If you use 1Password Business with Google Workspace, you know the drill: user accounts should be created, updated, and deactivated automatically. 1Password offers a SCIM Bridge for this — a small server that mediates between your identity provider and 1Password. The official recommendation? Azure, AWS, or Google Cloud. The cost? Easily 30 euros or more per month. But there’s a better way.
What Is the SCIM Bridge?
The 1Password SCIM Bridge is a container-based service that implements the SCIM protocol (System for Cross-domain Identity Management). It synchronizes users and groups between an identity provider — in my case Google Workspace — and 1Password Business. New employees automatically get a 1Password account, departing ones are deactivated.
The service consists of two containers:
- SCIM Bridge — the actual API, including TLS termination via Let’s Encrypt
- Redis — an ephemeral in-memory cache
That’s all it takes.
Why Not Just Use Azure?
I originally had the SCIM Bridge running on Azure Container Apps. It works, but the costs are completely disproportionate to the workload. The bridge processes a handful of API calls per day — that’s not a workload that justifies a cloud platform.
A rough calculation for Azure Container Apps (Consumption Plan, always-on with 0.5 vCPU and 1 GB RAM):
| Item | Calculation | Cost/Month |
|---|---|---|
| vCPU | (1,296,000 − 180,000 free) × $0.000024/s | ~$26.80 |
| Memory | (2,592,000 − 360,000 free) × $0.000003/s | ~$6.70 |
| Total |
On top of that come managed environment costs and a few cents for requests. In practice, you end up at 30 to 40 euros per month — for a service that essentially does nothing but wait for requests.
The Alternative: Hetzner Cloud
A Hetzner Cloud server of type CAX11 (ARM64) costs €3.79 per month and offers:
- 2 Ampere Altra vCPUs
- 4 GB RAM
- 40 GB SSD
- 20 TB traffic
That’s more than enough for the SCIM Bridge — and the server could host additional lightweight services on the side.
Setup in 10 Minutes
1. Prepare the Server
Create a CAX11 on Hetzner Cloud (Debian 13, Docker pre-installed or install afterward). Open port 443 in the firewall. Set a DNS A record pointing to the server IP — important: no Cloudflare proxy, DNS-only.
2. Create the Files
```bash
mkdir -p /docker/scim-bridge/data
cd /docker/scim-bridge
```
The docker-compose.yml:
```yaml
services:
  scim-bridge:
    image: 1password/scim:latest
    container_name: op-scim-bridge
    restart: unless-stopped
    ports:
      - "443:8443"
      - "80:8080"
    environment:
      - OP_DOMAIN=mycompany.1password.com
      - OP_TLS_DOMAIN=scim.mydomain.com
      - OP_REDIS_URL=redis://redis:6379
    volumes:
      - ./data/scimsession:/home/opuser/.op/scimsession:ro
      - ./data/workspace-credentials.json:/home/opuser/.op/workspace-credentials.json:ro
      - ./data/workspace-settings.json:/home/opuser/.op/workspace-settings.json:ro
    depends_on:
      - redis
  redis:
    image: redis:latest
    container_name: op-scim-redis
    restart: unless-stopped
    command: redis-server --maxmemory 256mb --maxmemory-policy volatile-lru --save ''
```
3. Place the Secrets
Three files need to be placed under data/:
- scimsession — the encrypted session file from the 1Password SCIM setup
- workspace-credentials.json — the Google Workspace service account key
- workspace-settings.json — actor email and bridge address
The workspace-settings.json looks like this:
```json
{
  "actor": "[email protected]",
  "bridgeAddress": "https://scim.mydomain.com"
}
```
Crucially, the files must be owned by the container user:
```bash
chown 999:999 data/*
```
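As an added example (not part of the original article or of 1Password's tooling), this preflight script checks that the three files under data/ exist and are owned by the container user before the stack is started. It also flags group- or world-readable modes, which is stricter than the chown step above; it assumes GNU stat as on Debian, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the bridge secrets under data/.
# Assumptions: GNU stat (Debian); container UID 999 as in the chown step;
# the mode check is an extra hardening step, not a bridge requirement.

SECRET_FILES="scimsession workspace-credentials.json workspace-settings.json"

# check_secret FILE UID: print findings, return 1 if anything is wrong.
check_secret() {
    file=$1
    want_uid=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "MISSING $file (not a regular file)"
        return 1
    fi
    owner=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    rc=0
    if [ "$owner" != "$want_uid" ]; then
        echo "OWNER   $file: uid $owner, expected $want_uid"
        rc=1
    fi
    # The last two octal digits are group/other; a secret needs both at 0.
    case $mode in
        *00) ;;
        *) echo "MODE    $file: $mode, expected 400 or 600"; rc=1 ;;
    esac
    return "$rc"
}

# check_secrets DIR [UID]: return the number of failing files (0 = OK).
check_secrets() {
    dir=$1
    uid=${2:-999}
    failed=0
    for name in $SECRET_FILES; do
        check_secret "$dir/$name" "$uid" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run as: sh check-secrets.sh /docker/scim-bridge/data
if [ "$#" -gt 0 ]; then
    check_secrets "$@"
fi
```

A non-zero exit status is the number of files that need attention, so the script can gate `docker compose up -d`.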
4. Start It Up
```bash
docker compose up -d
```
The SCIM Bridge automatically obtains a Let’s Encrypt certificate on the first TLS handshake. After a few seconds, the service is reachable:
```bash
curl -s https://scim.mydomain.com/health
# {"detail":"401 (Unauthorized)","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"]}
```
The 401 response is correct — without a bearer token, there’s no access.
Updates
```bash
docker compose pull && docker compose up -d
```
The 1password/scim:latest image is regularly updated by 1Password. A pull and recreate is all it takes.
Cost Comparison
| | Azure Container Apps | Hetzner CAX11 |
|---|---|---|
| Compute | ~€31/month | €3.79/month |
| TLS | Managed certificate (included) | Let’s Encrypt (included) |
| Traffic | Pay-per-use | 20 TB included |
| Additional services | Separate workload | Possible on the same VM |
| Annual cost | ~€370 | ~€45 |
The savings amount to roughly €325 per year — a factor of 8.
Conclusion
The 1Password SCIM Bridge is a lightweight service. It doesn’t need a Kubernetes cluster, a container platform, or a managed service. Two Docker containers on a small ARM64 VM are perfectly sufficient. Let’s Encrypt handles TLS, Docker Compose handles the rest.
For under 4 euros a month, you get enterprise-grade SCIM provisioning that runs just as reliably as on Azure — just without the bill.