Verkada Command has the ability to integrate with JumpCloud (amongst other IdPs) in two capacities, depending on the use case:

  • SAML (Security Assertion Markup Language)

  • SCIM (System for Cross-Domain Identity Management)

SAML handles the authentication side of things, allowing JumpCloud to be used to manage access to Verkada Command.

SCIM, on the other hand, allows you to leverage the users and groups already present in JumpCloud and synchronize them with Verkada Command. This lets you retain your current central identity provider and use your existing users and groups in Verkada Command to control access to the platform.

SAML Integration

Client ID

The first step is to grab your Client ID.

Go to Admin > Privacy & Security > Single Sign-On (SSO) Configuration.

Next, begin the setup.

Click the Copy button to copy your Client ID. Remember this Client ID for future use as it is used many times. In my organization, my Client ID is cto. In most cases, the Client ID is the same as the organization's short-name.

Creating your Verkada App

Next, we'll begin working in JumpCloud. Navigate to your dashboard, and click SSO to view your SSO applications. Then, hit the plus icon to create a new application.

Click Custom SAML App.

Now, name your Application something relevant to Verkada, add a description and change the icon if you desire. When you're finished, click the SSO menu at the top.

Now, configure the IdP Entity ID, SP Entity ID, and ACS URL to match this format: https://vauth.command.verkada.com/saml/sso/<client-ID> where the <client-ID> is replaced by your Client ID as found earlier. In my application, cto is my Client ID.

Now, scroll down and click the drop-down to set your SAML Subject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Make sure the Sign Assertion box is checked.

Set the Login URL to https://vauth.command.verkada.com/saml/login/<client-ID> where the <client-ID> is replaced by your Client ID as found earlier. In my application, cto is my Client ID.

Make sure the Declare Redirect Endpoint box is checked.

SAML Attributes

Next, scroll down further and fill out the attributes. Click the add attribute button three times to open three attribute fields. Enter the information exactly as shown, as it is case sensitive. An accompanying screenshot is below for reference.

| Service Provider Attribute Name | JumpCloud Attribute Name |
| --- | --- |
| firstName | firstname |
| lastName | lastname |
| email | email |

The accompanying screenshot:

Next, click User Groups and confirm the groups you wish to enable SSO access for are checked. In my JumpCloud instance, I only have one group called All Users, so I'll be enabling this group access to my Verkada application. Following this, we can activate our application!

Confirm your activation.

Export XML Metadata

Once activated, click back into the application to download your XML metadata file.

Next, click SSO and export the JumpCloud Metadata by pressing the Export Metadata button.

Save the exported file. Name it something relevant if you'd like.

Upload XML Metadata

Now, navigate back to Verkada Command, and upload your XML metadata file.

Once this file is uploaded, click Add Domain to add the FQDN that your users log in with. Click the checkbox to save the domain. You can repeat this process for multiple domain names.

Now, we can run the login test. It is expected behavior that the page refreshes to your IdP's authentication page (if you're not already authenticated), then bounces back to Verkada Command. If the test is successful, you'll see the success message as displayed in the video below!

Now you're finished! If you wish, you can enable Require SSO to force users to SSO instead of logging in through Command.

Make sure users who sign in with SSO are already provisioned in Command, whether through SCIM or by creating their accounts manually; otherwise SSO will not work.

Your users will have a few ways to log in using SSO. They can make use of the JumpCloud User Console (IdP initiated flow), or they can choose SSO when logging in through Command (SP initiated flow).

Here's the JumpCloud User Console:

Or, here's the option to use SSO when following the login process on Command:

Interested in integrating SCIM? Keep reading below!

SCIM Integration

Go to Admin > Privacy & Security > SCIM Configuration

Next, click Add Domain to add the FQDN of your users' email accounts. Click the checkbox to save the domain. You can repeat this process for multiple domain names.

Note! You must add jumpcloud.com during this process. JumpCloud will test the SCIM configuration later and will not let you activate your SCIM application if you do not do so. Once the test is done, you can remove this domain.

Now, your SCIM token will be generated. Click the Copy button to copy your token.

Next, navigate to your JumpCloud dashboard, click SSO, and then open your existing application. If you haven't created a Verkada application in JumpCloud yet, follow the Creating your Verkada App section earlier in this article first.

Then, jump to Identity Management, and fill in the following information.

Set the Base URL to http://api.command.verkada.com/scim

Set the Token Key to the token you copied from Command earlier.

Then, click the test connection button.

If the test is successful, you'll see the popup appear.

Next, scroll down to the bottom of this section and click the test button. This test will create a test user and group, then the group will be removed and the user will be deleted. This ensures your application runs successfully.

If it works as expected, click activate, then click save.

Now you should have a successful SCIM integration. Make sure your users and groups in JumpCloud are assigned to this Verkada application. Then, refresh your page on Command and watch the users provision! You'll see users are Externally Managed when they're provisioned correctly.

Thanks for reading!
