Verkada Command can integrate with Azure AD (among other IDPs) in two capacities, depending on the use case:
SAML (Security Assertion Markup Language)
SCIM (System for Cross-Domain Identity Management)
SAML handles authentication, allowing Azure AD to manage access to Verkada Command in the same way as any other SaaS application already integrated into your Azure AD tenant. This means Verkada Command can be incorporated into your existing identity framework, with access controlled by the policies you already have in place.
SCIM, on the other hand, lets you reuse the users and groups already present in Azure AD and synchronize them with Verkada Command. You keep Azure AD as the central identity provider and configure access in Verkada Command using those existing users and groups.
Verkada Command is registered as a gallery application and can be found within the Azure AD marketplace which means it can be leveraged with Azure AD Free, Azure AD P1, and Azure AD P2 licenses.
To get started, there are two pieces of information we are going to use:
Client ID - Follow our guide to generate it
Federation Metadata XML - This is unique information from your tenant that allows us to set up the federation between your Azure AD tenant and your Verkada Command instance (the steps to download it are given later).
The first step is to add Verkada Command as an enterprise application in your Azure AD tenant. Head to your Azure AD overview page and select Enterprise Applications:
Select New Application at the top of the page:
Verkada Command is registered in the Azure AD gallery. Therefore, search for Verkada Command under the gallery section:
Select Verkada Command from the search results and select Add. It will take a few minutes to add the application to your Azure AD tenant.
Now that Verkada Command has been added, we need to set up the SAML integration. Select Verkada Command in the list of your enterprise applications. Under the "Getting Started" section, select Set up single sign-on:
The SAML sign-on configuration page contains five boxes with various pieces of information related to the integration. There are a few steps to complete here:
Box 1 has three items to fill in, marked with the "Required" tag:
Identifier (Entity ID) - https://vauth.command.verkada.com/saml/sso/<client id> substituting <client id> for your custom domain name.
Reply URL (Assertion Consumer Service URL) - https://vauth.command.verkada.com/saml/sso/<client id> substituting <client id> for your custom domain name.
Sign on URL - https://vauth.command.verkada.com/saml/login/<client id> substituting <client id> for your custom domain name.
Box 2 will already be populated with the correct user attributes and claims and should match the screenshot above. If so, no changes are needed for this section.
Box 3 contains the information specific to your Azure AD tenant that allows us to set up the federation. The Federation Metadata XML file mentioned at the start can be downloaded from this section. Download a copy, as it is needed later.
Box 4 and Box 5 contain tools we can use after the integration has been finalised.
Uploading your Federation Metadata:
After completing the steps in Azure and downloading the metadata, upload the Federation Metadata XML file.
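A pre-flight check of the downloaded Federation Metadata XML before it is uploaded, as an added example (not Verkada's or Microsoft's code): it derives the three Box 1 values from the client id, and pulls the IdP entity ID, SSO endpoints and signing-certificate thumbprint out of the metadata so they can be compared against what the portal shows in Box 3. The tenant ID and certificate bytes in the embedded sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_BASE = "https://vauth.command.verkada.com/saml"
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant ID
CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()

# Constructed stand-in for the file downloaded from Box 3 (shape follows Azure AD
# IdP metadata; the tenant ID and certificate bytes above are placeholders).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_settings(client_id: str) -> dict:
    """The three "Required" values for Box 1, derived from the client id."""
    return {"Identifier (Entity ID)": f"{SP_BASE}/sso/{client_id}",
            "Reply URL": f"{SP_BASE}/sso/{client_id}",
            "Sign on URL": f"{SP_BASE}/login/{client_id}"}


def inspect_metadata(xml_text: str) -> dict:
    """Pull out what the SP will trust: IdP entity ID, SSO URLs, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" attribute means both
            continue
        der = base64.b64decode("".join(kd.find(".//ds:X509Certificate", NS).text.split()))
        thumbprints.append(hashlib.sha1(der).hexdigest().upper())  # SHA-1, as the portal shows it
    if not thumbprints:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": root.get("entityID"), "sso": sso, "thumbprints": thumbprints}
```

Run `inspect_metadata` on the real downloaded file and compare the entity ID, login URL and thumbprint with Box 3 before sending it on; a mismatch means the wrong tenant's metadata was downloaded.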
Once support has confirmed the integration is complete on our side, you can go ahead and test the integration with the button in Box 5:
If everything is set up correctly, you should be taken straight through to the Command platform if you select "Sign in as current user" when running the test.
Access to Verkada Command can then be achieved through the following URL - https://vauth.command.verkada.com/saml/login/<client id> substituting the client ID with the one used during setup. This will redirect you to the IDP (Azure AD) to complete the login process.
Please note that at this time, Azure does not support nested groups for App Access. All users will need to be direct members of groups for assignment.
Login through the Mobile Application when leveraging SAML Integration
Verkada Command on both Android and iOS supports login through SAML.
Within the email address field, enter the email of the user in question and hit next. At this point, you will be redirected to your IDP (Azure AD) to complete the login process.
Setting up SCIM
Before we start, the following prerequisites need to be in place to ensure a successful integration:
Organization ID - This is the unique identifier for your Verkada Command organization.
Secret Token - This allows you to connect to our SCIM endpoint. It is unique to you, allowing us to map the Azure AD tenant to the correct Verkada Command organization. To generate the token, go to Admin -> SCIM and add the email domain. This generates the token, which is viewable only once. To generate a new token you will need to refresh it.
Please note the prerequisite: obtain the secret token before starting the setup.
To set up SCIM integration we are going to create another enterprise application within Azure AD.
Select the non-gallery application. On the getting started page, select Provision User Accounts:
On the provisioning page, set the Provisioning Mode to “Automatic”.
For the SCIM integration we need to configure a few key settings:
Admin Credentials require two values: the Tenant URL and Secret Token. The Tenant URL should be set as https://api.command.verkada.com/scim and the Secret Token can be obtained from support.
Once you have entered the Tenant URL and Secret Token, hit Test Connection in order to verify the connectivity to our SCIM endpoint.
If everything is correct the connection test should succeed as above.
Once a connection to Verkada Command has been established the Mapping section will populate with two mappings, one for Groups and one for Users.
There are some changes we need to make to the default mappings suggested by Azure AD. Custom mappings have to be added to match the screenshots below for the customappsso column. These can be added by selecting "Provision Azure Active Directory Groups" and "Provision Azure Active Directory Users" in the blue text under the Mappings section.
Start with the group mapping section and configure the mapping to match the below image:
The user mappings should look like the below image:
Once finished with the mappings, adjust the scope to the required options, either "Sync all users and groups" or "Sync only assigned users and groups" depending on the requirements. If selecting the second option, ensure users and groups are assigned to the enterprise application under the "Users and Groups" section. Those that are assigned will be the ones provisioned and become present in Verkada Command.
Make sure provisioning is set to On. Once the initial provisioning cycle has completed, you should see the total number of users and groups that were provisioned successfully.
On Verkada Command you should be able to see these users and groups populated with the "Externally Managed" tag associated.
These synchronized users and groups can now be used in Verkada Command and assigned permissions to control access to the Command platform.
Further information on permissions in Verkada Command can be found in the following articles: