AD FS

Integrate SAML with Active Directory Federation Services

Verkada Command integrates with Active Directory Federation Services (AD FS) to allow users to log in using their existing AD credentials.

| Feature | Supported |
| --- | --- |
| OIDC SSO | — |
| SAML SSO | Yes |
| SCIM Provisioning | — |
| ECE Support | — |


Before you begin

To begin the SAML integration, you must generate your organization's client ID (case-sensitive).


Step 1: Add relying party trust

1. Open AD FS Management.

2. Select Action > Add Relying Party Trust.

3. Check Claims aware and click Start.

4. Select Enter data about the relying party manually and click Next.

5. Type a Display name and click Next.

6. Specify an optional token encryption certificate and click Next.

7. Check Enable support for the SAML 2.0 WebSSO protocol and enter the Relying party SAML 2.0 SSO service URL (replace <client-ID> with your client ID):

  • US orgs: https://vauth.command.verkada.com/saml/sso/<client-ID>

  • EU orgs: https://saml.prod2.verkada.com/saml/sso/<client-ID>

  • AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>

8. Click Next.

9. In the Relying party trust identifier field, enter the same URL from step 7, then click Add > Next.

10. Configure an appropriate access control policy and click Next.

11. Review the settings and click Next > Close.


Step 2: Edit the claim issuance policy

1. Right-click the newly-created Relying Party Trust and select Edit Claim Issuance Policy.

2. Click Add Rule > OK.


Step 3: Add the transform claim rule

1. Ensure Send LDAP Attributes as Claims is selected and click Next.

2. Configure the rule settings:

   a. Enter a Claim rule name.
   b. Under Attribute store, select Active Directory.
   c. Configure these LDAP attributes:

   | LDAP Attribute | Outgoing Claim Type |
   | --- | --- |
   | E-Mail-Addresses | E-Mail Address |
   | Given-Name | Given Name |
   | Surname | Surname |

   Click Finish.

3. Under Claim rule template, select Transform an Incoming Claim and click Next.

4. Configure the claim rule:

   a. Type a Claim rule name.
   b. Incoming claim type: E-Mail Address
   c. Outgoing claim type: Name ID
   d. Outgoing name ID format: Transient Identifier
   e. Select Pass through all claim values.
   f. Click Finish.


Step 4: Download XML metadata

Go to https://<your-adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml to download your XML metadata file.


Step 5: Complete the SAML setup

Follow the steps in Generic SAML Setup to upload the metadata and complete the configuration in Command.


Step 6: Test the integration

1. Open an incognito/private browser and go to (replace <client-ID> with your client ID):

  • US orgs: https://vauth.command.verkada.com/saml/login/<client-ID>

  • EU orgs: https://saml.prod2.verkada.com/saml/login/<client-ID>

  • AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>

2. You should be taken to your AD FS login page. Sign in with your credentials.

If you are redirected to your Command organization, the SAML integration was successful.
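
If the redirect fails, the SAMLResponse form value that AD FS posts back (visible in the browser's network tab) shows which setting is off. The following is an added example, not Verkada's or Microsoft's code: it checks that value against the settings from Steps 1 and 3, namely that Destination and Audience equal the SSO service URL, the three LDAP claims are present, and the Name ID is the e-mail address in transient format. The claim-type URIs are the standard AD FS ones for those claim names; the client ID, user and sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def check_response(b64_response, sso_url):
    """Mismatches between a captured SAMLResponse and Steps 1/3; signature is NOT validated."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # refuse DTDs before parsing
        raise ValueError("DTD or entity declaration in SAML response")
    root = ET.fromstring(xml)
    if root.find("a:EncryptedAssertion", NS) is not None:  # Step 1, item 6 certificate in use
        return ["assertion is encrypted; decrypt it before checking claims"]
    problems = []
    if root.get("Destination") != sso_url:  # comparison is case-sensitive, like the client ID
        problems.append("Destination differs from the SSO service URL")
    if [e.text for e in root.iterfind(".//a:Audience", NS)] != [sso_url]:
        problems.append("Audience differs from the relying party trust identifier")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//a:Attribute", NS)}
    problems += ["missing claim: " + n for n in sorted(REQUIRED - attrs.keys())]
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("no NameID; the transform rule was not applied")
    else:
        if name_id.get("Format") != TRANSIENT:
            problems.append("NameID format is not Transient Identifier")
        if name_id.text != attrs.get(CLAIMS + "emailaddress"):
            problems.append("NameID value is not the e-mail address")
    return problems

def sample_response(sso_url, name_id_format=TRANSIENT):
    """Constructed, unsigned stand-in for an AD FS response; not real AD FS output."""
    attrs = "".join(
        f'<Attribute Name="{CLAIMS}{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in [("emailaddress", "user@example.com"), ("givenname", "Ada"), ("surname", "Lee")])
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" Destination="{sso_url}">'
           f'<Assertion xmlns="{NS["a"]}"><Subject><NameID Format="{name_id_format}">'
           f'user@example.com</NameID></Subject><Conditions><AudienceRestriction>'
           f'<Audience>{sso_url}</Audience></AudienceRestriction></Conditions>'
           f'<AttributeStatement>{attrs}</AttributeStatement></Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    url = "https://vauth.command.verkada.com/saml/sso/EXAMPLE-CLIENT-ID"  # placeholder client ID
    print(check_response(sample_response(url), url) or "matches Steps 1 and 3")
```

An empty list means the response matches the configured trust; it does not mean the signature is valid, which the service provider checks against the metadata from Step 4.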
