Integrate Kisi with Okta
This is a Kisi-built integration, maintained and supported by Kisi.
As a Kisi organization owner you can set up Okta single sign-on (SSO) for your Kisi users. To further control your SSO integration, you can sync it with your Okta directory members and groups with SCIM.
Kisi organizations with single sign-on (SSO) can, if needed, also enable password authentication for users. If enabled, the user will be able to log in with email and password. If the user is in the organization's IdP directory, an SSO login will also be available.
Before you begin
Before setting up the integration, make sure you have a valid and activated SSO license. Otherwise, the SSO & SCIM option won't show up in your admin dashboard.
Enable SSO on Okta
Set up the integration in Okta
- Sign in to Okta and ensure you are using the classic UI interface (top-left corner)
- From the main navigation click on Applications and select Add Application
- Open the dropdown menu and look for the Kisi Physical Security app
- Click Add
- On the following General Settings page, click Done
- In the Kisi Physical Security app detail page, click on the Sign On tab
- Click Identity Provider metadata and copy the Metadata URL
Set up the integration in Kisi
- Sign in to Kisi
- Under Organization Setup, click on SSO & SCIM and paste the metadata URL that you saved in the step above
- Click Save
- Click Generate Certificate
Now that you have generated the encryption certificate, go back to Okta and follow the steps below to complete the configuration.
- In the Kisi Physical Security SAML app in Okta, click on the Sign On tab
- Under Settings, click Edit
- In the Encryption Certificate field, upload the encryption certificate that you have previously downloaded in Kisi
- In the Domain field, enter your Kisi domain. (You can find your Kisi organization domain under Organization Setup > Settings)
- Click Save
As a last step, make sure you assign people or groups from Okta to the Kisi application.
- Navigate to the Kisi Physical Security SAML app in Okta, look for the Assignments tab, and click on Assign
- Choose to Assign to people or Assign to groups
Enable SCIM on Okta
Before you start, make sure you have SSO set up for your organization. Then just follow the next steps to generate a SCIM token and add the Kisi Physical Security app in Okta.
Okta's SCIM implementation doesn't allow deleting users in other applications, so users who are removed in Okta are not removed in Kisi. We recommend regularly auditing and cleaning up suspended users.
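An added example, not part of Kisi's documentation, of the audit recommended above: it reconciles an Okta user export with a Kisi member export and lists Kisi members who are suspended, deprovisioned, or absent in Okta. The CSV column names (login, status, email, name) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Okta user statuses that should no longer hold physical access.
INACTIVE_OKTA_STATUSES = {"SUSPENDED", "DEPROVISIONED"}

# Constructed sample exports; the column layout is an assumption.
OKTA_EXPORT = """login,status
alice@example.com,ACTIVE
Bob@Example.com,SUSPENDED
carol@example.com,DEPROVISIONED
"""

KISI_EXPORT = """email,name
alice@example.com,Alice
bob@example.com,Bob
carol@example.com ,Carol
dave@example.com,Dave
"""


def _norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def load_okta_statuses(okta_csv):
    """Map normalized Okta login -> upper-cased Okta status."""
    rows = csv.DictReader(io.StringIO(okta_csv))
    return {_norm(r["login"]): r["status"].strip().upper() for r in rows}


def stale_kisi_members(okta_csv, kisi_csv):
    """Return sorted (email, reason) pairs for Kisi members needing review."""
    okta = load_okta_statuses(okta_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(kisi_csv)):
        email = _norm(row["email"])
        status = okta.get(email)
        if status is None:
            # May be a removed Okta user or a legitimate password-only user.
            findings.append((email, "not in Okta"))
        elif status in INACTIVE_OKTA_STATUSES:
            findings.append((email, f"Okta status {status}"))
    return sorted(findings)


if __name__ == "__main__":
    for email, reason in stale_kisi_members(OKTA_EXPORT, KISI_EXPORT):
        print(f"{email}: {reason}")
```

Treat the output as a review list rather than a deletion list, since members who sign in with email and password only will also appear as "not in Okta".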
Generate your SCIM Token in Kisi
- Sign in to Kisi
- Under Organization Setup, click on SSO & SCIM
- Enable SCIM and click on Generate Token
- Copy the token (shown once)
Set up SCIM with Okta
- Sign in to Okta and ensure you are using the classic UI interface (top-left corner)
- Click on Admin, select Applications, and select your Kisi Physical Security app from the list
- Navigate to the Provisioning tab, and click Configure API Integration
- Click on the Enable API Integration checkbox and enter your SCIM token (without the leading Bearer if present)
- Click Test API Credentials
- Once a success message is displayed above the Enable API Integration checkbox, click Save
- Navigate to the Provisioning tab, and under Settings select To App
- Click Edit and enable Create Users, Update User Attributes and Deactivate Users
- Click Save
As a last step, you need to assign users under Push Groups.
Push Okta Groups to Kisi
- In the Kisi Physical Security SAML app in Okta, click on Push Groups
- Select Find Groups by name
- Search for the Okta group you want to push to Kisi
- Under Match result & push action choose to either Create Group or Link Group
For more details on how to configure Okta, please visit SCIM: Provisioning and Deprovisioning Kisi Organization Members with Okta.
Restrict Kisi emails for managed users
If you are a Kisi partner and you manage users yourself, you may not want them to receive emails from Kisi. You can restrict this by using the sendEmails custom attribute. This attribute can only be set when the user is created in Kisi, and cannot be updated later.
Please note that the sendEmails attribute should only be used for managed users. Setting it to false will disable all Kisi emails, including the emails that are required for creating a password and signing in.
- In the Kisi Physical Security SAML app in Okta, click on Provisioning
- Click Go to Profile Editor
- Click Add Attribute
- Select Data type boolean
- Fill in the form as follows:
  - Display name: Send Kisi emails (or what makes sense for you)
  - Variable name: sendEmails
  - External name: sendEmails
  - External namespace: urn:ietf:params:scim:schemas:core:2.0:User
  - Scope: Check the box next to User personal
- Click Save
Now, when you assign a user to your Kisi Physical Security app in Okta, you can select whether or not they should receive emails. If you always want the same value for all of your users, follow the steps below.
- In the Kisi Physical Security SAML app in Okta, click on Provisioning
- If the sendEmails attribute is not already shown in the list, scroll down and click on Show Unmapped Attributes
- Click on the pencil icon for the sendEmails attribute
- Select Same value for all users in the Attribute value dropdown
- Select the value you want applied to all users in the second dropdown
- Make sure Apply on is set to Create
- Click Save