Google Workspace
Configure SSO and user provisioning with Google Workspace
Verkada Command has the ability to integrate with Google Workspace (among other Identity Providers [IdPs]) for single sign-on (SSO) scenarios. Security Assertion Markup Language (SAML) handles the authentication side of things to allow Google Workspace to be used to manage access to Command.
OIDC Based SSO for Google Workspace
Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Google Workspace. This integration allows our users to seamlessly and securely authenticate using their existing Google credentials, streamlining access to Command and enhancing overall security.
OIDC is not supported on the Pass app or Desk Station apps.
OIDC configuration
Log in to your Google Cloud console.
Click New Project to create a new project under your Google Workspace organization.
In your new project, navigate to APIs & Services > Library.
a. Enable the following APIs:
Identity and Access Management (IAM) API
Admin SDK API
Navigate to APIs & Services > OAuth Consent Screen. Select Internal for the User Type and click Create.
Click Edit App.
Configure your OAuth Consent Screen. Give your app an identifiable name (e.g., Verkada SSO OIDC), and put the email of the entity that manages your organization's Google Workspace (e.g., IT) as your app's user support email. Click Save and Continue.
Configure your OAuth Scopes.
Select the following scopes:
userinfo.email
userinfo.profile
openid
Click Update.
If you do not see the last option, you may have to Add To Table under Manually add scopes.
Click Save and Continue and return to your application's dashboard.
Navigate to Credentials. Click Create Credentials and create an OAuth client ID.
Select Web application as your application type. Give your client an identifiable name, and add the following to the list of authorized redirect URIs:
https://org-short-name.command.verkada.com/oidc/google/callback (where org-short-name is the short-name for your Command organization)
Click Create.
Copy your Client ID. Note that we will not be using the Client secret.
Verkada Command Configuration
In Verkada Command, go to All Products > Admin.
In the left navigation, select Login & Access.
Select Single Sign-On Configuration.
Under OIDC Configuration, click Add New.
a. Toggle on Enable. b. (Optional) Toggle on Require OIDC SSO. c. Under Select Provider, select Google. d. Under Add Client and Tenant, click :plus:.
In the Client ID field, paste the Client ID you copied from Google Cloud Console.
In the Tenant ID field, enter the domain used by your organization's Google Workspace (if your Google email is [email protected], enter your-domain.com).
Click on Done to complete the configuration.
h. Email Domains, click :plus:.
Enter your domain name present (e.g. @verkada.com).
Click Done.
Under Login Test click Run Login Test.
A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist under Associated Domains.
Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.
Once your domain is verified, you should see it successfully validated.
Google Workspace SAML Integration
Verkada Command has the ability to integrate with Google Workspace (among other Identity Providers [IdPs]) for single sign-on (SSO) scenarios. Security Assertion Markup Language (SAML) handles the authentication side of things to allow Google Workspace to be used to manage access to Command.
Before you begin
Ensure you have already registered on Verkada Command and an account exists for the user in the same custom domain. You can add Command as a custom application.
Familiarize yourself with these terms to maximize your integration:
Client ID—Client ID. To locate, go to Admin > Privacy & Security > Single Sign-On Configuration > Add New.
Federation Data XML—The unique information from your Google Workspace instance that allows Verkada to set up the federation between Google Workspace and your Command instance (the steps to download this are provided later).
Google Workspace Configuration
Go to Google Workspace > Google Admin dashboard and select Web and mobile apps.
Select the Add app dropdown and select Add custom SAML app.
Fill in the application information; you can use any name and description.
Get the Verkada Command logo to add to your Google Workspace application.
Click Continue.
Use Option 1 to download the IdP metadata that corresponds to the federation metadata Extensible Markup Language (XML) and click Continue.
This file allows Verkada to configure SSO in Command. Save it in a convenient location for future use.
Type the service provider details (as shown) to configure SSO or, you can copy the details from the New SSO Configuration page (in Verkada Command), and click Continue.
a. For ACS URL: For US orgs: https://vauth.command.verkada.com/saml/sso/ For EU orgs: https://saml.prod2.verkada.com/saml/sso/For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/%3Cclient-ID%3E b. For Entity ID: For US orgs: https://vauth.command.verkada.com/saml/sso/ For EU orgs: https://saml.prod2.verkada.com/saml/sso/For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/%3Cclient-ID%3E c. For Start URL: For US orgs: https://vauth.command.verkada.com/saml/login/ For EU orgs: https://saml.prod2.verkada.com/saml/login/For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/login/
Refer to where your organization was created to confirm which region your organization is located.
Fill in the Attributes mappings (as shown below) and click Finish. This ensures that Command receives the correct information about the user. You should be redirected to the app configuration page.
Command Configuration
In Verkada Command, go to All Products > Admin .
Select Login & Access > Single Sign On (SSO).
Click Add to start a new configuration or to edit an existing configuration.
Under Identity Provider XML Metadata, upload your metadata file.
Under Email Domains, add the email domains that will be used to log in to your organization.
Verify that you can access Command at one of these URLs (substitute the client-id with the one used during setup).
For US orgs: https://vauth.command.verkada.com/saml/login/
For EU orgs: https://saml.prod2.verkada.com/saml/login/
See Admin > Data Privacy > Data Residency > Data Processing Location to confirm where your region is located.
You'll be redirected to the Google Workspace app configuration page to complete the login.
Log in via the mobile application
In the email address field, type the user's email and click Next.
You should be redirected to your IdP (Google Workspace) to complete the login process.
Google Workspace User Provisioning
The Google Workspace native integration allows organizations to automatically sync users and groups from Google Workspace into Verkada Command. This simplifies identity management and general user onboarding.
Unlike Verkada's SCIM integrations with Okta or Azure, this integration uses the Google Workspace Admin SDK and Reports API, authenticated through a Google service account with domain-wide delegation.
With the integration enabled, Command can:
Import users and groups from selected Google Workspace Groups or Organizational Units (OUs)
Sync them into Command as managed users and groups
Maintain directory accuracy with scheduled background syncs and on-demand syncs from the Admin UI
Create a Google service account
To allow Command to read user and group data from your Google Workspace domain, it must authenticate with Google's APIs using a service account. This type of account is designed for programmatic access and must be configured with the correct API scopes and domain-wide delegation. These settings are configured in your Google Cloud console account.
Verify policies & roles
You must first verify whether your user has permissions to create a service account and to generate the service account JSON Key. To ensure you are not blocked by security policies in your tenant:
Go to the Google Cloud console and sign in with your Super Admin credentials.
In the top-left corner, open the Project Selector dropdown, and choose your top-level (Type: Organization) resource.
From the left-hand panel, navigate to IAM & Admin → IAM.
Click Grant Access under View by principals.
a. Under Add principals, enter the user's email address. b. Under Assign roles, search for and select Organization Policy Administrator. c. Click Save.
From the left-hand panel, select Organization Policies.
In the list of policies, search for and disable the following:
Create a service account
In the Google Cloud console, in the top left, open the Project Selector dropdown.
Click New Project.
Enter a project name (for example, Verkada User Sync) and create the project.
Once the project is created, confirm it's selected in the navigation bar at the top left.
From the left-hand sidebar, go to IAM & Admin → Service Accounts.
Click + Create Service Account.
Fill in the following fields:
Name: Enter a descriptive name (e.g., Verkada User Provisioning)
ID: Leave as-is or customize (optional)
Description: Add a note, such as Used by Verkada to read Workspace directory data (optional)
Click Create and Continue.
Skip the Grant Project Access step — no roles are required here.
Click Continue → Done.
From the list of service accounts, copy the OAuth 2 Client ID for the newly created account. You will need this ID later to complete your setup.
Generate a JSON key
From the Service Accounts list, click the account name or select the three dots next to your new service account and choose Manage keys.
Under the Keys tab, click Add Key → Create new key.
Select JSON and click Create.
A .json file will download to your computer. Save it in a secure location for use later when setting up the integration in Verkada Command.
This JSON file contains the credentials that the Google Workspace integration in Command uses to authenticate to Google APIs via OAuth 2.0. Keep this file secure, as it provides access to your Workspace data and should never be shared or made public.
Enable required Google APIs
Verkada Command requires access to specific Google Workspace APIs to read users, groups, domains, and audit logs. These APIs must be enabled in your Google Cloud project before the integration can function.
Go to the Google Cloud console, and sign in with your Super Admin credentials.
From the left-hand sidebar, go to APIs & Services → API Library.
In the search bar, find and select Admin SDK API, then click Enable.
This API is required to read users, groups, and domain metadata.
(Optional) Search for and enable the Reports API to allow audit log monitoring and detect directory changes.
Enable Domain-wide delegation
To allow the service account to impersonate an administrator and access user and group data across your domain, you must grant it domain-wide delegation. This enables the service account to perform read operations on behalf of an admin without requiring manual re-authentication.
Navigate to the Google Admin Console and sign in with your Super Administrator credentials for your Google Workspace tenant.
From the Admin Console homepage, go to Security →Access & data control → API Controls.
On the API Controls page, scroll to the Domain-wide Delegation section and click Manage Domain Wide Delegation.
Click Add New and enter the following details:
Client ID: Paste the OAuth 2 Client ID for your service account key file (the
client_idfield in the JSON).OAuth Scopes (comma-separated):
Click Authorize.
The new delegation entry will appear on the page, confirming that the service account can now be used by Verkada Command to query user, group, and audit data.
Set user attribute values
Before syncing users to Verkada Command, confirm that key attributes (such as first name, last name, email, and employee ID) are correctly populated in Google Workspace.
Sign in to the Google Admin Console using your Super Admin account.
Go to Directory → Users.
Select the user profile you want to update.
Click User information, then expand the relevant sections (for example, Basic information or Employee information).
Update the following fields as needed:
Primary email address
First name and Last name
Employee ID (under Employee information)
Phone number (under Contact information)
Click Save to apply your changes.
The following attributes can be synced from Google Workspace to Verkada Command:
Google Workspace Attribute Name
Command Field
First name
First Name
Last name
Last Name
Department
Department
Cost center
Department ID
Employee ID
Employee ID
Job title
Employee Title
Phone number (Primary Home/Work/Mobile)
Phone Number
Users and groups synced from Google Workspace are managed exclusively in Workspace and cannot be manually edited in Verkada Command.
Enable the integration in Command
You need Org Admin permissions to configure this integration.
In Verkada Command, go to All Products > Admin.
On Org Settings, select Login & Access → User Provisioning → Google Workspace.
a. Enter the email address of your Google Workspace Super Admin. For security and continuity, Verkada recommends using a dedicated service account that has equivalent admin permissions, rather than a personal user account. a. Upload the JSON key you generated in your Google Cloud Console project. b. Once authentication succeeds, click Add to select the Groups and/or Organizational Units you want to sync to Command. c. Click Enable.
Upon successfully completing the first sync, a Sync Now button will be available for on-demand updates at any time.
FAQ
Last updated
Was this helpful?