1Password SCIM Bridge

SCIM bridge for 1Password user provisioning from Google Workspace

The 1Password SCIM Bridge enables automated user provisioning between Google Workspace and 1Password, synchronising user accounts and group memberships.

ArgoCD Resource

Property	Value
Kind	`Application`
Name	`onepassword-scim-bridge`
Namespace	`argocd`
Destination Namespace	`onepassword`
Project	`infra-services`
Source Type	Helm
Chart	`op-scim-bridge`
Chart Version	`2.11.9`
File Path	`k8s/infra-services/argocd/overlays/infra-platform-cluster/apps/onepassword-scim-bridge.yaml`

Application Definition

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: onepassword-scim-bridge
  namespace: argocd
  labels:
    cluster: 'infra-platform-mgmt'
    environment: 'prod'
  annotations:
    notifications.argoproj.io/subscribe.on-app-synced.slack: platform-infra-notifications
    notifications.argoproj.io/subscribe.on-app-outofsync.slack: platform-infra-notifications
    notifications.argoproj.io/subscribe.on-app-sync-failed.slack: platform-infra-notifications
    notifications.argoproj.io/subscribe.on-app-degraded.slack: platform-infra-notifications
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: onepassword
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    chart: op-scim-bridge
    repoURL: https://1password.github.io/op-scim-helm
    targetRevision: '2.11.9'
    helm:
      valuesObject:
        # ... (see full values below)

Helm Values

The Application uses inline Helm values in the valuesObject:

Core Settings

Setting	Value	Purpose
`fullnameOverride`	`onepassword-scim-bridge`	Resource naming
`scim.domain`	`titanbay.1password.eu`	1Password domain
`service.type`	`ClusterIP`	Internal service only

SCIM Configuration

Setting	Value	Purpose
`scim.credentials.secrets.enabled`	`true`	Use Kubernetes secrets
`scim.credentials.secrets.googleWorkspace`	`true`	Google Workspace integration
`scim.credentials.secrets.create`	`false`	Secret managed externally
`scim.config.redisURL`	`redis://onepassword-scim-bridge-redis-master:6379`	Redis connection
`scim.config.debug`	`true`	Debug logging enabled

Redis Configuration

Setting	Value	Purpose
`redis.enabled`	`true`	Deploy Redis alongside
`redis.architecture`	`standalone`	Single Redis instance
`redis.auth.enabled`	`false`	No authentication

Resource Limits

Component	CPU Request	Memory Request	CPU Limit	Memory Limit
SCIM Bridge	125m	256M	250m	512M
Redis	125m	256M	250m	512M

How to Update

Upgrading the Chart

Update targetRevision in apps/onepassword-scim-bridge.yaml
Review the 1Password SCIM Bridge changelog
Commit and push to main

Modifying Configuration

Edit the valuesObject in apps/onepassword-scim-bridge.yaml
Commit and push to main

Secrets Management

The SCIM bridge requires credentials stored in a Kubernetes Secret. The secret is managed externally (not created by the Helm chart).

Required secret contents:

Key	Purpose
SCIM bearer token	Authentication with 1Password
Google Workspace credentials	Service account for user sync

Sync Options

The Application uses ServerSideApply=true to handle complex resource merging from the Helm chart.

Notifications

The Application sends Slack notifications to #platform-infra-notifications for:

Sync success
Out of sync detection
Sync failures
Degraded health

Last modified January 19, 2026: docs: add ArgoCD managed services (#1932) (2efa8f20)