
This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.

When an Identity Provider (IDP) creates unique IDs for users, deleting and recreating a user in the IDP results in a new unique ID for that user. If you add the recreated user back into Avigilon Alta, the system will recognize them as a new user due to the new ID, even though the email address is the same. This can cause confusion, as it becomes unclear which version of the user is correct.



Supported Features

The Okta/Avigilon Alta Security SAML integration currently supports the following features:

  • SP-initiated SSO

  • IdP-initiated SSO

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

On Okta:

1. Go to your Okta instance and install the Avigilon Alta app.

  • Search for the Avigilon Alta app here:

2. Set up your Region Base URL:

  • The US region is https://api.openpath.com

  • The EU region is https://api.eu.openpath.com

3. Create an API token in Okta:

  • In Okta, navigate to Security > API.

  • Click Create Token, name the token Openpath Security, then click Create Token.

  • Save the token value for later.

Important: This is the only time that you will be able to view it.

4. Log in to the Avigilon Alta Access system.

5. Navigate to App Marketplace, click ‘Get apps’, and select Okta.

6. Now, from App Marketplace, click ‘My apps’, and select Okta.

7. Enter the following:

  • API URL:

    • Sign in to the Okta Admin Dashboard to generate this variable.

    • Copy and paste the API URL provided.

  • API Key:

    • Enter the API Token you saved in step 3.

  • Enable Single Sign-On (SSO):

    • Check the option to enable SSO for users with portal access.

  • Namespace:

    • Make a copy of the Namespace value provided.

  • Allow IDP-Initiated SSO:

    • Turn on the option to allow IDP-Initiated SSO.

  • SAML SSO URL:

    • Sign in to the Okta Admin Dashboard to generate this variable.

    • Copy and paste the SAML SSO URL provided.

  • SAML Issuer:

    • Sign in to the Okta Admin Dashboard to generate this variable.

    • Copy and paste the SAML Issuer provided.

  • SAML Certificate:

    • Sign in to the Okta Admin Dashboard to generate this variable.

    • Copy and paste the SAML Certificate provided.

  • Click Save.

8. Go back to the Okta integration.

  • Auto-remove Users from Groups:

    • Enabling this feature will automatically remove users from Avigilon Alta groups if they no longer exist in the corresponding Okta groups.

  • Import Users Only from Mapped Groups:

    • When enabled, this feature ensures that only users who belong to at least one identity provider group mapped to an Avigilon Alta group will be imported. This is useful when the identity provider contains many users or non-person system accounts that do not require access to Avigilon Alta-managed resources.

  • Map Okta groups to Avigilon Alta groups.

  • Click Save.

9. Click Sync.

10. Navigate to Users > Users and check that the users were imported from Okta into Avigilon Alta.

11. Done!


Notes

The following SAML attributes are supported:

Name        Value
firstName   user.firstName
lastName    user.lastName
email       user.email
login       user.login
id          user.id
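An added example (not Avigilon's or Okta's code) that checks a decoded SAML assertion for the five attributes listed above and flags the recreated-user case described at the top of this page, where the same email arrives with a different id. The sample assertion, the KNOWN_USERS mapping and both function names are constructed for illustration; the assertion's signature is not verified here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the table on this page.
EXPECTED = ("firstName", "lastName", "email", "login", "id")

# Constructed sample: an unsigned AttributeStatement with made-up values.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="login"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>00uNEWexample0002</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: records already synced, keyed by email -> IdP user id.
KNOWN_USERS = {"ada@example.com": "00uOLDexample0001"}


def read_attributes(assertion_xml):
    """Return {name: first value} for every Attribute in the assertion.
    Inspection only: no signature or condition checks are done here."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_assertion(assertion_xml, known_users):
    """List problems: missing/empty attributes and email/id mismatches."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing or empty attribute: {n}" for n in EXPECTED if not attrs.get(n)]
    email, idp_id = attrs.get("email", "").lower(), attrs.get("id", "")
    stored = known_users.get(email)
    if email and idp_id and stored and stored != idp_id:
        problems.append(f"{email}: id {idp_id} differs from synced id {stored} "
                        "(user recreated in the IdP?)")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, KNOWN_USERS):
        print(problem)
```

Run it against an assertion captured from your own test login (base64-decoded first) to confirm the attribute statements before troubleshooting the sync.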

SP-initiated SSO

1. Go to: https://control.openpath.com/login/sso

2. Enter your email, then click Sign In.

Note: Avigilon Alta only prompts for a Namespace (the value you copied in step 7 above) if it is required to disambiguate between multiple IDP-synced records on the Avigilon Alta side that have the identical email address.

Related Pages:

How do I log into the Avigilon Alta Open app with Okta SSO?

How do I sync users with Okta?

How do I enable Single Sign-On for Okta?
