Nailing the Security Audit with RRCU

ConductorOne docs

Set up 1Password connector

ConductorOne provides identity governance and just-in-time provisioning for 1Password. Integrate your 1Password instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Why does this connector look different from most others? Unlike most of the software ConductorOne integrates with, 1Password doesn’t expose APIs that can be used to connect the two systems. Additionally, 1Password data can only be gathered from unlocked vaults, which means that a user must unlock the vault and manually kick off the data collection process; a periodic automated data pull won’t work.

To work around these issues, ConductorOne’s 1Password Baton connector uses the 1Password CLI to interact with your vaults. Once the CLI is set up, baton-1password uses it to interact with your 1Password vaults. The connector will capture user and entitlement data in a file that you upload to ConductorOne.

Capabilities

  • Sync user identities from 1Password to ConductorOne

  • Resources supported:

    • Accounts
    • Groups
    • Vaults
  • Provisioning supported:

    • Groups

Integrate your 1Password instance

This connector requires use of 1Password 8 on a Families, Teams, Business, or Enterprise plan. Before you begin, make sure you have a vault set up.

Step 1: Set up the 1Password CLI and locate your sign-in address

  1. Install the 1Password CLI and make sure it is upgraded to the current version.

  2. Locate your 1Password sign-in address by following the instructions in the 1Password docs. We’ll use this address in Step 2.

Step 2: Install baton-1password and generate a .c1z file

  1. Run the brew or source commands shown below to install baton-1password, substituting the sign-in address you looked up in Step 1 for myaddress.1password.com.

    brew

    brew install conductorone/baton/baton conductorone/baton/baton-1password
    baton-1password
    baton resources
    

    source

    go install github.com/conductorone/baton/cmd/baton@main
    go install github.com/conductorone/baton-1password/cmd/baton-1password@main
    
    BATON_ADDRESS=myaddress.1password.com baton-1password
    baton resources
    

Each installation method includes a baton-1password command. This command runs the sync on the connector and stores the gathered data in a sync.c1z file. In the next step, you’ll upload this file to ConductorOne.

Step 3: Upload 1Password data to ConductorOne

This task requires the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, navigate to an existing application you wish to add the connector data to, or create a new application.

    • To create a new application, follow the steps in Create custom applications.

    • To use an existing application, click Applications. On the Managed apps tab, select the application’s name from the list.

  2. On the application’s page, scroll down to the Connectors area of the page.

  3. Click Import app data and select From file.

  4. Click Choose file and select the sync.c1z file generated in Step 2.

Once the upload is complete, ConductorOne adds the information pulled from the connector about accounts, groups, roles, resources, and grants (as relevant) to the application.

To update information in ConductorOne: Re-run the baton-1password command, generate a new sync.c1z file, and re-upload the file to ConductorOne using the process above.