Okta
Configure SSO and user provisioning with Okta
Verkada Command can integrate with Okta (among other Identity Providers [IdPs]) in two capacities, depending on the use case:
Security Assertion Markup Language (SAML)
System for Cross-Domain Identity Management (SCIM)
SAML handles the authentication process, allowing Okta to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrated into your Okta tenant. This means Command can be incorporated into your existing identity framework and be access-controlled based on your current policies in place.
SCIM lets you synchronize the users and groups already present in Okta with Command. You keep your current central identity provider and use those existing users and groups in Command to control access to the platform.
Verkada recommends OIDC over SAML for enhanced security and easier configuration. OIDC also enables Enterprise Controlled Encryption.
OIDC based SSO for Okta
Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Okta. This integration allows our users to seamlessly and securely authenticate using their existing Okta credentials, streamlining access to Command and enhancing overall security.
OIDC is not supported on the Pass app or Desk Station apps.
Enable Enterprise Controlled Encryption (ECE) for enhanced security.
OIDC configuration
Navigate to your Okta instance to create a new application to manage your OIDC configuration. Click on Applications from the Applications sidebar option and click Create App Integration.

Under Create a new app integration, select OIDC - OpenID Connect as your Sign-in method and Single-Page Application as your Application type.

Under Sign-in redirect URIs give your application an identifiable name and add the following links to the list of Sign-in redirect URIs:
a. https://command.verkada.com/oidc/okta/callback
b. https://<org short name>.command.verkada.com/oidc/okta/callback, where <org short name> is the short name of your Command organization.

(Optional) Under Sign-out redirect URIs add https://command.verkada.com/.

Under Assignments, select Skip Group Assignment for now and click Save.

Under Assignments, click on the Assign dropdown to assign this application to your (and other relevant) user profiles.

Under General, copy the Client ID displayed under Client Credentials.
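The redirect URI list is the part of this setup worth re-checking after the fact, because any extra or loosely written entry widens where Okta will send sign-in responses. The following is an added example, not Verkada or Okta code: it compares a list of registered sign-in redirect URIs against the two documented above and explains each deviation. The org short name `acme` and the sample list are constructed.

```python
from urllib.parse import urlsplit

BASE_HOST = "command.verkada.com"
CALLBACK_PATH = "/oidc/okta/callback"


def expected_redirect_uris(org_short_name):
    """The two sign-in redirect URIs this guide tells you to register."""
    return {
        f"https://{BASE_HOST}{CALLBACK_PATH}",
        f"https://{org_short_name}.{BASE_HOST}{CALLBACK_PATH}",
    }


def audit_redirect_uris(configured, org_short_name):
    """Return (missing, findings).

    missing:  documented URIs that are not registered (exact string match).
    findings: (uri, reason) for every registered URI outside the documented pair.
    """
    expected = expected_redirect_uris(org_short_name)
    missing = sorted(expected - set(configured))
    findings = []
    for uri in configured:
        if uri in expected:
            continue
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if "*" in uri:
            reason = "wildcard"
        elif parts.scheme != "https":
            reason = "not https"
        elif host != BASE_HOST and not host.endswith("." + BASE_HOST):
            reason = "foreign host"
        elif parts.path != CALLBACK_PATH:
            reason = "unexpected path"
        else:
            reason = "other org subdomain"
        findings.append((uri, reason))
    return missing, findings


# Constructed sample: what a drifted app configuration might contain.
SAMPLE_CONFIGURED = [
    "https://command.verkada.com/oidc/okta/callback",
    "https://*.command.verkada.com/oidc/okta/callback",
    "http://acme.command.verkada.com/oidc/okta/callback",
    "https://command.verkada.com.example.net/oidc/okta/callback",
    "https://acme.command.verkada.com/oidc/okta/callback/",
]

if __name__ == "__main__":
    missing, findings = audit_redirect_uris(SAMPLE_CONFIGURED, "acme")
    print("missing:", missing)
    for uri, reason in findings:
        print(f"{reason:20} {uri}")
```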

Command configuration
In Verkada Command, go to All Products > Admin.
In the left navigation, select Login & Access.
Select Single Sign-On Configuration.
Under OIDC Configuration, click Add New.
a. Toggle on Enable.
b. (Optional) Toggle on Require OIDC SSO.
c. Under Select Provider, select Okta.
d. Under Add Client and Tenant, click the plus (+) icon.
e. In the Client ID field, paste the Client ID you copied from Okta.
f. In the Tenant ID field, enter the first part of your Okta instance's URL. It should look like this: https://yourinstancename.okta.com.
g. Click Done.

h. Under Email Domains, click the plus (+) icon.
i. Enter your domain name (e.g. @verkada.com).
j. Click Done.

Under Login Test click Run Login Test.
A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.
Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.
Once your domain is verified, you should see it successfully validated.
Okta SAML Integration
Before you begin
For a successful integration, choose the best path for your region:
For US orgs, you will use an existing Verkada application, following the steps directly below.
For EU and AUS orgs, follow the steps in the next section to configure a new app integration in Okta.
Create a Verkada Okta app (US orgs)
Log in to Okta.
Go to the Applications page and click Browse App Catalog.

In the search bar, type Verkada.
Click Add.

Click Done.

Configure a new app integration from Okta (EU orgs)
Go to Applications, and select Create App Integration.
Create a new app integration, select SAML 2.0, and click Next.

On the "Create a SAML integration" page, under General Settings, enter an application name, optionally add an application logo, and then click Next.
On the Configure SAML page, fill in the Single sign-on URL and Entity ID.
Single sign-on URL:
For EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>
Audience URI (SP Entity ID):
For EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>
Note: Obtain the client ID from your Command configuration and substitute it for <client-ID> in the URLs you enter in the Okta application.
The application username is the Okta Username.
In the attributes statements section, set up attributes mapping as follows:
email > user.email
firstName > user.firstName
lastName > user.lastName

On the feedback page, check the box labeled "This is an internal app that we have created".

Attribute mappings
Navigate to Directory > Profile Editor > choose the Verkada app > verify the attributes

Click Mappings and verify the App to Okta User mappings.

User to App mappings:

Configuration
In Okta, select the Sign On tab for the Verkada app, and click Edit.

Scroll down to Advanced Sign-On Settings and enter the Client ID from your Command account.

Select Save.

Scroll further down to SAML Signing Certificates and click Generate new certificate, if a new certificate does not exist.
To the right of the certificate, select the Actions dropdown and click View IdP metadata.

Right-click the metadata, select Save as, and download it as an XML file.
After downloading the XML file, you need to upload it to Command.
In the Verify Metadata section, click Run Login Test.
Troubleshooting
Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, un-assign the user from the SAML app, then re-add the user to the app for the change to take effect.
If a new user cannot log in via SSO, the email domain may not have been added to the SSO configuration in the Verkada backend. A user whose email is outside the email domains provided when SSO was set up cannot use SSO. If this is the cause of the problem, edit the SSO configuration and add the domain.
If you experience any other problems with setting up SSO, contact Verkada Support.
Okta SCIM Integration
Before you begin
You need an API token to connect to the Verkada SCIM endpoint. This token is unique to each Verkada organization. Learn how to acquire a SCIM API token.
For a successful integration, choose the best path for your region:
For US orgs, follow the steps in Create a Verkada Okta app.
For EU and AUS orgs, follow the steps in Enable SCIM provisioning in Okta app.
To confirm which region you're located in, refer to where your organization was created for Verkada.
Create a Verkada Okta app
US region
Log in to Okta.
On the left navigation panel, click Applications.
At the top, click Browse App Catalog.

In the search bar, type Verkada, click the app, and then click Add Integration.

For Application label, type Verkada (or any unique name you prefer) and click Done.

EU and AUS region
Log in to Okta.
Go to the Applications page and click Create App Integration.
On Create a new app integration, select SAML 2.0 and click Next.
In the App name field, enter a name and click Next.
On Create SAML Integration:
For Single sign-on URL:
For EU orgs: https://saml.prod2.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.
For AUS orgs: https://saml.ap-syd.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.
For Audience URI (SP Entity ID):
For EU orgs: https://saml.prod2.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.
For AUS orgs: https://saml.ap-syd.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.
Scroll down and click Next.
Select the I’m an Okta customer adding an internal app radio button and click Finish (optionally, you can skip Okta’s additional questions).
On the left navigation, click Applications and click your newly created app (if you are not automatically redirected to your app).
At the top, select the General tab:
At the top right, click Edit for your app’s App Settings.
Check the Enable SCIM provisioning box.
Click Save.
On SCIM Connection:
At the top of your newly created app, select the Provisioning tab.
Click Edit for the SCIM Connection settings.
For SCIM connector base URL
For EU orgs, https://scim.prod2.verkada.com/scim
For AUS orgs, https://scim.ap-syd.verkada.com/scim
For Unique identifier field for users, enter userName.
Check the Push New Users, Push Profile Updates, and Push Groups boxes.
Click the Authentication Mode dropdown and select HTTP Header.
Copy and paste the SCIM token from Command in the Authorization field.
Click Save.
Configure the Verkada app in Okta
US region
Log in to Okta.
On the left, click Applications and click the Verkada app.
On the left, select the Provisioning tab.
Under the Provisioning tab > Integration:
Click Configure API Integration.
Check the Enable API integration box.
In the API Token field, copy and paste your Command-generated API token.
Click Save.
Under the Provisioning tab > Settings:
Select To App and click Edit.
Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
Click Save.
Under the Provisioning tab > To App section > Verkada Attribute Mappings, click Go to Profile Editor.
Ensure that the attributes match, as shown in the example below. You can add more attributes than shown. See Add attributes to SCIM-managed users.
EU and AUS region
Log in to Okta.
On the left, click Applications and click the Verkada app.
Under the Provisioning tab > Settings:
Select To App and click Edit.
Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
Click Save. You can add more attributes than shown. See Add attributes to SCIM-managed users.
Provision users and groups
Users added to the app push automatically; groups need to be pushed manually.
Users within Okta
Log in to Okta.
On the left, click Applications and click the Verkada app.
Click the Assignments tab.
Click the Assign dropdown and select Assign to People.
Click Assign for the people you want to provision to the app.
You'll see the information for that user. At the bottom, click Save and Go Back.
When you are redirected to the Assign page, click Done.
Groups within Okta
Log in to Okta.
On the left, click Applications and click the Verkada app.
At the top, select the Push Groups tab.
Click the Push Groups dropdown to find groups (by name or by rule).

Find the group you want to push and click Save. If successful, the Push Status shows Active.
Command then tags users and groups as SCIM Managed, if they are imported via SCIM.

On the left, click Applications, then select the Verkada app.
Click the Assignments tab.
Click the Assign dropdown and select Assign to Groups.
Click Assign for the groups you want to provision to the app.
You'll see the information for that group. At the bottom, click Save and Go Back.
When you are redirected to the Assign page, click Done.
Add attributes to SCIM-managed users (optional)
US region
Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization
How it works
Log in to Okta.
Go to the Applications page and click the Verkada app.
Select the Provisioning tab.
Under Verkada Attribute Mappings, click Go to Profile Editor.
On Attributes, click Add Attribute.
In the Display name, Variable name, and External name fields, type the attribute name. A primary phone number's external name should be typed as phoneNumbers.^[type==work].value
In the external namespace field, type urn:ietf:params:scim:schemas:core:2.0:User
Under User Permission, select the Read-Write radio button, and click Save.
EU and AUS region
Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization
To provision phone numbers outside the US in Command, the user phone number in the profile in Okta requires the country code. For example, 0123 456 789 needs to be entered in Okta as +61 123 456 789 to properly be pulled into Command.
How it works
Log in to Okta.
Go to the Applications page and click the Verkada app.
Go to Provisioning tab > Go to Profile Editor.
Click Add Attribute.
In the pop-up window:
Enter a unique display name.
Enter variable name. You will need to remember this for future use.
Enter an external name. Must be one of the supported attributes.
For external namespace, enter urn:ietf:params:scim:schemas:core:2.0:User
Select the Read-Write radio button.
Click Save.
On Profile Editor, click Mappings.
Click Okta User to [name of your Verkada app].
Find your unmapped, newly created attribute.
Enter the proper user attribute for the Okta user to map the newly created attribute.
Click Save Mappings.
Delete SCIM-managed users from Command
When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:
Delete the user – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
Permanently remove the user – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
Add access credentials to SCIM-managed users (optional)
Log in to Okta.
On the left navigation, select Directory > Profile Editor.
a. Select User (default) as the user type.
b. Click Add Attribute and add the custom attributes from the table below.
On the left navigation, select Applications and open your Verkada SCIM-managed application.
On the Provisioning tab, select To App > Go to Profile Editor.
Click Add Attribute to create the attributes listed above using the exact same Data Type, Display Name, Variable Name, Description, and ENUM values.
a. Set the External namespace value for all attributes to:
b. Set Attribute type to Personal.
c. Click Save to add the attribute.
Click Mappings to map the attributes from the Okta User application to your SCIM application.
a. Select Okta User to YourSCIMApp at the top and map the custom attributes created for the Okta Default User to the ones created on your SCIM application.
b. Click Save Mappings and Apply updates now to apply the changes.

The attributes should now be available on the profiles of all users of your Okta application. Once synced, you can view the credentials in Command under Access > Access Users > User Profile > Credentials.

Attribute table
Refer to this list of credentials for the list of acceptable card formats.
| Data Type | Display Name | External Name | External Namespace | Description | ENUM |
| --- | --- | --- | --- | --- | --- |
| string | Card Format | cardFormat | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Card format for access credential | Leave unchecked |
| string | Card Number | cardNumber | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Card number for access credential | Leave unchecked |
| string | Card Number Hex | cardNumberHex | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Hexadecimal representation of the card number | Leave unchecked |
| string | Credential Status | credentialStatus | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Status of the card credential | Checkbox: active → active, deactivated → deactivated, deleted → deleted |
| string | Facility Code | facilityCode | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Facility code associated with the card | Leave unchecked |
| string | External ID | externalId | urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User | Customer-defined unique ID, not exposed in UI | Leave unchecked |
| string | Department ID | costCenter | urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User | Identifier used to map user's department in Command | Leave unchecked |
| string | Title | title | urn:ietf:params:scim:schemas:core:2.0:User | User's title or role | Leave unchecked |
| string | Employee Number | employeeNumber | urn:ietf:params:scim:schemas:core:2.0:User | Employee ID | Leave unchecked |
| string | Phone Number | phoneNumbers[type eq "work"].value | urn:ietf:params:scim:schemas:core:2.0:User | Work phone number | Leave unchecked |
| string | Department | department | urn:ietf:params:scim:schemas:core:2.0:User | User's department | Leave unchecked |
| string | Organization | organization | urn:ietf:params:scim:schemas:core:2.0:User | Company or organization | Leave unchecked |
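The External Namespace column decides where each attribute ends up in the SCIM User that Okta pushes. The following is an added example, not Verkada or Okta code: it checks a flat user profile against the table (ENUM values, hexadecimal card number, phone country code) and then builds the User with extension attributes nested under their schema URN, as RFC 7643 lays out extensions. The flat key names `workPhone`, `givenName` and `familyName` and the sample profile are assumptions made for the example; the exact body Command accepts is not documented on this page.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
VK_ACCESS = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"
VK_CORE = "urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User"

# External name -> external namespace, copied from the attribute table.
NAMESPACE = {
    "cardFormat": VK_ACCESS, "cardNumber": VK_ACCESS, "cardNumberHex": VK_ACCESS,
    "credentialStatus": VK_ACCESS, "facilityCode": VK_ACCESS,
    "externalId": VK_CORE, "costCenter": VK_CORE,
    "title": CORE, "employeeNumber": CORE, "department": CORE, "organization": CORE,
}
# Keys this example handles itself (hypothetical flat-profile key names).
SPECIAL = {"userName", "givenName", "familyName", "workPhone"}
STATUSES = {"active", "deactivated", "deleted"}  # ENUM values from the table


def validate(profile):
    """Return a list of problems found in a flat {attribute: value} profile."""
    problems = [f"{k}: not in the attribute table"
                for k in profile if k not in NAMESPACE and k not in SPECIAL]
    if not profile.get("userName"):
        problems.append("userName: required (unique identifier field)")
    status = profile.get("credentialStatus")
    if status is not None and status not in STATUSES:
        problems.append(f"credentialStatus: {status!r} is not an ENUM value")
    card_hex = profile.get("cardNumberHex")
    if card_hex is not None and not re.fullmatch(r"[0-9A-Fa-f]+", card_hex):
        problems.append("cardNumberHex: not hexadecimal")
    phone = profile.get("workPhone")
    if phone is not None and not phone.startswith("+"):
        problems.append("workPhone: no country code (needed outside the US)")
    return problems


def to_scim_user(profile):
    """Build a SCIM User: core attributes at top level, extension attributes
    nested under their schema URN, which is also listed in "schemas"."""
    user = {"schemas": [CORE], "userName": profile["userName"],
            "name": {"givenName": profile.get("givenName"),
                     "familyName": profile.get("familyName")}}
    if "workPhone" in profile:
        user["phoneNumbers"] = [{"type": "work", "value": profile["workPhone"]}]
    for key, value in profile.items():
        urn = NAMESPACE.get(key)
        if urn == CORE:
            user[key] = value
        elif urn:
            user.setdefault(urn, {})[key] = value
            if urn not in user["schemas"]:
                user["schemas"].append(urn)
    return user


# Constructed sample profile, not real data.
SAMPLE = {"userName": "pat@example.com", "givenName": "Pat", "familyName": "Lee",
          "workPhone": "0123 456 789", "credentialStatus": "suspended",
          "cardNumberHex": "1A2B", "facilityCode": "42", "badgeColor": "red"}
```

Running `validate(SAMPLE)` reports the unknown attribute, the status outside the ENUM, and the phone number without a country code; once those are corrected, `to_scim_user` places the card attributes under the Verkada access extension URN.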
Add externalId to SCIM-managed users (optional)
You can sync a unique identifier of your choice to Command by mapping it to the externalId field. This allows for advanced use cases like disambiguating users across systems or syncing access credentials to a unique user reference. This value is not shown in the Command UI but is stored in the database and can be queried via API.
To add the externalId attribute and map it from Okta:
Create the Attribute in the SCIM App Profile
In Okta, go to Directory > Profile Editor
Select your Verkada SCIM-managed application
Click Add Attribute and add the attribute details as listed in the table above.
Click Save

Map the Attribute
Still in Profile Editor, click Mappings
Choose Okta User to [Your SCIM App]
Find the source field you want to map (e.g., user.nickName, employeeNumber, or another custom field)
Map it to verkadaExternalId
Click the arrow between fields and select Apply mapping on user create and update
Click Save Mappings

Confirm Attribute is Populated
Navigate to Directory > People
Open a user profile and ensure the source field you're mapping from (e.g., Nickname) has a value
From the SCIM App > Provisioning tab, use Force Sync to push updates if needed

Known issues
Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.
If a new user cannot log in via SSO, the email domain may not have been added to the SSO configuration in the Verkada backend. A user whose email is outside the email domains provided when SSO was set up cannot use SSO. If this is the cause of the problem, edit the SSO configuration and add the domain.
If you run into this error while provisioning users: "Error while trying to push profile update for user: Bad Request. Errors reported by remote server: Invalid request", see this Okta article for troubleshooting steps.
If you experience any other problems with setting up SSO, contact Verkada Support.
Prefer to see it in action? Check out the video tutorial.

