SCIM container on AWS ECS behind ALB

senthil (Community Member)

We are trying to run the SCIM container on ECS behind a load balancer.

  • We are able to bring the container up and access the setup. The setup starts on port 3002 and, as we log in to 1Password and install the scimsession file, the setup server stops and restarts on some other port (8443). How do we avoid that?
  • As this is behind the load balancer and we terminate TLS, we would not need to run the LetsEncrypt setup within the container. How do we disable that?
  • We also wanted to generate the scimsession file and start the container with the OP_SESSION environment variable set (cat scimsession | base64 | tr -d "\n"). But when we do that, the setup server does not seem to start on 3002.

Can we have more detailed instructions on running the SCIM container behind the load balancer?

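To illustrate the encoding step in the third bullet, here is an added shell example (not from the thread or from 1Password) that builds the one-line OP_SESSION value from a scimsession file and verifies it round-trips; it assumes GNU coreutils base64 and uses the OP_SESSION name exactly as the poster does.

```shell
# Added example, not 1Password's code. GNU base64 wraps output at 76
# columns, so a value pasted into an environment variable or task
# definition without the newline strip would contain line breaks.

# Encode a scimsession file into a single-line base64 string.
op_session_from_file() {
    base64 < "$1" | tr -d '\n'
}

# Return 0 if the value contains no newline characters.
op_session_is_single_line() {
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Return 0 if decoding the encoded value reproduces the original file.
op_session_roundtrip_ok() {
    file=$1
    encoded=$(op_session_from_file "$file")
    printf '%s' "$encoded" | base64 -d | cmp -s - "$file"
}

# Demo with a constructed sample file (not a real scimsession); its size
# is over 76 bytes so that the wrapping pitfall would actually show up.
demo_dir=$(mktemp -d)
printf 'constructed-sample-%s\n' "$(printf '%0200d' 0 | tr 0 A)" > "$demo_dir/scimsession"
OP_SESSION=$(op_session_from_file "$demo_dir/scimsession")
op_session_is_single_line "$OP_SESSION" && echo "OP_SESSION is a single line"
op_session_roundtrip_ok "$demo_dir/scimsession" && echo "OP_SESSION decodes back to the file"
rm -rf "$demo_dir"
```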

Comments

  • Hi @senthil,

    Am I correct in assuming you are using docker compose to deploy the SCIM Bridge service into your EC2 instance?

    When the SCIM server starts initially using :3002, that is because it is in 'setup' mode and using the unencrypted connection to establish where you want to deploy the SCIM Bridge, get the TLS cert using LetsEncrypt, and then it will restart on that domain using TLS and :8443.

    What you want to do is absolutely possible. You must:

    That should start the SCIM Bridge up as a local service on :3002 ready to be placed behind a load balancer. Note you can start the SCIM Bridge on any port given the --port argument in the docker-compose.yml.

    Let me know how that works.

    Graham

  • senthil (Community Member)

    @graham_1P Thanks. That worked like a charm.

    One more question.

    Given this does not require the lets-encrypt callback, and our servers will use this container via internal VPC endpoint, does it require the container to be exposed to the public?

  • @senthil

    No, I would not directly expose the container to the internet. I would proxy all traffic through your load balancer, which also terminates TLS connections. The authentication to the SCIM Bridge service is through the OAuth Bearer token method. If the connections are sent to the SCIM Bridge over the public internet without TLS, that bearer token in the header will be exposed.

    At the end of the day, when the IDP makes a request to your domain, it must resolve to an IP which passes traffic to the SCIM Bridge service.

    Graham

  • senthil (Community Member)

    Yeah. The container will be behind load balancer and not exposed to internet.

    I am talking about having the load balancer itself internal. Apart from our servers that can access it via the internal load balancer, does the setup expect to receive any public traffic from 1Password?

    The container will have outgoing internet access to talk to 1Password.

  • senthil (Community Member)

    Any thoughts? @graham_1P

  • Hey @senthil,

    At the end of the day, the SCIM Bridge service will send and receive traffic to and from 1Password over the public internet, and send and receive traffic to and from your identity provider over the public internet.

    How you want to route the traffic within your infrastructure to get it there is up to you.

    To satisfy our requirements, a SCIM Bridge must be resolvable from a DNS record, support secured traffic, and be reachable from our servers and those of the identity provider.

    If you are looking for items to whitelist, take a look at our domain list: https://support.1password.com/ports-domains/

    Graham

  • senthil (Community Member)

    That helps. Thanks.

  • ag_ana (1Password Alumni)

    On behalf of Graham, you are welcome @senthil! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • Optichip (Community Member)

    @senthil do you happen to have a Task Definition you can share?

  • Optichip (Community Member)

    Awesome! Thank you!

  • Thanks for sharing @senthil!

    It is also useful to us to see how you use our software on platforms where we do not yet have a 1-click install product.
