Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- Email domains are verified and must be added to the list of domains in Verkada. If a user has an an email domain that does not match one of the domains in the allowed list in Verkada, the user will fail to be created if they don’t exist or updated if they already exist. <\/li>\n\n\n\n
- Users can only be added\/removed from SCIM managed groups through SCIM, not through Command<\/li>\n\n\n\n
- If you need to update your token, you must deactivate the IdM integration<\/a>, update the token, and then reactivate the IdM integration<\/li>\n\n\n\n
- Groups are supported<\/li>\n<\/ul>\n\n\n\n
Attribute Considerations<\/strong><\/p>\n\n\n\n
- \n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details<\/li>\n<\/ul>\n\n\n\n
Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nIf this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure JumpCloud<\/strong><\/h3>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Replace any instances of YOUR_CLIENT_ID with your Verkada ID.<\/li>\n\n\n\n
- Add or change any desired attributes.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Download the JumpCloud metadata<\/strong> file<\/strong><\/h4>\n\n\n\n
- \n
- Find your application in the Configured Applications<\/strong> list and click anywhere in the row to reopen its configuration window.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click Export Metadata<\/strong>.<\/li>\n\n\n\n
- The JumpCloud-<applicationname>-metadata.xml<\/strong> will be exported to your local Downloads <\/strong>folder.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nMetadata can also be downloaded from the Configured Applications<\/strong> list. Search for and select the application in the list and then click Export Metadata<\/strong> in the top right corner of the window.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure Verkada Command<\/strong><\/h3>\n\n\n\n
- \n
- Sign in to Verkada company site as an administrator.<\/li>\n\n\n\n
- Go to Verkada Command > All Products ><\/strong> Admin<\/strong>.<\/li>\n\n\n\n
- Under Privacy & Security > Authentication & User management<\/strong>, select Single Sign-On (SSO) Configuration<\/strong>.<\/li>\n\n\n\n
- Select Begin Setup<\/strong>.\n
- \n
- You should see your client ID and the fields that you entered into your IdP.\n
- \n
- For Client ID<\/strong>:
For US orgs: https:\/\/vauth.command.verkada.com\/saml\/sso\/<client-id><\/a>
For EU orgs: https:\/\/saml.prod2.verkada.com\/saml\/sso<\/a>\/<client-id><\/a><\/li>\n\n\n\n - For Reply ID<\/strong>:
For US orgs: https:\/\/vauth.command.verkada.com\/saml\/sso\/<client-id><\/a>
For EU orgs: https:\/\/saml.prod2.verkada.com\/saml\/sso<\/a>\/<client-id><\/a><\/li>\n\n\n\n - For Sign-on URL<\/strong>:
For US orgs: https:\/\/vauth.command.verkada.com\/saml\/login\/<\/a><client-id><\/a>
For EU orgs: https:\/\/saml.prod2.verkada.com\/saml\/login<\/a>\/<client-id><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n - In Identity Provider XML Metadata<\/strong>, click Upload New XML<\/strong>.<\/li>\n\n\n\n
- Browse to and select the metadata file downloaded in the previous section.<\/li>\n\n\n\n
- When the file is uploaded, click Add Domain<\/strong> to add the Fully Qualified Domain Name (FQDN) that your users log in with.<\/li>\n\n\n\n
- Type the domain name and press Enter<\/strong> to save. You can repeat this process for multiple domain names.<\/li>\n\n\n\n
- Click Run the login test<\/strong>. It is expected behavior that the page refreshes to your IdP’s authentication page. If you’re not already authenticated, then it bounces back to Command. If the test is successful, you should see a success message.<\/li>\n\n\n\n
- (Optional) You can enable Require SSO <\/strong>to force users to SSO instead of logging in via Command.<\/li>\n<\/ol>\n\n\n\n
Using JIT Provisioning<\/strong><\/h2>\n\n\n\n
Additional attributes are required to use JIT provisioning. JIT required attributes are prepopulated and are on by default to enable JIT provisioning. You can\u2019t edit the JIT required service provider attributes. You can customize the JumpCloud attribute name and the constant value for JIT required attributes. Toggle off the attributes to opt out of sending the attributes in the SAML assertion.<\/p>\n\n\n\n
To complete the provisioning process<\/strong><\/h3>\n\n\n\n
- \n
- Authorize a user\u2019s access to the application in JumpCloud. <\/li>\n\n\n\n
- Have the user log in to the application using SSO. The SAML assertion passes from JumpCloud to the service provider, and gives the service provider the information it needs to create the user account.<\/li>\n<\/ol>\n\n\n\n
Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration<\/strong> panel or from the Groups Configuration<\/strong> panel. <\/p>\n\n\n\n
To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n
- For Client ID<\/strong>:
- You should see your client ID and the fields that you entered into your IdP.\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Select the User Groups<\/strong> tab. If you need to create a new group of users, see Get Started: User Groups<\/a>.<\/li>\n\n\n\n
- Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To learn how to authorize user access from the Groups Configuration<\/strong> panel, see Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n
Validating SSO user authentication workflow(s)<\/strong><\/h2>\n\n\n\n
IdP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Access the JumpCloud User Console<\/a><\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- JumpCloud asserts the user’s identity to the SP and is authenticated without the user having to log in to the application<\/li>\n<\/ul>\n\n\n\n
SP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Go\u00a0to the SP application login – generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
This varies by SP.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials<\/li>\n\n\n\n
- After the user is logged in successfully, they are redirected\u00a0back to the SP and automatically logged in<\/li>\n<\/ul>\n\n\n\n
Configuring the Identity Management Integration<\/strong><\/h2>\n\n\n\n
To configure Verkada Command<\/strong><\/h3>\n\n\n\n
- \n
- In Verkada Command, go to All Products > Admin<\/strong> page.<\/li>\n\n\n\n
- Select Privacy & Security<\/strong> > SCIM Configuration<\/strong> to manage the SCIM configuration.<\/li>\n\n\n\n
- Click Add Domain<\/strong> and enter the desired email domains.<\/li>\n\n\n\n
- (Optional) Toggle off Send Email Invites <\/strong>if you do not want users to receive an email invite when their account is created.<\/li>\n\n\n\n
- The newly generated SCIM token displays.<\/li>\n\n\n\n
- Copy it to your clipboard.<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Warning:<\/strong> \n
The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the JumpCloud Password Manager<\/a>, for future reference.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure JumpCloud<\/strong><\/h3>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the Identity Managemen<\/strong>t tab.<\/li>\n\n\n\n
- Click\u00a0Configure<\/strong> and enter the following:\n
- \n
- Base URL<\/strong> – enter the URL for the region you selected when you created your command organization<\/a>:\n
- \n
- US orgs: https:\/\/api.command.verkada.com\/scim<\/a><\/li>\n\n\n\n
- EU orgs: https:\/\/scim.prod2.verkada.com\/scim<\/a><\/li>\n\n\n\n
- AUS orgs: https:\/\/scim.prod-ap-syd.verkada.com\/scim<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Token Key<\/strong> – paste the SCIM token<\/strong> from the previous section<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click Activate<\/strong>.<\/li>\n\n\n\n
- You can now connect user groups to the application in JumpCloud to provision the members of that group in Verkada. Learn how to Authorize Users to an Application<\/a>.<\/li>\n<\/ol>\n\n\n\n
Attribute Mappings<\/strong><\/h2>\n\n\n\n
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations<\/a> for more information regarding attribute mapping considerations. <\/p>\n\n\n\n
Learn about JumpCloud Properties and how they work with system users in our API<\/a>. <\/p>\n\n\n\n
\nVerkada User Attributes<\/h3>\n
\n \n\n \n \n \n \n \n \n \n \n \n \n
- Base URL<\/strong> – enter the URL for the region you selected when you created your command organization<\/a>:\n
- Go\u00a0to the SP application login – generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details<\/li>\n<\/ul>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\"){kind=icon}
<\/p><\/div>