# Identity Providers

Integrate Verkada Command with your organization's identity provider (IdP) for Single Sign-On (SSO) and automated user provisioning.

***

## Supported providers

| Provider                                                                                              | OIDC | SAML | SCIM | ECE Support |
| ----------------------------------------------------------------------------------------------------- | :--: | :--: | :--: | :---------: |
| [Okta](https://help.verkada.com/command/security/identity-providers/okta)                             |  Yes |  Yes |  Yes |     Yes     |
| [Microsoft Entra ID](https://help.verkada.com/command/security/identity-providers/microsoft-entra-id) |  Yes |  Yes |  Yes |     Yes     |
| [Google Workspace](https://help.verkada.com/command/security/identity-providers/google-workspace)     |  Yes |  Yes |  Yes |     Yes     |
| [OneLogin](https://help.verkada.com/command/security/identity-providers/onelogin)                     |   —  |  Yes |   —  |      —      |
| [JumpCloud](https://help.verkada.com/command/security/identity-providers/jumpcloud)                   |   —  |  Yes |   —  |      —      |
| [AD FS](https://help.verkada.com/command/security/identity-providers/ad-fs)                           |   —  |  Yes |   —  |      —      |

{% hint style="info" %}
Verkada recommends OIDC over SAML when available for enhanced security and easier configuration.
{% endhint %}

***

## Which method should I use?

* **Want the most secure option?** Use OIDC + [Enterprise Controlled Encryption](https://help.verkada.com/command/security/enterprise-controlled-encryption)
* **Need automated user management?** Add SCIM provisioning to sync users from your IdP
* **IdP only supports SAML?** Follow the generic SAML setup instructions below

***

{% hint style="danger" %}
You need [Organization Admin](https://help.verkada.com/command/users-and-permissions/roles-and-permissions-for-command) permissions to set up SSO.
{% endhint %}

## Generate client-ID

{% stepper %}
{% step %}
**Go to Verkada Command > All Products > Admin.**
{% endstep %}

{% step %}
**Under Login & Access, select Single Sign-On (SSO).**
{% endstep %}

{% step %}
**Click** <i class="fa-plus">:plus:</i> **Add.**

You should see your client ID and the fields to enter into your IdP:

* **Client ID**:
  * US orgs: `https://vauth.command.verkada.com/saml/sso/<client-ID>`
  * EU orgs: `https://saml.prod2.verkada.com/saml/sso/<client-ID>`
  * AUS orgs: `https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>`
* **Reply ID**:
  * US orgs: `https://vauth.command.verkada.com/saml/sso/<client-ID>`
  * EU orgs: `https://saml.prod2.verkada.com/saml/sso/<client-ID>`
  * AUS orgs: `https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>`
* **Sign-on URL**:
  * US orgs: `https://vauth.command.verkada.com/saml/login/<client-ID>`
  * EU orgs: `https://saml.prod2.verkada.com/saml/login/<client-ID>`
  * AUS orgs: `https://saml.prod-ap-syd.verkada.com/saml/login/<client-ID>`

{% hint style="info" %}
To confirm which region you're located in, refer to where [your organization was created for Verkada](https://help.verkada.com/command/getting-started/get-started-with-verkada-command).
{% endhint %}
{% endstep %}

{% step %}
**Complete your IdP configuration, then come back to complete the** [**Command configuration**](#command-configuration)**.**
{% endstep %}
{% endstepper %}
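
The three fields differ only in region host and in the `sso` versus `login` path segment, so a pasted value from the wrong row is easy to miss. The following added example (not Verkada code) lints the values you entered into your IdP against the table above; the function name, field keys and sample client ID are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Region hosts exactly as listed in the table above.
REGION_HOSTS = {
    "US": "vauth.command.verkada.com",
    "EU": "saml.prod2.verkada.com",
    "AUS": "saml.prod-ap-syd.verkada.com",
}
# Path segment each IdP field uses, per the same table.
FIELD_KIND = {"client_id": "sso", "reply_id": "sso", "sign_on_url": "login"}

# Constructed sample: "EXAMPLE-CLIENT-ID" is a placeholder, not a real client ID.
SAMPLE = {
    "client_id": "https://saml.prod2.verkada.com/saml/sso/EXAMPLE-CLIENT-ID",
    "reply_id": "https://saml.prod2.verkada.com/saml/login/EXAMPLE-CLIENT-ID",
    "sign_on_url": "https://vauth.command.verkada.com/saml/login/EXAMPLE-CLIENT-ID",
}


def lint_sso_urls(region, fields):
    """Return a list of problems in the URLs entered into the IdP."""
    problems, client_ids = [], set()
    for name, kind in FIELD_KIND.items():
        url = urlsplit(fields.get(name, "").strip())
        parts = url.path.split("/")[1:]  # exact match: a trailing slash fails
        if url.scheme != "https":
            problems.append(f"{name}: scheme must be https")
        if url.hostname != REGION_HOSTS[region]:
            problems.append(f"{name}: host is not the {region} host")
        if len(parts) != 3 or parts[:2] != ["saml", kind]:
            problems.append(f"{name}: path must be /saml/{kind}/<client-ID>")
        elif not parts[2] or "<" in parts[2]:
            problems.append(f"{name}: client ID missing or placeholder left in")
        else:
            client_ids.add(parts[2])
        if url.query or url.fragment:
            problems.append(f"{name}: unexpected query string or fragment")
    if len(client_ids) > 1:
        problems.append("fields do not share one client ID")
    return problems
```

`lint_sso_urls("EU", SAMPLE)` reports the Reply ID that uses the `login` path and the Sign-on URL that points at the US host.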

***

## Command SSO configuration

After configuring your IdP, you'll receive an XML metadata file to upload to Command.

{% stepper %}
{% step %}
**Go to Verkada Command > All Products > Admin.**
{% endstep %}

{% step %}
**Under Login & Access, select Single Sign-On (SSO).**
{% endstep %}

{% step %}
**Click** <i class="fa-pencil-line">:pencil-line:</i> **next to your SAML configuration.**
{% endstep %}

{% step %}
**In the Email Domains section, configure the email domains that users in your organization will use to log in.**
{% endstep %}

{% step %}
**In the Identity Provider XML Metadata section, click Upload New XML.**

Upload the XML file you downloaded during your IdP configuration.
{% endstep %}

{% step %}
**In the Verify Metadata section, click Run Login Test to verify that the setup was completed correctly. If the login test fails, review your metadata file and associated domains.**

Common error: `app_not_configured_for_user` — This can happen when your browser has cached app access. Use an incognito browser or clear your cache and retry.

{% hint style="danger" %}
Before you can verify the XML, you must add email domains.
{% endhint %}
{% endstep %}

{% step %}
**(Optional) Toggle on Require SSO to force everyone in your organization to log in with SSO.**

* Anyone using the configured email domain must go through SAML to sign in
* Provides greater control over user access
* If SAML has issues, users cannot sign in until resolved or enforcement is disabled

{% hint style="warning" %}
You cannot require SSO until the XML has been verified.
{% endhint %}
{% endstep %}
{% endstepper %}

***

#### Need help?

See [SCIM Token Management](https://help.verkada.com/command/security/identity-providers/scim-token-management) for provisioning configuration.
