Contact Support

Okta SCIM Integration

Learn how to set up SCIM with Okta

Verkada Command integrates with Okta using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.

SCIM synchronizes users and groups from Okta directly into Command. This lets you:

  • Retain Okta as your central IdP.

  • Automatically update users and groups in Command as changes occur in Okta.

  • Assign and manage permissions in Command using your existing identity structure.

If your organization uses SCIM, phone numbers can only be provisioned through SCIM. You will not be able to edit your phone number directly in Command.

See Okta SAML Integration for the SAML integration steps.

Before you begin

1

You need an API token to connect to the Verkada SCIM endpoint. This token is unique per the Verkada organization. Learn how to acquire a SCIM API token.

2

For a successful integration, choose the best path for your region:

To confirm which region you’re located, refer to where your organization was created for Verkada.

Create a Verkada Okta app

US region

Log in to Okta.On the left navigation panel, click Applications.At the top, click Browse App Catalog.In the search bar, type Verkada, click the app, and then click Add Integration.For Application label, type Verkada (or any unique name you prefer) and click Done.

EU and AUS region

Log in to Okta.Go to the Applications page and click Create App Integration.On Create a new app integration, select SAML 2.0 and click Next.In the App name field, enter a name and click Next.On Create SAML Integration:a. For Single sign-on URL:For EU orgs: https://saml.prod2.verkada.com/saml/login/ where is your organization’s short name. For AUS orgs: https://saml.ap-syd.verkada.com/saml/login/ where is your organization’s short name. b. For Audience URI (SP Entity ID): For EU orgs: https://saml.prod2.verkada.com/saml/sso/ where is your organization’s short name.For AUS orgs: https://saml.ap-syd.verkada.com/saml/sso/ where is your organization’s short name. c. Scroll down and click Next.Select the I’m an Okta customer adding an internal app radio button and click Finish (optionally, you can skip Okta’s additional questions).On the left navigation, click Applications and click your newly created app (if you are not automatically redirected to your app).At the top, select the General tab:a. At the top right, click Edit for your app’s App Settings. b. Check the Enable SCIM provisioning box. c. Click Save.On SCIM Connection:a. At the top of your newly created app, select the Provisioning tab. b. Click Edit for the SCIM Connection settings. c. For SCIM connector base URLFor EU orgs, https://scim.prod2.verkada.com/scimFor AUS orgs, https://scim.ap-syd.verkada.com/scim d. For Unique identifier field for users, enter userName. e. Check the Push New Users, Push Profile Updates, and Push Groups boxes. f. Click the Authentication Mode dropdown and select HTTP Header.Copy and paste the SCIM token from Command in the Authorization field.Click Save.

Configure the Verkada app in Okta

US region

Log in to Okta.On the left, click Applications and click the Verkada app.On the left, select the Provisioning tab.Under the Provisioning tab > Integration:a. Click Configure API Integration. b. Check the Enable API integration box. c. In the API Token field, copy and paste your Command-generated API token. d. Click Save.Under the Provisioning tab > Settings:a. Select To App and click Edit. b. Check the Enable box for Create Users, Update User Attributes, and Deactivate Users. c. Click Save.Under the Provisioning tab > To App section > Verkada Attribute Mappings, click Go to Profile Editor.Ensure that the attributes match, as shown in example below. You can add more attributes than shown. See Add attributes to SCIM-managed users.

EU and AUS region

Log in to Okta.On the left, click Applications and click the Verkada app.Under the Provisioning tab > Settings:a. Select To App and click Edit. b. Check the Enable box for Create Users, Update User Attributes, and Deactivate Users. c. Click Save. You can add more attributes than shown. See Add attributes to SCIM-managed users.

Provision users and groups

Users added to the app push automatically; groups need to be pushed manually.

Users within Okta

Log in to Okta.On the left, click Applications and click the Verkada app.Click the Assignments tab.Click the Assign dropdown and select Assign to People.Click Assign for the people you want to provision to the app.You’ll see the information for that user. At the bottom, click Save and Go Back.When you are redirected to the Assign page, click Done.

Groups within Okta

Log in to Okta.On the left, click Applications and click the Verkada app.At the top, select the Push Groups tab.Click the Push Groups dropdown to find groups (by name or by rule).Find the group you want to push and click Save. If successful, the Push Status shows Active.Command then tags users and groups as SCIM Managed, if they are imported via SCIM.

Alternatively, you can use the Assign to Groups option.

Log in to Okta.On the left, click Applications and click the Verkada app.Click the Assignments tab.Click the Assign dropdown and select Assign to Groups.Click Assign for the groups you want to provision to the app.You’ll see the information for that group. At the bottom, click Save and Go Back.When you are redirected to the Assign page, click Done.

Add attributes to SCIM-managed users (optional)

US region

Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization

How it works

Log in to Okta.Go to the Applications page and click the Verkada app.Select the Provisioning tab.Under Verkada Attribute Mappings, click Go to Profile Editor.On Attributes, click Add Attribute.In the Display name, Variable name, and External name fields, type the attribute name. A primary phone number’s external name should be typed as phoneNumbers.^[type==work].valueIn the external namespace field, type urn:ietf:params:scim:schemas:core:2.0:UserUnder User Permission, select the Read-Write radio button, and click Save.

EU and AUS region

Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization

To provision phone numbers outside the US in Command, the user phone number in the profile in Okta requires the country code. For example, 0123 456 789 needs to be entered in Okta as +61 123 456 789 to properly be pulled into Command.

How it works

Log in to Okta.Go to the Applications page and click the Verkada app.Go to Provisioning tab > Go to Profile Editor.Click Add Attribute.In the pop-up window:a. Enter a unique display name. a. Enter variable name. You will need to remember this for future use. b. Enter an external name. Must be one of the supported attributes. c. For external namespace, enter urn:ietf:params:scim:schemas:core:2.0:Userd. Select the Read-Write radio button.e. Click Save.On Profile Editor, click Mappings.Could not display contentClick Okta User to [name of your verkada app].Find your unmapped, newly created attribute.Enter the proper user attribute for the Okta user to map the newly created attribute.Click Save Mappings.

Delete SCIM-managed users from Command

When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:

  • Delete the user – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.

  • Permanently remove the user – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.

You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.

Add access credentials to SCIM-managed users (optional)

1

Log in to Okta.

2

On the left navigation, select Directory > Profile Editor.

a. Select User (default) as the user type. b. Click Add Attribute and add the custom attributes from the table below.

3

On the left navigation, select Applications and open your Verkada SCIM-managed application.

4

On the Provisioning tab, select To App > Go to Profile Editor.

5

Click Add Attribute to create the attributes listed above using the exact same Data Type, Display Name, Variable Name, Description, and ENUM values.

a. Set the External namespace value for all attributes to:

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

b. Set Attritbute type to Personal*.* c. Click Save toadd the attribute.

6

Click Mappings to map the attributes from the Okta User application to your SCIM application.

a. Select Okta User to YourSCIMApp at the top and map the custom attributes created for the Okta Default User to the ones created on your SCIM application. b. Click Save Mappings and Apply updates now to apply the changes.

7

The attributes should now be available to use on all your Okta application’s users’ profiles. Once synced, you can view the credentials on Command under Access > Access Users> User Profile > Credentials.

Attribute table

Refer to this list of credentials for the list of acceptable card formats.

Data Type

Display Name

External Name

External Namespace

Description

ENUM

string

Card Format

cardFormat

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

Card format for access credential

Leave unchecked

string

Card Number

cardNumber

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

Card number for access credential

Leave unchecked

string

Card Number Hex

cardNumberHex

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

Hexadecimal representation of the card number

Leave unchecked

string

Credential Status

credentialStatus

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

Status of the card credential

Checkbox: active → active, deactivated → deactivated, deleted → deleted

string

Facility Code

facilityCode

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

Facility code associated with the card

Leave unchecked

string

External ID

externalId

urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User

Customer-defined unique ID, not exposed in UI

Leave unchecked

string

Department ID

costCenter

urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User

Identifier used to map user’s department in Command

Leave unchecked

string

Title

title

urn:ietf:params:scim:schemas:core:2.0:User

User’s title or role

Leave unchecked

string

Employee Number

employeeNumber

urn:ietf:params:scim:schemas:core:2.0:User

Employee ID

Leave unchecked

string

Phone Number

phoneNumbers[type eq "work"].value

urn:ietf:params:scim:schemas:core:2.0:User

Work phone number

Leave unchecked

string

Department

department

urn:ietf:params:scim:schemas:core:2.0:User

User’s department

Leave unchecked

string

Organization

organization

urn:ietf:params:scim:schemas:core:2.0:User

Company or organization

Leave unchecked

Add externalId to SCIM-managed users (optional)

You can sync a unique identifier of your choice to Command by mapping it to the externalId field. This allows for advanced use cases like disambiguating users across systems or syncing access credentials to a unique user reference. This value is not shown in the Command UI but is stored in the database and can be queried via API.

To add the externalId attribute and map it from Okta:

1

Create the Attribute in the SCIM App Profile

  • In Okta, go to Directory > Profile Editor

  • Select your Verkada SCIM-managed application

  • Click Add Attribute and add the attribute details as listed in the table above.

  • Click Save

2

Map the Attribute

  • Still in Profile Editor, click Mappings

  • Choose Okta User to [Your SCIM App]

  • Find the source field you want to map (e.g., user.nickName, employeeNumber, or another custom field)

  • Map it to verkadaExternalId

  • Click the arrow between fields and select Apply mapping on user create and update

  • Click Save Mappings

3

Confirm Attribute is Populated

  • Navigate to Directory > People

  • Open a user profile and ensure the source field you’re mapping from (e.g., Nickname) has a value

  • From the SCIM App > Provisioning tab, use Force Sync to push updates if needed ​

Refer to this list of credentials for the list of acceptable card formats.

Known issues

  • Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.

  • If a new user cannot log in via SSO, it could be because the email domain is not being added to the SSO configuration in the Verkada backend. If the user’s email is outside of the email domains provided when SSO was set up, this causes the user to be unable to use SSO. If this is the cause of the problem, you need to edit the SSO configuration and add this domain to remedy the issue.

  • If you run into this error while provisioning users "Error while trying to push profile update for user: Bad Request. Errors reported by remote server: Invalid request", see this Okta article for troubleshooting steps.

  • If you experience any other problems with setting up SSO, contact Verkada Support.

Prefer to see it in action? Check out the video tutorial.

Need more help? Contact Verkada Support.

Last updated

Was this helpful?