Verkada Command has the ability to integrate with Okta (amongst other Identity Providers [IdPs]) in 2 capacities, depending on the use case:
System for Cross-Domain Identity Management (SCIM)
Security Assertion Markup Language (SAML)
SCIM allows you to leverage your existing users and groups already present in Okta and synchronize these with Command. This allows you to retain the current central identity provider, and configure access using your existing users and groups through Command to control access to the platform.
You can use SCIM with Verkada Command to create and modify users and groups. This requires that you have Okta Lifecycle Management.
The SCIM integration allows for user and group creation, management, and deletion from Command.
If you're a SCIM user, you no longer have the option to edit your phone number in Command. You can only provision it via SCIM.
SAML handles the authentication process, allowing Okta to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrated into your Okta tenant. This means Command can be incorporated into your existing identity framework and be access-controlled based on your current policies in place.
Before you begin
You need an API token to connect to the Verkada SCIM endpoint. This token is unique per the Verkada organization. Learn how to acquire a SCIM API token.
For a successful integration, choose the best path for your region:
For US orgs, follow the steps in Create a Verkada Okta app.
For EU and AUS orgs, follow the steps in Enable SCIM provisioning in Okta app.
To confirm which region you're located, refer to where your organization was created for Verkada.
Create a Verkada Okta app
EU and AUS region
EU and AUS region
Log in to Okta.
Go to the Applications page and click Create App Integration.
On Create a new app integration, select SAML 2.0 and click Next.
In the App name field, enter a name and click Next.
On Create SAML Integration:
For Single sign-on URL:
For EU orgs: https://saml.prod2.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.
For AUS orgs: https://saml.prod3.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.
For Audience URI (SP Entity ID):
For EU orgs: https://saml.prod2.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.
For AUS orgs: https://saml.prod3.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.
Scroll down and click Next.
Select the I’m an Okta customer adding an internal app radio button and click Finish (optionally, you can skip Okta’s additional questions).
On the left navigation, click Applications and click your newly created app (if you are not automatically redirected to your app).
At the top, select the General tab:
At the top right, click Edit for your app’s App Settings.
Check the Enable SCIM provisioning box.
Click Save.
On SCIM Connection:
At the top of your newly created app, select the Provisioning tab.
Click Edit for the SCIM Connection settings.
For SCIM connector base URL
For EU orgs, https://scim.prod2.verkada.com/scim
For AUS orgs, https://scim.prod3.verkada.com/scim
For Unique identifier field for users, enter userName.
Check the Push New Users, Push Profile Updates, and Push Groups boxes.
Click the Authentication Mode dropdown and select HTTP Header.
Copy and paste the SCIM token from Command in the Authorization field.
Click Save.
Configure the Verkada app in Okta
US region
US region
Log in to Okta.
On the left, click Applications and click the Verkada app.
On the left, select the Provisioning tab.
Under the Provisioning tab > Integration:
Click Configure API Integration.
Check the Enable API integration box.
In the API Token field, copy and paste your Command-generated API token.
Click Save.
Under the Provisioning tab > Settings:
Select To App and click Edit.
Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
Click Save.
Under the Provisioning tab > To App section > Verkada Attribute Mappings, click Go to Profile Editor.
Ensure that the attributes match, as shown in example below. You can add more attributes than shown. See Add attributes to SCIM-managed users.
EU and AUS region
EU and AUS region
Log in to Okta.
On the left, click Applications and click the Verkada app.
Under the Provisioning tab > Settings:
Select To App and click Edit.
Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.
Click Save. You can add more attributes than shown. See Add attributes to SCIM-managed users.
Provision users and groups
Users added to the app push automatically; groups need to be pushed manually.
Users within Okta
Users within Okta
Log in to Okta.
On the left, click Applications and click the Verkada app.
Click the Assignments tab.
Click the Assign dropdown and select Assign to People.
Click Assign for the people you want to provision to the app.
You'll see the information for that user. At the bottom, click Save and Go Back.
When you are redirected to the Assign page, click Done.
Groups within Okta
Groups within Okta
Log in to Okta.
On the left, click Applications and click the Verkada app.
At the top, select the Push Groups tab.
Click the Push Groups dropdown to find groups (by name or by rule).
Find the group you want to push and click Save. If successful, the Push Status shows Active.
Command then tags users and groups as SCIM Managed, if they are imported via SCIM.
Alternatively, you can use the Assign to Groups option.
Log in to Okta.
On the left, click Applications and click the Verkada app.
Click the Assignments tab.
Click the Assign dropdown and select Assign to Groups.
Click Assign for the groups you want to provision to the app.
You'll see the information for that group. At the bottom, click Save and Go Back.
When you are redirected to the Assign page, click Done.
Add attributes to SCIM-managed users (optional)
US region
US region
Verkada and Okta support these attributes: userName
(default), givenName
(default), familyName
(default), title
, employeeNumber
, primaryPhone
, department
, organization
How it works
Log in to Okta.
Go to the Applications page and click the Verkada app.
Select the Provisioning tab.
Under Verkada Attribute Mappings, click Go to Profile Editor.
On Attributes, click Add Attribute.
In the Display name, Variable name, and External name fields, type the attribute name. A primary phone number's external name should be typed as phoneNumbers.^[type==work].value
In the external namespace field, type urn:ietf:params:scim:schemas:core:2.0:User
Under User Permission, select the Read-Write radio button, and click Save.
EU and AUS region
EU and AUS region
Verkada and Okta support these attributes: userName
(default), givenName
(default), familyName
(default), title
, employeeNumber
, primaryPhone
, department
, organization
To provision phone numbers outside the US in Command, the user phone number in the profile in Okta requires the country code. For example, 0123 456 789 needs to be entered in Okta as +61 123 456 789 to properly be pulled into Command.
How it works
Log in to the Verkada app.
Go to Provisioning tab > Go to Profile Editor.
Click Add Attribute.
In the pop-up window:
Enter a unique display name.
On Profile Editor, click Mappings.
Click Okta User to [name of your verkada app].
Find your unmapped, newly created attribute.
Enter the proper user attribute for the Okta user to map the newly created attribute.
Click Save Mappings.
Known issues
Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.
If a new user cannot log in via SSO, it could be because the email domain is not being added to the SSO configuration in the Verkada backend. If the user's email is outside of the email domains provided when SSO was set up, this causes the user to be unable to use SSO. If this is the cause of the problem, you need to edit the SSO configuration and add this domain to remedy the issue.
If you run into this error while provisioning users "Error while trying to push profile update for user: Bad Request. Errors reported by remote server: Invalid request", see this Okta article for troubleshooting steps.
If you experience any other problems with setting up SSO, contact Verkada Support.
Need more help? Contact Verkada Support.