Before you begin
To integrate Security Assertion Markup Language (SAML), you must first generate a client ID.
How it works
Step 1: Set up SSO
In Verkada Command, go to All Products > Admin > Privacy & Security > Authentication & User Management.
Click Add New to set up single sign-on (SSO).
Step 2: Create your Verkada app
Navigate to your JumpCloud dashboard and click SSO to view your SSO applications.
Click the plus (+) icon to create a new application.
Click Custom SAML App.
Name your application, add a description, and (optionally) change the icon. Use a name relevant to Verkada.
When you're finished, at the top menu, select SSO, and click activate.
Configure the IdP Entity ID, SP Entity ID, and ACS URL as follows:
For IdP Entity ID:
For US orgs: https://vauth.command.verkada.com/saml/sso
For EU orgs: https://saml.prod2.verkada.com/saml/sso
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso
For SP Entity ID:
For US orgs: https://vauth.command.verkada.com/saml/sso
For EU orgs: https://saml.prod2.verkada.com/saml/sso
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso
For Sign on URL:
For US orgs: https://vauth.command.verkada.com/saml/login
For EU orgs: https://saml.prod2.verkada.com/saml/login
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/login
Alternatively, you can copy the fields from Command.
Note: To confirm which region you're located in, refer to where your organization was created for Verkada.
Click activate.
Scroll down and select the dropdown to set your SAML Subject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
Check the Sign Assertion box, if not done already.
Set the Login URL, replacing <client-ID> with your previously generated client ID (in this application example, cto is the client ID):
For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>
Note: To confirm which region you're located in, refer to where your organization was created for Verkada.
Check the Declare Redirect Endpoint box, if not done already, and click activate.
Step 3: Configure SAML attributes
Scroll down further and click add attribute THREE times to open 3 attribute fields.
Type the information exactly as it appears in the screen below; it is case-sensitive.
Select User Groups and confirm the groups you want to enable SSO access for are checked. In this JumpCloud instance, there is only one group named All Users.
Click activate to enable this group access to your Verkada application.
Click activate > confirm to complete your new SSO connector instance.
Step 4: Export XML metadata
Once activated, go back to the featured application to download your XML metadata file.
Select SSO and click Export Metadata to export the JumpCloud Metadata file.
Save the exported file, give it a relevant name, and click OK > Save.
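Before the upload in Step 5, the exported file can be checked against the values set in Step 2. The following is an added example, not Verkada or JumpCloud code; it assumes the export is standard SAML 2.0 metadata whose entityID carries the IdP Entity ID configured above, and the sample XML at the end is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# IdP Entity ID per region, as listed in Step 2 of this page.
IDP_ENTITY_ID = {"US": "https://vauth.command.verkada.com/saml/sso",
                 "EU": "https://saml.prod2.verkada.com/saml/sso",
                 "AUS": "https://saml.prod-ap-syd.verkada.com/saml/sso"}

def check_metadata(xml_text, region):
    """Return (problems, sha256 fingerprints of signing certs)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: not IdP metadata"], []
    problems, prints = [], []
    if root.get("entityID") != IDP_ENTITY_ID[region]:
        problems.append("entityID does not match the %s IdP Entity ID" % region)
    # Assumption: the export lists the configured NameID format; skip if absent.
    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    if formats and EMAIL_FMT not in formats:
        problems.append("NameIDFormat is not emailAddress")
    endpoints = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not endpoints or not all(u.startswith("https://") for u in endpoints):
        problems.append("missing or non-HTTPS SingleSignOnService endpoint")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # skip encryption-only keys
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        problems.append("no signing certificate")
    return problems, prints

# Constructed sample: placeholder cert bytes and a made-up SSO host.
SAMPLE_DER = b"constructed-placeholder-certificate"
SAMPLE = """<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}" entityID="{eid}">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>{fmt}</md:NameIDFormat>
  <md:SingleSignOnService Location="https://idp.example.invalid/saml2/verkada"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>""".format(
    eid=IDP_ENTITY_ID["US"], fmt=EMAIL_FMT, cert=base64.b64encode(SAMPLE_DER).decode(), **NS)
print(check_metadata(SAMPLE, "US"))
```

The returned fingerprint can be compared with the certificate shown in the JumpCloud application, so that the file uploaded to Command carries the signing key you expect.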
Step 5: Upload XML metadata
Go to Command and upload your IdP XML metadata file.
When the file is uploaded, click Add Domain to add the Fully Qualified Domain Name (FQDN) that your users log in with.
Type the domain name and press Enter to save. You can repeat this process for multiple domain names.
Run the login test. It is expected behavior that the page refreshes to your IdP's authentication page. If you're not already authenticated, then it bounces back to Command. If the test is successful, you should see a success message.
(Optional) You can enable Require SSO to force users to log in through SSO instead of logging in via Command.
Step 6: Ensure your SSO users are provisioned (optional)
Note: Make sure your users using SSO are already provisioned in Command, whether you use SCIM or you create their accounts manually; otherwise, SSO does not work.
To log in using SSO:
Your users can access the JumpCloud User Console (IdP-initiated flow).
Choose single sign-on via Command (Service Provider [SP]-initiated flow).