Okta
Configure SSO and user provisioning with Okta
Verkada Command can integrate with Okta (among other Identity Providers [IdPs]) in 2 capacities, depending on the use case:
Security Assertion Markup Language (SAML)
System for Cross-Domain Identity Management (SCIM)
SAML handles the authentication process, allowing Okta to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrated into your Okta tenant. This means Command can be incorporated into your existing identity framework and access-controlled by the policies you already have in place.
SCIM lets you synchronize the users and groups already present in Okta with Command. You keep your current central identity provider and use those existing users and groups in Command to control access to the platform.
Verkada recommends OIDC over SAML for enhanced security and easier configuration. OIDC also enables Enterprise Controlled Encryption.
OIDC based SSO for Okta
Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Okta. This integration allows our users to seamlessly and securely authenticate using their existing Okta credentials, streamlining access to Command and enhancing overall security.
OIDC is not supported on the Pass app or Desk Station apps.
Enable Enterprise Controlled Encryption (ECE) for enhanced security.
OIDC configuration
Navigate to your Okta instance to create a new application to manage your OIDC configuration. Click on Applications from the Applications sidebar option and click Create App Integration.

Under Create a new app integration, select OIDC - OpenID Connect as your Sign-in method and Single-Page Application as your Application type.

Under Sign-in redirect URIs give your application an identifiable name and add the following links to the list of Sign-in redirect URIs:
a. https://command.verkada.com/oidc/okta/callback
b. http://<org-short-name>.command.verkada.com/oidc/okta/callback, where <org-short-name> in the URL is the short name of your Command organization.

(Optional) Under Sign-out redirect URIs add https://command.verkada.com/.

Under Assignments, select Skip Group Assignment for now and click Save.

Under Assignments, click on the Assign dropdown to assign this application to your (and other relevant) user profiles.

Under General, copy the Client ID displayed under Client Credentials.

Command configuration
In Verkada Command, go to All Products > Admin.
In the left navigation, select Login & Access.
Select Single Sign-On Configuration.
Under OIDC Configuration, click Add New.
a. Toggle on Enable.
b. (Optional) Toggle on Require OIDC SSO.
c. Under Select Provider, select Okta.
d. Under Add Client and Tenant, click the plus (+) icon.
In the Client ID field paste the Client ID you copied from Okta.
In the Tenant ID field enter the first part of your Okta instance's URL. It should look like this: https://yourinstancename.okta.com.
Click Done.

h. Under Email Domains, click the plus (+) icon.
Enter your domain name (e.g. @verkada.com).
Click Done.

Under Login Test click Run Login Test.
A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.
Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.
Once your domain is verified, you should see it successfully validated.
Okta SAML Integration
Before you begin
For a successful integration, choose the best path for your region:
For US orgs, you will use an existing Verkada application, following the steps directly below.
For EU and AUS orgs, follow the steps in the next section to configure a new app integration in Okta.
Create a Verkada Okta app (US regions)
Log in to Okta.
Go to the Applications page and click Browse App Catalog.

In the search bar, type Verkada.
Click Add Integration.

Click Done.

In Okta, select the Sign On tab for the Verkada app, and click Edit.

Scroll down to Advanced Sign-On Settings and enter the Client ID from your Command account.

Select Save.

Configure a new app integration from Okta (EU & AUS regions)
Go to Applications, and select Create App Integration.
Create a new app integration, select SAML 2.0, and click Next.

On the "Create a SAML integration" page, under General Settings, enter an application name, optionally add an application logo, and then click Next.
On the Configure SAML page, fill in the Single Sign-On URL and Audience URI (SP Entity ID) with these links:
For EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>
Check the Use this for Recipient URL and Destination URL box.
Replace <client-ID> in the links you enter in the Okta application with the Client ID from your Command configuration.

The application username is the Okta Username.
Click Next. On the feedback page, check the box labeled "This is an internal app that we have created". Click Finish.

In the attributes statements section, set up attributes mapping as follows:
email > user.email
firstName > user.firstName
lastName > user.lastName

Configuration
In Okta, select the Assignments tab for the app. Click Assign and select People or Groups to enable SSO for these users.
Select the Sign On tab for the app.
Scroll down to SAML Signing Certificates and click Generate new certificate if a new certificate does not exist.
To the right of the certificate, select the Actions dropdown and click View IdP metadata.

Right-click the metadata, select "Save As," and download as an XML file.
After downloading the XML file, upload it to Command.
In the Verify Metadata section, click Run Login Test.
Troubleshooting
Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.
If a new user cannot log in via SSO, it could be because the email domain has not been added to the SSO configuration in the Verkada backend. If the user's email is outside the email domains configured when SSO was set up, the user cannot use SSO. If this is the cause of the problem, you need to edit the SSO configuration and add this domain to remedy the issue.
If you experience any other problems with setting up SSO, contact Verkada Support.
Okta SCIM Integration
Before you begin
You need an API token to connect to the Verkada SCIM endpoint. This token is unique to each Verkada organization. Learn how to acquire a SCIM API token.
For a successful integration, choose the best path for your region:
For US orgs, follow the steps in Create a Verkada Okta app.
For EU and AUS orgs, follow the steps in Enable SCIM provisioning in Okta app.
To confirm which region you're located in, refer to where your organization was created for Verkada.
Create a Verkada Okta app
US region
Log in to Okta.
On the left navigation panel, click Applications.
At the top, click Browse App Catalog.

In the search bar, type Verkada, click the app, and then click Add Integration.

For Application label, type Verkada (or any unique name you prefer) and click Done.

EU & AUS region
Log in to Okta.
Go to the Applications page and click Create App Integration.
On Create a new app integration, select SAML 2.0 and click Next.
In the App name field, enter a name and click Next.
On Create SAML Integration:
For Single sign-on URL:
For EU orgs: https://saml.prod2.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.
For AUS orgs: https://saml.ap-syd.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.
For Audience URI (SP Entity ID):
For EU orgs: https://saml.prod2.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.
For AUS orgs: https://saml.ap-syd.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.
Scroll down and click Next.
Select the I’m an Okta customer adding an internal app radio button and click Finish (optionally, you can skip Okta’s additional questions).
On the left navigation, click Applications and click your newly created app (if you are not automatically redirected to your app).
At the top, select the General tab:
At the top right, click Edit for your app’s App Settings.
Check the Enable SCIM provisioning box.
Click Save.
On SCIM Connection:
At the top of your newly created app, select the Provisioning tab.
Click Edit for the SCIM Connection settings.
For SCIM connector base URL
For EU orgs, https://scim.prod2.verkada.com/scim
For AUS orgs, https://scim.ap-syd.verkada.com/scim
For Unique identifier field for users, enter userName.
Check the Push New Users, Push Profile Updates, and Push Groups boxes.
Click the Authentication Mode dropdown and select HTTP Header.
Copy and paste the SCIM token from Command in the Authorization field.
Click Save.
Configure the Verkada Okta app
US region
Log in to Okta.
On the left, click Applications and click the Verkada app.
On the left, select the Provisioning tab.
Under the Provisioning tab > Integration:
Click Configure API Integration.
Check the Enable API integration box.
In the API Token field, copy and paste your Command-generated API token.
Click Save.
Under the Provisioning tab > Settings:
Select To App and click Edit.
Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
Click Save.
Under the Provisioning tab > To App section > Verkada Attribute Mappings, click Go to Profile Editor.
Ensure that the attributes match, as shown in the example below. You can add more attributes than shown. See Add attributes to SCIM-managed users.
EU and AUS region
Log in to Okta.
On the left, click Applications and click the Verkada app.
Under the Provisioning tab > Settings:
Select To App and click Edit.
Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
Click Save. You can add more attributes than shown. See Add attributes to SCIM-managed users.
Add-on attributes to SCIM-managed users
Add attributes to SCIM-managed users (optional)
Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization.
You can also sync a unique identifier to Command by mapping it to the externalId field. This enables advanced use cases such as disambiguating users across systems or syncing access credentials to a unique user reference. This value is stored in the database and can be queried via API, but it does not appear in the Command UI.
To provision phone numbers outside the US in Command, include the country code in the user's phone number in the Okta profile.
For example:
US: 123-456-7890 → +1 123-456-7890
UK: 07123 456789 → +44 7123 456789
Using the international format ensures the number is correctly imported into Command.
Log in to Okta.
Create the Attribute in the SCIM App Profile.
In Okta, go to Directory > Profile Editor.
Select your Verkada SCIM-managed application User.
Click Add Attribute and add the attribute details as listed in the table below.
Click Save.

Map the Attribute
Still in Profile Editor, click Mappings.
Choose Okta User to [Your SCIM App].
Click the dropdown and find the source field you want to map (e.g., user.nickName, employeeNumber, or another custom field) and map it to the appuser attribute.
Click the arrow between fields and select Apply mapping on user create and update.
Click Save Mappings.

Confirm Attribute is Populated
Navigate to Directory > People.
Open a user profile and ensure the source field you're mapping from (e.g., Nickname) has a value.
From the SCIM App > Provisioning tab, use Force Sync to push updates if needed.

Refer to this list of credentials for the list of acceptable card formats.
Add access credentials to SCIM-managed users (optional)
Log in to Okta.
On the left navigation, select Directory > Profile Editor.
Select User (default) as the user type.
Click Add Attribute and add the custom attributes from the table below.
On the left navigation, select Applications and open your Verkada SCIM-managed application.
On the Provisioning tab, select To App > Go to Profile Editor.
Click Add Attribute to create the attributes listed above using the exact same Data Type, Display Name, Variable Name, Description, and ENUM values.
Set the External namespace value for all attributes to:
Set Attribute type to Personal.
Click Save to add the attribute.
Click Mappings to map the attributes from the Okta User application to your SCIM application.
Select Okta User to YourSCIMApp at the top and map the custom attributes created for the Okta Default User to the ones created on your SCIM application.
Click Save Mappings and Apply updates now to apply the changes.

The attributes should now be available to use on all your Okta application's users' profiles. Once synced, you can view the credentials on Command under Access > Access Users > User Profile > Credentials.

Attribute table
Refer to this list of credentials for the list of acceptable card formats. Data type for all attributes will be string.
| Display Name | Variable Name / External Name | External Namespace | Description | ENUM |
| --- | --- | --- | --- | --- |
| Card Format | cardFormat | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Card format for access credential | Leave unchecked |
| Card Number | cardNumber | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Card number for access credential | Leave unchecked |
| Card Number Hex | cardNumberHex | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Hexadecimal representation of the card number | Leave unchecked |
| Credential Status | credentialStatus | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Status of the card credential | Checkbox: active → active, deactivated → deactivated, deleted → deleted |
| Facility Code | facilityCode | urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User | Facility code associated with the card | Leave unchecked |
| External ID | externalId | urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User | Customer-defined unique ID, not exposed in UI | Leave unchecked |
| Department ID | costCenter | urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User | Identifier used to map user's department in Command | Leave unchecked |
| Title | title | urn:ietf:params:scim:schemas:core:2.0:User | User's title or role | Leave unchecked |
| Employee Number | employeeNumber | urn:ietf:params:scim:schemas:core:2.0:User | Employee ID | Leave unchecked |
| Phone Number | phoneNumber (Variable Name); phoneNumbers[type==work].value (External Name) | urn:ietf:params:scim:schemas:core:2.0:User | Work phone number | Leave unchecked |
| Department | department | urn:ietf:params:scim:schemas:core:2.0:User | User's department | Leave unchecked |
| Organization | organization | urn:ietf:params:scim:schemas:core:2.0:User | Company or organization | Leave unchecked |
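A pre-flight check for the attribute table above, added here as an example (it is not Verkada's or Okta's code): it confirms that each attribute is in the table, is a string, uses an allowed credentialStatus value and carries a country code in the phone number, then groups the attributes by external namespace. The function names, the sample profiles and the phone pattern are assumptions.

```python
import re

# Namespaces copied from the attribute table above.
ACCESS_NS = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"
VERKADA_CORE_NS = "urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User"
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"

NAMESPACE_OF = {
    "cardFormat": ACCESS_NS, "cardNumber": ACCESS_NS, "cardNumberHex": ACCESS_NS,
    "credentialStatus": ACCESS_NS, "facilityCode": ACCESS_NS,
    "externalId": VERKADA_CORE_NS, "costCenter": VERKADA_CORE_NS,
    "title": CORE_NS, "employeeNumber": CORE_NS, "phoneNumber": CORE_NS,
    "department": CORE_NS, "organization": CORE_NS,
}
CREDENTIAL_STATUS = {"active", "deactivated", "deleted"}  # ENUM values from the table
# Assumed pattern for "international format": '+', country code, then digits/spaces/dashes.
INTL_PHONE = re.compile(r"^\+[1-9][\d\s-]{6,}$")


def check_profile(profile):
    """Return the problems found in one profile (dict: variable name -> value)."""
    problems = []
    for name, value in profile.items():
        if name not in NAMESPACE_OF:
            problems.append(f"{name}: not in the attribute table")
        elif not isinstance(value, str):
            problems.append(f"{name}: data type must be string")
    status = profile.get("credentialStatus")
    if status is not None and status not in CREDENTIAL_STATUS:
        problems.append(f"credentialStatus: {status!r} is not an allowed ENUM value")
    phone = profile.get("phoneNumber")
    if isinstance(phone, str) and not INTL_PHONE.match(phone):
        problems.append("phoneNumber: no country code, use the international format")
    return problems


def group_by_namespace(profile):
    """Group table attributes under the external namespace the table assigns them."""
    grouped = {}
    for name, value in profile.items():
        if name in NAMESPACE_OF:
            external = "phoneNumbers[type==work].value" if name == "phoneNumber" else name
            grouped.setdefault(NAMESPACE_OF[name], {})[external] = value
    return grouped


# Constructed sample profiles (not real users; the card format value is a placeholder).
GOOD = {"cardFormat": "CARD_FORMAT_PLACEHOLDER", "cardNumber": "12345", "facilityCode": "12",
        "credentialStatus": "active", "externalId": "emp-0001", "phoneNumber": "+44 7123 456789"}
BAD = {"cardNumber": 12345, "credentialStatus": "suspended",
       "phoneNumber": "07123 456789", "badgeColor": "blue"}

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_profile(sample) or "ok")
    print(group_by_namespace(GOOD))
```

Running the same check over an export of your Okta profiles before assigning users surfaces mapping mistakes before they reach Command.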
Provision users and groups
Users added to the app push automatically; groups need to be pushed manually.
Users within Okta
Log in to Okta.
On the left, click Applications and click the Verkada app.
Click the Assignments tab.
Click the Assign dropdown and select Assign to People.
Click Assign for the people you want to provision to the app.
You'll see the information for that user. At the bottom, click Save and Go Back.
When you are redirected to the Assign page, click Done.
Groups within Okta
Log in to Okta.
On the left, click Applications and click the Verkada app.
Click the Assign dropdown and select Assign to Groups.
Click Assign for the groups you want to provision to the app.
You'll see the information for that group. At the bottom, click Save and Go Back.
When you are redirected to the Assign page, click Done.
At the top, select the Push Groups tab.
Click the Push Groups dropdown to find groups (by name or by rule).

Find the group you want to push and click Save. If successful, the Push Status shows Active.
Command then tags users and groups as SCIM Managed, if they are imported via SCIM.

Delete SCIM-managed users from Command
When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:
Delete the user – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
Permanently remove the user – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
Known issues
Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.
If a new user cannot log in via SSO, it could be because the email domain has not been added to the SSO configuration in the Verkada backend. If the user's email is outside of the email domains provided when SSO was set up, the user cannot use SSO. If this is the cause of the problem, you need to edit the SSO configuration and add this domain to remedy the issue.
If you run into this error while provisioning users, "Error while trying to push profile update for user: Bad Request. Errors reported by remote server: Invalid request", see this Okta article for troubleshooting steps.
If you experience any other problems with setting up SSO, contact Verkada Support.
Prefer to see it in action? Check out the video tutorial.

