SAML Integration

Client ID

The first step is to grab your Client ID:

Go to Admin > Privacy & Security > Single Sign-On (SSO) Configuration.

Next, begin the setup.

Select the Copy button to copy Your Client ID. Remember this Client ID for future use as it is used many times. In this organization, the Client ID is 'cto'. In most cases, the Client ID is the same as the organization's short name.

Creating your Verkada App

Next, we'll begin working in JumpCloud. Navigate to your dashboard, and click SSO to view your SSO applications. Then, select the plus icon to create a new application.

Select Custom SAML App.

Now, name your application something relevant to Verkada, add a description and change the icon if you desire. When you're finished, select the SSO menu at the top.

Now, configure the IdP Entity ID, SP Entity ID, and ACS URL to match this format: https://vauth.command.verkada.com/saml/sso/<client-ID> where the <client-ID> is replaced by your Client ID as found earlier. In this application, 'cto' is the Client ID.

Now, scroll down and select the drop-down to set your SAML Subject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Make sure the Sign Assertion box is checked.

Set the Login URL to https://vauth.command.verkada.com/saml/login/<client-ID> where the <client-ID> is replaced by your Client ID as found earlier. In this application example, 'cto' is the Client ID.

Make sure the Declare Redirect Endpoint box is checked.

SAML Attributes

Next, scroll down further and fill out the attributes. Click the add attribute button three times to open three attribute fields. Enter the names exactly as shown, because they are case-sensitive. An accompanying screenshot is below for reference.

| Service Provider Attribute Name | JumpCloud Attribute Name |
| --- | --- |
| firstName | firstname |
| lastName | lastname |
| email | email |

Next, select User Groups and confirm that the groups you wish to enable SSO access for are checked. In this JumpCloud instance, there is only one group, called All Users, so I'll be giving this group access to my Verkada application. Following this, you can activate your application.

Confirm your activation.

Export XML Metadata

Once activated, open the application again to download your XML metadata file.

Next, select SSO and export the JumpCloud Metadata by choosing the Export Metadata button.

Save the exported file. Name it something relevant if you'd like.

Upload XML Metadata

Now, navigate back to Verkada Command, and upload your XML metadata file.

Once this file is uploaded, select Add Domain to add the FQDN that your users log in with. Press enter after entering the domain for it to save. You can repeat this process for multiple domain names.

Now, we can run the login test. It is expected behavior that the page refreshes to your IdP's authentication page (if you're not already authenticated), then bounces back to Verkada Command. If the test is successful, you'll see the success message as displayed in the video below.

Now you're finished! If you wish, you can enable Require SSO to force users to SSO instead of logging in through Command.

Make sure the users who will sign in with SSO are already provisioned in Command, whether through SCIM or by creating their accounts manually. Otherwise, SSO will not work.

Your users will have a few ways to log in using SSO. They can use the JumpCloud User Console (IdP-initiated flow), or they can choose SSO when logging in through Command (SP-initiated flow).

Here's the JumpCloud User Console:

Or, here's the option to use SSO when following the login process on Command:
