Verkada Command can integrate with ADFS (among other identity providers) so that your users log in with their existing Active Directory credentials.
SAML is the language that allows ADFS to securely communicate to Verkada Command whether or not a user should be granted access to your organization. Please note that SAML does not add or invite users to your organization; it simply allows those users who are already invited to your organization to log in with their AD credentials, rather than with a username and password managed by Verkada. If you are interested in syncing domain users and groups to Command, please see more information about SCIM.
Step 1: Open AD FS Management
Step 2: Click Action > Add Relying Party Trust
Step 3: Click Start
Step 4: Select Enter data about the relying party manually
Step 5: The Display name can be anything
Step 6: Click Next
Step 7: Select Enable support for the SAML 2.0 WebSSO protocol and enter https://vauth.command.verkada.com/saml/sso/clientID into the Relying party SAML 2.0 SSO service URL field, replacing clientID with your organization's domain name (excluding the top level domain; the client ID for example.com would be example)
Step 8: Enter the same URL from the previous step into the Relying party trust identifier field and click Add
Step 9: Configure an appropriate access control policy for this application
Step 10: Click Next
Step 11: Click Close
Step 12: Right-click on the newly-created Relying Party Trust and select Edit Claim Issuance Policy
Step 13: Click Add Rule
Step 14: Ensure Send LDAP Attributes as Claims is selected and click Next
Step 15: Enter a Claim rule name (which can be anything), ensure that Active Directory is selected under Attribute store, and configure the following LDAP Attributes to map to the proper Outgoing Claim Type:
- E-Mail-Addresses > E-Mail Address
- Given-Name > Given Name
- Surname > Surname
Step 16: Add another rule, this time selecting Transform an Incoming Claim under Claim rule template
Step 17: Enter a Claim rule name (this can be anything), select E-Mail Address next to Incoming claim type, select Name ID next to Outgoing claim type, select Transient Identifier next to Outgoing name ID format, and ensure that Pass through all claim values is selected
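The same configuration (steps 2 through 17) can be scripted with the ADFS PowerShell module, which is useful when you want the relying party trust and its claim rules to be reproducible and reviewable rather than clicked through. The script below is an added example; it is not Verkada's or Microsoft's code. It assumes a client ID of example (replace it with your own from step 7), that it runs in an elevated session on the AD FS server, and that an access control policy named "Permit everyone" exists (substitute the policy your organization actually requires in step 9). The claim rule text mirrors what the wizard generates for the two templates named in steps 14 and 16.

```powershell
# Added example (not Verkada's or Microsoft's code): steps 2-17 via the ADFS module.
# Assumptions: client ID "example", policy "Permit everyone" exists, elevated session.
Import-Module ADFS

$clientId = 'example'   # your domain name without the top-level domain (step 7)
$rpUrl    = "https://vauth.command.verkada.com/saml/sso/$clientId"

# Step 15: "Send LDAP Attributes as Claims" mapping mail, givenName and sn.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Verkada LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Steps 16-17: "Transform an Incoming Claim", E-Mail Address -> Name ID (transient format).
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email to transient Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Steps 7-8: the SAML 2.0 WebSSO endpoint and the relying party identifier are the same URL.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $rpUrl

# Steps 2-11: create the relying party trust with both claim rules attached.
Add-AdfsRelyingPartyTrust -Name 'Verkada Command' `
    -Identifier $rpUrl `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -AccessControlPolicyName 'Permit everyone'   # step 9: use the policy your organization requires

# Review the result before sending metadata to Verkada (step 19).
Get-AdfsRelyingPartyTrust -Name 'Verkada Command' |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Keeping the two rule strings under version control lets you diff the claim issuance policy later, which is the easiest way to spot an unintended change to which attributes leave your directory.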
Step 18: Go to https://<your ADFS server>/FederationMetadata/2007-06/FederationMetadata.xml to download your XML metadata file. Please do not use Internet Explorer to complete this step; using Internet Explorer may cause issues with the XML file.
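Because a browser can alter the metadata file on download (the reason for the Internet Explorer caveat above), it is worth fetching it directly and checking it before sending it on. The following is an added example, not Verkada's code; it assumes your AD FS hostname is adfs.example.com and writes the file to the desktop, both of which you should change. It confirms the file parses as XML, carries an entityID, and contains at least one IdP signing certificate, and it prints each certificate's thumbprint and expiry so you can confirm it is the one you expect.

```powershell
# Added example (not Verkada's code): download and sanity-check the federation metadata.
# Assumptions: $adfsHost is your AD FS hostname; $outFile is an arbitrary local path.
$adfsHost = 'adfs.example.com'
$outFile  = "$env:USERPROFILE\Desktop\FederationMetadata.xml"
$uri      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Fetch without a browser so nothing rewrites or re-encodes the XML.
Invoke-WebRequest -Uri $uri -OutFile $outFile -UseBasicParsing

# A file mangled in transit fails to parse here rather than at Verkada's end.
[xml]$metadata = Get-Content -Path $outFile -Raw

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entityId = $metadata.DocumentElement.GetAttribute('entityID')
$signing  = $metadata.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)

if (-not $entityId -or $signing.Count -eq 0) {
    throw "Metadata is missing the entityID or the IdP signing certificate; re-download it with a different client."
}

"Entity ID: $entityId"
foreach ($node in $signing) {
    # Decode the base64 DER blob so the thumbprint and validity window can be checked.
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    "Signing certificate {0} valid until {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter
}
```

Note the expiry date: AD FS rolls its token-signing certificate automatically by default, and when it does, the relying party will need the updated metadata, so a login failure shortly after that date is the first thing to check.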
Step 19: Send a copy of the Federation Metadata XML file to Verkada Support who will be able to complete the integration process. Please email [email protected] with this information along with the client ID (from step 7) and the email domain(s) that your organization uses.
Step 20: Once the integration is complete, please test it by opening an Incognito/Private Browsing window and visiting https://vauth.command.verkada.com/saml/login/clientID, replacing clientID with your Client ID from step 7. You should be taken to your ADFS login page. Please attempt to sign in using your credentials. If you are then taken to your Command organization, congratulations, the SAML integration was a success! If you see an error presented to you, please contact Verkada Support for further assistance.