1Password Business deployment
★★★★★ 4.7 CE

1Password Business Deployment Options & Rollout 2026

1Password runs as SaaS on AWS. Provisioning is managed for Entra and Okta or self-hosted SCIM for everyone else, and secrets reach code via the CLI.

1Password Business Deployment verdict

Verified today·7 sources checked

1Password is SaaS on AWS, so deployment is really two integration tracks.

One is identity provisioning. The other is developer-secrets automation.

How to roll it out

Treat 1Password as two projects you can sequence. Provisioning comes first. If you run Entra ID or Okta, managed provisioning skips the infrastructure entirely. Everyone else self-hosts the SCIM Bridge on GCP, DigitalOcean, Azure Container Apps or AWS. Point a public DNS record at it, then store the scimsession file and bearer token back inside 1Password. Connect the IdP to create, grant, revoke and suspend access. Sync managed groups carefully so you do not create duplicates, and leave the Provision Managers group empty. Unlock with SSO is configured separately from provisioning, so plan for both. Secrets come second. Developers adopt the CLI with op run and op:// references, which keeps plaintext out of the codebase. For automation and CI/CD, create scoped Service Accounts or self-host a Connect server, then use the GitHub Action, which masks any secret that reaches the logs. Wire the SSH agent where developers sign Git commits, and stream the Events API to your SIEM. One dependency needs watching. If the SCIM bridge goes offline, sync pauses until it returns, though nothing is lost. Rotate and guard every token, and drive all lifecycle changes from the IdP.

Honest limits
  • Provisioning splits by identity provider. Entra ID and Okta use managed provisioning, everyone else self-hosts the SCIM Bridge, and sign-in via SSO is set up separately.
  • Secrets stay out of code through op run and op:// references. Service Accounts and a Connect server cover automation and self-hosted access.
  • Operational risk centers on the SCIM bridge staying reachable, and on protecting the scimsession file, the bearer token, plus the service-account token that all grant account access.
Backend
1Password SaaS on AWS
Provisioning
SCIM bridge or managed (Entra/Okta)
Secrets
op run, Service Accounts, Connect
CI/CD
GitHub Actions, masked op:// refs
Audit
Events API to SIEM
View sources

This page covers how 1Password deploys and is administered. Its compliance posture and pricing live on their own pages.

Deploy 1Password Business: commands and config

What you run at each 1Password Business layer

LayerWhat you runNotes
Backend1Password SaaS on AWSAnti-DDoS; documented RTO and RPO
IdP provisioningSelf-hosted SCIM BridgeContainer on GCP, DigitalOcean, Azure or AWS
Managed provisioningEntra ID or OktaNo bridge to host
Secrets automationService Accounts or ConnectToken-based; Connect is a self-hosted REST server
Runtime secretsop run + secret referencesEnv vars for process duration, no plaintext on disk
Code accessGo, JavaScript, Python SDKsBiometric or service-account auth
AuditEvents API to your SIEMSign-in attempts, item usage, admin actions
ClientsApps + signed extensions1Password SSH agent for Git workflows

1Password Business connectors and integration surface

IntegrationTypeCapabilitiesSetup
Identity providers (SCIM)ProvisioningGoogle Workspace, JumpCloud · Entra ID, Okta · OneLogin, RipplingConnect via bridge
Bridge host platformsDeploy targetGCP, DigitalOcean · Azure Container Apps · AWS CloudFormationCustomer-hosted
Managed provisioningNo-host provisioningEntra ID, Okta · No SCIM bridge to host · Unlock with SSO (separate)Configure
Service AccountsAutomation authToken as env variable · Scoped vaults and Environments · Up to 100 accountsCreate
Connect ServerSelf-hosted secretsDocker or Kubernetes · REST API on port 8080 · Terraform, Vault, Ansible pluginsSelf-host
1Password CLIDeveloper secretsop run at runtime · Secret references op:// · Shell PluginsInstall
SDKsProgrammatic accessGo, JavaScript, Python · Item create, fetch, edit · Biometric or token authIntegrate
CI/CDPipeline secretsGitHub Actions, CircleCI, Jenkins · load-secrets-action with op:// refs · Automatic log maskingAdd action
SSH and GitDeveloper auth1Password SSH agent · Ed25519 or RSA keys · Git commit signingEnable
Events APIAudit to SIEMSign-in attempts · Item usage · Admin actionsConnect
Extended Access MgmtDevice trustZero trust beyond IAM · Device postureAdd-on

1Password Business rollout plan and risk points

  • Self-host preflight: a host platform plus a public DNS record (not needed on Azure Container Apps); setup hands you a scimsession file and bearer token that grant account access, so store them in 1Password.
  • A bridge outage pauses sync until it reconnects, but existing accounts are unaffected and there is no data-loss risk on redeploy.
  • Gotcha: never change a suspended member's email, or the bridge treats them as a new user on reactivation.
  • In CI, any secret printed to logs is auto-masked to three asterisks, cutting accidental exposure.

1Password Business Deployment FAQ

How is 1Password deployed for a business?

The backend is 1Password's own SaaS on AWS, so the enterprise work is provisioning and secrets automation. For provisioning, Entra ID and Okta customers use managed automated provisioning. Every other identity provider self-hosts the SCIM Bridge on a platform like GCP, DigitalOcean, Azure Container Apps or AWS. A public DNS record fronts it, and the IdP then manages users and groups. For secrets, you layer on the CLI, Service Accounts, a Connect server, the SDKs, plus the CI/CD action.

How do developers load secrets without putting them in code?

With the 1Password CLI. op run hands project secrets to a script or application as environment variables, and only for the life of that process, so nothing is hardcoded. Secrets are addressed by reference, like op://vault/item/field, in a .env file or a shared 1Password Environment. For automation, a Service Account token authenticates the CLI, and a self-hosted Connect server serves secrets over a REST API on port 8080.

Which identity providers and host platforms does 1Password support?

For provisioning, the supported identity providers are Google Workspace, JumpCloud, Microsoft Entra ID, Okta, OneLogin, plus Rippling. You can host the SCIM bridge on Google Cloud, DigitalOcean, Azure Container Apps, AWS with CloudFormation, or your own infrastructure. Entra ID and Okta customers skip the bridge entirely with managed provisioning. A public DNS record points to the bridge, except on Azure Container Apps, where it is not required.

How does 1Password fit into a CI/CD pipeline?

Through the Load Secrets from 1Password GitHub Action, with equivalents for CircleCI and Jenkins. You store a service-account token as a repository secret named OP_SERVICE_ACCOUNT_TOKEN, point environment variables at op:// references, and the action resolves them for later steps. Any secret value that reaches the logs is masked automatically and shown as three asterisks.

What happens if the SCIM bridge goes offline?

Syncing pauses, but nothing is lost. While the bridge is unreachable, information stops flowing between 1Password and your identity provider until it reconnects. Existing accounts keep working, and there is no data loss even if you redeploy the bridge. That is why you monitor bridge availability and guard the scimsession file and bearer token, which grant account access.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
1Password TeamsOfficial product pageJuly 10, 2026
1Password Developer docsConnect Get StartedJuly 10, 2026
1Password Developer docsCLI Secrets Environment VariablesJuly 10, 2026
1Password Developer docsSdksJuly 10, 2026
1Password Developer docsEvents APIJuly 10, 2026
1Password Developer docsSsh Get StartedJuly 10, 2026
1Password Developer docsService Accounts Get StartedJuly 10, 2026

Every fact on this 1Password Business page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.