Okta SCIM Integration

Learn how to set up SCIM with Okta

Updated over 3 weeks ago

Verkada Command can integrate with Okta (among other identity providers [IdPs]) in two capacities, depending on the use case:

  • System for Cross-Domain Identity Management (SCIM)

  • Security Assertion Markup Language (SAML)

SCIM synchronizes the users and groups that already exist in Okta with Command. You keep Okta as your central identity provider and use those existing users and groups in Command to control access to the platform.

You can use SCIM with Verkada Command to create and modify users and groups. This requires that you have Okta Lifecycle Management.

The SCIM integration allows for user and group creation, management, and deletion from Command.

If you're a SCIM user, you no longer have the option to edit your phone number in Command. You can only provision it via SCIM.

SAML handles the authentication process, so Okta manages access to Command the same way it does for any other Software as a Service (SaaS) application already integrated into your Okta tenant. Command can therefore be incorporated into your existing identity framework and access-controlled by the policies you already have in place.


Before you begin

  1. You need an API token to connect to the Verkada SCIM endpoint. This token is unique per Verkada organization. Learn how to acquire a SCIM API token.

  2. For a successful integration, choose the best path for your region:

To confirm which region you're located in, refer to where your organization was created for Verkada.


Create a Verkada Okta app

US region

  1. Log in to Okta.

  2. On the left navigation panel, click Applications.

  3. At the top, click Browse App Catalog.

  4. In the search bar, type Verkada, click the app, and then click Add Integration.

  5. For Application label, type Verkada (or any unique name you prefer) and click Done.

EU and AUS region

  1. Log in to Okta.

  2. Go to the Applications page and click Create App Integration.

  3. On Create a new app integration, select SAML 2.0 and click Next.

  4. In the App name field, enter a name and click Next.

  5. On Create SAML Integration:

    1. For Single sign-on URL:

      For EU orgs: https://saml.prod2.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.

      For AUS orgs: https://saml.prod3.verkada.com/saml/login/<org short name> where <org short name> is your organization’s short name.

    2. For Audience URI (SP Entity ID):

      For EU orgs: https://saml.prod2.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.

      For AUS orgs: https://saml.prod3.verkada.com/saml/sso/<org short name> where <org short name> is your organization’s short name.

    3. Scroll down and click Next.

  6. Select the I’m an Okta customer adding an internal app radio button and click Finish (optionally, you can skip Okta’s additional questions).

  7. On the left navigation, click Applications and click your newly created app (if you are not automatically redirected to your app).

  8. At the top, select the General tab:

    1. At the top right, click Edit for your app’s App Settings.

    2. Check the Enable SCIM provisioning box.

    3. Click Save.

  9. On SCIM Connection:

    1. At the top of your newly created app, select the Provisioning tab.

    2. Click Edit for the SCIM Connection settings.

    3. For SCIM connector base URL

    4. For Unique identifier field for users, enter userName.

    5. Check the Push New Users, Push Profile Updates, and Push Groups boxes.

    6. Click the Authentication Mode dropdown and select HTTP Header.

  10. Copy and paste the SCIM token from Command in the Authorization field.

  11. Click Save.


Configure the Verkada app in Okta

US region

  1. Log in to Okta.

  2. On the left, click Applications and click the Verkada app.

  3. On the left, select the Provisioning tab.

  4. Under the Provisioning tab > Integration:

    1. Click Configure API Integration.

    2. Check the Enable API integration box.

    3. In the API Token field, copy and paste your Command-generated API token.

    4. Click Save.

  5. Under the Provisioning tab > Settings:

    1. Select To App and click Edit.

    2. Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.

    3. Click Save.

  6. Under the Provisioning tab > To App section > Verkada Attribute Mappings, click Go to Profile Editor.

  7. Ensure that the attributes match, as shown in the example below. You can add more attributes than shown. See Add attributes to SCIM-managed users.

EU and AUS region

  1. Log in to Okta.

  2. On the left, click Applications and click the Verkada app.

  3. Under the Provisioning tab > Settings:

    1. Select To App and click Edit.

    2. Check the Enable box for Create Users, Update User Attributes, and Deactivate Users.

    3. Click Save. You can add more attributes than shown. See Add attributes to SCIM-managed users.


Provision users and groups

You can now assign Okta users and groups to the SCIM app.

Users added to the app push automatically; groups need to be pushed manually.

Users within Okta

  1. Log in to Okta.

  2. On the left, click Applications and click the Verkada app.

  3. Click the Assignments tab.

  4. Click the Assign dropdown and select Assign to People.

  5. Click Assign for the people you want to provision to the app.

  6. You'll see the information for that user. At the bottom, click Save and Go Back.

  7. When you are redirected to the Assign page, click Done.

Groups within Okta

  1. Log in to Okta.

  2. On the left, click Applications and click the Verkada app.

  3. At the top, select the Push Groups tab.

  4. Click the Push Groups dropdown to find groups (by name or by rule).

  5. Find the group you want to push and click Save. If successful, the Push Status shows Active.

  6. Command then tags users and groups as SCIM Managed, if they are imported via SCIM.

Alternatively, you can use the Assign to Groups option.

  1. Log in to Okta.

  2. On the left, click Applications and click the Verkada app.

  3. Click the Assignments tab.

  4. Click the Assign dropdown and select Assign to Groups.

  5. Click Assign for the groups you want to provision to the app.

  6. You'll see the information for that group. At the bottom, click Save and Go Back.

  7. When you are redirected to the Assign page, click Done.


Add attributes to SCIM-managed users (optional)

US region

Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization

How it works

  1. Log in to Okta.

  2. Go to the Applications page and click the Verkada app.

  3. Select the Provisioning tab.

  4. Under Verkada Attribute Mappings, click Go to Profile Editor.

  5. On Attributes, click Add Attribute.

  6. In the Display name, Variable name, and External name fields, type the attribute name. A primary phone number's external name should be typed as phoneNumbers.^[type==work].value

  7. In the external namespace field, type urn:ietf:params:scim:schemas:core:2.0:User

  8. Under User Permission, select the Read-Write radio button, and click Save.

EU and AUS region

Verkada and Okta support these attributes: userName (default), givenName (default), familyName (default), title, employeeNumber, primaryPhone, department, organization

To provision phone numbers outside the US in Command, the user phone number in the profile in Okta requires the country code. For example, 0123 456 789 needs to be entered in Okta as +61 123 456 789 to properly be pulled into Command.

How it works

  1. Log in to Okta.

  2. Go to the Applications page and click the Verkada app.

  3. Go to Provisioning tab > Go to Profile Editor.

  4. Click Add Attribute.

  5. In the pop-up window:

    1. Enter a unique display name.

    2. Enter a variable name. You will need to remember this for future use.

    3. Enter an external name. It must be one of the supported attributes.

    4. For external namespace, enter urn:ietf:params:scim:schemas:core:2.0:User

    5. Select the Read-Write radio button.

    6. Click Save.

  6. On Profile Editor, click Mappings.

  7. Click Okta User to [name of your Verkada app].

  8. Find your unmapped, newly created attribute.

  9. Enter the proper user attribute for the Okta user to map the newly created attribute.

  10. Click Save Mappings.
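
A check of attribute definitions against the rules above, added here as an example (it is not Verkada or Okta code). The record layout, function names and the E.164-style phone test are assumptions; the attribute names, external name and namespace come from the article, and the lint follows the US-region rule that variable name and external name equal the attribute name.

```python
import re

# Attribute names, external name and namespace are taken from the article.
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"
SUPPORTED = {"userName", "givenName", "familyName", "title",
             "employeeNumber", "primaryPhone", "department", "organization"}
PHONE_EXTERNAL = "phoneNumbers.^[type==work].value"
# Assumption: "includes the country code" is checked as E.164,
# i.e. '+' followed by 7 to 15 digits once separators are removed.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def lint_attribute(attr):
    """Return findings for one Profile Editor attribute definition."""
    name = attr["variable_name"]
    if name not in SUPPORTED:
        return [f"{name}: not a supported attribute"]
    findings = []
    expected = PHONE_EXTERNAL if name == "primaryPhone" else name
    if attr["external_name"] != expected:
        findings.append(f"{name}: external name should be {expected}")
    if attr["external_namespace"] != CORE_NS:
        findings.append(f"{name}: external namespace should be {CORE_NS}")
    if attr["permission"] != "Read-Write":
        findings.append(f"{name}: user permission should be Read-Write")
    return findings


def phone_has_country_code(number):
    """True when the number carries a leading '+' and country code."""
    return bool(E164.match(re.sub(r"[\s().-]", "", number)))


# Constructed sample definitions (hypothetical record layout).
SAMPLE_ATTRS = [
    {"variable_name": "title", "external_name": "title",
     "external_namespace": CORE_NS, "permission": "Read-Write"},
    {"variable_name": "primaryPhone", "external_name": "primaryPhone",
     "external_namespace": CORE_NS, "permission": "Read-Only"},
]

if __name__ == "__main__":
    for attr in SAMPLE_ATTRS:
        print(attr["variable_name"], lint_attribute(attr) or "ok")
    for number in ("0123 456 789", "+61 123 456 789"):  # from the article
        print(number, phone_has_country_code(number))
```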

Add access credentials to SCIM-managed users (optional)

  1. Log in to Okta.

  2. On the left navigation, select Directory > Profile Editor.

    1. Select User (default) as the user type.

    2. Click Add Attribute and add the custom attributes from the table below.

  3. On the left navigation, select Applications and open your Verkada SCIM-managed application.

  4. On the Provisioning tab, select To App > Go to Profile Editor.

  5. Click Add Attribute to create the attributes listed above using the exact same Data Type, Display Name, Variable Name, Description, and ENUM values.

    1. Set the External namespace value for all attributes to:

      urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User

    2. Set Attribute type to Personal.

    3. Click Save to add the attribute.

  6. Click Mappings to map the attributes from the Okta User application to your SCIM application.

    1. Select Okta User to YourSCIMApp at the top and map the custom attributes created for the Okta Default User to the ones created on your SCIM application.

    2. Click Save Mappings and Apply updates now to apply the changes.

  7. The attributes should now be available on the profiles of all users of your Okta application. Once synced, you can view the credentials in Command under Access > Access Users > User Profile > Credentials.

Attribute table

| Data Type | Display Name | Variable Name | Description | ENUM | User Permissions |
|---|---|---|---|---|---|
| string | cardFormat | cardFormat | Card Format for credential | Leave unchecked | Read-Write |
| string | cardNumber | cardNumber | Card Number of credential | Leave unchecked | Read-Write |
| string | cardNumberHex | cardNumberHex | HEX value of credential | Leave unchecked | Read-Write |
| string | credentialStatus | credentialStatus | Status of your credential | Check box, add display name ‘active’ and set its Value to ‘active’, add Display name ‘deactivated’ and set its Value to ‘deactivated’ | Read-Write |
| string | facilityCode | facilityCode | Facility Code of the site this card will grant access to | Leave unchecked | Read-Write |

Refer to this list of credentials for the list of acceptable card formats.
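
A pre-sync check of one user's access attributes against the table above, added here as an example (it is not Verkada or Okta code). Function names and sample values are constructed; the payload layout, with the extension nested under its namespace URN, follows the SCIM 2.0 convention in RFC 7643 and is not captured from Okta or Command.

```python
import json
import re

# Namespaces, attribute names and ENUM values are from the article.
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"
ACCESS_NS = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"
ACCESS_ATTRS = ("cardFormat", "cardNumber", "cardNumberHex",
                "credentialStatus", "facilityCode")
STATUS_ENUM = ("active", "deactivated")


def validate_credential(cred):
    """Return a list of problems with one user's access attributes."""
    problems = [f"unknown attribute {k}" for k in cred if k not in ACCESS_ATTRS]
    for key in ACCESS_ATTRS:
        # The table types every attribute as string; a numeric value
        # would also drop leading zeros from a card number.
        if key in cred and not isinstance(cred[key], str):
            problems.append(f"{key} must be a string")
    status = cred.get("credentialStatus")
    if isinstance(status, str) and status not in STATUS_ENUM:
        problems.append(f"credentialStatus {status!r} is not an ENUM value")
    card_hex = cred.get("cardNumberHex")
    if isinstance(card_hex, str) and not re.fullmatch(r"[0-9A-Fa-f]+", card_hex):
        problems.append("cardNumberHex is not hexadecimal")
    return problems


def build_scim_user(user_name, cred):
    """Build a SCIM User with the extension nested under its URN (RFC 7643)."""
    problems = validate_credential(cred)
    if problems:
        raise ValueError("; ".join(problems))
    return {"schemas": [CORE_NS, ACCESS_NS],
            "userName": user_name,
            ACCESS_NS: dict(cred)}


# Constructed sample values; "EXAMPLE_FORMAT" is a placeholder, not a real format.
SAMPLE = {"cardFormat": "EXAMPLE_FORMAT", "cardNumber": "00123",
          "cardNumberHex": "7B", "credentialStatus": "active",
          "facilityCode": "100"}

if __name__ == "__main__":
    print(json.dumps(build_scim_user("user@example.com", SAMPLE), indent=2))
    print(validate_credential({"credentialStatus": "Active", "cardNumber": 123}))
```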


Known issues

  • Updating usernames (emails) does not automatically take effect in Command. If you need to change a username, unassign the user from the SAML app, then re-add the user to the app for the change to take effect.

  • If a new user cannot log in via SSO, it could be because the user's email domain has not been added to the SSO configuration in the Verkada backend. A user whose email is outside the email domains provided when SSO was set up cannot use SSO. If this is the cause of the problem, edit the SSO configuration and add the domain to remedy the issue.

  • If you run into this error while provisioning users: "Error while trying to push profile update for user: Bad Request. Errors reported by remote server: Invalid request", see this Okta article for troubleshooting steps.

  • If you experience any other problems with setting up SSO, contact Verkada Support.

