Okta

Configure SSO and user provisioning with Okta

Integrate Verkada Command with Okta for Single Sign-On (SSO) and automated user provisioning.

Feature

Supported

OIDC SSO

Yes

SAML SSO

Yes

SCIM Provisioning

Yes

ECE Support

Yes

Verkada recommends OIDC over SAML for enhanced security and easier configuration. OIDC also enables Enterprise Controlled Encryption.

OIDC Single Sign-On

Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Okta. This integration allows users to seamlessly and securely authenticate using their existing Okta credentials.

OIDC is not supported on the Pass app or Desk Station apps.

Enable Enterprise Controlled Encryption (ECE) for enhanced security.

Okta configuration

Navigate to your Okta instance to create a new application. Click Applications from the sidebar and click Create App Integration.

Under Create a new app integration, select OIDC - OpenID Connect as your Sign-in method and Single-Page Application as your Application type.

Give your application an identifiable name and add the following Sign-in redirect URIs:

a. https://command.verkada.com/oidc/okta/callback b. https://<org-short-name>.command.verkada.com/oidc/okta/callback (replace with your Command organization's short-name)

(Optional) Under Sign-out redirect URIs add https://command.verkada.com/.

Under Assignments, select Skip Group Assignment for now and click Save.

Under Assignments, click the Assign dropdown to assign this application to your user profiles.

Under General, copy the Client ID displayed under Client Credentials.

Command configuration

In Verkada Command, go to All Products > Admin.

In the left navigation, select Login & Access.

Select Single Sign-On Configuration.

Under OIDC Configuration, click Add New.

a. Toggle on Enable. b. (Optional) Toggle on Require OIDC SSO. c. Under Select Provider, select Okta. d. Under Add Client and Tenant, click :plus:.

In the Client ID field, paste the Client ID you copied from Okta.
In the Tenant ID field, enter the first part of your Okta instance's URL (e.g., https://yourinstancename.okta.com).
Click Done.

e. Under Email Domains, click :plus:.

Enter your domain name (e.g., @verkada.com).
Click Done.

Under Login Test, click Run Login Test.

A successful login test should redirect to the OIDC configuration page. Once logged in, add the domain to whitelist.

Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.

Once your domain is verified, you should see it successfully validated.

SAML Single Sign-On

Verkada Command integrates with Okta using Security Assertion Markup Language (SAML) for authentication. SAML allows Okta to manage access to Command like any other SaaS application.

Before you begin

For a successful integration, choose the best path for your region:

First, enable SAML for your Command account
US orgs: Use the existing Verkada gallery application
EU and AUS orgs: Configure a new app integration in Okta

Create a Verkada Okta app (US orgs)

Log in to Okta.
Go to the Applications page and click Browse App Catalog.
In the search bar, type Verkada.
Click Add.
Click Done.

Configure a new app integration (EU and AUS orgs)

Go to Applications and select Create App Integration.
Select SAML 2.0 and click Next.
Enter an application name and optionally add a logo, then click Next.
Configure the SAML settings:

Single sign-on URL:

EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>

Audience URI (SP Entity ID):

EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>

Set the application username to Okta Username.
Configure attribute statements:
- email → user.email
- firstName → user.firstName
- lastName → user.lastName
On the feedback page, check This is an internal app that we have created.

Configuration

In Okta, select the Sign On tab for the Verkada app, and click Edit.

Scroll down to Advanced Sign-On Settings and enter the Client ID from your Command account.

Click Save.

Scroll to SAML Signing Certificates and click Generate new certificate if one doesn't exist.

To the right of the certificate, select the Actions dropdown and click View IdP metadata.

Right-click on the metadata and save as an XML file.

After downloading the XML file, upload it to Command.

In the Verify Metadata section, click Run Login Test.

Troubleshooting

Updating usernames (emails) does not automatically take effect in Command. Un-assign the user from the SAML app, then re-add them for changes to take effect.
New users cannot log in via SSO? The email domain may not be in the SSO configuration. Add the domain to fix this.
Other SSO problems? Contact Verkada Support.

SCIM User Provisioning

Verkada Command integrates with Okta using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.

SCIM synchronizes users and groups from Okta directly into Command. This lets you:

Retain Okta as your central IdP
Automatically update users and groups in Command as changes occur in Okta
Assign and manage permissions in Command using your existing identity structure

If your organization uses SCIM, phone numbers can only be provisioned through SCIM. You will not be able to edit your phone number directly in Command.

Before you begin

You need an API token to connect to the Verkada SCIM endpoint. Learn how to acquire a SCIM API token.

Choose the path for your region:

US orgs: Follow the steps to create a Verkada Okta app
EU and AUS orgs: Follow the steps to enable SCIM provisioning

To confirm your region, refer to where your organization was created.

Create a Verkada Okta app

US region

Log in to Okta.
On the left navigation, click Applications.
At the top, click Browse App Catalog.
Search for Verkada, click the app, and then click Add Integration.
Enter a name for the application and click Done.

EU and AUS region

Log in to Okta.
Go to Applications and click Create App Integration.
Select SAML 2.0 and click Next.
Enter an app name and click Next.
Configure the SAML URLs:

Single sign-on URL:

EU orgs: https://saml.prod2.verkada.com/saml/login/<org-short-name>
AUS orgs: https://saml.ap-syd.verkada.com/saml/login/<org-short-name>

Audience URI (SP Entity ID):

EU orgs: https://saml.prod2.verkada.com/saml/sso/<org-short-name>
AUS orgs: https://saml.ap-syd.verkada.com/saml/sso/<org-short-name>

Click Next and finish the setup.
On the General tab, click Edit and check Enable SCIM provisioning.
On the Provisioning tab, click Edit for SCIM Connection:
- SCIM connector base URL:
  - EU orgs: https://scim.prod2.verkada.com/scim
  - AUS orgs: https://scim.ap-syd.verkada.com/scim
- Unique identifier field: userName
- Check: Push New Users, Push Profile Updates, Push Groups
- Authentication Mode: HTTP Header
- Paste your SCIM token in the Authorization field
Click Save.

Configure the Verkada app

US region

Log in to Okta.
Click Applications and select the Verkada app.
Select the Provisioning tab.
Under Integration, click Configure API Integration:
- Check Enable API integration
- Paste your Command-generated API token
- Click Save
Under Settings > To App, click Edit:
- Enable: Create Users, Update User Attributes, Deactivate Users
- Click Save
Under Verkada Attribute Mappings, click Go to Profile Editor and verify attributes match.

EU and AUS region

Log in to Okta.
Click Applications and select the Verkada app.
Under Provisioning > Settings > To App, click Edit:
- Enable: Create Users, Update User Attributes, Deactivate Users
- Click Save

Provision users and groups

Users added to the app push automatically; groups need to be pushed manually.

Provision users

Log in to Okta.
Click Applications and select the Verkada app.
Click the Assignments tab.
Click Assign > Assign to People.
Click Assign for the users you want to provision.
Click Save and Go Back, then Done.

Provision groups

Log in to Okta.
Click Applications and select the Verkada app.
Select the Push Groups tab.
Click Push Groups to find groups by name or rule.
Select the group and click Save. Push Status should show Active.

Alternatively, use Assign to Groups under the Assignments tab.

Add attributes to SCIM-managed users (optional)

Verkada and Okta support these attributes: userName, givenName, familyName, title, employeeNumber, primaryPhone, department, organization

US region

Log in to Okta.
Go to Applications and click the Verkada app.
Select the Provisioning tab.
Under Verkada Attribute Mappings, click Go to Profile Editor.
Click Add Attribute:
- Enter attribute name in Display name, Variable name, and External name fields
- For phone numbers, use: phoneNumbers[type eq "work"].value
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- User Permission: Read-Write
Click Save.

EU and AUS region

Log in to Okta.
Go to Applications and click the Verkada app.
Go to Provisioning > Go to Profile Editor.
Click Add Attribute:
- Enter a unique display name
- Enter variable name (remember for later)
- Enter external name (must be a supported attribute)
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- Select Read-Write
Click Save.
Click Mappings > Okta User to [your app].
Map the newly created attribute and click Save Mappings.

To provision phone numbers outside the US, include the country code (e.g., +61 123 456 789).

Delete SCIM-managed users

When a SCIM-managed user is deactivated in Okta, you can remove them from Command:

Delete the user – Moves to Deleted Users page, keeps historical records
Permanently remove the user – Erases all data; re-provisioning creates a new record

You must deactivate the user in Okta before either deletion option is available in Command.

Add access credentials (optional)

Log in to Okta.

Go to Directory > Profile Editor and select User (default).

Click Add Attribute and add the custom attributes from the table below.

Go to Applications and open your Verkada SCIM application.

On the Provisioning tab, select To App > Go to Profile Editor.

Click Add Attribute to create attributes with these details:

External namespace: urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User
Attribute type: Personal

Click Mappings and map attributes from Okta User to your SCIM app.

Click Save Mappings and Apply updates now.

Credential attributes:

Data Type

Display Name

External Name

string

Card Format

cardFormat

string

Card Number

cardNumber

string

Card Number Hex

cardNumberHex

string

Credential Status

credentialStatus

string

Facility Code

facilityCode

string

External ID

externalId

string

Department ID

costCenter

Known issues

Updating usernames (emails) does not automatically take effect. Un-assign and re-add the user.
New users cannot log in via SSO? The email domain may not be added to SSO configuration.
Provisioning errors? See Okta's troubleshooting article.
Other problems? Contact Verkada Support.

Prefer to see it in action? Check out the video tutorial.

Last updated 15 hours ago

Was this helpful?