Verkada Command can integrate with Azure AD (amongst other IdPs) in two capacities, depending on the use case:

  • SAML (Security Assertion Markup Language)

  • SCIM (System for Cross-Domain Identity Management)

SAML handles the authentication side, allowing Azure AD to manage access to Verkada Command in the same way as any other SaaS application already integrated into your Azure AD tenant. This means Verkada Command can be incorporated into your existing identity framework and access-controlled by the policies you already have in place.

SCIM, on the other hand, lets you leverage the users and groups already present in Azure AD by synchronizing them into Verkada Command. You keep Azure AD as the central identity provider, while those existing users and groups are used within Verkada Command to control access to the platform.

SAML Integration

Verkada Command is registered as a gallery application in the Azure AD marketplace, which means it can be leveraged with Azure AD Free, Azure AD P1, and Azure AD P2 licenses.

To get started, there are two pieces of information we are going to need:

  • Client ID - Follow our guide to generate it

  • Federation Metadata XML - This is unique information from your tenant that allows us to set up the federation between your Azure AD tenant and your Verkada Command instance (the steps to download it are provided later).

The first step is to add Verkada Command as an enterprise application in your Azure AD tenant. Head to your Azure AD overview page and select Enterprise Applications:

Select New Application at the top of the page:

Verkada Command is registered in the Azure AD gallery. Therefore, search for Verkada Command under the gallery section:

Select Verkada Command from the search results and select Add. It will take a few minutes to add the application to your Azure AD tenant.

Now that we have Verkada Command added, we need to set up the SAML integration. Select Verkada Command in the list of your enterprise applications. Under the "Getting Started" section, select Set up single sign-on:

The SAML sign-on configuration page contains 5 individual boxes, each holding information related to the integration. There are a few steps to complete here:

Within box 1 there are three items to fill in denoted by the "Required" tag:

Box 2 will already be populated with the correct user attributes and claims and should match the screenshot above. If so, no changes are needed for this section.

Box 3 contains the information specific to your Azure AD tenant that will allow us to set up the federation. The Federation Metadata XML file mentioned at the start can be downloaded from this section. Download a copy, as we will need it later.

Box 4 and Box 5 contain tools we can use after the integration has been finalized.

Uploading your Federation Metadata

After completing the steps in Azure and downloading the metadata, proceed to upload the metadata.

Once support has confirmed the integration is complete on our side, you can go ahead and test the integration with the button in Box 5:

If everything is set up correctly, you should be taken straight through to the Command platform if you select "Sign in as current user" when running the test.

Verkada Command can then be accessed through the following URL, substituting the client ID used during setup - https://vauth.command.verkada.com/saml/login/<client id>. This will redirect you to the IdP (Azure AD) to complete the login process.

Note: Azure does not support nested groups for App Access at this time. All users will need to be direct members of groups for assignment.

Login through the Mobile Application when leveraging SAML Integration

Verkada Command on both Android and iOS supports login through SAML.

Within the email address field, enter the email of the user in question and hit Next. At this point, you will be redirected to your IdP (Azure AD) to complete the login process.


Setting up SCIM

Before we start, the following prerequisites need to be in place to ensure a successful integration:

  • Organization ID - This is the unique identifier for your Verkada Command organization.

  • Secret Token - This allows you to connect successfully to our SCIM endpoint. It is unique to you and allows us to map the Azure AD tenant to the correct Verkada Command organization. To generate the token, go to Admin -> SCIM and add the email domain. This generates the token, which is viewable only once. To generate a new token you will need to refresh it.

Please note that the secret token must be obtained before starting the setup below.

To set up SCIM integration we are going to create another enterprise application within Azure AD. 

Using the new Azure interface from the home page, click Enterprise applications > + New application > + Create your own application.

Select the non-gallery application, name the application, then click the Create button.

On the getting started page, select Provision User Accounts, then click the Get Started button.

On the provisioning page, set the Provisioning Mode to “Automatic”.

For the SCIM integration we need to configure a few key settings:

  • Admin Credentials

  • Mappings

Admin Credentials require two values: the Tenant URL and Secret Token. The Tenant URL should be set as https://api.command.verkada.com/scim and the Secret Token can be obtained from the steps above.

Once you have entered the Tenant URL and Secret Token, click the Test Connection button in order to verify the connectivity to our SCIM endpoint.

If everything is correct the connection test should succeed as shown below.

Click the Save button to continue.

Attribute Mapping

Once a connection to Verkada Command has been established the Mapping section will populate with two mappings, one for Groups and one for Users.  

There are some changes we need to make to the default mappings suggested by Azure AD. Custom mappings will have to be added to match the screenshots below for the customappsso column.

Provision Azure Active Directory Groups

To make these changes, click on Provision Azure Active Directory Groups to make changes to the groups mappings. Configure your mappings to match the screenshot provided, or the data table below.

If you need to add a mapping, click Add New Mapping > select the Source attribute to match the Azure Active Directory Attribute in the column below > set the Target attribute to match the customappsso Attribute in the column below > click Ok.

The data in the image above as provided in a table:

Azure Active Directory Attribute    customappsso Attribute
displayName                         displayName
objectId                            externalId
members                             members

Click the Save button and confirm your changes. Then, click Provisioning in the breadcrumb link at the top of the page to return to the Provisioning page.

Provision Azure Active Directory Users

Next, click on Provision Azure Active Directory Users to make changes to the user mappings. Configure your mappings to match the screenshot provided, or the data table below.

Note: The Switch attribute is added with the Mapping type set to Expression.

The data in the image above as provided in a table:

Azure Active Directory Attribute                              customappsso Attribute    Matching precedence
userPrincipalName                                             userName                  1
givenName                                                     name.givenName
surname                                                       name.familyName
Switch([IsSoftDeleted], , "False", "True", "True", "False")   active

Click the Save button and confirm your changes. Then, click Provisioning in the breadcrumb link at the top of the page to return to the Provisioning page.
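As an added example (not Verkada's or Microsoft's code), the following Python applies the group and user mapping tables above, including the Switch expression for active and the matching precedence on userName, to constructed sample Azure AD objects and shows the SCIM resource bodies they produce. It assumes only the SCIM 2.0 core schema (RFC 7643) and standard SCIM filter syntax (RFC 7644); all sample values are constructed.

```python
# Standard SCIM 2.0 core schema URNs (RFC 7643); everything else here is constructed.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

def azure_switch(source, default, *pairs):
    """Mimic Azure AD's Switch(source, default, key1, value1, ...): return the value
    paired with the first key equal to source, otherwise the default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def map_user(aad_user):
    """Build the SCIM User body from the page's user mapping table."""
    # The page's expression: Switch([IsSoftDeleted], , "False", "True", "True", "False")
    active = azure_switch(aad_user.get("IsSoftDeleted"), "", "False", "True", "True", "False")
    body = {
        "schemas": [USER_SCHEMA],
        "userName": aad_user["userPrincipalName"],  # matching precedence 1 on the page
        "name": {"givenName": aad_user.get("givenName"),
                 "familyName": aad_user.get("surname")},
    }
    # The expression's default is empty, so a missing IsSoftDeleted yields no value; this
    # example then omits 'active' rather than guessing (an assumption, not page content).
    if active != "":
        body["active"] = active == "True"  # 'active' is boolean in the SCIM schema
    return body

def map_group(aad_group):
    """Build the SCIM Group body from the page's group mapping table; objectId ->
    externalId gives the group a stable key even when displayName is renamed."""
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": aad_group["displayName"],
        "externalId": aad_group["objectId"],
        "members": [{"value": m} for m in aad_group.get("members", [])],
    }

def matching_filter(scim_user):
    """SCIM filter (RFC 7644) on the precedence-1 attribute: a provisioning client looks
    up an existing user this way before deciding whether to create or update."""
    return f'userName eq "{scim_user["userName"]}"'

# Constructed sample Azure AD objects (not real tenant data).
SAMPLE_USER = {"userPrincipalName": "alice@example.com", "givenName": "Alice",
               "surname": "Example", "IsSoftDeleted": "False"}
SAMPLE_GROUP = {"displayName": "Camera Viewers", "objectId": "00000000-0000-0000-0000-000000000001",
                "members": ["alice@example.com"]}
```

A soft-deleted user (IsSoftDeleted "True") comes out with active set to false, which is what lets Azure AD deactivate rather than delete the matching Command user.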

Once finished with the mappings, click the Provisioning Status slider to on.

Adjust the scope to the required options, either "Sync all users and groups" or "Sync only assigned users and groups" depending on the requirements. If selecting the second option, ensure users and groups are assigned to the enterprise application under the "Users and Groups" section. Those that are assigned will be the ones provisioned and become present in Verkada Command.

Make sure provisioning is set to On. Once the initial provisioning cycle has completed, you should see the total number of users and groups that were provisioned successfully.

On Verkada Command you should be able to see these users and groups populated with the "Externally Managed" tag associated.

These synchronized users and groups can now be used in Verkada Command and assigned permissions to control access to the Command platform.

Further information on permissions in Verkada Command can be found in the following articles:

https://help.verkada.com/en/articles/4148648-user-permissions-overview
https://help.verkada.com/en/articles/3085073-a-simplified-camera-user-permissions-model
https://help.verkada.com/en/articles/3495051-setting-permissions
