Verkada

Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Google Workspace. This integration allows our users to seamlessly and securely authenticate using their existing Google credentials, streamlining access to Command and enhancing overall security.

___________________________________________________________

Log in to your <a href="https://console.cloud.google.com/" rel="nofollow noopener noreferrer" target="_blank">Google Cloud console</a>.

Click New Project to create a new project under your Google Workspace organization.

In your new project, navigate to APIs &amp; Services &gt; Library.

1. Enable the following APIs:
   1. Identity and Access Management (IAM) API
   
   2. Admin SDK API


Navigate to APIs &amp; Services &gt; OAuth Consent Screen. Select Internal for the User Type and click Create.

Configure your OAuth Consent Screen. Give your app an identifiable name (e.g., Verkada SSO OIDC), and put the email of the entity that manages your organization’s Google Workspace (e.g., IT) as your app’s user support email. Click Save and Continue.

- userinfo.email
- userinfo.profile
- openid
- <a href="https://www.googleapis.com/auth/admin.directory.user.readonly" rel="nofollow noopener noreferrer" target="_blank">https://www.googleapis.com/auth/admin.directory.user.readonly</a>

If you do not see the last option, you may have to Add To Table under Manually add scopes.

Click Save and Continue and return to your application’s dashboard.

Navigate to Credentials. Click Create Credentials and create an OAuth client ID.

Select Web application as your application type. Give your client an identifiable name, and add <a href="https://command.verkada.com/oidc/google/callback" rel="nofollow noopener noreferrer" target="_blank">https://command.verkada.com/oidc/google/callback</a> to the list of authorized redirect URIs. Click Create.

Copy your Client ID. Note that we will not be using the Client secret.

1. Log in to your <a href="https://console.cloud.google.com/" rel="nofollow noopener noreferrer" target="_blank">Google Cloud console</a>.
2. Click New Project to create a new project under your Google Workspace organization.

3. In your new project, navigate to APIs &amp; Services &gt; Library.
 
 1. Enable the following APIs:
 1. Identity and Access Management (IAM) API
 
 2. Admin SDK API

4. Navigate to APIs &amp; Services &gt; OAuth Consent Screen. Select Internal for the User Type and click Create.

5. Click Edit App.

6. Configure your OAuth Consent Screen. Give your app an identifiable name (e.g., Verkada SSO OIDC), and put the email of the entity that manages your organization’s Google Workspace (e.g., IT) as your app’s user support email. Click Save and Continue.

7. Configure your OAuth Scopes.

8. Select the following scopes:
 - userinfo.email
 - userinfo.profile
 - openid
 - <a href="https://www.googleapis.com/auth/admin.directory.user.readonly" rel="nofollow noopener noreferrer" target="_blank">https://www.googleapis.com/auth/admin.directory.user.readonly</a>
9. Click Update.
 
 
 If you do not see the last option, you may have to Add To Table under Manually add scopes.

10. Click Save and Continue and return to your application’s dashboard.
11. Navigate to Credentials. Click Create Credentials and create an OAuth client ID. 

12. Select Web application as your application type. Give your client an identifiable name, and add <a href="https://command.verkada.com/oidc/google/callback" rel="nofollow noopener noreferrer" target="_blank">https://command.verkada.com/oidc/google/callback</a> to the list of authorized redirect URIs. Click Create.

13. Copy your Client ID. Note that we will not be using the Client secret.

In Verkada Command, go to All Products &gt; Admin<img src="https://downloads.intercomcdn.com/i/o/956793463/e6b90df44b6e69f8d8f18544/Admin_icon.png?expires=1737288000&amp;signature=fb17e9ba63a4f9507644914617ef6b7a15f0f8c996821ba67c8eb431ac6c8462&amp;req=fSUhEcB9mYdcFb4X1HO4ge6XZ1%2FNC0UQQCCgTFKkGB27QWNhXMUx6iDpeXCj%0A" width="25" alt="">.

In the left navigation, select Privacy &amp; Security <img src="https://downloads.intercomcdn.com/i/o/1093430549/dfb5e7456fb70a2f024013d4/Screenshot+2024-06-25+at+2_11_17%E2%80%AFPM.png?expires=1737288000&amp;signature=150f2d5e1d2702282a140d1fded30b17e6cdc66f02ae9c7817ef5d581f369985&amp;req=dSAuFc19nYRbUPMW3Hu4gZzJ8nYuzfaONblOBPV1RxkXjfYrKeWL1GoOXmQZ%0A%2BA%3D%3D%0A" width="20" alt="">.

Under Authentication &amp; User Configuration select Single Sign-On Configuration.

Next to OIDC Configuration, click Add New.

Under Select Provider, select Google.

Under Client and Tenant ID's click Add.

1. In the Client ID field, paste the Client ID you copied from Google Cloud Console.
2. In the Tenant ID field, enter the domain used by your organization’s Google Workspace (if your Google email is <a href="mailto:example@your-domain.com" rel="nofollow noopener noreferrer" target="_blank">example@your-domain.com</a>, enter your-domain.com). 
3. Click on Done to complete the configuration.

Under Login Test click Run Login Test.

A successful login test should redirect to the OIDC configuration page. Once you’re logged in, add the domain that you need to whitelist under Associated Domains.

Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.

Once your domain is verified, you should see it successfully validated.

1. In Verkada Command, go to All Products &gt; Admin<img src="https://downloads.intercomcdn.com/i/o/956793463/e6b90df44b6e69f8d8f18544/Admin_icon.png?expires=1737288000&amp;signature=fb17e9ba63a4f9507644914617ef6b7a15f0f8c996821ba67c8eb431ac6c8462&amp;req=fSUhEcB9mYdcFb4X1HO4ge6XZ1%2FNC0UQQCCgTFKkGB27QWNhXMUx6iDpeXCj%0A" width="25" alt="">. 
2. In the left navigation, select Privacy &amp; Security <img src="https://downloads.intercomcdn.com/i/o/1093430549/dfb5e7456fb70a2f024013d4/Screenshot+2024-06-25+at+2_11_17%E2%80%AFPM.png?expires=1737288000&amp;signature=150f2d5e1d2702282a140d1fded30b17e6cdc66f02ae9c7817ef5d581f369985&amp;req=dSAuFc19nYRbUPMW3Hu4gZzJ8nYuzfaONblOBPV1RxkXjfYrKeWL1GoOXmQZ%0A%2BA%3D%3D%0A" width="20" alt="">.
3. Under Authentication &amp; User Configuration select Single Sign-On Configuration.
4. Next to OIDC Configuration, click Add New.
5. Under Select Provider, select Google.
6. Under Client and Tenant ID's click Add.
 1. In the Client ID field, paste the Client ID you copied from Google Cloud Console.
 2. In the Tenant ID field, enter the domain used by your organization’s Google Workspace (if your Google email is <a href="mailto:example@your-domain.com" rel="nofollow noopener noreferrer" target="_blank">example@your-domain.com</a>, enter your-domain.com). 
 3. Click on Done to complete the configuration.

7. Under Login Test click Run Login Test.
8. A successful login test should redirect to the OIDC configuration page. Once you’re logged in, add the domain that you need to whitelist under Associated Domains.
9. Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.
10. Once your domain is verified, you should see it successfully validated.

Need more help? Contact <a href="https://help.verkada.com/en/articles/3430714-contact-verkada-support">Verkada Support</a>.

OIDC configuration

Verkada Command Configuration