The current Openpath Jira and Confluence instances will be migrated to the MSI On-Premise solution from August 9th-11th, the current platform will be set to read-only and all future usage will be in the Avigilon Instance. Please ensure access to MSI Jira & MSI Confluence, both are accessible through OKTA. For additional information and details please refer to the Atlassian migration page
How to sync users with Okta
You can integrate Okta with Avigilon Alta to import and sync users automatically.
Note: To use the API Key auth method, you must have administrative privileges in your Okta account. We recommend using a dedicated service account that uses only the "Group Membership Administrator" role as that role contains only the permissions that Openpath requires to synchronize your users and groups.
If you are using the OAuth method you will need to have a Super Administrator to add the API Service Integration.
When an Identity Provider (IDP) creates unique IDs for users, deleting and recreating a user in the IDP results in a new unique ID for that user. If you add the recreated user back into Avigilon Alta, the system will recognize them as a new user due to the new ID, even though the email address is the same. This can cause confusion, as it becomes unclear which version of the user is correct.
To set up the integration:
Go to https://control.openpath.com/login and log in. To access the European Alta Access, please go to https://control.eu.openpath.com/login.
Under App Marketplace > Get Apps, click on Okta, then click Get App.
Under App Marketplace > My Apps, click Okta.
The two ways to authenticate to OKTA are by using an API Key or OAuth.
To use API key:
A. Enter your API URL. This should be the Okta domain for your organization, prefixed with https://
, for example, https://yourcompanyname.okta.com.
B. Enter an API Key. First, you’ll need to generate an Okta API Key (Token) associated with the Okta service account you have created for this integration. Ideally, you should create a dedicated API Key to be used only with the Openpath integration, so that you have control over the lifecycle of this integration.
Note: Once you save the API Key, Avigilon Alta does not use or otherwise expose the API Key anywhere except when using it to call Okta to synchronize users and groups.
2. To use OAuth:
A. Enter your Client ID, this should be the Client ID provided on the Okta API Service Integrations page.
B. Now enter your Client secret. This should be the Client Secret provided on the Okta API Service Integrations page.
C. Finally enter your Okta domain. This should be the Okta Domain, (https://developer.okta.com/docs/api/getting_started/finding_your_domain) for your organization, prefixed with https://
for example, https://yourcompanyname.okta.com.
After saving the OAuth config or API key, you can enable the following settings:
A. Auto-sync every 1 hour/15 minutes - this will sync Avigilon Alta with Okta once every hour or once every 15 minutes depending on which user management package you're using (see Administration > Account for package details).
B. Auto-create mobile credential - this will create a mobile credential for every user.
C. Auto-create cloud key credential - this will create a cloud key credential for every user.
D. Enable Single Sign-On (SSO) for users with portal access - this will let users log into Alta Access with their Okta credentials.
E. Enable Single Sign-On (SSO) for mobile app - this lets users log into the Avigilon Alta Open mobile app using Okta SSO. For more information, see How do I enable Single Sign-On for Okta?
F. Only import users from groups with an Avigilon Alta group mapping - When enabled, no users will be imported from Okta if they are not assigned to an Avigilon Alta group.
G. Auto-remove users from groups - this will remove users from Avigilon Alta groups if they no longer exist in Okta groups.
H. Mobile Phone - Okta has a specific mobilePhone
field to sync the mobile phone of users. You must use the E.164 format and it is recommended it is an actual mobile phone number and not a landline.
2. To map a specific group from Okta to Avigilon Alta (required if you enabled Only import users from groups with an Avigilon Alta group mapping), click + Create Group Mapping.
A. Select the group from Okta.
B. Select the group from Avigilon Alta.
C. Click + Create Group Mapping.
3. Repeat step 2 until all groups that need to be mapped have been created.
After saving, you now have the option to Manually Sync. You can perform this action at any time by clicking the Synchronize button on the Okta settings page.
Additional resources