Verkada Command can integrate with Okta (among other Identity Providers [IdPs]) in 2 capacities, depending on the use case:
Security Assertion Markup Language (SAML)
System for Cross-Domain Identity Management (SCIM)
SAML handles the authentication process, allowing Okta to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrated into your Okta tenant. This means Command can be incorporated into your existing identity framework and access-controlled under the policies you already have in place.
SCIM lets you synchronize the users and groups already present in Okta with Command. You keep your current central identity provider and use those existing users and groups in Command to control access to the platform.
Before you begin
For a successful integration, choose the best path for your region:
For US orgs, you will use an existing Verkada application, following the steps directly below.
For EU and AUS orgs, follow the steps in the next section to configure a new app integration in Okta.
Configure a new app integration from Okta (EU orgs)
Go to Applications, and select Create App Integration.
Create a new app integration, select SAML 2.0, and click Next.
On the "Create a SAML integration" page, under General Settings, enter an application name, optionally add an application logo, and then click "Next."
On the Configure SAML page, fill in the Single sign-on URL and Entity ID.
Single sign-on URL for EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>
Audience URI (SP Entity ID) for EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
Note: Replace <client-ID> in these URLs with the Client ID from your Command configuration before entering them in the Okta application.
The application username is the Okta Username.
In the Attribute Statements section, set up attribute mapping as follows:
Name: email, Value: user.email
Name: firstName, Value: user.firstName
Name: lastName, Value: user.lastName
On the feedback page, check the box labeled "This is an internal app that we have created".
How the integration works
1. In Okta, select the Sign On tab for the Verkada app, and click Edit.
2. Scroll down to Advanced Sign-On Settings and enter the Client ID from your Command account.
3. Select Save.
4. Scroll further down to SAML Signing Certificates and click Generate new certificate, if a certificate does not already exist.
5. To the right of the certificate, select the Actions dropdown and click View IdP metadata.
6. Right-click the metadata, select Save As, and download it as an XML file.
7. After downloading the XML file, upload it to Command.
8. In the Verify Metadata section, click Run Login Test.
Troubleshooting/Known Issues
Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, un-assign the user from the SAML app, then re-add the user to the app for the change to take effect.
If a new user cannot log in via SSO, the cause may be that the user's email domain has not been added to the SSO configuration in the Verkada backend. A user whose email falls outside the email domains provided when SSO was set up cannot use SSO. If this is the cause, edit the SSO configuration and add the domain to remedy the issue.
If you experience any other problems with setting up SSO, contact Verkada Support.