
1Password Business Deployment Options & Rollout 2026
1Password runs as SaaS on AWS. Provisioning is managed for Entra and Okta or self-hosted SCIM for everyone else, and secrets reach code via the CLI.
1Password Business Deployment verdict
1Password is SaaS on AWS, so deployment is really two integration tracks.
One is identity provisioning. The other is developer-secrets automation.
Treat 1Password as two projects you can sequence. Provisioning comes first. If you run Entra ID or Okta, managed provisioning skips the infrastructure entirely. Everyone else self-hosts the SCIM Bridge on GCP, DigitalOcean, Azure Container Apps or AWS. Point a public DNS record at it, then store the scimsession file and bearer token back inside 1Password. Connect the IdP to create, grant, revoke and suspend access. Sync managed groups carefully so you do not create duplicates, and leave the Provision Managers group empty. Unlock with SSO is configured separately from provisioning, so plan for both. Secrets come second. Developers adopt the CLI with op run and op:// references, which keeps plaintext out of the codebase. For automation and CI/CD, create scoped Service Accounts or self-host a Connect server, then use the GitHub Action, which masks any secret that reaches the logs. Wire the SSH agent where developers sign Git commits, and stream the Events API to your SIEM. One dependency needs watching. If the SCIM bridge goes offline, sync pauses until it returns, though nothing is lost. Rotate and guard every token, and drive all lifecycle changes from the IdP.
- Provisioning splits by identity provider. Entra ID and Okta use managed provisioning, everyone else self-hosts the SCIM Bridge, and sign-in via SSO is set up separately.
- Secrets stay out of code through op run and op:// references. Service Accounts and a Connect server cover automation and self-hosted access.
- Operational risk centers on the SCIM bridge staying reachable, and on protecting the scimsession file, the bearer token, plus the service-account token that all grant account access.
- Backend
- 1Password SaaS on AWS
- Provisioning
- SCIM bridge or managed (Entra/Okta)
- Secrets
- op run, Service Accounts, Connect
- CI/CD
- GitHub Actions, masked op:// refs
- Audit
- Events API to SIEM
This page covers how 1Password deploys and is administered. Its compliance posture and pricing live on their own pages.
Deploy 1Password Business: commands and config
Install the CLI and authenticate through the desktop app with Touch ID or Windows Hello, so no API key sits on disk.
brew install 1password-cli
op vault list- Connect exposes a REST API on port 8080; SDKs cover Go, JavaScript and Python
- Every token grants account access, store it in 1Password and rotate it
- CI logs auto-mask any printed secret to ***
Real 1Password Business commands from the official docs. Pick a task to see what it does, then copy the command.
What you run at each 1Password Business layer
| Layer | What you run | Notes |
|---|---|---|
| Backend | 1Password SaaS on AWS | Anti-DDoS; documented RTO and RPO |
| IdP provisioning | Self-hosted SCIM Bridge | Container on GCP, DigitalOcean, Azure or AWS |
| Managed provisioning | Entra ID or Okta | No bridge to host |
| Secrets automation | Service Accounts or Connect | Token-based; Connect is a self-hosted REST server |
| Runtime secrets | op run + secret references | Env vars for process duration, no plaintext on disk |
| Code access | Go, JavaScript, Python SDKs | Biometric or service-account auth |
| Audit | Events API to your SIEM | Sign-in attempts, item usage, admin actions |
| Clients | Apps + signed extensions | 1Password SSH agent for Git workflows |
1Password Business connectors and integration surface
| Integration | Type | Capabilities | Setup |
|---|---|---|---|
| Identity providers (SCIM) | Provisioning | Google Workspace, JumpCloud · Entra ID, Okta · OneLogin, Rippling | Connect via bridge |
| Bridge host platforms | Deploy target | GCP, DigitalOcean · Azure Container Apps · AWS CloudFormation | Customer-hosted |
| Managed provisioning | No-host provisioning | Entra ID, Okta · No SCIM bridge to host · Unlock with SSO (separate) | Configure |
| Service Accounts | Automation auth | Token as env variable · Scoped vaults and Environments · Up to 100 accounts | Create |
| Connect Server | Self-hosted secrets | Docker or Kubernetes · REST API on port 8080 · Terraform, Vault, Ansible plugins | Self-host |
| 1Password CLI | Developer secrets | op run at runtime · Secret references op:// · Shell Plugins | Install |
| SDKs | Programmatic access | Go, JavaScript, Python · Item create, fetch, edit · Biometric or token auth | Integrate |
| CI/CD | Pipeline secrets | GitHub Actions, CircleCI, Jenkins · load-secrets-action with op:// refs · Automatic log masking | Add action |
| SSH and Git | Developer auth | 1Password SSH agent · Ed25519 or RSA keys · Git commit signing | Enable |
| Events API | Audit to SIEM | Sign-in attempts · Item usage · Admin actions | Connect |
| Extended Access Mgmt | Device trust | Zero trust beyond IAM · Device posture | Add-on |
1Password Business rollout plan and risk points
- Self-host preflight: a host platform plus a public DNS record (not needed on Azure Container Apps); setup hands you a scimsession file and bearer token that grant account access, so store them in 1Password.
- A bridge outage pauses sync until it reconnects, but existing accounts are unaffected and there is no data-loss risk on redeploy.
- Gotcha: never change a suspended member's email, or the bridge treats them as a new user on reactivation.
- In CI, any secret printed to logs is auto-masked to three asterisks, cutting accidental exposure.
1Password Business Deployment FAQ
How is 1Password deployed for a business?
The backend is 1Password's own SaaS on AWS, so the enterprise work is provisioning and secrets automation. For provisioning, Entra ID and Okta customers use managed automated provisioning. Every other identity provider self-hosts the SCIM Bridge on a platform like GCP, DigitalOcean, Azure Container Apps or AWS. A public DNS record fronts it, and the IdP then manages users and groups. For secrets, you layer on the CLI, Service Accounts, a Connect server, the SDKs, plus the CI/CD action.
How do developers load secrets without putting them in code?
With the 1Password CLI. op run hands project secrets to a script or application as environment variables, and only for the life of that process, so nothing is hardcoded. Secrets are addressed by reference, like op://vault/item/field, in a .env file or a shared 1Password Environment. For automation, a Service Account token authenticates the CLI, and a self-hosted Connect server serves secrets over a REST API on port 8080.
Which identity providers and host platforms does 1Password support?
For provisioning, the supported identity providers are Google Workspace, JumpCloud, Microsoft Entra ID, Okta, OneLogin, plus Rippling. You can host the SCIM bridge on Google Cloud, DigitalOcean, Azure Container Apps, AWS with CloudFormation, or your own infrastructure. Entra ID and Okta customers skip the bridge entirely with managed provisioning. A public DNS record points to the bridge, except on Azure Container Apps, where it is not required.
How does 1Password fit into a CI/CD pipeline?
Through the Load Secrets from 1Password GitHub Action, with equivalents for CircleCI and Jenkins. You store a service-account token as a repository secret named OP_SERVICE_ACCOUNT_TOKEN, point environment variables at op:// references, and the action resolves them for later steps. Any secret value that reaches the logs is masked automatically and shown as three asterisks.
What happens if the SCIM bridge goes offline?
Syncing pauses, but nothing is lost. While the bridge is unreachable, information stops flowing between 1Password and your identity provider until it reconnects. Existing accounts keep working, and there is no data loss even if you redeploy the bridge. That is why you monitor bridge availability and guard the scimsession file and bearer token, which grant account access.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| 1Password Teams | Official product page | July 10, 2026 |
| 1Password Developer docs | Connect Get Started | July 10, 2026 |
| 1Password Developer docs | CLI Secrets Environment Variables | July 10, 2026 |
| 1Password Developer docs | Sdks | July 10, 2026 |
| 1Password Developer docs | Events API | July 10, 2026 |
| 1Password Developer docs | Ssh Get Started | July 10, 2026 |
| 1Password Developer docs | Service Accounts Get Started | July 10, 2026 |
Every fact on this 1Password Business page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore 1Password Business
Every page on 1Password Business in one place, you are on deployment.
Snapshot, score and verdict
Frameworks covered and what a security review will ask
You are here
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
