Feature Request: Support Highly Available Deployment #343

Open
ChefAustin opened this issue Oct 22, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@ChefAustin

This feature request can be quite simply summarized as: Allow for 1Password's SCIM Bridge to be deployed in a highly-available manner.

As stated in the preparation docs:

The SCIM bridge is not considered a high-availability service and running multiple SCIM bridges is not supported.

Implementing a highly-available deployment model for 1Password’s SCIM Bridge is highly desirable for IT organizations for several reasons:

  1. Minimized Downtime and Continuous Operations: High availability ensures that the SCIM Bridge is operational at all times, minimizing downtime that can disrupt user provisioning and deprovisioning processes. Continuous access is crucial for maintaining productivity and ensuring that the service functions without interruption.
  2. Improved Reliability and Resilience: A highly-available deployment reduces the risk of a single point of failure. By distributing the load across multiple instances or servers, the bridge can continue to function even if one instance of it fails.
  3. Enhanced Security and Compliance: Immediate provisioning and deprovisioning of user access are critical for security. High availability ensures that changes in user status are promptly reflected across all systems, reducing the risk of unauthorized access and helping organizations stay compliant with regulations like GDPR or HIPAA.
  4. Scalability to Meet Demand: As organizations grow, so does the demand on their identity management systems. A highly-available deployment model can scale horizontally to handle increased load without performance degradation, ensuring that the system can accommodate organizational growth seamlessly.
  5. Business Continuity and Disaster Recovery: In the event of unexpected outages or disasters, a highly-available SCIM Bridge can provide failover capabilities, maintaining essential services and supporting the organization’s business continuity plans.
  6. Simplified Maintenance and Updates: High availability setups often allow for rolling updates and maintenance without service interruption. This means IT teams can perform necessary updates or fixes without affecting end-users, leading to smoother operations.
  7. Alignment with IT Best Practices: Modern IT environments prioritize high availability as a best practice. Supporting this in 1Password’s SCIM Bridge aligns the product with industry standards, making it more attractive to organizations that adhere to strict IT governance policies.

In summary, adding support for a highly-available deployment model to 1Password’s SCIM Bridge addresses critical operational, security, and business needs. It enhances reliability, security, and scalability, all of which are essential for IT organizations aiming to provide seamless and secure access to resources in a constantly evolving technological landscape.

I hope you will please consider this request in future development of the SCIM bridge.

@ag-adampike
Member

Hey @ChefAustin! Thanks for sharing this feature request. Despite that bit of copy in the preparation guide, most of our deployment examples already support a high availability configuration for 1Password SCIM Bridge or provide it out-of-the-box.

Some examples:

  • an Amazon ECS service attached to subnets that span multiple availability zones will automatically relaunch a task in a new availability zone if a running task's AZ goes down
  • a Kubernetes deployment allows for rolling updates by creating a new Pod and evaluating its health before directing Service traffic to the new Pod and removing the old one
  • workload scaling guidelines are included in our examples based on expected provisioning volume; none provide vertical autoscaling as a documented configuration option, but this potentially could be enabled if the platform supports it

The intent behind this sentence is more specific to replication. At this time, we don't claim support for horizontal scaling of 1Password SCIM Bridge: our engineers originally architected this application with a single instance design. We have done some testing internally to determine whether replication could be well-supported, but we don't have any references to share at the moment.

Given that you and others have indicated similar interest, we could consider revisiting this and providing some reference example deployments with replication enabled for the SCIM bridge container based on our findings.

In the meantime, please feel free to continue the discussion here or reach out to us by email if you'd like to discuss strategies to provide high availability for your specific environment.

@ag-adampike ag-adampike added the enhancement New feature or request label Oct 22, 2024
@ChefAustin
Author

Thanks for the prompt response, @ag-adampike; it is much appreciated!

While the examples of fail-over/rolling-update mechanisms are, indeed, fantastic to see, let it be known that this request is focused on HA achieved through horizontal scaling[1].

[1] It seems that you grokked as much but I just wanted to clarify to ensure we're seeing eye-to-eye, here.

@ag-adampike
Member

No problem, @ChefAustin! Thanks for continuing the discussion here. 😊

I'd like to have some internal discussion regarding our support for replication and respond to that later with some more details, but I wanted to ensure that I was responding to the excellent points you addressed and the broader context of high availability in the meantime. :-)
