Verkada Command can integrate with Okta (among other IdPs) in two capacities, depending on the use case:
SAML (Security Assertion Markup Language)
SCIM (System for Cross-Domain Identity Management)
SAML handles authentication, allowing Okta to manage access to Command in the same way as any other SaaS application already integrated into your Okta tenant. This means Verkada Command can be incorporated into your existing identity framework and access-controlled based on the policies you already have in place.
SCIM, on the other hand, lets you take the users and groups already present in Okta and synchronize them with Verkada Command. You keep your current central identity provider and use your existing users and groups in Verkada Command to control access to the platform.
Creating a Verkada Okta App
Log into Okta
Select the Applications page
Select the Browse Applications page
Enter 'Verkada' in the search bar
Select Add
Select Done
SAML
Prerequisites
Generate your SAML Client ID
Procedure
In Okta, select the Sign On tab for the Verkada app, then select Edit
Scroll down to the Advanced Sign-On Settings section. Enter the Client ID
Select Save
Scroll further down to the SAML Signing Certificates section. If no certificate exists, generate one by selecting Generate new certificate
Select Actions to the right of the certificate and then select View IdP metadata
Save the page to download the metadata
After downloading the XML file, you need to upload it to Command
Troubleshooting/Known Issues
Updating usernames (emails) does not take effect in Verkada Command. If a username is to be changed, please unassign the user from the SAML app, then re-add them to the app for the change to take effect.
If a new user cannot log in via SSO, it could be because their email domain has not been added to the SSO configuration in the Verkada backend. A user whose email is outside the email domains provided when SSO was set up will be unable to use SSO. If this is the cause of the problem, you will need to edit the SSO configuration and add this domain to remedy the issue.
If you run into any other problems when setting up SSO, please reach out to Verkada Support.
SCIM
SCIM can be used with Verkada Command in order to create and modify users and groups. This document discusses setting up SCIM with Okta. This requires that you have Okta Lifecycle Management.
Prerequisites
API Token - This allows you to connect to the Verkada SCIM endpoint. The token is unique to each Verkada organization. This article explains how to acquire a SCIM API token.
Supported Features
The SCIM integration allows for user and group creation, management, and deletion from Command.
Note: SCIM managed users will no longer have the option to edit their phone number in Command. It can only be provisioned via SCIM.
Procedure
In Okta, select the Provisioning tab for the Verkada app, then select Configure API Integration
Check the box to Enable API Integration, then enter the API Token generated in Command
Select Test API Credentials and you should get the response "Verkada was verified successfully!" If successful, select Save
After saving, select To App under settings and then select Edit
Select Create Users, Update User Attributes, Deactivate Users, and then select Save
Assigning users and groups to the SCIM app
Okta users and groups can now be assigned to the SCIM app. Users added to the app will push automatically, while groups will need to be pushed manually. Follow these steps to push groups:
In Okta, select the Push Groups tab for the Verkada app, then select the Push Groups button
Find the group, and select Save. If successful the Push Status will show Active
Command will tag users & groups as Externally Managed if they are imported via SCIM
Troubleshooting/Known Issues
Updating usernames (emails) does not take effect in Verkada Command. If a username is to be changed, please unassign the user from the SCIM app, then re-add them to the app for the change to take effect.
If a new user cannot be created, it could be because their email domain has not been added to the SCIM configuration in the Verkada backend. When the authentication token is generated for an organization, the expected email domains are tied to it. A user whose email is outside the email domains provided when the token was created cannot be created. If this is the cause of the problem, you will need to generate a new token and add this domain to remedy the issue.
Users can only be added/removed from SCIM managed groups through SCIM, not through Command.
Groups created in Command cannot be imported to or synced with SCIM.
If you run into problems when setting up SCIM or when provisioning users or groups, please reach out to Verkada Support.
Provision Users - Attribute Mapping
In this next section, we will configure the attributes for users.
Configure your mapping to match the screenshot provided or the data table below (in this example, we are configuring the "title" mapping). Then save.
Under Mappings
Make sure that your custom attribute is showing up here, then save
Here is a list of all of the custom attributes we support:
Okta Attribute | Verkada Attribute |
title | title |
employeeNumber | employeeNumber |
primaryPhone | primaryPhone |
department | department |
organization | organization |
Example Phone Number Mapping
Display name | primaryPhone (this can be anything) |
Variable name | primaryPhone |
External name | phoneNumbers.^[type==work].value |
External namespace | urn:ietf:params:scim:schemas:core:2.0:User |
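What the phone mapping above selects inside a SCIM User resource, as an added example that is not part of the original article or Verkada's or Okta's own code. The helper names, the sample user and phone numbers are constructed, and the handling of the `^[type==work]` selector is a simplified model that covers only the form shown in the table.

```python
import re

# External namespace and external name, taken from the mapping table above.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PHONE_EXTERNAL_NAME = "phoneNumbers.^[type==work].value"

# Matches the form  attribute.^[key==wanted].subattribute
_FILTERED = re.compile(r"^(\w+)\.\^\[(\w+)==(\w+)\]\.(\w+)$")


def set_by_external_name(resource, external_name, value):
    """Write value where the external name points inside a SCIM resource."""
    m = _FILTERED.match(external_name)
    if m is None:                      # simple attribute such as "title"
        resource[external_name] = value
        return resource
    attr, key, want, sub = m.groups()
    items = resource.setdefault(attr, [])
    for item in items:                 # update the entry the filter selects
        if str(item.get(key)) == want:
            item[sub] = value
            return resource
    items.append({key: want, sub: value})   # no match yet: add a new entry
    return resource


def get_by_external_name(resource, external_name):
    """Read the value the external name selects, or None if nothing matches."""
    m = _FILTERED.match(external_name)
    if m is None:
        return resource.get(external_name)
    attr, key, want, sub = m.groups()
    for item in resource.get(attr, []):
        if str(item.get(key)) == want:
            return item.get(sub)
    return None


def build_user(user_name, primary_phone):
    """Constructed minimal SCIM User carrying the mapped primaryPhone."""
    user = {"schemas": [CORE_USER], "userName": user_name}
    return set_by_external_name(user, PHONE_EXTERNAL_NAME, primary_phone)


if __name__ == "__main__":
    print(build_user("alex@example.test", "+15555550100"))
```

A resource that carries only a mobile entry yields None for this selector, which is worth checking for because SCIM managed users cannot edit their phone number in Command.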