Okta SCIM Integration

Learn how to set up SCIM with Okta


Verkada Command can integrate with Okta (among other Identity Providers [IdPs]) in 2 capacities, depending on the use case:

  • Security Assertion Markup Language (SAML)

  • System for Cross-Domain Identity Management (SCIM)

SAML handles the authentication process, allowing Okta to manage access to Command in the same way as any other Software as a Service (SaaS) application already integrated into your Okta tenant. This means Command can be incorporated into your existing identity framework and access-controlled by the policies you already have in place.

SCIM synchronizes the users and groups already present in Okta with Command. This lets you keep Okta as your central identity provider and use those existing users and groups in Command to control access to the platform.

You can use SCIM with Verkada Command to create and modify users and groups. This requires that you have Okta Lifecycle Management.

The SCIM integration allows for user and group creation, management, and deletion from Command.

Note: SCIM users no longer have the option to edit their phone number in Command. It can only be provisioned via SCIM.

Before you begin

  1. You need an API token to connect to the Verkada SCIM endpoint. This token is unique to each Verkada organization. Learn how to acquire a SCIM API token.

  2. For a successful integration, choose the best path for your region:

Create a Verkada Okta app

  1. Log in to Okta.

  2. Go to the Applications page and click Browse App Catalog.

  3. In the search bar, type Verkada and click Add.

  4. Click Done.

Enable SCIM provisioning in Okta app

  1. Log in to Okta.

  2. Go to the App Settings and check Enable SCIM provisioning.

  3. Set up SCIM in Command. The page should show the Tenant URL and a SCIM token.

  4. Set up SCIM in Okta:

    1. Insert the SCIM connector base URL:

    2. Insert the unique identifier field for users as userName.

    3. Set Authentication Mode as HTTP Header.

    4. Set Authorization to the SCIM token copied from Command.

    5. Test the connector configuration. It should pass.

  5. Enable functionality in SCIM:

    1. Enable Create Users.

    2. Enable Update User Attributes.

    3. Enable Deactivate Users.

  6. In Okta, push the group. If successful, the group is created and users are synced. You can check this in Command > Users and Groups panels.

How the integration works

To enable provisioning to automate Verkada user account creation, deactivation, and updates:

  1. In Okta > Verkada app (US) or custom app previously created (EU), select the Provisioning tab and click Configure API Integration.

  2. Check the Enable API Integration box and type the Command-generated API Token.

  3. Click Test API Credentials.
    You should see a "Verkada was verified successfully!" response.

  4. If successful, click Save.

  5. Under Provisioning > Settings, select To App, and then click Edit.

  6. Check Enable for Create Users, Update User Attributes, Deactivate Users, and then click Save.

Assign users and groups to the SCIM app

You can now assign Okta users and groups to the SCIM app.

Note: Users added to the app push automatically, while groups need to be pushed manually.

  1. In Okta > Verkada app, select the Push Groups tab > Push Groups dropdown to find groups (by name or by rule).

  2. Find the group you want to push and click Save. If successful, the Push Status shows Active.

  3. Command then tags users and groups as Externally Managed, if they are imported via SCIM.

Provision Users—Attribute Mapping

  1. Configure your mapping (as shown), select the Read-Write option, and click Save. This example configures the "title" mapping.

  2. Under Mappings, ensure that your custom user profile mappings appear.

  3. Once you verify the mappings, click Save Mappings.

Verkada-supported customer attributes

| Okta Attribute | Verkada Attribute |
|----------------|-------------------|
| title          | title             |
| employeeNumber | employeeNumber    |
| primaryPhone   | primaryPhone      |
| department     | department        |
| organization   | organization      |

Example: Phone Number Mapping

  • Display name: primaryPhone (this can be anything)

  • Variable name: primaryPhone

  • External name: phoneNumbers.^[type==work].value

  • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
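
To see which value the external name above picks from a user record, the following added example (not Verkada's or Okta's code) resolves it against a SCIM core User resource. The function name resolve_external_name and the sample user are constructed for illustration, and ^[type==work] is read as "first list entry whose type is work".

```python
import re

# Constructed SCIM 2.0 core User resource (sample values, not from the page).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alex@example.com",
    "phoneNumbers": [
        {"type": "mobile", "value": "+1-555-0100"},
        {"type": "work", "value": "+1-555-0199"},
    ],
}

# One path segment: an attribute name, optionally followed by .^[key==value]
_SEGMENT = re.compile(r"(\w+)(?:\.\^\[(\w+)==(\w+)\])?")


def resolve_external_name(resource, expr):
    """Return the value selected by an external name such as
    'phoneNumbers.^[type==work].value', or None if nothing matches."""
    pos, node = 0, resource
    while pos < len(expr):
        m = _SEGMENT.match(expr, pos)
        if not m or not isinstance(node, dict):
            return None
        name, key, want = m.groups()
        node = node.get(name)
        if key is not None:
            # ^[...] keeps the first list element whose key equals the value
            if not isinstance(node, list):
                return None
            matches = [e for e in node
                       if isinstance(e, dict) and str(e.get(key)) == want]
            node = matches[0] if matches else None
        if node is None:
            return None
        pos = m.end()
        if pos < len(expr):
            # segments must be separated by a single dot, with no trailing dot
            if expr[pos] != "." or pos + 1 == len(expr):
                return None
            pos += 1
    return node


if __name__ == "__main__":
    print(resolve_external_name(SAMPLE_USER, "phoneNumbers.^[type==work].value"))
```

A user whose only phone entry has a type other than work resolves to None, so this mapping has no value to send for primaryPhone for that user.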

Troubleshooting/Known Issues

  • Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.

  • If a new user cannot log in via SSO, it could be because the user's email domain has not been added to the SSO configuration in the Verkada backend. A user whose email is outside the email domains provided when SSO was set up cannot use SSO. If this is the cause of the problem, edit the SSO configuration and add the domain to remedy the issue.

  • If you experience any other problems with setting up SSO, contact Verkada Support.


Need more help? Contact Verkada Support
