| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization. |
Contents
| Anchor | ||||
|---|---|---|---|---|
|
The Okta/Avigilon Alta Security SAML integration currently supports the following features:
SP-initiated SSO
IdP-initiated SSO
For more information on the listed features, visit the Okta Glossary.
| Anchor | ||||
|---|---|---|---|---|
|
1. Create an API token in Okta:
In Okta, navigate to Security > API.
Click Create Token, name the token Openpath Security, then click Create Token.
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Save the token value for later.
Important: This is the only time that you will able to view it.
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
2. Log in to the Avigilon Alta Control Center.
3. Navigate to App Marketplace> Get apps, click on Okta:
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
4. Navigate to App Marketplace > My apps, click on Okta:
5. Enter the following:
API URL: Copy and paste the following:
Sign in to the Okta Admin app to have this variable generated for you
API Key: Enter the API Token you made a copy of in step 1.
Check Enable Single Sign-On (SSO) for users with portal access.
Namespace: Make a copy of this value.
Turn on Allow IDP-Initiated SSO.
SAML SSO URL: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
SAML Issuer: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
SAML Certificate: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
Click Save:
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
6. Go back to the Okta integration.
Auto-remove users from groups: This will remove users from Openpath groups if they no longer exist in Okta groups.
Only import users from groups with an Openpath group mapping: When enabled, this feature prevents users from being imported from the identity provider if they do not belong to at least one identity provider group mapped to an Openpath group. This is typically the desired behavior when the identity provider contains large numbers of users (or non-person system accounts) that will never need access to Openpath-managed resources.
Map Okta groups to Openpath groups.
Click Save:
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
7. Click Sync:
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
8. Navigate to Users > Users and check that the users were imported from Okta into Openpath.
9. Done!
| Anchor | ||||
|---|---|---|---|---|
|
The following SAML attributes are supported:
Name | Value |
|---|---|
firstName | user.firstName |
lastName | user.lastName |
user.email | |
login | user.login |
id | user.id |
SP-initiated SSO
1. Go to: https://control.openpath.com/login/sso
2. Enter your email then click Sign In:
| Iframe | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| Info |
|---|
Note: Avigilon Alta only prompts for a Namespace (you made a copy of in step 4 above) if the namespace is required to disambiguate between multiple IDP-synced records on the Avigilon Alta side that have the identical email address. |