Contact Support

AD FS SAML Integration

Integrate SAML with Active Directory Federation Services

Verkada Command has the ability to integrate with Active Directory Federation Services (AD FS) to allow your users to log in using their existing AD credentials.

Security Assertion Markup Language (SAML) is the language that allows AD FS to communicate to Command to securely grant your users access to your organization.

SAML does not add or invite users to your organization. It simply allows previously provisioned users to log in with their AD credentials, rather than with a Verkada-managed username and password.

If you’re interested in syncing domain users and groups to Command, learn more about SCIM.

Before you begin

To begin the SAML integration, you must generate your organization’s client ID (where the client ID is case-sensitive).

How it works

Step 1: Add relying party trust

1

Open AD FS Management.

2

Select Action > Add Relying Party Trust.

3

Check Claims aware and click Start.

4

Select Enter data about the relying party manually and click Next.

5

Type a Display name (can be anything) and click Next.

6

Specify and optional token encryption certificate (click Browse to specify), then click Next.

7

Check Enable support for the SAML 2.0 WebSSO protocol and in the Relying party SAML 2.0 SSO service URL field (substitute client-ID with the client ID that was previously generated):

8

Click Next.

9

In the Relying party trust identifier field, type the same URL from step 7, and click Add > Next.

10

Configure an appropriate access control policy for this application and click Next.

11

Review the relying party settings and click Next > Close.

Step 2: Edit the claim issuance policy

1

Right-click the newly-created Relying Party Trust and select Edit Claim Issuance Policy.

2

Click Add Rule > OK.

Step 3: Add the transform claim rule

1

Ensure that Send LDAP Attributes as Claims is selected and click Next.

2

Configure these rule settings and (when done) click Finish:

a. Enter a Claim rule name (can be anything). b. Under Attribute store, ensure that Active Directory is selected. c. Configure these LDAP attributes to map to the proper Outgoing Claim Type:

  • E-Mail-Addresses > E-Mail Address

  • Given-Name > Given Name

  • Surname > Surname

3

Under Claim rule template, select Transform an Incoming Claim to add another rule, and click Next.

4

Configure the claim rule:

a. Type a Claim rule name (can be anything). b. Next to Incoming claim type, select E-Mail Address. c. Next to Outgoing claim type, select Name ID. d. Next to Outgoing name ID format, select Transient Identifier. e. Ensure that Pass through all claim values is selected. f. Click Finish.

Go to https:///FederationMetadata/2007-06/FederationMetadata.xml to download your XML metadata file.

⚠️ Do not use Internet Explorer to complete this step; using Internet Explorer may cause issues with the XML file.

Step 4: Complete the SAML setup on Command

Follow the steps in Enable SAML for Your Command Account to complete the SAML setup on Command.

Step 5: Test the integration

Once the integration is complete, test it.

1

Open an incognito/private browsing window and go to (where you will replace clientID with the client ID you generated above):

2

You should be taken to your AD FS login page. Try to sign in with your credentials.

If you are redirected to your Command organization—congratulations—the SAML integration was a success!

Need more help? Contact Verkada Support.

Last updated

Was this helpful?