- \n
- A JumpCloud administrator account<\/li>\n\n\n\n
- JumpCloud SSO Package or higher or SSO \u00e0 la carte option<\/li>\n\n\n\n
- An Organization Admin<\/a> of the organization where you want to configure SSO<\/li>\n\n\n\n
- Verkada Client ID<\/a><\/li>\n<\/ul>\n\n\n\n
Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- Updating usernames (emails) does not take effect in Verkada Command. If a username is to be changed, please unassign the user from the SCIM app, then re-add them to the app for the change to take effect<\/li>\n\n\n\n
- When the authentication token is generated for an organization, the expected email domains are tied to it. If the user is outside of the email domains provided when the token was created, this will cause the user to be unable to be created<\/li>\n\n\n\n
- Users can only be added\/removed from SCIM managed groups through SCIM, not through Command<\/li>\n\n\n\n
- We can only update
Active<\/code> user attribute as Verkada supports OnlyPATCH<\/code>, changes made to other user details like Firstname, LastName, etc., will not get updated in Verkada<\/li>\n\n\n\n- If you need to update your token, you must deactivate the IdM integration<\/a>, update the token, and then reactivate the IdM integration<\/li>\n\n\n\n
- Groups are supported<\/li>\n<\/ul>\n\n\n\n
Attribute Considerations<\/strong><\/p>\n\n\n\n
- \n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details<\/li>\n<\/ul>\n\n\n\n
Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nIf this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure JumpCloud<\/strong><\/h3>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Replace any instances of YOUR_CLIENT_ID with your Verkada ID.<\/li>\n\n\n\n
- Add or change any desired attributes.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Download the JumpCloud metadata<\/strong> file<\/strong><\/h4>\n\n\n\n
- \n
- Find your application in the Configured Applications<\/strong> list and click anywhere in the row to reopen its configuration window.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click Export Metadata<\/strong>.<\/li>\n\n\n\n
- The JumpCloud-<applicationname>-metadata.xml<\/strong> will be exported to your local Downloads <\/strong>folder.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nMetadata can also be downloaded from the Configured Applications<\/strong> list. Search for and select the application in the list and then click Export Metadata<\/strong> in the top right corner of the window.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure Verkada Command<\/strong><\/h3>\n\n\n\n
- \n
- Sign in to Verkada company site as an administrator.<\/li>\n\n\n\n
- Go to Verkada Command > All Products ><\/strong> Admin<\/strong>.<\/li>\n\n\n\n
- Under Privacy & Security > Authentication & User management<\/strong>, select Single Sign-On (SSO) Configuration<\/strong>.<\/li>\n\n\n\n
- Select Begin Setup<\/strong>.\n
- \n
- You should see your client ID and the fields that you entered into your IdP.\n
- \n
- For Client ID<\/strong>:
For US orgs: https:\/\/vauth.command.verkada.com\/saml\/sso\/<client-id><\/a>
For EU orgs: https:\/\/saml.prod2.verkada.com\/saml\/sso<\/a>\/<client-id><\/a><\/li>\n\n\n\n- For Reply ID<\/strong>:
For US orgs: https:\/\/vauth.command.verkada.com\/saml\/sso\/<client-id><\/a>
For EU orgs: https:\/\/saml.prod2.verkada.com\/saml\/sso<\/a>\/<client-id><\/a><\/li>\n\n\n\n- For Sign-on URL<\/strong>:
For US orgs: https:\/\/vauth.command.verkada.com\/saml\/login\/<\/a><client-id><\/a>
For EU orgs: https:\/\/saml.prod2.verkada.com\/saml\/login<\/a>\/<client-id><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n- In Identity Provider XML Metadata<\/strong>, click Upload New XML<\/strong>.<\/li>\n\n\n\n
- Browse to and select the metadata file downloaded in the previous section.<\/li>\n\n\n\n
- When the file is uploaded, click Add Domain<\/strong> to add the Fully Qualified Domain Name (FQDN) that your users log in with.<\/li>\n\n\n\n
- Type the domain name and press Enter<\/strong> to save. You can repeat this process for multiple domain names.<\/li>\n\n\n\n
- Click Run the login test<\/strong>. It is expected behavior that the page refreshes to your IdP’s authentication page. If you’re not already authenticated, then it bounces back to Command. If the test is successful, you should see a success message.<\/li>\n\n\n\n
- (Optional) You can enable Require SSO <\/strong>to force users to SSO instead of logging in via Command.<\/li>\n<\/ol>\n\n\n\n
Using JIT Provisioning<\/strong><\/h2>\n\n\n\n
Additional attributes are required to use JIT provisioning. JIT required attributes are prepopulated and are on by default to enable JIT provisioning. You can\u2019t edit the JIT required service provider attributes. You can customize the JumpCloud attribute name and the constant value for JIT required attributes. Toggle off the attributes to opt out of sending the attributes in the SAML assertion<\/p>\n\n\n\n
To complete the provisioning process<\/strong><\/h3>\n\n\n\n
- \n
- Authorize a user\u2019s access to the application in JumpCloud. <\/li>\n\n\n\n
- Have the user log in to the application using SSO. The SAML assertion passes from JumpCloud to the service provider, and gives the service provider the information it needs to create the user account.<\/li>\n<\/ol>\n\n\n\n
Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration<\/strong> panel or from the Groups Configuration<\/strong> panel. <\/p>\n\n\n\n
To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the <\/a>JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Select the User Groups<\/strong> tab. If you need to create a new group of users, see Get Started: User Groups<\/a>.<\/li>\n\n\n\n
- Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To learn how to authorize user access from the Groups Configuration<\/strong> panel, see Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n
Validating SSO authentication workflow(s)<\/strong><\/h2>\n\n\n\n
IdP-initiated<\/strong><\/h3>\n\n\n\n
- \n
- Access the JumpCloud User Console<\/a><\/li>\n\n\n\n
- Select the application’s tile<\/li>\n\n\n\n
- The application will launch and login the user<\/li>\n<\/ul>\n\n\n\n
SP-initiated<\/strong><\/h3>\n\n\n\n
- \n
- Navigate to your Service Provider application URL<\/li>\n\n\n\n
- You will be redirected to log in to the JumpCloud User Portal<\/li>\n\n\n\n
- The browser will be redirected back to the application and be automatically logged in<\/li>\n<\/ul>\n\n\n\n
Configuring the Identity Management Integration<\/strong><\/h2>\n\n\n\n
To configure Verkada Command<\/strong><\/h3>\n\n\n\n
- \n
- In Verkada Command, go to All Products > Admin<\/strong> page.<\/li>\n\n\n\n
- Select Privacy & Security<\/strong> > SCIM Configuration<\/strong> to manage the SCIM configuration.<\/li>\n\n\n\n
- Click Add Domain<\/strong> and enter the desired email domains.<\/li>\n\n\n\n
- (Optional) Toggle off Send Email Invites <\/strong>if you do not want users to receive an email invite when their account is created.<\/li>\n\n\n\n
- The newly generated SCIM token displays.<\/li>\n\n\n\n
- Copy it to your clipboard.<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>Warning:<\/strong> \nThe Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the JumpCloud Password Manager<\/a>, for future reference.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure JumpCloud<\/strong><\/h3>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the Identity Managemen<\/strong>t tab.<\/li>\n\n\n\n
- Click Configure<\/strong>.<\/li>\n\n\n\n
- In the Token Key<\/strong> field, paste the SCIM token<\/strong> from the previous section.<\/li>\n\n\n\n
- Click Activate<\/strong>.<\/li>\n\n\n\n
- You can now connect user groups to the application in JumpCloud to provision the members of that group in Verkada. Learn how to Authorize Users to an Application<\/a>.<\/li>\n<\/ol>\n\n\n\n
Attribute Mappings<\/strong><\/h2>\n\n\n\n
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations<\/a> for more information regarding attribute mapping considerations. <\/p>\n\n\n\n
- Select the Identity Managemen<\/strong>t tab.<\/li>\n\n\n\n
- Select Privacy & Security<\/strong> > SCIM Configuration<\/strong> to manage the SCIM configuration.<\/li>\n\n\n\n
- In Verkada Command, go to All Products > Admin<\/strong> page.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Log in to the <\/a>JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- For Reply ID<\/strong>:
- For Client ID<\/strong>:
- Under Privacy & Security > Authentication & User management<\/strong>, select Single Sign-On (SSO) Configuration<\/strong>.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click Export Metadata<\/strong>.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- If successful, click:\n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- If you need to update your token, you must deactivate the IdM integration<\/a>, update the token, and then reactivate the IdM integration<\/li>\n\n\n\n
- Verkada Client ID<\/a><\/li>\n<\/ul>\n\n\n\n