Single Sign On Logins Vs Watchtower


I've got a couple of separate logins for URLs that use either the same Enterprise SSO credentials, or a verification of them. For example, one URL requires a "domain\username" while another only requires "username." Both use the same root username and password. Another URL of the same SSO requires an alias which links to "username", but if "username" is entered instead of the alias, the login will fail.

Watchtower reports these as reused passwords.

—Is there a way to link these logins so they are considered SSO logins which excuse the Watchtower alert?

—if possible, also allows for the updating of the linked SSO password entries at the same time the other password entry is updated? (But not the username)

Grouping all URLs inside the same login doesn't quite work for this case due to the variation on the username requirements. Manual user intervention would be required.


1Password Version: 7.2.3
Extension Version: 7.2.3
OS Version: macOS 10.14.5
Sync Type: 1Password Cloud

Comments

  • AGAlumB
    1Password Alumni

    —Is there a way to link these logins so they are considered SSO logins which excuse the Watchtower alert?

    @RyanPoirier: There is not a way to "link" them, but we're exploring ways to allow for dismissing specific notices -- without circumventing the security function of Watchtower.

    —if possible, also allows for the updating of the linked SSO password entries at the same time the other password entry is updated? (But not the username)

    Each item is individually encrypted, so they're each completely separate. That's important not only for security since your whole vault is not decrypted all at once, but also since you may need/want to move an item to another vault/account at some point.

    "Linking" as a concept is nice, but there are a lot of things that need to be considered.

    Grouping all URLs inside the same login doesn't quite work for this case due to the variation on the username requirements. Manual user intervention would be required.

    Understood. Some people work around this by using a single Login item with multiple URLs and custom fields for additional usernames (for reference) while having the webpage save their username. I know that isn't going to work in all cases though, so we're looking into having an option to ignore individual Watchtower notices. Thanks for your feedback on this -- especially the specific examples!

This discussion has been closed.