
How to Connect a Password Manager to SSO & Active Directory in 2026

The most reliable way to connect a password manager to SSO and Active Directory in 2026 is to use 1Password with its built-in SCIM bridge and SAML 2.0 integration — it syncs AD users automatically, enforces group-based vault access, and supports both Okta and Azure AD as identity providers without requiring a separate middleware server.


What You'll Accomplish — and Why It Matters

Manually managing password manager accounts alongside Active Directory is a provisioning nightmare: new hires get vault access days late, offboarding leaves orphaned credentials, and IT spends hours reconciling group membership. This guide walks you through provisioning 1Password Business via your Active Directory environment using Azure AD (Entra ID) as the SAML/SCIM bridge. When you're done, AD group membership will automatically grant or revoke vault access, and employees will sign into 1Password with their existing corporate credentials — no second password required.

If you're evaluating broader enterprise options first, our Best Enterprise Password Manager Review (2026) compares eight platforms side by side.


Prerequisites — What You'll Need

  • 1Password Business account (trial or paid; $7.99/user/mo billed annually, 10-seat minimum)
  • Azure Active Directory / Microsoft Entra ID (any tier; P1 or P2 required for group-based assignment of enterprise apps)
  • Global Administrator or Application Administrator role in Azure AD
  • 1Password account owner or administrator permissions
  • A server or container host for the 1Password SCIM bridge (Docker 20.10+, or a Linux VM running Ubuntu 22.04 LTS / Debian 12)
  • OpenSSL installed on the SCIM bridge host (for generating a bearer token)
  • Outbound HTTPS (port 443) from the SCIM bridge host to scim.1password.com
  • Your Azure AD tenant ID and client secret ready (generated during app registration)

Step 1: Create the Enterprise Application in Azure AD

In the Azure portal, navigate to Azure Active Directory → Enterprise Applications → New Application → Create your own application. Name it "1Password SCIM" and select "Integrate any other application you don't find in the gallery".

Once created, go to Single sign-on → SAML. You'll need two values from 1Password before you can finish this screen, so leave it open and proceed to Step 2.

Gotcha: Do not assign users yet. Assign groups in Step 4 after provisioning is configured, or you'll trigger SCIM calls before the bridge is running and generate 401 errors in the Azure provisioning log.


Step 2: Generate Your 1Password SCIM Bridge Credentials

Log into your 1Password Business account at my.1password.com. Go to Integrations → Directory → Azure Active Directory → Set Up SCIM Bridge.

1Password will generate two artifacts:

  • A scimsession file — download and store it securely; you'll mount it into the Docker container.
  • A bearer token — copy it to a password manager vault (ironic but necessary) or a secrets manager. You won't be able to retrieve it again after this screen.

Expected output: A confirmation screen reading "Your SCIM bridge credentials have been generated." If you see "A SCIM bridge is already configured", an existing bridge exists — you must delete it before generating new credentials.


Step 3: Deploy the 1Password SCIM Bridge Container

SSH into your Docker host. Create a working directory and drop the scimsession file there:


mkdir ~/op-scim && mv ~/scimsession ~/op-scim/
cd ~/op-scim

Pull and run the official SCIM bridge image:


docker run -d \
  --name op-scim-bridge \
  --restart unless-stopped \
  -p 3002:3002 \
  -v "$(pwd)/scimsession:/home/opuser/.op/scimsession" \
  -e OP_SESSION=/home/opuser/.op/scimsession \
  1password/scim:v2.9

Verify the container is healthy:


docker logs op-scim-bridge --tail 20

Expected output: "SCIM bridge started on port 3002" with no error lines. If you see "failed to decrypt scimsession", the file was corrupted during transfer — re-download from 1Password and retry.

Gotcha: Azure AD's SCIM provisioning service requires a publicly reachable HTTPS endpoint. Put the container behind an nginx reverse proxy with a valid TLS certificate (Let's Encrypt works fine) before proceeding. Self-signed certs will cause Azure provisioning to fail with a TLS handshake error.


Step 4: Configure Azure AD Provisioning to Point at Your Bridge

Back in the Azure portal, open your "1Password SCIM" enterprise app and go to Provisioning → Automatic.

  • Tenant URL: https://your-scim-bridge-domain.example.com/scim/v2
  • Secret Token: paste the bearer token from Step 2

Click Test Connection. Azure should return "The supplied credentials are authorized to enable provisioning."

Under Mappings, verify that userPrincipalName maps to userName and mail maps to emails[type eq "work"].value. These are the two attributes 1Password requires; all others are optional.

Under Settings, set Scope to "Sync only assigned users and groups", then go to Users and Groups and assign the AD security groups you want to sync.

Set provisioning to On and save. The first sync cycle runs within 40 minutes.


Step 5: Configure SAML SSO in Azure AD

Return to Single sign-on → SAML in the enterprise app. Fill in:

  • Identifier (Entity ID): https://my.1password.com/sso/saml/metadata/
  • Reply URL (ACS URL): https://my.1password.com/sso/saml/callback

Both values are shown in 1Password under Integrations → Single Sign-On. Download the Federation Metadata XML from Azure and upload it into 1Password's SSO configuration screen.

In 1Password, set "Require SSO for all members" if you want to enforce that no one can bypass corporate credentials. Leave it off during testing.

Expected output: Clicking Test in Azure returns a green checkmark and displays a SAML assertion with your test user's email.


Verification — Confirm the Integration Works End to End

  1. Provisioning check: In my.1password.com → People, you should see AD group members listed with status "Active", not "Invited". SCIM-provisioned users skip the invitation email.
  2. SSO check: Open a private browser window, go to my.1password.com, enter a synced user's email, and confirm you're redirected to your Azure AD login page rather than a 1Password password prompt.
  3. Deprovisioning check: Remove a test user from the assigned AD group in Azure. Within 40 minutes (or trigger an on-demand sync), that user should appear as "Suspended" in 1Password — their vault access is revoked but their items are retained per 1Password's data-retention policy.

Recommended Tools for This Integration

1Password — Best Overall for Azure AD + SSO

1Password Business costs $7.99/user/mo billed annually (10-seat minimum). The Teams tier at $4.99/user/mo does not include SSO or SCIM — you need Business or above. Enterprise pricing starts at $11.99/user/mo and adds custom security policies, dedicated onboarding, and a custom retention period for audit logs.

Encryption: AES-256-GCM for vault data, with PBKDF2-SHA256 key derivation. The SCIM bridge communicates over TLS 1.2+. MFA methods include TOTP authenticator apps, WebAuthn/FIDO2 hardware keys (YubiKey 5 series, Google Titan), Duo push, and 1Password's own Duo integration. Headquartered in Toronto, Canada; operates under Canadian privacy law with SOC 2 Type II certification (audited by Schellman, 2024). Supported platforms: Windows 10/11, macOS 13+, iOS 16+, Android 10+, Linux (Debian/RPM packages), Chrome, Firefox, Edge, Safari, Brave.

The honest limitation: the SCIM bridge is self-hosted, meaning you own the infrastructure and uptime. Teams without a DevOps function may find managing a Docker container a friction point. 1Password does offer a hosted SCIM bridge option in beta as of Q1 2026, but it's not yet GA for all Business accounts.

Try 1Password — most complete Azure AD + SCIM integration for mid-market and enterprise teams.


Keeper Security — Best for On-Premises AD Without a Cloud IdP

If your Active Directory is on-premises and you haven't moved to Azure AD or another cloud IdP, Keeper Security is the more practical choice. Keeper's AD Bridge agent runs as a Windows service directly on your domain controller or a member server, syncing users and groups without any cloud identity provider in the middle.

Keeper Security Business costs $4.99/user/mo billed annually (5-seat minimum). The Enterprise tier — required for AD Bridge, SSO, and advanced reporting — costs $6.25/user/mo billed annually (5-seat minimum). Public pricing tops out there; larger volume agreements require contacting sales, but the $6.25 per-seat figure is publicly listed on Keeper's pricing page.

Encryption: AES-256 at rest, TLS 1.3 in transit. Key derivation uses PBKDF2-SHA512. MFA: TOTP, WebAuthn/FIDO2, RSA SecurID, Duo push, SMS (not recommended for high-security environments). Headquartered in Chicago, Illinois, USA; subject to US data-protection law. SOC 2 Type II audited (2024). Supported platforms: Windows 10/11, macOS 12+, iOS 15+, Android 9+, Linux, Chrome, Firefox, Edge, Safari.

Honest limitation: Keeper's vault UI is less polished than 1Password's, and the AD Bridge requires a Windows host — it won't run on Linux.

Try Keeper Security — the right call for on-premises AD environments that haven't migrated to a cloud IdP.

For teams with compliance requirements beyond standard IT, see our Best Password Manager for Healthcare & HIPAA Compliance in 2026 — both 1Password and Keeper appear there with HIPAA-specific configuration notes.


Troubleshooting

Error: "401 Unauthorized" in Azure AD provisioning logs

The bearer token is wrong or expired. In 1Password, go to Integrations → Directory, delete the existing SCIM bridge configuration, and generate fresh credentials. Update the Secret Token field in Azure AD provisioning and test the connection again.

Error: "TLS certificate verify failed" when Azure tests the SCIM bridge connection

Azure AD's provisioning service rejects self-signed certificates. Your SCIM bridge endpoint must have a certificate from a public CA. Use Certbot with Let's Encrypt (certbot --nginx -d your-domain.example.com) and restart nginx. Azure will retry automatically on the next sync cycle.

Error: "failed to decrypt scimsession" in Docker logs

The scimsession file was base64-encoded or corrupted during SCP/SFTP transfer. Re-download it directly from 1Password's SCIM bridge setup screen, copy it with scp -P 22 (scp copies the file byte for byte; avoid any text-mode transfer that could alter it), and verify the MD5 hash matches the original before restarting the container.

Users provisioned but showing as "Invited" instead of "Active" in 1Password

This means SCIM created the account but the user still received an invitation email and hasn't accepted it. Check that your Azure AD attribute mapping for emails[type eq "work"].value is populated — an empty email field causes 1Password to fall back to the invitation flow instead of silent provisioning.
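To see what the Step 4 attribute mappings actually produce, and to catch the empty-email case described above before Azure sends it, here is an added example (not code from the original page, and not 1Password's or Microsoft's code) that builds the SCIM 2.0 User payload Azure would send from a sample AD user and checks the two attributes the guide says 1Password requires. The SCIM schema URN is the standard one from RFC 7643; the AD sample records are constructed, and the accountEnabled → active mapping is assumed here for illustration rather than taken from the Azure default mapping.

```python
"""Build and validate the SCIM 2.0 User payloads Azure AD provisioning sends to the bridge."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

# Constructed sample Azure AD user objects (hypothetical tenant). They carry the
# attributes the provisioning mappings read: userPrincipalName, mail, accountEnabled.
SAMPLE_AD_USERS = [
    {"userPrincipalName": "jane.doe@corp.example.com", "mail": "jane.doe@corp.example.com",
     "givenName": "Jane", "surname": "Doe", "accountEnabled": True},
    # Service account without a mailbox: the mail attribute is empty.
    {"userPrincipalName": "svc.build@corp.example.com", "mail": None,
     "givenName": "Build", "surname": "Service", "accountEnabled": True},
    {"userPrincipalName": "old.hire@corp.example.com", "mail": "old.hire@corp.example.com",
     "givenName": "Olaf", "surname": "Hire", "accountEnabled": False},
]


def build_scim_user(ad_user):
    """Apply the Step 4 mappings: userPrincipalName -> userName and
    mail -> emails[type eq "work"].value. accountEnabled -> active is an
    assumed mapping used here so deprovisioning is visible in the payload."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": ad_user.get("userPrincipalName"),
        "active": bool(ad_user.get("accountEnabled", False)),
        "name": {"givenName": ad_user.get("givenName"),
                 "familyName": ad_user.get("surname")},
        "emails": [{"type": "work", "primary": True, "value": ad_user.get("mail")}],
    }


def work_email(payload):
    """Return emails[type eq "work"].value, or None when the entry is absent or empty."""
    for entry in payload.get("emails", []):
        if entry.get("type") == "work":
            return entry.get("value") or None
    return None


def validate_scim_user(payload):
    """List the problems that would make the bridge reject this user or fall back
    to the invitation flow; an empty list means both required attributes are set."""
    problems = []
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        problems.append("missing core User schema")
    if not payload.get("userName"):
        problems.append("userName is empty (userPrincipalName mapping missing)")
    if work_email(payload) is None:
        problems.append('emails[type eq "work"].value is empty (mail attribute missing)')
    return problems


def check_directory(ad_users):
    """Map every AD user and report, per userName, 'ok' or the list of problems."""
    report = {}
    for user in ad_users:
        payload = build_scim_user(user)
        problems = validate_scim_user(payload)
        report[payload["userName"]] = problems or ["ok"]
    return report


if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_AD_USERS[0]), indent=2))
    for upn, result in check_directory(SAMPLE_AD_USERS).items():
        print(f"{upn}: {'; '.join(result)}")
```

Run this against an export of the users in your assigned AD groups before turning provisioning on; any user flagged for an empty work email is one that would land in 1Password as "Invited" rather than "Active".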

SAML login redirects loop — user sent back to Azure AD repeatedly without logging in

The Entity ID or ACS URL in Azure doesn't match what 1Password expects. Copy the exact strings from 1Password → Integrations → Single Sign-On — even a trailing slash difference breaks SAML assertion validation. Also confirm your 1Password team domain hasn't changed (it does if you rename the team).
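Because SAML compares these identifiers as exact strings, a small checker that reports how a configured value differs from the expected one (trailing slash, case, stray whitespace) is more useful than eyeballing the fields. The following added example (not from the original page, and not 1Password's or Microsoft's code) checks the Step 5 SP values against the two strings the guide lists, and also parses a Federation Metadata XML document to show which tenant it was issued for. The metadata sample is constructed; its tenant ID is an all-zeros placeholder and the login URL shape is assumed for illustration.

```python
"""Check the SAML SP values configured in Azure AD against what 1Password expects."""
import xml.etree.ElementTree as ET

# Expected SP values as listed in the guide (shown in 1Password under
# Integrations -> Single Sign-On).
EXPECTED_SP = {
    "entity_id": "https://my.1password.com/sso/saml/metadata/",
    "acs_url": "https://my.1password.com/sso/saml/callback",
}

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed Federation Metadata XML with a placeholder tenant ID.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def describe_mismatch(field, configured, expected):
    """Explain how a configured value differs; SAML matches these byte for byte,
    so a trailing slash or a stray space is enough to break assertion validation."""
    if configured == expected:
        return None
    if configured.rstrip("/") == expected.rstrip("/"):
        return f"{field}: trailing-slash mismatch ({configured!r} vs expected {expected!r})"
    if configured.strip() == expected:
        return f"{field}: leading/trailing whitespace in configured value"
    if configured.lower() == expected.lower():
        return f"{field}: case mismatch ({configured!r} vs expected {expected!r})"
    return f"{field}: value differs ({configured!r} vs expected {expected!r})"


def check_sp_config(configured, expected=EXPECTED_SP):
    """Return mismatch descriptions for the Identifier and Reply URL fields;
    an empty list means the SP side of the configuration is consistent."""
    findings = []
    for field, expected_value in expected.items():
        configured_value = configured.get(field)
        if configured_value is None:
            findings.append(f"{field}: not configured")
            continue
        note = describe_mismatch(field, configured_value, expected_value)
        if note:
            findings.append(note)
    return findings


def idp_from_metadata(xml_text):
    """Extract the IdP entityID and HTTP-Redirect SSO URL from Federation Metadata XML,
    so you can confirm the file uploaded to 1Password belongs to the right tenant."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    sso_url = None
    for svc in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    return {"entity_id": root.get("entityID"), "sso_redirect_url": sso_url}


if __name__ == "__main__":
    # Constructed misconfiguration: slash dropped on one field, added on the other.
    configured = {"entity_id": "https://my.1password.com/sso/saml/metadata",
                  "acs_url": "https://my.1password.com/sso/saml/callback/"}
    for finding in check_sp_config(configured):
        print(finding)
    print(idp_from_metadata(SAMPLE_IDP_METADATA))
```

Paste the Identifier and Reply URL exactly as Azure shows them into the `configured` dictionary; any finding the checker prints is a candidate cause of the redirect loop.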


FAQ

Does 1Password SSO with Active Directory eliminate the Master Password entirely?

Yes, but with an important caveat. When SSO is enforced on a 1Password Business account, employees authenticate with their corporate identity provider credentials (Azure AD, Okta, etc.) rather than a standalone 1Password Master Password. However, 1Password still uses a locally derived encryption key — the account Secret Key — to decrypt vault data. This key is tied to the device and is not transmitted to 1Password servers. SSO controls access to the account; encryption of vault data remains end-to-end. Users do not type a Master Password at daily login, but the cryptographic key material still exists on-device.

What's the difference between SCIM provisioning and SAML SSO in this context?

SAML SSO controls authentication — it determines how a user proves their identity when logging in (via corporate credentials instead of a 1Password password). SCIM provisioning controls authorization and lifecycle — it automatically creates, updates, and deactivates 1Password accounts based on group membership in Active Directory. You can configure SAML without SCIM (users log in with SSO but are added manually), but configuring SCIM without SAML produces automated provisioning with no single-sign-on benefit. For a complete AD integration, you need both.

Which Active Directory environments does Keeper Security's AD Bridge support?

Keeper Security's AD Bridge supports Windows Server 2012 R2, 2016, 2019, and 2022 running Active Directory Domain Services. It also works with Azure Active Directory (Entra ID) and hybrid AD environments where on-premises AD is synced to Azure via Azure AD Connect. The bridge agent runs as a Windows service and communicates outbound over port 443 to Keeper's cloud. It does not require inbound firewall rules. OpenLDAP and other non-Microsoft LDAP directories are not supported by the AD Bridge — those environments should use Keeper's SCIM endpoint instead.

Can I use NordPass or Dashlane for SSO and Active Directory integration?

NordPass Business ($4.99/user/mo billed annually, 5-seat minimum) supports SAML 2.0 SSO and basic SCIM provisioning, making it compatible with Azure AD. However, as of mid-2026, NordPass's SCIM implementation does not support group-based vault access policies — it provisions users but not group-to-vault mappings. Dashlane Business ($8.00/user/mo billed annually, no stated minimum) supports SAML SSO and SCIM with Azure AD and Okta and does include group-based provisioning. Neither platform offers an on-premises AD connector comparable to Keeper's AD Bridge, making them less suitable for environments without a cloud identity provider.

How long does the initial SCIM sync
