# Identity Providers

Integrate Verkada Command with your organization's identity provider (IdP) for Single Sign-On (SSO) and automated user provisioning.

***

## Supported providers

| Provider                                                                         | OIDC | SAML | SCIM | ECE Support |
| -------------------------------------------------------------------------------- | :--: | :--: | :--: | :---------: |
| [Okta](/command/security/identity-providers/okta.md)                             |  Yes |  Yes |  Yes |     Yes     |
| [Microsoft Entra ID](/command/security/identity-providers/microsoft-entra-id.md) |  Yes |  Yes |  Yes |     Yes     |
| [Google Workspace](/command/security/identity-providers/google-workspace.md)     |  Yes |  Yes |  Yes |     Yes     |
| [OneLogin](/command/security/identity-providers/onelogin.md)                     |   —  |  Yes |   —  |      —      |
| [JumpCloud](/command/security/identity-providers/jumpcloud.md)                   |   —  |  Yes |   —  |      —      |
| [AD FS](/command/security/identity-providers/ad-fs.md)                           |   —  |  Yes |   —  |      —      |

{% hint style="info" %}
Verkada recommends OIDC over SAML when available for enhanced security and easier configuration.
{% endhint %}

***

## Which method should I use?

* **Want the most secure option?** Use OIDC + [Enterprise Controlled Encryption](/command/security/enterprise-controlled-encryption.md)
* **Need automated user management?** Add SCIM provisioning to sync users from your IdP
* **IdP only supports SAML?** Follow the generic SAML setup instructions below

***

{% hint style="danger" %}
You need [Organization Admin](/command/users-and-permissions/roles-and-permissions-for-command.md) permissions to set up SSO.
{% endhint %}

## Generate client-ID

{% stepper %}
{% step %}
**Go to Verkada Command > All Products > Admin.**
{% endstep %}

{% step %}
**Under Login & Access, select Single Sign-On (SSO).**
{% endstep %}

{% step %}
**Click**  <i class="fa-plus">:plus:</i> **Add.**

You should see your client ID and the fields to enter into your IdP:

* **Client ID**:
  * US orgs: `https://vauth.command.verkada.com/saml/sso/<client-ID>`
  * EU orgs: `https://saml.prod2.verkada.com/saml/sso/<client-ID>`
  * AUS orgs: `https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>`
* **Reply ID**:
  * US orgs: `https://vauth.command.verkada.com/saml/sso/<client-ID>`
  * EU orgs: `https://saml.prod2.verkada.com/saml/sso/<client-ID>`
  * AUS orgs: `https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>`
* **Sign-on URL**:
  * US orgs: `https://vauth.command.verkada.com/saml/login/<client-ID>`
  * EU orgs: `https://saml.prod2.verkada.com/saml/login/<client-ID>`
  * AUS orgs: `https://saml.prod-ap-syd.verkada.com/saml/login/<client-ID>`

{% hint style="info" %}
To confirm which region you're located in, refer to where [your organization was created for Verkada](/command/getting-started/get-started-with-verkada-command.md).
{% endhint %}
{% endstep %}

{% step %}
**Complete your IdP configutation then come back to complete the** [**Command configuration**](#command-configuration)**.**
{% endstep %}
{% endstepper %}

***

## Command SSO configuration

After configuring your IdP, you'll receive an XML metadata file to upload to Command.

{% stepper %}
{% step %}
**Go to Verkada Command > All Products > Admin.**
{% endstep %}

{% step %}
**Under Login & Access, select Single Sign-On (SSO).**
{% endstep %}

{% step %}
**Click** <i class="fa-pencil-line">:pencil-line:</i> **next to your SAML configuration.**
{% endstep %}

{% step %}
**In the Email Domains section, configure the email domains that users in your organization will use to log in.**&#x20;
{% endstep %}

{% step %}
**In the Identify Provider XML Metadata section, click Upload New XML.**

Upload the XML file you downloaded during your IdP configuration.
{% endstep %}

{% step %}
**In the Verify Metadata section, click Run Login Test to verify that the setup was completed correctly. If the login tests fail, review your metadata file and associated domains.**

Common error: `app_not_configured_for_user` — This can happen when your browser has cached app access. Use an incognito browser or clear your cache and retry.

{% hint style="danger" %}
Before you can verify the XML, you must add email domains.
{% endhint %}
{% endstep %}

{% step %}
**(Optional) Toggle on Require SSO to force everyone in your organization to login with SSO.**

* Anyone using the configured email domain must go through SAML to sign in
* Provides greater control over user access
* If SAML has issues, users cannot sign in until resolved or enforcement is disabled

{% hint style="warning" %}
&#x20;You cannot require SSO until the XML has been verified.
{% endhint %}
{% endstep %}
{% endstepper %}

***

#### Need help?

See [SCIM Token Management](/command/security/identity-providers/scim-token-management.md) for provisioning configuration.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.verkada.com/command/security/identity-providers.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.