SAML Integration

Client ID

The first step is to grab your Client ID.

Go to Admin > Privacy & Security > Single Sign-On (SSO) Configuration.

Next, begin the setup.

Click the Copy button to copy your Client ID. Remember this Client ID for future use as it is used many times. In my organization, my Client ID is cto. In most cases, the Client ID is the same as the organization's short name.

Creating your Verkada App

Next, we'll begin working in JumpCloud. Navigate to your dashboard, and click SSO to view your SSO applications. Then, hit the plus icon to create a new application.

Click Custom SAML App.

Now, name your application something relevant to Verkada, add a description and change the icon if you desire. When you're finished, click the SSO menu at the top.

Now, configure the IdP Entity ID, SP Entity ID, and ACS URL to match this format: https://vauth.command.verkada.com/saml/sso/<client-ID> where the <client-ID> is replaced by your Client ID as found earlier. In my application, cto is my Client ID.

Now, scroll down and click the drop-down to set your SAML Subject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Make sure the Sign Assertion box is checked.

Set the Login URL to https://vauth.command.verkada.com/saml/login/<client-ID> where the <client-ID> is replaced by your Client ID as found earlier. In my application, cto is my Client ID.

Make sure the Declare Redirect Endpoint box is checked.

SAML Attributes

Next, scroll down further and fill out the attributes. Click the add attribute button three times to open three attribute fields. Enter the information exactly as shown, as it is case-sensitive. An accompanying screenshot is below for reference.

Service Provider Attribute Name | JumpCloud Attribute Name
firstName | firstname
lastName | lastname
email | email

Next, click User Groups and confirm the groups you wish to enable SSO access for are checked. In my JumpCloud instance, I only have one group called All Users, so I'll be enabling this group access to my Verkada application. Following this, you can activate your application.

Confirm your activation.

Export XML Metadata

Once activated, click back into the application to download your XML metadata file.

Next, click SSO and export the JumpCloud Metadata by pressing the Export Metadata button.

Save the exported file. Name it something relevant if you'd like.

Upload XML Metadata

Now, navigate back to Verkada Command, and upload your XML metadata file.

Once this file is uploaded, click Add Domain to add the FQDN that your users log in with. Click the checkbox to save the domain. You can repeat this process for multiple domain names.

Now, we can run the login test. It is expected behavior that the page refreshes to your IdP's authentication page (if you're not already authenticated), then bounces back to Verkada Command. If the test is successful, you'll see the success message as displayed in the video below!

Now you're finished! If you wish, you can enable Require SSO to force users to SSO instead of logging in through Command.

Make sure the users who will sign in with SSO are already provisioned in Command, whether through SCIM or by creating their accounts manually. Otherwise, SSO will not work.

Your users will have a few ways to log in using SSO. They can make use of the JumpCloud User Console (IdP-initiated flow), or they can choose SSO when logging in through Command (SP-initiated flow).

Here's the JumpCloud User Console:

Or, here's the option to use SSO when following the login process on Command:
