# Okta

Verkada Command can integrate with Okta (among other Identity Providers \[IdPs]) in two capacities, depending on the use case:

* Security Assertion Markup Language (SAML)
* System for Cross-Domain Identity Management (SCIM)

**SAML** handles authentication, allowing Okta to manage access to Command in the same way as any other Software as a Service (SaaS) application already integrated into your Okta tenant. This means Command can be incorporated into your existing identity framework and access-controlled by the policies you already have in place.

**SCIM** synchronizes the users and groups already present in Okta with Command. This lets you keep your current central identity provider and use those existing users and groups in Command to control access to the platform.

{% hint style="info" %}
Verkada recommends OIDC over SAML for enhanced security and easier configuration. OIDC also enables [Enterprise Controlled Encryption](https://help.verkada.com/command/security/enterprise-controlled-encryption).
{% endhint %}

***

{% tabs %}
{% tab title="OIDC (Recommended)" %}

#### OIDC based SSO for Okta

Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Okta. This integration allows our users to seamlessly and securely authenticate using their existing Okta credentials, streamlining access to Command and enhancing overall security.

{% hint style="danger" %}
OIDC is not supported on Desk Station apps.
{% endhint %}

{% hint style="info" %}
Enable [Enterprise Controlled Encryption (ECE)](https://help.verkada.com/command/security/enterprise-controlled-encryption) for enhanced security.
{% endhint %}

***

**OIDC configuration**

{% stepper %}
{% step %}
**Navigate to your Okta instance to create a new application to manage your OIDC configuration. Click on Applications from the Applications sidebar option and click Create App Integration.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-a7661c159ffd8c01e547a386c419daf0b45f4169%2F32d1945faa32d045eff4cc54bc13a51bfc396018.png?alt=media" alt="" width="563"></div>
{% endstep %}

{% step %}
**Under Create a new app integration, select OIDC - OpenID Connect as your Sign-in method and Single-Page Application as your Application type.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-9298a479f5b6880af9f5247d59587e672b27c7bc%2F32bd7f6a9774fd833bdc00d0079e3e8d46236290.png?alt=media" alt="" width="563"></div>
{% endstep %}

{% step %}
**Give your application an identifiable name and, under Sign-in redirect URIs, add the following links to the list:**

a. <https://command.verkada.com/oidc/okta/callback>\
b. [http://\<org-short-name>.command.verkada.com/oidc/okta/callback](http://org-short-name.command.verkada.com/oidc/okta/callback) where *\<org-short-name>* in the URL is the short name of your Command organization.

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-92d4440add9b38141e75a60ccc0de92e249dbfee%2F4153edce77be25af05fabe1a42f56bcfc8f613bb.png?alt=media" alt="" width="800"></div>
{% endstep %}

{% step %}
**(Optional) Under Sign-out redirect URIs add** [**https://command.verkada.com/**](https://command.verkada.com/)**.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-b52f42a2e3c071d0e2d6064d7eea089156f111eb%2F70cbb06d6c88f4ce01f220fdb7289d4c0b40a139.png?alt=media" alt="" width="800"></div>
{% endstep %}

{% step %}
**Under Assignments, select Skip Group Assignment for now and click Save.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-e48ef12238d62ab065d095e3fe645077d151e999%2F9029377f1bda478375e85b47b64add4b006b18ad.png?alt=media" alt="" width="800"></div>
{% endstep %}

{% step %}
**Under Assignments, click on the Assign dropdown to assign this application to your (and other relevant) user profiles.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-946a97c621d6629c51432d5de5bb341116b59ef8%2F34cb1cd4d0be5357cc6773055069abd342ad6507.png?alt=media" alt="" width="800"></div>
{% endstep %}

{% step %}
**Under General, copy the Client ID displayed under Client Credentials.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-615e8090ad56d84854dc095e93a645fcbafec6ee%2F62141b4dc755efd742b9378d37793fafd9de55c0.png?alt=media" alt="" width="800"></div>
{% endstep %}
{% endstepper %}

***

**Command configuration**

{% stepper %}
{% step %}
**In Verkada Command, go to All Products > Admin.**
{% endstep %}

{% step %}
**In the left navigation, select Login & Access.**
{% endstep %}

{% step %}
**Select Single Sign-On Configuration.**
{% endstep %}

{% step %}
**Under OIDC Configuration, click Add New.**

a. Toggle on **Enable.**\
b. (Optional) Toggle on **Require OIDC SSO.**\
c. Under **Select Provider,** select **Okta.**\
d. Under **Add Client and Tenant,** click :plus:.

1. In the **Client ID** field paste the Client ID you copied from Okta.
2. In the **Tenant ID** field enter the first part of your Okta instance's URL. It should look like this: [https://yourinstancename.okta.com](https://yourinstancename.okta.com/).
3. Click **Done**.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-bf0a84e355696d69603fac6689f9e04c2baf3f31%2F23236b06c048e0f045edeb2f7d44e631cd6dcf2a.png?alt=media" alt="" width="800"></div>

e. Under **Email Domains,** click :plus:**.**

1. Enter your domain name (e.g. @verkada.com).
2. Click **Done**.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-03a2ba25ea251f2a72146ba1464a58bc4e11e7fd%2Ff054308c20f7523b4f1f29da383884cb7c2e6453.png?alt=media" alt="" width="800"></div>

{% endstep %}

{% step %}
**Under Login Test click Run Login Test.**
{% endstep %}

{% step %}
**A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.**
{% endstep %}

{% step %}
**Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.**
{% endstep %}

{% step %}
**Once your domain is verified, you should see it successfully validated.**
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="SAML" %}
**Okta SAML Integration**

***

**Before you begin**

For a successful integration, choose the best path for your region:

* [Enable SAML for Your Command Account](https://help.verkada.com/command/security/identity-providers/..#upload-saml-xml-metadata)
* **For US orgs**, you will use an existing Verkada application, following the steps directly below.
* **For EU and AUS orgs**, follow the steps in the next section to configure a new app integration in Okta.

<details>

<summary>Create a Verkada Okta app (US regions)</summary>

1. **Log in to Okta.**
2. **Go to the Applications page and click Browse App Catalog.**

   <div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/449896715/390b39e32ff7892e3a4c7123/Screen+Shot+2022-01-17+at+3.17.12+PM.png?expires=1766003400\&#x26;signature=22f123d38bacf85fa5a9f30c9dc7a5242cd3ed61d9a71b44aa24cf937709bb14\&#x26;req=cCQuHsB4moBaFb4f3HP0gK8CSkgsYzn3qhkkLT8eMaCLqqJiY68f8kCdYBCM%0AqY4%3D%0A" alt="" width="800"></div>
3. **In the search bar, type Verkada.**
4. **Click Add Integration.**

   <div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/449897287/e17bbcb0aac5233606a71783/Screen+Shot+2022-01-17+at+3.18.45+PM.png?expires=1766003400\&#x26;signature=e671263a738671cf7f24df811082e25d8d9fa670f5c9024e9085b5f6e1883fe3\&#x26;req=cCQuHsB5n4lYFb4f3HP0gK4OGuNco5idOO0lt8OafCOqMnOFTJEqxdcz3ZfH%0AOH8%3D%0A" alt="" width="800"></div>
5. **Click Done.**

   <div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/449897651/d563f47daacb254236cf0454/Screen+Shot+2022-01-17+at+3.21.27+PM.png?expires=1766003400\&#x26;signature=6871448aecf02075e8f29cf2fd6c1f908b7793f1d57c547e7cf0f4efbd479ea3\&#x26;req=cCQuHsB5m4ReFb4f3HP0gGt1PTq1x%2B0JH9fUDuo6%2F3taZSMJf6DmU%2FgeF4xI%0AEkA%3D%0A" alt="" width="800"></div>
6. **In Okta, select the Sign On tab for the Verkada app, and click Edit.**

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-1b411990400f985bbbea74e4ca4d9632f5cd6ff1%2F528acaaf4123dd8ead3b738eecea6a5192c1896f.png?alt=media" alt="" width="800"></div>
7. **Scroll down to Advanced Sign-On Settings and enter the Client ID from your Command account.**

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-74f4293484a71d32b2185c7265e38f1c37e45203%2Fcab4869bcc9e4ccb6bd7cc20ad48af0774f66282.png?alt=media" alt="" width="800"></div>
8. **Select Save.**

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-8b8db3a71413a7f7aeeb7bd67c65c36b8ceb0d76%2F4d52b88b0aaa325eecb346c77acd160de3718e8b.png?alt=media" alt="" width="800"></div>

</details>

<details>

<summary>Configure a new app integration from Okta (EU &#x26; AUS regions)</summary>

1. **Go to Applications, and select Create App Integration.**
2. **Create a new app integration, select SAML 2.0, and click Next.**

   <div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/1102852007/dd17f8b70d0287d06a11ba40/image.png?expires=1766003400\&#x26;signature=f6e24360efec33ff0e3afa6f07c4c112175037ddb034853b56107bf332cba625\&#x26;req=dSEnFMF7n4FfXvMW1HO4zXPltyd%2B2lhHD1n4y9sXweynIKPYzWTArMzGiQk2%0AxFxH%0A" alt="" width="800"></div>
3. **On the "Create a SAML integration" page, under General Settings, enter an application name, optionally add an application logo, and then click Next.**
4. **In the configure SAML page, fill in the Single Sign-On URL and Audience URI (SP Entity ID) with these links:**

   * For EU orgs: [https://saml.prod2.verkada.com/saml/sso/\<client-ID>](https://saml.prod2.verkada.com/saml/sso/%3Cclient-ID%3E)
   * For AUS orgs: [https://saml.prod-ap-syd.verkada.com/saml/sso/\<client-ID>](https://saml.prod-ap-syd.verkada.com/saml/sso/%3Cclient-ID%3E)

   Check the **Use this for Recipient URL and Destination URL** box.

   <div data-gb-custom-block data-tag="hint" data-style="warning" class="hint hint-warning"><p><strong>Client ID</strong> should be pulled from the Command configuration and replaced in the links inserted in the Okta application.</p></div>

   <div align="left" data-with-frame="true"><figure><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Ffv1e6OUnVHANn4RFdkeq%2Fimage.png?alt=media&#x26;token=64633ce7-dc12-49eb-acc7-8dd3470fccc7" alt="" width="800"><figcaption></figcaption></figure></div>
5. **The application username is the Okta Username.**
6. **Click Next. On the feedback page, check the box labeled "This is an internal app that we have created". Click Finish.**

   <div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/1102855332/9fae260feef25cb11bd7cd27/image.png?expires=1766003400\&#x26;signature=50ce8e5764340d45248e6c299c221ff32cda6ea62da6428016d113d088f43943\&#x26;req=dSEnFMF7mIJcW%2FMW1HO4zWsfcy8mxJmpu5er%2BtIFWBX5DFNhGgak3xp5mWgs%0A0Rgx%0A" alt="" width="800"></div>
7. **In the attributes statements section, set up attributes mapping as follows:**

   * `email` > `user.email`
   * `firstName` > `user.firstName`
   * `lastName` > `user.lastName`

   <div align="left" data-with-frame="true"><figure><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2FmNBkxcbYKXSHdqFgA4O4%2Fimage.png?alt=media&#x26;token=0536dc1f-b96e-453a-ac3d-b1821dc3c9db" alt="" width="800"><figcaption></figcaption></figure></div>

</details>

***

**Configuration**

{% stepper %}
{% step %}
**In Okta, select the Assignments tab for the app. Click Assign and select People or Groups to enable SSO for these users.**
{% endstep %}

{% step %}
**Select the Sign On tab for the app.**
{% endstep %}

{% step %}
**Scroll down to SAML Signing Certificates and click Generate new certificate if a new certificate does not exist.**
{% endstep %}

{% step %}
**To the right of the certificate, select the Actions dropdown and click View IdP metadata.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-2420a903551b15e34d1569644982e44f240e4fd2%2F59ebff57b10aaee9573e7c81c7655a6715b7aab4.png?alt=media" alt="" width="800"></div>
{% endstep %}

{% step %}
**Right-click the metadata, select "Save As," and download as an XML file.**
{% endstep %}

{% step %}
**After downloading the XML file,** [**upload it to Command**](https://help.verkada.com/command/security/identity-providers/..#upload-saml-xml-metadata)**.**
{% endstep %}

{% step %}
**In the Verify Metadata section, click Run Login Test.**
{% endstep %}
{% endstepper %}

***

**Troubleshooting**

* **Updating usernames (emails) does not automatically take effect in Command**. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.
* **If a new user cannot log in via SSO**, it could be because the user's email domain has not been added to the SSO configuration in the Verkada backend. If the user's email is outside the email domains configured when SSO was set up, the user cannot use SSO. If this is the cause of the problem, edit the SSO configuration and add this domain to remedy the issue.
* **If you experience any other problems with setting up SSO**, contact [Verkada Support](https://help.verkada.com/command/need-help/contact-verkada-support).
{% endtab %}

{% tab title="User Provisioning" %}

#### Okta SCIM Integration

***

**Before you begin**

{% stepper %}
{% step %}
**You need an API token to connect to the Verkada SCIM endpoint. This token is unique to each Verkada organization. Learn how to** [**acquire a SCIM API token**](https://help.verkada.com/command/security/identity-providers/scim-token-management)**.**
{% endstep %}

{% step %}
**For a successful integration, choose the best path for your region:**

* **For US orgs**, follow the steps in Create a Verkada Okta app.
* **For EU and AUS orgs**, follow the steps in Enable SCIM provisioning in Okta app.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
To confirm which region you're located in, [refer to where your organization was created for Verkada](https://help.verkada.com/command/getting-started/get-started-with-verkada-command).
{% endhint %}

***

**Create a Verkada Okta app**

<details>

<summary>US region</summary>

1. Log in to Okta.
2. On the left navigation panel, click Applications.
3. At the top, click Browse App Catalog.

<div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/449896715/390b39e32ff7892e3a4c7123/Screen+Shot+2022-01-17+at+3.17.12+PM.png?expires=1766003400&#x26;signature=22f123d38bacf85fa5a9f30c9dc7a5242cd3ed61d9a71b44aa24cf937709bb14&#x26;req=cCQuHsB4moBaFb4f3HP0gK8CSkgsYzn3qhkkLT8eMaCLqqJiY68f8kCdYBCM%0AqY4%3D%0A" alt="" width="800"></div>

4. In the search bar, type Verkada, click the app, and then click Add Integration.

<div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/862216187/b148b14a43ce418501b12069/8375910_OktaSCIMintegration.png?expires=1766003400&#x26;signature=2ed4243f90ccb2112842367c8966cd540765dba751717a8f5963079ce366b0fc&#x26;req=fCYlFMh4nIlYFb4f3HP0gBUSQgAMwz4tz0EiSwyS8tw2UQZtrTgdZJv0gOHs%0AYM4%3D%0A" alt="" width="800"></div>

5. For Application label, type Verkada (or any unique name you prefer) and click Done.

<div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/449897651/d563f47daacb254236cf0454/Screen+Shot+2022-01-17+at+3.21.27+PM.png?expires=1766003400\&#x26;signature=6871448aecf02075e8f29cf2fd6c1f908b7793f1d57c547e7cf0f4efbd479ea3\&#x26;req=cCQuHsB5m4ReFb4f3HP0gGt1PTq1x%2B0JH9fUDuo6%2F3taZSMJf6DmU%2FgeF4xI%0AEkA%3D%0A" alt="" width="800"></div>

</details>

<details>

<summary>EU &#x26; AUS region</summary>

1. Log in to Okta.
2. Go to the Applications page and click Create App Integration.

   <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851144/63f1c84c55eb91cd2c8eaa9a/WsSZmmICcArfKIUzbJYN4_T5Sra5e6IO34jeIdFraM2YPNuIIjjJ8Rh1vnOMjVmDq_dGKbLpqX4o_QT0NP6DyPgJhyjHAy2BUydB7V23rMr5xFPmT4icGAsCgohn0m5wTxje0zah2xX4sQ1xtlm25wo?expires=1766003400\&#x26;signature=19aae02631c4e9ad01969e320ce1ad7c0984fcae271d336cd2f177974e686414\&#x26;req=fCghHsx%2FnIVbFb4f3HP0gFX9cCgDlGGbgLvgCfpHtN1iQ4hvq%2F9YOxRafCNG%0ARbA%3D%0A" alt="" width="800"></div>
3. On Create a new app integration, select SAML 2.0 and click Next.
4. In the App name field, enter a name and click Next.
5. On Create SAML Integration:
   1. For Single sign-on URL:

      For EU orgs: [https://saml.prod2.verkada.com/saml/login/\<org short name>](https://saml.prod2.verkada.com/saml/login/) where *\<org short name>* is your organization’s short name.

      For AUS orgs: [https://saml.ap-syd.verkada.com/saml/login/\<org short name>](https://saml.prod3.verkada.com/saml/login/) where *\<org short name>* is your organization’s short name.
   2. For Audience URI (SP Entity ID):

      For EU orgs: [https://saml.prod2.verkada.com/saml/sso/\<org short name>](https://saml.prod2.verkada.com/saml/sso/) where *\<org short name>* is your organization’s short name.

      For AUS orgs: [https://saml.ap-syd.verkada.com/saml/sso/\<org short name>](https://saml.prod3.verkada.com/saml/sso/) where *\<org short name>* is your organization’s short name.
   3. Scroll down and click Next.

      <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851148/6fd39889aad356e828a9f1e2/c95BQJPAkrZwgMRjzr1FQ1hIT28LoFNI5VMyRfx65HTud87oLHkEbrzq8LPe01MHtA6tKF-sRYv8p0cKUCQkVUThaoJnWGxBHj-Him2q5DmIdm-bQy0dzvQpk0cRvWwRvGf1PTZzGTn79b1zfz_gA98?expires=1766003400\&#x26;signature=5fd20b86013bc0f4ba28cbdd3d233f71a2a6961cec82c73c0b477748fb44a9ef\&#x26;req=fCghHsx%2FnIVXFb4f3HP0gIsENFokZPlQ6p7gfi0ihxbn4uDdLx%2FWBqOO7c3X%0APHg%3D%0A" alt="" width="800"></div>
6. Select the I’m an Okta customer adding an internal app radio button and click Finish (optionally, you can skip Okta’s additional questions).
7. On the left navigation, click Applications and click your newly created app (if you are not automatically redirected to your app).
8. At the top, select the General tab:
   1. At the top right, click Edit for your app’s App Settings.
   2. Check the Enable SCIM provisioning box.
   3. Click Save.

      <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851153/bfa634bbbaae62cca595a09f/vwlKHLqNXGQkFOWEkVbAKXZhzP-aSETLv4m9IQ3O2gzBpP9Np7ocOAkzAktGxC8wM53R8WR3etrx2fs3zsjCXL20YbqEy7DwD8i48-hxcB3FXdllet8sYm3zUtzgB55G0EUGEW1ji0uXjMIYZyzepjA?expires=1766003400\&#x26;signature=55027176fa5d6a8129c53a97c6743086c488a3e43abc188cf83104121a54e73f\&#x26;req=fCghHsx%2FnIRcFb4f3HP0gFJXoIOCtJbQzP0a%2FnhB2y7JCSg5lWFQzV%2F2FDTF%0Ai%2BI%3D%0A" alt="" width="800"></div>
9. On SCIM Connection:
   1. At the top of your newly created app, select the Provisioning tab.
   2. Click Edit for the SCIM Connection settings.
   3. For SCIM connector base URL:

      For EU orgs, <https://scim.prod2.verkada.com/scim>

      For AUS orgs, [https://scim.ap-syd.verkada.com/scim](https://scim.prod2.verkada.com/scim)
   4. For Unique identifier field for users, enter userName.
   5. Check the Push New Users, Push Profile Updates, and Push Groups boxes.
   6. Click the Authentication Mode dropdown and select HTTP Header.
10. Copy and paste the SCIM token from Command in the Authorization field.

    <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851157/96d872e82636280e8810b5cd/2psAWP661MUUm0bwdb-15pWDM2yInrCLzJ52ju9UQ141G1OuZWQvUCD-MJE3HWMumJyPIyqIxUXUfmJG7JtQ4DaTJ6OkaaThBRqXBDWznAvJ8F-6vRExzhUfbTQVHJ9ySeGsrujuOhPE9kEmMykpFpo?expires=1766003400\&#x26;signature=1a3a6dac2cf88e1fc3668dca25798e5742035c80f146cd21a11274e619978943\&#x26;req=fCghHsx%2FnIRYFb4f3HP0gIT5S38DtHQhhUWTe3Q20l5GdXTLrtOI2YLqFnK0%0ARYY%3D%0A" alt="" width="800"></div>
11. Click Save.

</details>

***

**Configure the Verkada Okta app**

<details>

<summary>US region</summary>

1. Log in to Okta.
2. On the left, click Applications and click the Verkada app.
3. On the left, select the Provisioning tab.
4. Under the Provisioning tab > Integration:
   1. Click Configure API Integration.
   2. Check the Enable API integration box.
   3. In the API Token field, copy and paste your Command-generated API token.
   4. Click Save.

      <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851164/bfaea19da7bc2d70c8718f59/1Uqq8IPPIlQxHHrtgwQX2uoof53IwL43EqOj6sgOKGkL21FpMDgPKvZU4O3UR8axr9tSc0o-EfGs239SNAEqxzIKwfe8j1N5UXZPHSHo4-fH0O9vh470EhNgw2TU77d72HjC0YEJEFEkQ9gjuJM3JxM?expires=1766003400\&#x26;signature=fec9e530aff69237affe8757ddf306027fbc84c81bc5a234c9c4846d0077cf97\&#x26;req=fCghHsx%2FnIdbFb4f3HP0gOEEIFpHRoy4XZ%2Bzea%2BP76fZ9tG4Lw5cmlHZAO6w%0ASvA%3D%0A" alt="" width="800"></div>
5. Under the Provisioning tab > Settings:
   1. Select To App and click Edit.
   2. Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
   3. Click Save.

      <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851172/d574d2353093abe51f46555f/oEFsUMqaaEmJgSbRL43Q-r3TBLlIl1p0E0z_zu8-iNUsfnUUOM4BY2SodL6eCh99zJ6GERBJX7MCbSGsyBHMgvKnmAEaLE_R8KDIj6x1P6eTXrGJPYyALWqsNQ7q5--t4wu6RsmCY6wPsW8mQAV6ees?expires=1766003400\&#x26;signature=fc77bae6b81720fccb8f86f3570051605226a436ed4b940553c8b4046495089f\&#x26;req=fCghHsx%2FnIZdFb4f3HP0gCKBhfXRZqkUtOVsefJPDM96y22ejfZXznC1xdmM%0AdIc%3D%0A" alt="" width="800"></div>
6. Under the Provisioning tab > To App section > Verkada Attribute Mappings, click Go to Profile Editor.
7. Ensure that the attributes match, as shown in the example below. You can add more attributes than shown. See [Add attributes to SCIM-managed users](#add-attributes-to-scim-managed-users).

   <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851176/a0db505658eaae5d0d626de0/PIBYFY8jXzcT7lnRd57pjtfZum9oDzyH5Rx9BiiAKmE6sJflxxQCBQL2HacJRGzZdSH_bIICRVTIt7_BrXbmiJLwyTLxPFAVEtmsQiwPb9qzNrimmTL15XZzwoU2sZivYIIFHNtrvVJDd15Zuff0Oc4?expires=1766003400\&#x26;signature=8b1b23a5e437f5e559e1ae4ed7f555efd35d8fcb36bd832b8a5fcf5c251ed4de\&#x26;req=fCghHsx%2FnIZZFb4f3HP0gGCncM16IH%2BM1u2IZJmbblnERJH2LTdehgXA1xRb%0AF%2Bk%3D%0A" alt="" width="800"></div>

</details>

<details>

<summary>EU and AUS region</summary>

1. Log in to Okta.
2. On the left, click Applications and click the Verkada app.
3. Under the Provisioning tab > Settings:
   1. Select To App and click Edit.
   2. Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
   3. Click Save. You can add more attributes than shown. See [Add attributes to SCIM-managed users](#add-attributes-to-scim-managed-users).

      <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851180/11af938596e16a8fd1103eb4/oEFsUMqaaEmJgSbRL43Q-r3TBLlIl1p0E0z_zu8-iNUsfnUUOM4BY2SodL6eCh99zJ6GERBJX7MCbSGsyBHMgvKnmAEaLE_R8KDIj6x1P6eTXrGJPYyALWqsNQ7q5--t4wu6RsmCY6wPsW8mQAV6ees?expires=1766003400\&#x26;signature=874ef3a07ff6a32c3366e9c70f41153d76368b171a44aadf9e006292ab41ab34\&#x26;req=fCghHsx%2FnIlfFb4f3HP0gL%2BQvgs5Jd2oAQ0QnMC3vH91dWpOTKMXuDGqcrvr%0AuSs%3D%0A" alt="" width="800"></div>

</details>

***

**Add-on attributes to SCIM-managed users**

<details>

<summary>Add attributes to SCIM-managed users (optional)</summary>

Verkada and Okta support these attributes: `userName` (default), `givenName` (default), `familyName` (default), `title`, `employeeNumber`, `primaryPhone`, `department`, `organization`.

You can also sync a unique identifier to Command by mapping it to the **externalId** field. This enables advanced use cases such as disambiguating users across systems or syncing access credentials to a unique user reference. This value is stored in the database and can be queried via API, but it does not appear in the Command UI.

{% hint style="info" %}
To provision phone numbers outside the US in Command, include the country code in the user's phone number in the Okta profile.

For example:

* **US:** 123-456-7890 → **+1 123-456-7890**
* **UK:** 07123 456789 → **+44 7123 456789**

Using the international format ensures the number is correctly imported into Command.
{% endhint %}

1. **Log in to Okta.**
2. **Create the Attribute in the SCIM App Profile.**

   1. In Okta, go to **Directory > Profile Editor.**
   2. Select your **Verkada SCIM-managed application User.**
   3. Click **Add Attribute** and add the attribute details as listed in the [table](#attribute-table) below.
   4. Click **Save.**

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-740b098ddce2f7147ea7ea94c0cfa822cb0f805b%2Ffb5e0d1c0264e15722496928034f4ab4cdbe420f.png?alt=media" alt="" width="800"></div>
3. **Map the Attribute**

   1. Still in Profile Editor, click **Mappings.**
   2. Choose **Okta User to \[Your SCIM App].**
   3. Click the dropdown and find the source field you want to map (e.g., user.nickName, employeeNumber, or another custom field) and map it to the `appuser` attribute.
   4. Click the arrow between fields and select **Apply mapping on user create and update.**
   5. Click **Save Mappings.**

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-cff69210a5e6aa2a730195c37890dff948d68ab8%2F7e4c1e21ebef0311b7075553445651c9ebd47f82.png?alt=media" alt="" width="800"></div>
4. **Confirm Attribute is Populated**

   1. Navigate to **Directory > People.**
   2. Open a user profile and ensure the source field you're mapping from (e.g., Nickname) has a value.
   3. From the **SCIM App > Provisioning tab**, use **Force Sync** to push updates if needed.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-e864e1d84ef75446e8664a70e5b2907a86b9aa2e%2F3137ce3a5868a5c57efc1a69ce61a536c54e1cf2.png?alt=media" alt="" width="800"></div>

{% hint style="warning" %}
Refer to the list of [acceptable card formats](https://app.gitbook.com/s/aaHs5RfKqv9Z49mi02cC/installation/badge-reader-support/supported-card-formats).
{% endhint %}

</details>

<details>

<summary>Add access credentials to SCIM-managed users (optional)</summary>

1. **Log in to Okta.**
2. **On the left navigation, select Directory > Profile Editor.**
   1. Select **User (default)** as the user type.
   2. Click **Add Attribute** and add the custom attributes from the [table](#attribute-table) below.
3. **On the left navigation, select Applications and open your Verkada SCIM-managed application.**
4. **On the Provisioning tab, select To App > Go to Profile Editor.**
5. **Click Add Attribute to create the attributes listed above using the exact same Data Type, Display Name, Variable Name, Description, and ENUM values.**

   1. Set the **External namespace** value for all attributes to:

   ```
   urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User
   ```

   2. Set **Attribute type** to **Personal**.
   3. Click **Save** to add the attribute.
6. **Click Mappings to map the attributes from the Okta User application to your SCIM application.**

   1. Select **Okta User to YourSCIMApp** at the top and map the custom attributes created for the Okta Default User to the ones created on your SCIM application.
   2. Click **Save Mappings** and **Apply updates now** to apply the changes.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-13e9a7031c586e27ddd2da4e77ab2419c03ce0f5%2Fef89dd06940b3b805ea16e2556bbd95cffcb834d.png?alt=media" alt="" width="800"></div>
7. **The attributes should now be available to use on all your Okta application's users' profiles.** Once synced, you can view the credentials on Command under Access > Access Users > User Profile > Credentials.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-ac2be2e63c5acadfc907505a67f97c62a3bc4340%2F5b875a8a5fee900ed99ff0b3450bdcc90bb09d1d.png?alt=media" alt="" width="800"></div>

</details>
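
What the **External namespace** setting controls, as an added example (not Verkada's or Okta's code): in a SCIM 2.0 resource (RFC 7643), core attributes sit at the top level and each extension attribute is nested under its namespace URN, so a mistyped namespace or variable name places the value where the receiver does not look for it. The sketch uses the variable names, namespaces and `credentialStatus` values from the attribute table on this page; the generic RFC 7643 layout is an assumption about the wire format, and the profile values (including the card format string) are constructed.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
VERKADA_CORE = "urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User"
VERKADA_ACCESS = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"

# Variable name -> external namespace, copied from the attribute table on this page.
ATTRIBUTE_NAMESPACE = {
    "cardFormat": VERKADA_ACCESS,
    "cardNumber": VERKADA_ACCESS,
    "cardNumberHex": VERKADA_ACCESS,
    "credentialStatus": VERKADA_ACCESS,
    "facilityCode": VERKADA_ACCESS,
    "externalId": VERKADA_CORE,
    "costCenter": VERKADA_CORE,
    "title": CORE,
}
CREDENTIAL_STATUS = {"active", "deactivated", "deleted"}  # ENUM column of the table
REQUIRED = ("userName", "givenName", "familyName")        # the three default attributes

# Constructed profile, shaped like the flat attribute list of an Okta app user.
SAMPLE_PROFILE = {
    "userName": "jane.doe@example.com",
    "givenName": "Jane",
    "familyName": "Doe",
    "title": "Facilities Manager",
    "externalId": "hr-000123",
    "cardFormat": "EXAMPLE-FORMAT",  # placeholder, not a real card format name
    "cardNumber": "12345",
    "facilityCode": "100",
    "credentialStatus": "active",
}


def build_scim_user(profile: dict):
    """Return (resource, errors); resource is None when any check fails."""
    errors = []
    for key in REQUIRED:
        if not isinstance(profile.get(key), str) or not profile[key]:
            errors.append(f"{key}: required, must be a non-empty string")

    resource = {
        "schemas": [CORE],
        "userName": profile.get("userName"),
        "name": {
            "givenName": profile.get("givenName"),
            "familyName": profile.get("familyName"),
        },
    }
    for name, value in profile.items():
        if name in REQUIRED:
            continue
        namespace = ATTRIBUTE_NAMESPACE.get(name)
        if namespace is None:
            # Names are case-sensitive; report unknown ones instead of dropping them.
            errors.append(f"{name}: not a variable name from the attribute table")
            continue
        if not isinstance(value, str):
            errors.append(f"{name}: data type must be string, got {type(value).__name__}")
            continue
        if name == "credentialStatus" and value not in CREDENTIAL_STATUS:
            errors.append(f"credentialStatus: {value!r} is not one of {sorted(CREDENTIAL_STATUS)}")
            continue
        if namespace == CORE:
            resource[name] = value                 # core attribute: top level
        else:
            resource.setdefault(namespace, {})[name] = value  # extension: under its URN
            if namespace not in resource["schemas"]:
                resource["schemas"].append(namespace)

    return (None, errors) if errors else (resource, errors)


if __name__ == "__main__":
    user, problems = build_scim_user(SAMPLE_PROFILE)
    print(json.dumps(user, indent=2) if user else "\n".join(problems))
```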

<details>

<summary>Attribute table</summary>

Refer to the list of [acceptable card formats](https://app.gitbook.com/s/aaHs5RfKqv9Z49mi02cC/installation/badge-reader-support/supported-card-formats). The data type for all attributes is string.

| Display Name      | Variable Name / External Name                                                              | External Namespace                                             | Description                                         | ENUM                                                                    |
| ----------------- | ------------------------------------------------------------------------------------------ | -------------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------------------------------- |
| Card Format       | cardFormat                                                                                 | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Card format for access credential                   | Leave unchecked                                                         |
| Card Number       | cardNumber                                                                                 | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Card number for access credential                   | Leave unchecked                                                         |
| Card Number Hex   | cardNumberHex                                                                              | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Hexadecimal representation of the card number       | Leave unchecked                                                         |
| Credential Status | credentialStatus                                                                           | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Status of the card credential                       | Checkbox: active → active, deactivated → deactivated, deleted → deleted |
| Facility Code     | facilityCode                                                                               | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Facility code associated with the card              | Leave unchecked                                                         |
| External ID       | externalId                                                                                 | urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User   | Customer-defined unique ID, not exposed in UI       | Leave unchecked                                                         |
| Department ID     | costCenter                                                                                 | urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User   | Identifier used to map user's department in Command | Leave unchecked                                                         |
| Title             | title                                                                                      | urn:ietf:params:scim:schemas:core:2.0:User                     | User's title or role                                | Leave unchecked                                                         |
| Employee Number   | employeeNumber                                                                             | urn:ietf:params:scim:schemas:core:2.0:User                     | Employee ID                                         | Leave unchecked                                                         |
| Phone Number      | <p>Variable Name: phoneNumber<br></p><p>External Name: phoneNumbers\[type==work].value</p> | urn:ietf:params:scim:schemas:core:2.0:User                     | Work phone number                                   | Leave unchecked                                                         |
| Department        | department                                                                                 | urn:ietf:params:scim:schemas:core:2.0:User                     | User's department                                   | Leave unchecked                                                         |
| Organization      | organization                                                                               | urn:ietf:params:scim:schemas:core:2.0:User                     | Company or organization                             | Leave unchecked                                                         |

</details>
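
A pre-flight check built from the attribute table, as an added example that is not Verkada's or Okta's code. It assumes the SCIM User resource is a Python dict with core attributes at the top level and extension attributes nested under their namespace URN; `lint_scim_user`, `SAMPLE` and the `EXAMPLE_FORMAT` value are hypothetical names.

```python
ACCESS = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"
VCORE = "urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"

# Namespace -> attribute names, copied from the attribute table.
SCHEMA = {
    ACCESS: {"cardFormat", "cardNumber", "cardNumberHex", "credentialStatus", "facilityCode"},
    VCORE: {"externalId", "costCenter"},
    CORE: {"title", "employeeNumber", "department", "organization"},
}
STATUS_VALUES = {"active", "deactivated", "deleted"}
OWNER = {name: ns for ns, names in SCHEMA.items() for name in names}


def lint_scim_user(user):
    """Return a list of findings for one SCIM User resource (a dict)."""
    findings = []
    for ns, allowed in SCHEMA.items():
        # Assumption: core attributes sit at the top level of the resource,
        # extension attributes under a key named after their namespace URN.
        block = user if ns == CORE else user.get(ns, {})
        for name, value in block.items():
            if name in allowed:
                if not isinstance(value, str):
                    findings.append(f"{name}: expected string, got {type(value).__name__}")
                elif name == "credentialStatus" and value not in STATUS_VALUES:
                    findings.append(f"credentialStatus: {value!r} is not an allowed value")
            elif name in OWNER:
                findings.append(f"{name}: belongs in {OWNER[name]}, found in {ns}")
            elif ns != CORE:
                findings.append(f"{name}: not in the attribute table for {ns}")
    for phone in user.get("phoneNumbers", []):
        if phone.get("type") == "work" and not isinstance(phone.get("value"), str):
            findings.append("phoneNumbers[type==work].value: expected string")
    return findings


# Constructed sample: numeric cardNumber, unknown status, misplaced facilityCode.
SAMPLE = {
    "userName": "pat@example.com",
    "title": "Engineer",
    "facilityCode": "112",
    "phoneNumbers": [{"type": "work", "value": "+1 555 0100"}],
    ACCESS: {"cardFormat": "EXAMPLE_FORMAT", "cardNumber": 40123, "credentialStatus": "disabled"},
    VCORE: {"externalId": "emp-0042"},
}

if __name__ == "__main__":
    for finding in lint_scim_user(SAMPLE):
        print(finding)
```

The linter checks only attribute placement, the string data type and the `credentialStatus` values; it does not validate card format names, which come from the linked card format list.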

***

**Provision users and groups**

{% hint style="warning" %}
Users added to the app push automatically; groups need to be pushed manually.
{% endhint %}

<details>

<summary>Users within Okta</summary>

1. Log in to Okta.
2. On the left, click Applications and click the Verkada app.
3. Click the Assignments tab.
4. Click the Assign dropdown and select Assign to People.
5. Click Assign for the people you want to provision to the app.
6. You'll see the information for that user. At the bottom, click Save and Go Back.
7. When you are redirected to the Assign page, click Done.

</details>

<details>

<summary>Groups within Okta</summary>

1. Log in to Okta.
2. On the left, click Applications and click the Verkada app.
3. Click the Assign dropdown and select Assign to Groups.
4. Click Assign for the groups you want to provision to the app.
5. You'll see the information for that group. At the bottom, click Save and Go Back.
6. When you are redirected to the Assign page, click Done.
7. At the top, select the Push Groups tab.
8. Click the Push Groups dropdown to find groups (by name or by rule).

   <div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/908982850/0e072e940214abd86eccae78/8375910_PushGroups2.png?expires=1766003400\&#x26;signature=c683ba9a537f5f61a445595354759205f7d05d3a013958409fa33d10e53b025e\&#x26;req=fSAvH8F8lYRfFb4f3HP0gBjiUrIpNNuxqoUP%2FsMKcUgdsP%2FBiZqRIbif1UoG%0Aack%3D%0A" alt="" width="800"></div>
9. Find the group you want to push and click Save. If successful, the Push Status shows Active.

   <div align="left" data-with-frame="true"><img src="https://verkada.intercom-attachments-7.com/i/o/886851187/ff3bcb4859a185c725971d13/XG0rEyG-XDWORuFFC5OnBuAAl8tUCxUnC-Kld0NoCJokuF5TFUGcUzWV_mvhwu8oB1rlI1RCg_RdNfl8d3vp41h2lbLGUnYWZJYhDPsNIx43BK16y4xlZlyyH-CQzJLAIvzS0nQqIeEWrnpXHLYUkO8?expires=1766003400\&#x26;signature=0246e57d8680e08596d6512b14df2c89c13364b4677a8339da387976b1684953\&#x26;req=fCghHsx%2FnIlYFb4f3HP0gFDQ0cgPnnmdT8g7G1F1L2o4ttgtkFgRDHzNIki%2B%0ABaM%3D%0A" alt="" width="800"></div>
10. Command then tags users and groups imported via SCIM as SCIM Managed.

<div align="left" data-with-frame="true"><img src="https://downloads.intercomcdn.com/i/o/908983529/77b17d99bdb427518624c0dd/8375910_PushGroups.png?expires=1766003400\&#x26;signature=03b70057ea0ac3881d86f24a8181488733242f8779814dd825870515992d05a8\&#x26;req=fSAvH8F9mINWFb4f3HP0gPMJ%2F1wgTqLZsR1nHZfRlffqmSaMW1oNhJjjRzd5%0ARYc%3D%0A" alt="" width="800"></div>

</details>

***

**Delete SCIM-managed users from Command**

When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:

* **Delete the user** – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
* **Permanently remove the user** – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.

{% hint style="warning" %}
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
{% endhint %}

***

**Known issues**

* **Updating usernames (emails) does not automatically take effect in Command**. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.
* **If a new user cannot log in via SSO**, the cause may be that the user's email domain has not been added to the SSO configuration in the Verkada backend. A user whose email is outside the email domains provided when SSO was set up cannot use SSO. If this is the cause, edit the SSO configuration and add the domain to resolve the issue.
* **If you run into this error while provisioning users,** *"Error while trying to push profile update for user: Bad Request. Errors reported by remote server: Invalid request",* see this [Okta article](https://support.okta.com/help/s/article/verkada-provisioning-error-error-while-trying-to-push-profile-update-for-user-bad-request-errors-reported-by-remote-server-invalid-request?language=en_US) for troubleshooting steps.
* **If you experience any other problems with setting up SSO**, contact [Verkada Support](https://help.verkada.com/command/need-help/contact-verkada-support).

***

{% hint style="info" %}
**Prefer to see it in action?** Check out the [video tutorial](https://www.youtube.com/watch?v=YSMzqFwWlW4).
{% endhint %}
{% endtab %}
{% endtabs %}
