1Password / scim-examples

1Password SCIM Bridge deployment examples
https://support.1password.com/scim/
MIT License

Seeking Advice: Does a WAF make sense to place in front of the SCIM bridge? #243

Closed Unearthed2112 closed 1 year ago

Unearthed2112 commented 1 year ago

Hello,

A team member of mine has recently deployed a 1Password SCIM bridge in AWS. Reportedly, this must be public facing. As a result, I am trying to decide if it makes sense to place a web application firewall on the load balancer in front of the SCIM bridge.

I don't know what the actual application looks like, but it looks like traffic is over HTTP (443 forwarded to 3002). Looking at the SCIM2 documentation at https://scim.cloud/, it's all over HTTP.

So, would 1Password's team here agree that it makes sense to apply a WAF? If not, are there any reasons in particular?

And if you do agree the SCIM bridge would benefit from a WAF's protection, could you tell me what the web server is based on? (tomcat, nginx, jetty, etc?). I can't find any documentation on this.

Much appreciated!

ag-adampike commented 1 year ago

Hi @Unearthed2112, and thanks for opening this discussion! 👋

In my experience, some customers do choose to implement a WAF in front of their SCIM bridge, but as you can imagine, customer environments vary widely and often include accompanying security policies, requirements, and of course, opinions. 😉

1Password SCIM Bridge is our proprietary Docker image that provides a SCIM API, which customers can use in the absence of a public API provided directly by 1Password. As far as an identity provider is concerned, it works the same as any target application SCIM provisioning API that is protected by bearer token access, but with a URL that points to customer-hosted infrastructure instead of ours.

This means that ingress to the SCIM bridge is strictly required by the identity provider on a public endpoint that terminates TLS on port 443 or passes through the TLS-encrypted traffic to the SCIM bridge container. The SCIM bridge itself can be configured to terminate TLS traffic using a managed Let's Encrypt certificate, but our recent AWS deployment examples invoke an AWS Certificate Manager (ACM) certificate attached to an Application Load Balancer. This is by design to enable customers who want to consider firewalling traffic: Let's Encrypt requires wide ingress from the public internet (on port 443 only, even in the case of Let's Encrypt), whereas ACM does not. These examples use security groups to restrict public access to that specific port on the load balancer, but all of our deployment examples have to be generic enough to work with any possible supported identity provider, so they cannot be more strictly configured than that.

Our supported identity providers use the typical SCIM endpoints noted on the website you referenced:

Without a more in-depth discussion about your specific environment, I can't really offer any guidance about whether or not you should enable WAF for your SCIM bridge, but I hope this at least helps in your decision-making.

If you would like to chat that out with someone from 1Password, reach out to your account team or support@1password.com. 🙂
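As an added illustration (not code from the 1Password scim-examples repository or from either commenter), the script below models the scope-down rules an edge layer such as a WAF could apply in front of a bearer-token-protected SCIM API like the one described above, and runs them over constructed sample requests: an identity provider's calls to the standard RFC 7644 endpoints listed on scim.cloud pass, while unrelated internet noise, unauthenticated requests and unexpected methods are dropped, and a per-source-IP rate limit catches bursts. The `/scim` path prefix, the rate limit and the sample traffic are assumptions, not 1Password's documented values. The block also includes a deliberately naive generic-injection rule to show that SCIM filter syntax (quoted values combined with `eq`, `and`, `or` operators) can trip content rules written without SCIM in mind, which is why a generic managed rule set is worth observing in a count-only mode against real identity provider traffic before it is enforced.

```python
"""Illustrative edge (WAF-style) policy for a public SCIM endpoint, run over
constructed sample requests. Added example, not 1Password's code."""
import re
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

# ASSUMPTION: the bridge serves SCIM below this prefix. Confirm against your
# own deployment before turning a path allowlist into an enforced rule.
SCIM_PREFIX = "/scim"

# Resource endpoints from RFC 7644 (the set listed on scim.cloud). Users and
# Groups may carry one id segment (or ".search"); the others are fixed paths.
SCIM_PATH_RE = re.compile(
    r"^/(?:Users|Groups)(?:/[^/]+)?$"
    r"|^/(?:ServiceProviderConfig|ResourceTypes|Schemas|Bulk|Me)$"
)
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"})
RATE_LIMIT = 100     # assumed: requests per source IP ...
RATE_WINDOW_S = 300  # ... per five-minute window


class EdgePolicy:
    """Scope-down rules applied before traffic reaches the bridge: method and
    path allowlists, a bearer-token presence check, a per-IP rate limit."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_S):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # src_ip -> request timestamps

    def _over_rate(self, src_ip, now):
        hits = self._hits[src_ip]
        while hits and now - hits[0] >= self.window:  # drop expired hits
            hits.popleft()
        hits.append(now)
        return len(hits) > self.limit

    def evaluate(self, method, target, headers, src_ip, now=0.0):
        """Return 'allow' or 'block:<reason>' for a single request."""
        if method not in ALLOWED_METHODS:
            return "block:method"
        path = urlsplit(target).path
        if not (path.startswith(SCIM_PREFIX + "/")
                and SCIM_PATH_RE.match(path[len(SCIM_PREFIX):])):
            return "block:path"
        # HTTP header names are case-insensitive; normalise before lookup.
        auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
        if not auth.startswith("Bearer ") or len(auth) == len("Bearer "):
            return "block:auth"
        if self._over_rate(src_ip, now):
            return "block:rate"
        return "allow"


# A deliberately naive "generic injection" rule, here only to show the
# false-positive risk: SCIM filters (RFC 7644 section 3.4.2.2) legitimately
# combine quoted values with operators such as eq, and, or, not.
NAIVE_INJECTION_RE = re.compile(
    r"""\b(?:eq|ne|co|sw|and|or|not)\b.*['"]|['"].*\b(?:eq|ne|co|sw|and|or|not)\b""",
    re.IGNORECASE,
)


def naive_generic_rule_flags(target):
    """True if the naive rule would block this request on its query string."""
    return bool(NAIVE_INJECTION_RE.search(unquote(urlsplit(target).query)))


# Constructed sample traffic (not captured from a real deployment): four calls
# an identity provider makes, then three pieces of unrelated internet noise.
BEARER = {"Authorization": "Bearer example-token"}
SAMPLE_REQUESTS = [
    ("GET", "/scim/Users?filter=userName%20eq%20%22alice%40example.com%22", BEARER, "203.0.113.10"),
    ("POST", "/scim/Users", BEARER, "203.0.113.10"),
    ("PATCH", "/scim/Groups/2819c223-7f76-453a-919d-413861904646", BEARER, "203.0.113.10"),
    ("GET", "/scim/ServiceProviderConfig", BEARER, "203.0.113.10"),
    ("GET", "/wp-login.php", {}, "198.51.100.7"),
    ("GET", "/scim/Users", {}, "198.51.100.7"),
    ("TRACE", "/scim/Users", BEARER, "198.51.100.7"),
]


def run_samples():
    """Verdicts for SAMPLE_REQUESTS under the scoped policy, in order."""
    policy = EdgePolicy()
    return [policy.evaluate(m, t, h, ip) for m, t, h, ip in SAMPLE_REQUESTS]


def rate_limit_demo(count):
    """Verdict on the count-th request from one IP, all within one window."""
    policy = EdgePolicy()
    verdict = None
    for i in range(count):
        verdict = policy.evaluate("GET", "/scim/Users", BEARER, "203.0.113.10", now=float(i))
    return verdict


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:13} {req[0]:6} {req[1]}")
```

Running the script prints `allow` for the four identity provider requests and `block:path`, `block:auth` and `block:method` for the noise; `naive_generic_rule_flags(SAMPLE_REQUESTS[0][1])` returns `True`, which is the false positive a generic content rule could produce on an ordinary SCIM filter, and `rate_limit_demo(RATE_LIMIT + 1)` returns `block:rate`. The design point is that the rules which are safe to enforce are the ones derivable from the protocol itself (methods, resource paths, the bearer scheme, a rate ceiling), while content-inspection rules need to be validated against the specific identity provider's traffic first.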

Unearthed2112 commented 1 year ago

Beautiful. Thank you so much @ag-adampike! Would you also be able to share with me if it's Java-based at least? That will help me figure out if a number of the rules are applicable or not.

(For other readers) Based on this, we will be deploying a WAF in front of our deployment of the SCIM bridge. It's still infrastructure in our AWS accounts, so we want to protect it, and everything here still indicates to me that a WAF would have applicable protections for the SCIM bridge application.