Google Workspace

Log in to your Google Cloud console.

Click New Project to create a new project under your Google Workspace organization.

In your new project, navigate to APIs & Services > Library.

a. Enable the following APIs:

1. Identity and Access Management (IAM) API

   
2. Admin SDK API

   

Navigate to APIs & Services > OAuth Consent Screen. Select Internal for the User Type and click Create.

Click Edit App.

Configure your OAuth Consent Screen. Give your app an identifiable name (e.g., Verkada SSO OIDC), and put the email of the entity that manages your organization's Google Workspace (e.g., IT) as your app's user support email. Click Save and Continue.

Configure your OAuth Scopes.

Select the following scopes:

• userinfo.email

• userinfo.profile

• openid

• https://www.googleapis.com/auth/admin.directory.user.readonly

Click Update.

If you do not see the last option, you may have to Add To Table under Manually add scopes.

Click Save and Continue and return to your application's dashboard.

Navigate to Credentials. Click Create Credentials and create an OAuth client ID.

Select Web application as your application type. Give your client an identifiable name, and add the following to the list of authorized redirect URIs:

• https://command.verkada.com/oidc/google/callback

• https://org-short-name.command.verkada.com/oidc/google/callback (where org-short-name is the short-name for your Command organization)

Click Create.

Copy your Client ID. Note that we will not be using the Client secret.

In Verkada Command, go to All Products > Admin.

In the left navigation, select Login & Access.

Select Single Sign-On Configuration.

Under OIDC Configuration, click Add New.

a. Toggle on Enable. b. (Optional) Toggle on Require OIDC SSO. c. Under Select Provider, select Google. d. Under Add Client and Tenant, click :plus:.

1. In the Client ID field, paste the Client ID you copied from Google Cloud Console.

2. In the Tenant ID field, enter the domain used by your organization's Google Workspace (if your Google email is [email protected], enter your-domain.com).

3. Click on Done to complete the configuration.

   

h. Email Domains, click :plus:.

1. Enter your domain name present (e.g. @verkada.com).

2. Click Done.

   

Under Login Test click Run Login Test.

A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist under Associated Domains.

Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.

Once your domain is verified, you should see it successfully validated.

Ensure you have already registered on Verkada Command and an account exists for the user in the same custom domain. You can add Command as a custom application.

Familiarize yourself with these terms to maximize your integration:

• Client ID—Client ID. To locate, go to Admin > Privacy & Security > Single Sign-On Configuration > Add New.

• Federation Data XML—The unique information from your Google Workspace instance that allows Verkada to set up the federation between Google Workspace and your Command instance (the steps to download this are provided later).

Go to Google Workspace > Google Admin dashboard and select Web and mobile apps.

Select the Add app dropdown and select Add custom SAML app.

Fill in the application information; you can use any name and description.

Get the Verkada Command logo to add to your Google Workspace application.

Click Continue.

Use Option 1 to download the IdP metadata that corresponds to the federation metadata Extensible Markup Language (XML) and click Continue.

Note: This file allows Verkada to configure SSO in Command. Save it in a convenient location for future use.

Type the service provider details (as shown) to configure SSO or, you can copy the details from the New SSO Configuration page (in Verkada Command), and click Continue.

a. For ACS URL: For US orgs: https://vauth.command.verkada.com/saml/sso/ For EU orgs: https://saml.prod2.verkada.com/saml/sso/For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/ b. For Entity ID: For US orgs: https://vauth.command.verkada.com/saml/sso/ For EU orgs: https://saml.prod2.verkada.com/saml/sso/For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/ c. For Start URL: For US orgs: https://vauth.command.verkada.com/saml/login/ For EU orgs: https://saml.prod2.verkada.com/saml/login/For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/login/

Note: Refer to where your organization was created to confirm which region your organization is located.

Fill in the Attributes mappings (as shown below) and click Finish. This ensures that Command receives the correct information about the user. You should be redirected to the app configuration page.

In Verkada Command, go to All Products > Admin .

Select Login & Access > Single Sign On (SSO).

Click Add to start a new configuration or to edit an existing configuration.

Under Identity Provider XML Metadata, upload your metadata file.

Under Email Domains, add the email domains that will be used to log in to your organization.

Verify that you can access Command at one of these URLs (substitute the client-id with the one used during setup).

• For US orgs: https://vauth.command.verkada.com/saml/login/

• For EU orgs: https://saml.prod2.verkada.com/saml/login/

• For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/ Note: See Admin > Data Privacy > Data Residency > Data Processing Location to confirm where your region is located.

You'll be redirected to the Google Workspace app configuration page to complete the login.

In the email address field, type the user's email and click Next.

You should be redirected to your IdP (Google Workspace) to complete the login process.

Go to the Google Cloud console and sign in with your Super Admin credentials.

In the top-left corner, open the Project Selector dropdown, and choose your top-level (Type: Organization) resource.

From the left-hand panel, navigate to IAM & Admin → IAM.

Click Grant Access under View by principals.

a. Under Add principals, enter the user's email address. b. Under Assign roles, search for and select Organization Policy Administrator. c. Click Save.

From the left-hand panel, select Organization Policies.

In the list of policies, search for and disable the following:

In the Google Cloud console, in the top left, open the Project Selector dropdown.

Click New Project.

Enter a project name (for example, Verkada User Sync) and create the project.

Once the project is created, confirm it's selected in the navigation bar at the top left.

From the left-hand sidebar, go to IAM & Admin → Service Accounts.

Click + Create Service Account.

Fill in the following fields:

• Name: Enter a descriptive name (e.g., Verkada User Provisioning)

• ID: Leave as-is or customize (optional)

• Description: Add a note, such as Used by Verkada to read Workspace directory data (optional)

Click Create and Continue.

Skip the Grant Project Access step — no roles are required here.

Click Continue → Done.

From the list of service accounts, copy the OAuth 2 Client ID for the newly created account. You will need this ID later to complete your setup.

From the Service Accounts list, click the account name or select the three dots next to your new service account and choose Manage keys.

Under the Keys tab, click Add Key → Create new key.

Select JSON and click Create.

A .json file will download to your computer. Save it in a secure location for use later when setting up the integration in Verkada Command.

Go to the Google Cloud console, and sign in with your Super Admin credentials.

From the left-hand sidebar, go to APIs & Services → API Library.

In the search bar, find and select Admin SDK API, then click Enable.

Note: This API is required to read users, groups, and domain metadata.

(Optional) Search for and enable the Reports API to allow audit log monitoring and detect directory changes.

Navigate to the Google Admin Console and sign in with your Super Administrator credentials for your Google Workspace tenant.

From the Admin Console homepage, go to Security →Access & data control → API Controls.

On the API Controls page, scroll to the Domain-wide Delegation section and click Manage Domain Wide Delegation.

Click Add New and enter the following details:

• Client ID: Paste the OAuth 2 Client ID for your service account key file (the client_id field in the JSON).

• OAuth Scopes (comma-separated):

Click Authorize.

Sign in to the Google Admin Console using your Super Admin account.

Go to Directory → Users.

Select the user profile you want to update.

Click User information, then expand the relevant sections (for example, Basic information or Employee information).

Update the following fields as needed:

• Primary email address

• First name and Last name

• Employee ID (under Employee information)

• Phone number (under Contact information)

Click Save to apply your changes.

In Verkada Command, go to All Products > Admin.

On Org Settings, select Login & Access → User Provisioning → Google Workspace.

a. Enter the email address of your Google Workspace Super Admin. For security and continuity, Verkada recommends using a dedicated service account that has equivalent admin permissions, rather than a personal user account. a. Upload the JSON key you generated in your Google Cloud Console project. b. Once authentication succeeds, click Add to select the Groups and/or Organizational Units you want to sync to Command. c. Click Enable.

Upon successfully completing the first sync, a Sync Now button will be available for on-demand updates at any time.