Set up 1Password connector
Why does this connector look different from most others? Unlike most of the software ConductorOne integrates with, 1Password doesn’t expose APIs that can be used to connect the two systems. Additionally, 1Password data can only be gathered from unlocked vaults, which means that a user must unlock the vault and manually kick off the data collection process; a periodic automated data pull won’t work.
To work around these issues, ConductorOne’s 1Password Baton connector uses the 1Password CLI to interact with your vaults. Once the CLI is set up,
baton-1passworduses it to interact with your 1Password vaults. The connector will capture user and entitlement data in a file that you upload to ConductorOne.
Capabilities
| Resource | Sync | Provision |
|---|---|---|
| Accounts | ✅ | |
| Groups | ✅ | ✅ |
| Vaults | ✅ |
Available hosting methods
Choose the hosting method that best suits your needs:
| Method | Availability | Notes |
|---|---|---|
| Cloud-hosted | A built-in, no-code connector hosted by ConductorOne. | |
| Self-hosted | ✅ | The 1Password connector, hosted and run in your own environment. |
Set up a 1Password self-hosted connector
To complete this task, you’ll need:
- The Connector Administrator or Super Administrator role in ConductorOne
- 1Password 8 on a Families, Teams, Business, or Enterprise plan
- A 1Password vault
Step 1: Set up the 1Password CLI and locate your sign-in address
Install the 1Password CLI and make sure it is upgraded to the current version.
Locate your 1Password sign-in address by following the instructions in the 1Password docs. We’ll use this address in Step 2.
Step 2: Install and run baton-1password
Run the source commands shown below to install
baton-1password, substituting the sign-in address you looked up in Step 1 formyaddress.1password.com.source
go install github.com/conductorone/baton/cmd/baton@main go install github.com/conductorone/baton-1password/cmd/baton-1password@main BATON_ADDRESS=myaddress.1password.com baton-1password baton resources
Step 3: Configure the 1Password connector in ConductorOne
In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new 1Password connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.
Step 4: Add credentials to your self-hosted connector
On the server or VM where your self-hosted connector is running, pass in the Client ID and Secret generated in Step 3 by running
--client-id <CLIENT ID> --client-secret <SECRET>.Run
baton-1password --helpto see the list of flags to be used when passing your credentials to the connector.The connector syncs current data, uploads it to ConductorOne, and prints a
Task complete!message when finished.Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Baton connector to. The data should be found on the Resources and Accounts tabs, as appropriate.
That’s it! Your 1Password connector is now pulling access data into ConductorOne.