Depending on your use case, Verkada Command has the ability to integrate with Azure Active Directory (AD), amongst other Identify Providers [IdPs], in the following capacities:
Security Assertion Markup Language (SAML)
System for Cross-Domain Identity Management (SCIM)
SAML handles the authentication side of things allowing Azure AD to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrates into your Azure AD tenant. This means that you can incorporate Command into your existing identity framework and authorize users based on your current policies.
SCIM allows you to leverage your existing users and groups already present in Azure AD and synchronize these with Command. This allows you to retain the current central IdP, and configure permissions in Command using your existing users and groups.
Set up SCIM in Azure AD
Before you configure SCIM in Azure AD, you need to generate your secret token from Command:
Go to All Products > Admin > Privacy & Security > SCIM Configuration.
Add the email domain. This generates the token, which is only viewable once. To generate a new token, you need to refresh it.
Click Add Domain, type all relevant email domains you plan to use with SCIM, and then click Copy for later use. If you did not copy your token and it is not visible, click Refresh to generate a new token.
From the Azure AD homepage, select Enterprise applications > New application > Create your own application.
Select the non-gallery application, name the application, and click Create.
Under Provision User Accounts, click Get started (twice).
On the provisioning page:
a. Set the Provisioning Mode to Automatic.
b. Set the Tenant URL as:
For US orgs: https://api.command.verkada.com/scim
For EU orgs: https://scim.prod2.verkada.com/scim
Note: To confirm which region you're located, please refer to where your organization was created for Verkada.
Fill in your previously-generated secret token.
Click Test Connection. You should see a confirmation that the SCIM connection is successful.
Click Save to continue. (The attribute mappings do not appear if you do not click Save.)
Configure attributes for Azure AD groups
Click to expand the Mappings dropdown, then select Provision Azure Active Directory Groups.
To adhere to Azure AD default mapping suggestions, you need to add custom mappings for the customappsso column:
(Optional) If you need to add a mapping:
Click Save and confirm changes, if necessary.
At the top of the page, select Provisioning to return to the Provisioning page.
Configure attributes for Azure AD users
Select Provision Azure Active Directory Users to make changes to the user mappings.
Configure your mappings to match the screenshot or the data table (as shown below). The Switch attribute is added as an Expression mapping type.
Note: If any of the customappsso attributes are not available as a Target Attribute, you may need to add them to your Azure AD platform as an option. To do so, check the Show advanced options box and click Edit attribute list for customappsso.
Note: SCIM-managed users no longer have the option to edit their phone number in Command; instead, only provision via SCIM. On the IDP side, you can set up your attribute mapping such that any field in your IDP instance maps to the
phone numberfield in Command. You can also set it up such that the
nofield in the IDP maps to the
phone numberfield in Command. However, even in that case, phone numbers continue to be a
lockedfield in Command and can only be edited through SCIM. If you have questions or need further assistance, contact Verkada Support.
Add employeeNumber, department, and organization > click Save. Do not edit existing attributes.
Click Save, confirm your changes, and at the top of the page, select Provisioning to return to the Provisioning page.
Once finished with the mappings, toggle on the Provisioning Status.
Depending on the requirements, adjust the scope to one of the required options:
Sync all users and groups
Sync only assigned users and groups. Ensure users and groups are assigned to the enterprise application under Users and Groups. Those that are assigned are the ones provisioned and become present in Command.
Verify that the provisioning is set to On, and that users are assigned to the application.
Once the initial provisioning cycle has elapsed:
You should see the total number of users and groups that have been provisioned successfully.
In Command, you should be able to see these users and groups populated with the SCIM Managed tag associated. These synchronized users and groups can now be used in Command and assigned to permissions to control access to the Command platform.
Need more help? Contact Verkada Support