Okta SAML and SCIM Integration
This guide explains how to set up SAML and SCIM with Okta
Updated over a week ago

Verkada Command can integrate with Okta (among other IdPs) in two capacities, depending on the use case:

  • SAML (Security Assertion Markup Language)

  • SCIM (System for Cross-Domain Identity Management)

SAML handles authentication, allowing Okta to manage access to Command in the same way as any other SaaS application already integrated into your Okta tenant. This means Verkada Command can be incorporated into your existing identity framework, with access controlled by the policies you already have in place.

SCIM, on the other hand, lets you synchronize the users and groups already present in Okta with Verkada Command. You retain your current central identity provider and use your existing users and groups in Verkada Command to control access to the platform.

Creating a Verkada Okta App

  1. Log into Okta

  2. Select the Applications page

  3. Select the Browse Applications page

  4. Enter 'Verkada' in the search bar

  5. Select Add

  6. Select Done

SAML

Prerequisites

Procedure

  1. In Okta, select the Sign On tab for the Verkada app, then select Edit

  2. Scroll down to the Advanced Sign-On Settings section. Enter the Client ID

  3. Select Save

  4. Scroll further down to the SAML Signing Certificates section. Generate a certificate by selecting Generate new certificate if one does not exist

  5. Select Actions to the right of the certificate and then select View IdP metadata

  6. Save the page to download the metadata

  7. After downloading the XML file, upload it to Command

Troubleshooting/Known Issues

  • Updating usernames (emails) does not take effect in Verkada Command. If a username is to be changed, please unassign the user from the SAML app, then re-add them to the app for the change to take effect.

  • If a new user cannot log in via SSO, it could be due to the email domain not being added to the SSO configuration in the Verkada backend. If the user's email is outside of the email domains provided when SSO was set up, the user will be unable to use SSO. If this is the cause of the problem, you will need to edit the SSO configuration and add this domain to remedy the issue.

  • If you run into any other problems when setting up SSO, please reach out to Verkada Support.

SCIM

SCIM can be used with Verkada Command in order to create and modify users and groups. This document discusses setting up SCIM with Okta. This requires that you have Okta Lifecycle Management.

Prerequisites

  • API Token - This allows you to connect to the Verkada SCIM endpoint. This token is unique to each Verkada organization. This article explains how to acquire a SCIM API token.

Supported Features

The SCIM integration allows for user and group creation, management, and deletion from Command.

Note: SCIM managed users will no longer have the option to edit their phone number in Command. It can only be provisioned via SCIM.

Procedure

  1. In Okta, select the Provisioning tab for the Verkada app, then select Configure API Integration

  2. Check the box to Enable API Integration, then enter the API Token generated in Command

  3. Select Test API Credentials; you should get the response "Verkada was verified successfully!" If successful, select Save

  4. After saving, select To App under settings and then select Edit

  5. Select Create Users, Update User Attributes, Deactivate Users, and then select Save

Assigning users and groups to the SCIM app

Okta users and groups can now be assigned to the SCIM app. Users added to the app will push automatically, while groups will need to be pushed manually. Follow these steps to push groups:

  1. In Okta, select the Push Groups tab for the Verkada app, then select the Push Groups button

  2. Find the group, and select Save. If successful, the Push Status will show Active

  3. Command will tag users & groups as Externally Managed if they are imported via SCIM

Troubleshooting/Known Issues

  • Updating usernames (emails) does not take effect in Verkada Command. If a username is to be changed, please unassign the user from the SCIM app, then re-add them to the app for the change to take effect.

  • If a new user cannot be created, it could be due to the email domain not being added to the SCIM configuration in the Verkada backend. When the authentication token is generated for an organization, the expected email domains are tied to it. If the user is outside of the email domains provided when the token was created, the user cannot be created. If this is the cause of the problem, you will need to generate a new token and add this domain to remedy the issue.

  • Users can only be added/removed from SCIM managed groups through SCIM, not through Command.

  • Groups created in Command cannot be imported to or synced with SCIM.

  • If you run into problems when setting up SCIM or when provisioning users or groups, please reach out to Verkada Support.

Provision Users - Attribute Mapping

In this next section, we will configure the attributes for users.

Configure your mapping to match the screenshot provided or the data table below (in this example, we are configuring the "title" mapping). Then save.

Under Mappings

Make sure that your custom attribute is showing up here, then save

Here is a list of all of the custom attributes we support:

Okta Attribute      Verkada Attribute
title               title
employeeNumber      employeeNumber
primaryPhone        primaryPhone
department          department
organization        organization

Example Phone Number Mapping

Display name          primaryPhone (this can be anything)
Variable name         primaryPhone
External name         phoneNumbers.^[type==work].value
External namespace    urn:ietf:params:scim:schemas:core:2.0:User
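The external name above selects the first phoneNumbers entry whose type is work and uses its value. The script below is an added example, not Okta's or Verkada's implementation: it shows where a mapped primaryPhone lands in a SCIM User body and flags the two provisioning problems noted earlier (an email domain not tied to the SCIM token, and a missing phone number that a SCIM-managed user cannot later edit in Command). The profile field name login, the sample profiles and the domain list are assumptions constructed for illustration.

```python
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PHONE_EXTERNAL_NAME = "phoneNumbers.^[type==work].value"  # from the mapping above
_EXPR = re.compile(r"^(\w+)\.\^\[(\w+)==(\w+)\]\.(\w+)$")


def place(resource, external_name, value):
    """Write value where 'list.^[key==val].field' points: the first list
    entry whose key equals val, creating that entry if none exists."""
    m = _EXPR.match(external_name)
    if not m:
        raise ValueError(f"unsupported external name: {external_name!r}")
    attr, key, wanted, field = m.groups()
    entries = resource.setdefault(attr, [])
    entry = next((e for e in entries if e.get(key) == wanted), None)
    if entry is None:
        entry = {key: wanted}
        entries.append(entry)
    entry[field] = value


def preflight(profile, token_domains):
    """Build the SCIM User body for one profile and list provisioning problems."""
    email = profile["login"]  # assumption: the Okta login is the email/userName
    user = {"schemas": [CORE_USER], "userName": email}
    problems = []
    domain = email.rpartition("@")[2].lower()
    if domain not in token_domains:
        problems.append(f"domain {domain} not tied to the SCIM token")
    if profile.get("primaryPhone"):
        place(user, PHONE_EXTERNAL_NAME, profile["primaryPhone"])
    else:
        problems.append("no primaryPhone; SCIM-managed users cannot edit it in Command")
    return user, problems


# Constructed sample profiles and token domain list.
PROFILES = [
    {"login": "jane.doe@example.com", "primaryPhone": "+1-555-0101"},
    {"login": "sam.lee@contractor.example", "primaryPhone": ""},
]
TOKEN_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for p in PROFILES:
        print(preflight(p, TOKEN_DOMAINS))
```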
