Before you begin
Configure Single Sign-On OIDC
Verkada currently only supports Okta and Microsoft Entra ID (Azure AD) identity providers for Single Sign-On with OIDC. For a detailed setup guide, refer to OIDC based SSO for Okta.
OIDC SSO must be enabled in your organization to enable ECE.
Update Command mobile app
To ensure a smooth user experience, ask all users in your organization to update their Verkada Command mobile app. The app updates automatically unless auto-update is disabled. This step is required only for users of the Command mobile app.
iOS: Verkada Command
Android: Verkada Command
There is no need to update the Verkada Pass app.
Enable ECE
In Verkada Command, go to All Products > Admin
. In the left navigation, select Privacy & Security
> Enterprise Controlled Encryption.Click Get Started.
Under Generate Key:
Click Generate Key
Download the encryption key.
Click Continue.
Under Verify:
Click Logout and Test.
If the test is successful, you will be redirected to this page.
Click Continue.
Under Enroll Devices:
Click Select Devices and choose the devices to enroll in ECE.
Note: We recommend choosing Select All Devices to ensure you have the additional security and data protection for your entire fleet.
Click Enroll Devices.
Example template of the encryption key file:
File name: <command-org-name>_org_secret.txt
Format:
<display-name / variable-name>
<encryption-key>
Add Encryption Key to Identity Provider
ECE is currently only supported on Okta and Microsoft Entra ID (Azure AD). Follow the steps below based on your identity provider.
Okta
Okta
Log in your Okta admin account.
On the left, click Directory.
Click Profile Editor.
Open Verkada SSO OIDC User.
Select Add Attribute.
Add the Display name and Variable name (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.
Click Save.
Select Mappings.
Click Okta User to Verkada SSO OIDC.
Copy the <encryption-key> value (the second value) in the downloaded “<org_name>_org_secret.txt” file (including the quotation marks).
At the bottom of the Mappings page, paste the <encryption-key> into the text box corresponding to the new variable just added above.
Click on the icon in the middle between the <encryption-key> and <variable-name>, and select Apply mapping on user create and update.
Click Save Mappings then Apply updates now.
Refer to Add Custom Profile Attributes if you run into issues editing the profile.
Microsoft Entra ID (Azure AD)
Microsoft Entra ID (Azure AD)
Log in to your Azure portal.
Search for and select App registrations.
Select Verkada SSO OIDC.
Note: If you do not see this app, go to All applications.
On the left, click Manage > App roles.
Click Create app role.
Add the Display name and Description (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.
Under Allowed member types select Users/Groups.
Under Value enter <display-name>:<encryption-key> (second value) in the downloaded “<org_name>_org_secret.txt” file. Do not copy the quotes for the encryption key.
Click Apply.
On the left, click on Manage Token > Configuration.
Click Add groups claim.
Select Security groups as the group type.
Select Emit groups as role claims as the ID.
Click Add.
On the left side, click on Manage > Authentication.
Under Implicit grant and hybrid flows, select both ID tokens and Access tokens.
Click Save.
On the left, click on Manage > Manifest.
Verify Manifest for Optional Claims looks like this:
Note: You must see idToken.additionalProperties.emit_as_roles.
Assign the users to the new role. Only these users will be able to access Verkada Command.
Search for and select Microsoft Entra ID.
On the left, click Manage > Enterprise applications.
Need more help? Contact Verkada Support.