles daily authentication
Next Steps
After configuring SSO:
- Set up SCIM: Automate user provisioning
- Configure policies: Establish password and access policies
- Enable Watchtower: Monitor credential security
- Create reports: Track SSO adoption and usage
- Document procedures: Update IT runbooks
Additional Resources
Need help with your SSO integration? Inventive HQ specializes in identity and access management, including 1Password SSO configuration, identity provider integration, and security policy implementation. Contact us for a free consultation.