Stack: 1Password Business
Okta disaster recovery for teams running 1Password Business through Okta
1Password Business federated through Okta means the secrets that engineering depends on (production credentials, vendor API keys, customer-managed secrets) all sit behind the Okta authentication policy. A single bad policy push blocks the team from the credentials they need to do their job.
Butterfly captures versioned snapshots of the Okta configuration governing 1Password Business access — the SAML / OIDC app, the SCIM feed, assigned groups, sign-on policies, and Workflows automations. Restore preview shows the diff before any revert.
What you get
How Butterfly fits 1Password Business
1Password SSO app is versioned
Every backup captures the Okta-side 1Password app integration — SAML signing certificate, attribute mapping, assigned groups, and sign-on policy.
SCIM provisioning into 1Password groups
The Okta-to-1Password SCIM connection is part of every snapshot. Group-to-vault mappings (where surfaced via SCIM) are versioned.
Group rules drive 1Password access
Group rules are how most teams scale 1Password group membership. Butterfly versions every rule.
What goes wrong
Three incidents you have already seen variations of
Sign-on policy change blocks engineering from production secrets
A device-trust tightening caught the engineering group. The team could not reach 1Password during a deploy. Restore preview surfaces the policy diff.
SCIM-driven group change strips vault access
A SCIM attribute mapping change moved a population to a different 1Password group that did not have access to the production vault. Restore preview surfaces the mapping diff.
Group rule deletion drops on-call from break-glass vault
A directory cleanup removed a group rule feeding the break-glass-engineers group. The on-call engineer could not reach emergency credentials.
Honest scope
What Butterfly captures — and what it does not
In scope
The Okta-side configuration governing 1Password Business access: the 1Password SAML / OIDC app integration, attribute mappings, SCIM provisioning configuration, assigned users and groups, group rules, sign-on policies, and Workflows automations.
Out of scope
We do not back up 1Password vaults, items, or any 1Password-side data. 1Password-side backup is handled by 1Password's own infrastructure and the customer's own export practices.
Plans
Free, Standard, or Business
Free
$0 / forever
- 1 Okta connection
- 7-day retention
- 1 total backup
- No credit card
Standard
$1 / user / month — $99 minimum
- 2 Okta connections
- 90-day retention
- Restore preview + dry-run
- Audit Pack PDF (framework-filterable)
Business
$2 / user / month — $299 minimum
- Unlimited Okta connections
- Unlimited retention
- Continuity (warm standby)
- Priority restore support
Pricing reference: /upgrade. Provider coverage today: Okta, Okta Workflows, Auth0.
Regulatory shape
Compliance and audit angle
SOC 2 CC6 (logical access — especially for privileged credentials), ISO 27001 A.5.16 (identity management), and PCI DSS Requirement 7 (need-to-know access) all apply.
Butterfly's own SOC 2 Type II work is in progress; current status lives in the Trust Center.
Frequently asked
FAQ
Does Butterfly access 1Password vault contents?
No. Butterfly only backs up the Okta configuration governing 1Password access. We never touch vault contents.
What about Microsoft Entra ID + 1Password environments?
Butterfly's supported providers today are Okta, Okta Workflows, and Auth0. For Entra ID coverage, see our roadmap or contact us.
Can we revert a single sign-on policy?
Yes. Restore preview lets you pick the scope before committing.
Recover your Okta org in minutes, not hours
Talk to Mick (the founder) for a 30-minute demo, or start the free trial. No credit card for the free tier.
Trust posture, subprocessors, and security details: Trust Center.