Add Federated and SSO Authentication

    Add federated authentication with single sign-on (SSO) to your Couchbase Capella organization.

    To add federated and SSO authentication, you must create a realm in Capella. A realm manages the configuration of the link between Capella and your IdP. Each organization supports one realm.

    This page walks you through the process of creating a realm and configuring your IdP to add federated and SSO authentication to your organization.

    Access and Enable SSO Settings

    You can manage federated and SSO authentication from the SSO page in your organization’s settings.

    You are only able to see the SSO page if you have the Organization Owner role in your organization.
    1. Navigate to the SSO page in Organization Settings:

      1. In the Capella UI, on the navigation bar, click the Settings tab.

      2. In the navigation menu, click SSO.

    2. Enable SSO:

      If not already enabled, enable federated and SSO authentication options by contacting Couchbase. You can do this automatically through the SSO page.

      1. On the SSO page, click Enable SSO.

      2. In the Enable SSO dialog box, click Create Support Ticket.

        The SSO page remains unchanged until support enables SSO for your organization.

    Configure Federated and SSO Authentication

    While you can configure Capella with other SAML identity providers, Couchbase provides instructions and support for Microsoft Entra ID, Okta, Ping Identity, CyberArk, Google Workspace, and OneLogin.

    Choose the tab corresponding to your IdP.

    • Entra ID

    • Okta

    • Ping

    • CyberArk

    • Google Workspace

    • OneLogin

    Prerequisites

    To configure Entra ID as an IdP, you need:

    Procedures

    To configure federated and SSO authentication using Entra ID as your identity provider (IdP), you must complete three procedures in the following order:


    Register an Entra ID Application

    Start by registering an application with Entra ID. Information generated by this step is required to create a realm in Capella.

    1. From the Entra portal, open the Entra ID service.

    2. From the navigation pane, click App registrations.

    3. Click New registration.

    4. Configure options on the Register an application page:

      1. Name: Enter the display name you want for this application.

    5. Click Register.

      The Overview page of the app appears once it’s registered.


    Create a Realm in Capella

    With an Entra ID app registered, you need to create a realm in Capella that requires some information from Entra ID.

    1. In Capella, navigate to the SSO page in Organization Settings:

      1. In the Capella UI, on the navigation bar, click the Settings tab.

      2. In the navigation menu, click SSO.

    2. Click Create Realm.

    3. Complete the Create Realm page:

      1. In Entra ID, on the Overview page of the app you registered, click Endpoints to open the Endpoints flyout.

      2. Copy and paste the X.509 certificate from Entra ID to Capella:

        1. In the Endpoints flyout, copy the contents of the Federation metadata document field.

        2. Paste this URL into a new browser tab to view this XML document.

        3. From the XML document, copy the certificate within the <X509Certificate>…​</X509Certificate> tag.

        4. In Capella, paste the certificate contents into the SAML Signing Certificate text box.

      3. Copy the SAML-P sign-on endpoint from Entra ID to Capella:

        1. In Entra ID, with the Endpoints flyout open, copy the contents of the SAML-P sign-on endpoint field.

        2. In Capella, paste the SAML-P sign-on endpoint into the Sign-in Endpoint URL field.

      4. Verify that the remaining SAML protocol settings are as follows:

        Field                  Value
        Signature Algorithm    RSA-SHA256
        Digest Algorithm       SHA256
        SAML Protocol Binding  HTTP-POST

      5. Choose a default team.

        Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        See Manage Capella Role Mapping for information about Teams and how to configure their permissions.

      6. Choose to enable or disable group mapping.

        Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
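    Federation metadata can list more than one certificate (for example during key rollover, or a separate encryption key), so it helps to pull the signing certificates out programmatically and record their fingerprints before pasting one into the SAML Signing Certificate box. The following is an added example, not part of the Couchbase or Microsoft documentation; the sample metadata, its placeholder certificate bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for DER certificates. They are
# not real X.509 data, so the example runs offline without an IdP tenant.
FAKE_DER_A = b"constructed-signing-cert-A " * 8
FAKE_DER_B = b"constructed-signing-cert-B " * 8
FAKE_DER_ENC = b"constructed-encryption-cert " * 8


def b64_lines(der):
    """Base64 text broken over several lines, as metadata documents often are."""
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 76))


# Constructed sample shaped like a SAML 2.0 federation metadata document.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{b64_lines(FAKE_DER_A)}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
{b64_lines(FAKE_DER_A)}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64_lines(FAKE_DER_B)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64_lines(FAKE_DER_ENC)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certificates(metadata_xml):
    """Return the distinct IdP signing certificates (DER bytes) in document order."""
    root = ET.fromstring(metadata_xml)
    seen, certs = set(), []
    for key_desc in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if key_desc.get("use", "signing") != "signing":
            continue
        for node in key_desc.iterfind(".//ds:X509Certificate", NS):
            # Strip line breaks and indentation before decoding strictly.
            compact = "".join((node.text or "").split())
            der = base64.b64decode(compact, validate=True)
            if der and der not in seen:
                seen.add(der)
                certs.append(der)
    return certs


def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-character lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for index, cert in enumerate(signing_certificates(SAMPLE_METADATA), start=1):
        print(f"signing certificate {index}: SHA-256 {sha256_fingerprint(cert)}")
        print(to_pem(cert))
```

    Comparing the printed fingerprint with the one shown for the signing certificate in the IdP's own console confirms that the value pasted into Capella is the key the IdP actually signs with.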

    Complete the Entra ID Configuration

    Now that you have created the realm, you need to finish configuring Entra to include the Application ID, Redirect URI, and optional claim information.

    1. In Capella, open the information page for the realm that you created if it isn’t already open.

      1. Open the Settings > SSO page.

      2. Click the listed realm to open its information page.

    2. Add the Application ID URI:

      1. In Capella, on the realm information page, copy the Entity ID field.

      2. In Entra ID, on the Overview page of the app you registered, click the Add an Application ID URI link.

      3. Click Set.

      4. In the Set the App ID URI dialog box, paste the Entity ID field you just copied from Capella.

      5. Click Save.

    3. Add the Redirect URI:

      1. In Capella, on the realm information page, copy the Callback URL field.

      2. In Entra ID, on the Overview page of the app you registered, click the Add a Redirect URI link.

      3. Click Add a platform.

      4. In the Configure platforms flyout, click the Single-page application tile.

      5. In the Configure single-page application flyout, paste Callback URL into the Redirect URIs field.

      6. Check the ID tokens (used for implicit and hybrid flows) checkbox.

      7. Click Configure.

    4. Add optional claims:

      1. In Entra ID, in the navigation, click Token configuration.

      2. Click Add groups claim.

      3. In the Edit groups claim flyout, select all the group types.

      4. Click Add.

      5. On the Optional claims page, click Add optional claim.

      6. In the Add optional claim flyout, choose the SAML option.

      7. Check the checkbox for the email claim.

      8. Click Add.

      9. In the dialog box, select the Turn on the Microsoft Graph email permission box.

      10. Click Add.

    Prerequisites

    To configure Okta as an IdP, you need:

    • SSO enabled for your Capella organization.

    • An Okta account.

    • To be signed in to the Okta Admin Console as a super admin.

    Procedures

    To configure federated and SSO authentication using Okta as your identity provider (IdP), you must complete three procedures in the following order:


    Create an Okta App Integration

    Start by creating an App Integration in Okta. Information generated by this step is required to create a realm in Capella.

    1. In the Okta Admin Console, click Application > Applications.

    2. Click Create App Integration.

    3. For the sign-in method, choose SAML 2.0.

    4. Click Next.

    5. Configure the options on the General Settings page:

      1. App Name: Enter your desired application name.

      2. (Optional) App logo: Add the Capella logo.

      3. (Optional) App visibility: Adjust if you don’t want to show the Capella app to users in Okta.

      4. Click Next.

    6. Configure the options on the Configure SAML page:

      1. Add the following placeholders:

        Field                        Value
        Single Sign-On URL           Enter a placeholder, such as https://placeholder. You’ll provide the real value in a later step.
        Audience URI (SP Entity ID)  Enter a placeholder, such as uri:placeholder. You’ll provide the real value in a later step.

      2. Click Show Advanced Settings.

        Verify that the advanced settings have the following values:

        Field                 Value
        Response              Signed
        Assertion Signature   Signed
        Signature Algorithm   RSA-SHA256
        Digest Algorithm      SHA256
        Assertion Encryption  Unencrypted

      3. In the Attribute Statements (optional) section, create the following three attributes:

        Values entered into the Name column are case-sensitive. Enter them as shown in the table.

        Name         Name format  Value
        email        Unspecified  user.email
        given_name   Unspecified  user.firstName
        family_name  Unspecified  user.lastName

      4. In the Group Attribute Statements (optional) section, create the following attribute:

        Name    Name format  Filter         Filter Value
        groups  Basic        Matches regex  .*

        This filter matches all group names associated with a user. You can filter the group names sent to Capella further by adjusting the Filter and Filter Value.

      5. Click Next.

    7. Complete the Feedback page:

      1. Add any further feedback if desired.

      2. Click Finish.


    Create a Realm in Capella

    With an Okta integration app created, you need to create a realm in Capella that requires some information from Okta.

    1. In Capella, navigate to the SSO page in Organization Settings:

      1. In the Capella UI, on the navigation bar, click the Settings tab.

      2. In the navigation menu, click SSO.

    2. Click Create Realm.

    3. Complete the Create Realm page:

      1. Copy the following fields from your Okta configuration to Capella:

        To find this information in Okta, open the app integration you just created to the Sign On tab. Within the SAML Setup section of this page, click View SAML setup instructions.

        Okta Field                            Capella Field
        X.509 Certificate                     SAML Signing Certificate
        Identity Provider Single Sign-On URL  Sign-in Endpoint URL

      2. Verify that the remaining SAML protocol settings are as follows:

        Field                  Value
        Signature Algorithm    RSA-SHA256
        Digest Algorithm       SHA256
        SAML Protocol Binding  HTTP-POST

      3. Choose a default team.

        Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        See Manage Capella Role Mapping for information about Teams and how to configure their permissions.

      4. Choose to enable or disable group mapping.

        Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.

    Complete the Okta Configuration

    Now that you have created the realm, you need to configure Okta to replace the placeholder values that you used.

    1. In the Okta Console, open the app integration you created to the General tab.

    2. Inside the SAML Settings section, click Edit.

    3. On the General Settings page, click Next.

    4. Edit the options on the Configure SAML page:

      1. Copy the following fields from your Capella realm configuration to the Okta configuration:

        To find this information for your organization’s Capella realm, first open the Settings > SSO page. Listed on this page is the realm that you just created with an auto-generated name. Click the down arrow to show the realm information page.

        Capella Field  Okta Field
        Callback URL   Single sign on URL
        Entity ID      Audience URI (SP Entity ID)

    5. Click Next.

    6. Click Finish.

    7. In Okta, assign users to the Capella app integration.

      1. With the app integration open, click the Assignments tab.

      2. Make sure that all your Capella organization users who use the Okta service are enrolled. See the Assign an app integration to a user page of the Okta documentation for more detail.
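    The values set in this procedure (signed response and assertion, RSA-SHA256, SHA256, unencrypted assertion, the case-sensitive attribute names, and the Callback URL and Entity ID copied from the realm) can be checked against a decoded SAML response captured from a test sign-in. The following is an added example, not part of the Couchbase or Okta documentation; the sample XML, the placeholder URLs and the names check_saml_response and build_sample are constructed, and the check inspects structure only, it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
REQUIRED_ATTRIBUTES = ("email", "given_name", "family_name", "groups")

# Constructed placeholders for the realm's Callback URL and Entity ID.
CALLBACK_URL = "https://sso.example.invalid/login/callback"
ENTITY_ID = "urn:example:capella-realm"

SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="{sig}"/>
  <ds:Reference><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
</ds:SignedInfo></ds:Signature>"""


def build_sample(sig=RSA_SHA256, digest=SHA256, email_name="email", sign_response=True):
    """Build a constructed, already-decoded SAML response for the checks below."""
    signature = SIGNATURE.format(sig=sig, digest=digest)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{CALLBACK_URL}">
{signature if sign_response else ""}
<saml:Assertion>
{signature}
<saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{ENTITY_ID}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
  <saml:Attribute Name="{email_name}"/>
  <saml:Attribute Name="given_name"/>
  <saml:Attribute Name="family_name"/>
  <saml:Attribute Name="groups"/>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, callback_url, entity_id):
    """Return a list of findings; an empty list means the structure matches."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != callback_url:
        findings.append("Destination does not match the realm Callback URL")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; expected Unencrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion found")
        return findings
    # Both the Response and the Assertion are expected to carry a signature.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    for el in root.iter(f"{{{NS['ds']}}}SignatureMethod"):
        if el.get("Algorithm") != RSA_SHA256:
            findings.append(f"signature algorithm is not RSA-SHA256: {el.get('Algorithm')}")
    for el in root.iter(f"{{{NS['ds']}}}DigestMethod"):
        if el.get("Algorithm") != SHA256:
            findings.append(f"digest algorithm is not SHA256: {el.get('Algorithm')}")
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        findings.append("Audience does not contain the realm Entity ID")
    # Attribute names are compared exactly, so "Email" does not satisfy "email".
    names = {a.get("Name")
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRIBUTES:
        if name not in names:
            findings.append(f"missing attribute {name!r} (names are case-sensitive)")
    return findings


if __name__ == "__main__":
    print("matching sample:", check_saml_response(build_sample(), CALLBACK_URL, ENTITY_ID))
    drifted = build_sample(digest=SHA1, email_name="Email", sign_response=False)
    for finding in check_saml_response(drifted, CALLBACK_URL, ENTITY_ID):
        print("finding:", finding)
```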

    Prerequisites

    To configure Ping as an IdP, you need:

    • SSO enabled for your Capella organization.

    • A Ping account.

    • To be signed in to the Ping admin console as an admin.

    Procedures

    To configure federated and SSO authentication using Ping as your identity provider (IdP), you must complete three procedures in the following order:


    Add a Ping Application

    Start by creating a Ping Application in the Ping admin console. You need the information from this step to create a realm in Capella.

    1. Create a key pair:

      1. In the Ping admin console, click Connections > Certificates & Key Pairs.

      2. Click Add > Create Key Pair.

      3. In the Create Key Pair form, enter the following:

        • Common Name: Enter a name for the new key pair.

        • Usage Type: Choose Signing - Verification.

        • Organization: Enter an organization name.

        • Country: Enter your country.

      4. Click Save & Finish.

    2. Click Applications.

    3. Create the application:

      1. Click the plus sign icon.

      2. Fill in the following fields:

        • Application Name: Add a unique application name.

        • (Optional) Description: Add a description of the application.

        • (Optional) Icon: Add the Capella logo.

        • Choose Application Type: Select SAML Application.

      3. Click Configure.

    4. Start the SAML configuration:

      1. Choose Manually Enter.

      2. Add the following placeholders:

        Field      Value
        ACS URLs   Enter a placeholder, such as https://example.com. You’ll provide the real value in a later step.
        Entity ID  Enter a placeholder, such as placeholder. You’ll provide the real value in a later step.

      3. Click Save.

    5. Add attributes:

      1. Click the Attributes button containing the pencil icon.

      2. In the Attribute Mapping section, add the following attributes using the + Add button:

        Attributes    PingOne Mappings  Required
        saml_subject  User ID
        email         Email Address
        family_name   Family Name
        given_name    Given Name
        groups        Group Name

        The saml_subject attribute is a default attribute that you can’t remove.

      3. Click Save.

    6. Click the Overview tab.

    7. Update the SAML configuration with signing key information:

      1. Click the Protocol button containing the gear icon.

      2. In the Configuration section, enter or edit the following fields:

        Field              Value
        Signing Key        The name of the signing key you created.
        Signing Algorithm  RSA_SHA256

      3. Click Save.

    8. Near the top right corner of the details panel, enable the application by clicking the toggle switch.


    Create a Realm in Capella

    With a Ping application created, you need to create a realm in Capella using information from Ping.

    1. In Capella, open the SSO page:

      1. In the Capella UI, click the Settings tab.

      2. In the navigation menu, click SSO.

    2. Click Create Realm.

    3. Complete the Create Realm page:

      1. Copy the following information from your Ping configuration to Capella:

        To find this information in the Ping admin console, go to Connections > Applications. Find and click the application that you want to view. In the details panel, click the Configuration tab.

        Ping Field                                                  Capella Field
        Contents of Download Signing Certificate > X509 PEM (.crt)  SAML Signing Certificate
        Single Sign On Service                                      Sign-in Endpoint URL

      2. Verify that the remaining SAML protocol settings are as follows:

        Field                  Value
        Signature Algorithm    RSA-SHA256
        Digest Algorithm       SHA256
        SAML Protocol Binding  HTTP-POST

      3. Choose a default team.

        Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        See Manage Capella Role Mapping for information about Teams and how to configure their permissions.

      4. Choose to enable or disable group mapping.

        Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.

    Complete the Ping Configuration

    Now that you have created the realm, you need to configure Ping to replace the placeholder values you used.

    1. In the Ping admin console, open the application you created for Capella.

    2. With the Overview tab open, click the Protocol button with the gear icon.

    3. Edit the configuration settings:

      1. Copy the following fields from your Capella realm configuration to the Ping configuration:

        To find this information for your organization’s Capella realm, open the Settings > SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.

        Capella Field  Ping Field
        Callback URL   ACS URLs
        Entity ID      Entity ID

    4. Click Save.

    5. Assign users to the application.

      1. With the application details open, click the Access tab.

      2. Add the groups whose members need access to Couchbase Capella. See the Application access control page of the Ping documentation for more detail.

    Prerequisites

    To configure CyberArk as an IdP, you need:

    • SSO enabled for your Capella organization.

    • A CyberArk account.

    • To be signed in to the CyberArk Admin Portal as an admin.

    Procedures

    To configure federated and SSO authentication using CyberArk as your identity provider (IdP), you must complete three procedures in the following order:


    Add a CyberArk Web App

    Start by creating a CyberArk web application in the CyberArk Admin Portal. You need the information from this step to create a realm in Capella.

    1. In the CyberArk Admin Portal, click Apps & Widgets > Web Apps.

    2. Create the web application:

      1. Click Add Web Apps.

      2. Click the Custom tab.

      3. In the list of templates, find the SAML option and click Add.

      4. To add this application, click Yes.

      5. Exit the Add Web Apps dialog by clicking Close.

        You now see the Settings page for the SAML app.

      6. Fill in the following fields:

        • Name: Add a unique application name.

        • (Optional) Description: Add a description of the application.

        • (Optional) Logo: Add the Capella logo.

      7. Click Save.

    3. Start the SAML configuration:

      1. Click SAML Response.

      2. Use the Add button to add the following attributes:

        After adding an attribute, you can show the Add button again by clearing the checkbox.

        Attributes Name  Attribute Value
        email            LoginUser.Email
        given_name       LoginUser.FirstName
        family_name      LoginUser.LastName
        groups           LoginUser.RoleNames

      3. Click Save.

    4. Assign your admin account with permissions to the app:

      1. Click Permissions.

      2. Click Add.

      3. In the search field, enter your admin account.

      4. From the list of results, select your name and click Add.

      5. On the Permissions screen, grant your account the following permissions:

        • Grant

        • View

        • Manage

        • Delete

        • Run

        • Automatically Deploy

      6. Click Save.

        The status of your web app now shows Deployed.

    5. Click the Trust tab.

      You need information from this page to create a realm in Capella.


    Create a realm in Capella

    With a CyberArk web application created, you need to create a realm in Capella using information from CyberArk.

    1. In Capella, open the SSO page:

      1. In the Capella UI, click the Settings tab.

      2. In the navigation menu, click SSO.

    2. Click Create Realm.

    3. Complete the Create Realm page:

      1. Copy the following information from your CyberArk configuration to Capella:

        To find this information in the CyberArk Admin Portal, go to Apps & Widgets > Web Apps. Find and open the web application that you want to view. Click Trust.

        CyberArk Field                              Capella Field
        Contents of Signing Certificate > Download  SAML Signing Certificate
        Single Sign-On URL                          Sign-in Endpoint URL

      2. Verify that the remaining SAML protocol settings are as follows:

        Field                  Value
        Signature Algorithm    RSA-SHA256
        Digest Algorithm       SHA256
        SAML Protocol Binding  HTTP-POST

      3. Choose a default team.

        Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        See Manage Capella Role Mapping for information about Teams and how to configure their permissions.

      4. Choose to enable or disable group mapping.

        Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.

    Complete the CyberArk Configuration

    Now that you have created the realm, you must finish configuring the CyberArk web application.

    1. In the CyberArk Portal, open the application you created for Capella.

    2. Click Trust.

    3. At the end of the page, edit the Service Provider Configuration settings:

      1. Select Manual Configuration.

      2. Copy the following fields from your Capella realm configuration to the CyberArk configuration:

        To find this information for your organization’s Capella realm, open the Settings > SSO page. On this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.

        Capella Field  CyberArk Field
        Callback URL   Assertion Consumer Service (ACS) URL
        Entity ID      SP Entity ID / Issuer / Audience

    4. Click Save.

    5. Assign users to the application.

      1. Click Permissions.

      2. Add the groups whose members need access to Couchbase Capella. See the Deploy applications page of the CyberArk documentation for more detail.

    Prerequisites

    To configure Google Workspace as an IdP, you need:

    Procedures

    To configure federated and SSO authentication using Google as your identity provider (IdP), you must complete three procedures in the following order:


    Add a custom SAML app in Google Workspace

    Start by adding an app for Capella in the Google Admin console. You need information resulting from this step to create a realm in Capella.

    1. In the Google Admin console, click Apps > Web and mobile apps.

    2. Click Add app > Add custom SAML app.

    3. Complete these fields:

      • App Name: Enter the display name for this app.

      • (Optional) Description: Add a description of the application.

      • (Optional) App Icon: Add the Capella logo.

    4. Click Continue.

      Leave this new page open as you need its information for the next step.

    Create a realm in Capella

    Create a realm in Capella using information from Google.

    1. In Capella, go to Settings > SSO.

    2. Click Create Realm.

    3. Complete the Create Realm page:

      1. Copy the following configuration details from Google into Capella:

        Google Field  Capella Field
        Certificate   SAML Signing Certificate
        SSO URL       Sign-in Endpoint URL

      2. Verify that the remaining SAML protocol settings are as follows:

        Field                  Value
        Signature Algorithm    RSA-SHA256
        Digest Algorithm       SHA256
        SAML Protocol Binding  HTTP-POST

      3. Choose a default team.

        Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        See Manage Capella Role Mapping for information about Teams and how to configure their permissions.

      4. Choose to enable or disable group mapping.

        Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.

    Complete the configuration in Google Workspace

    Now that you have created the realm, you must finish configuring the custom SAML app in Google.

    1. Returning to the Google Admin console, on the Add custom SAML app setup page, click Continue.

    2. Copy and paste the following fields from your Capella realm configuration into the Google custom SAML app setup:

      To find this information for your organization’s Capella realm, open the Settings > SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.

      Capella Field  Google Field
      Callback URL   ACS URL
      Entity ID      Entity ID

    3. In the Google Admin console, click Continue.

    4. Add the following attributes:

      Google Directory attributes  App attributes
      Primary email                email
      First name                   given_name
      Last name                    family_name

    5. Add group membership.

      Google groups                            App attribute
      Relevant Google groups, such as admins.  Groups

    6. Click Finish.

      A page for the new custom SAML web app automatically loads with its configuration details.

    7. Turn on the SAML web app for everyone:

      To turn on the service for an organizational unit or user group, see Google Workspace Admin Help.
      1. Click User access.

      2. Click On for everyone.

      3. Click Save.

        It may take a few minutes for these changes to apply.

    Prerequisites

    To configure OneLogin as an IdP, you need:

    Procedures

    To configure federated and SSO authentication using OneLogin as your identity provider (IdP), you must complete three procedures in the following order:


    Add an Application in OneLogin

    Start by adding an application for Capella in the OneLogin Admin panel. You need information from this step to create a realm in Capella.

    1. In the OneLogin Admin panel, click Applications > Applications.

    2. Create the application:

      1. Click Add App.

      2. In the search field, type SAML and press Enter.

      3. From the templates list, find and click SAML Test Connector (IdP).

      4. Complete the following fields:

        • Display Name: Enter the display name for this app.

        • (Optional) Rectangular Icon / Square Icon: Add the Capella logo.

        • (Optional) Description: Add a description of the application.

      5. Click Save.

    3. In the navigation pane, click SSO.

    4. In the X.509 Certificate section, click View Details.

    5. Select SHA256 as the SHA fingerprint.

    6. Copy the X.509 Certificate.

    7. Click Save.

    Create a realm in Capella

    With the application created in OneLogin, you need to create a realm in Capella using information from OneLogin.

    1. In Capella, go to Settings > SSO.

    2. Click Create Realm.

    3. Complete the Create Realm page:

      1. Copy the following information from your OneLogin configuration to Capella:

        All this information is in the SSO section of the OneLogin Admin panel when configuring your application.

        OneLogin Field            Capella Field
        X.509 Certificate         SAML Signing Certificate
        SAML 2.0 Endpoint (HTTP)  Sign-in Endpoint URL

      2. Verify that the remaining SAML protocol settings are as follows:

        Field                  Value
        Signature Algorithm    RSA-SHA256
        Digest Algorithm       SHA256
        SAML Protocol Binding  HTTP-POST

      3. Choose a default team.

        Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        See Manage Capella Role Mapping for information about Teams and how to configure their permissions.

      4. Choose to enable or disable group mapping.

        Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.

    Complete the OneLogin Configuration

    Now that you have created the realm, you must finish configuring the OneLogin application.

    1. In OneLogin, click Configuration.

    2. Copy the following fields from your Capella realm configuration to the OneLogin configuration:

      To find this information for your organization’s Capella realm, open the Settings > SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.

      Capella Field  OneLogin Fields
      Callback URL   ACS (Consumer) URL Validator; ACS (Consumer) URL
      Entity ID      Audience

    3. In OneLogin, click Save.

    4. Add the parameters:

      1. In OneLogin, with the application open, click Parameters.

      2. Click + to add each of the following attributes:

        Field name   Flags                      Value
        given_name   Include in SAML assertion  First Name
        family_name  Include in SAML assertion  Last Name
        email        Include in SAML assertion  Email
        groups       Include in SAML assertion  User Roles

    5. Click Save.

    6. Assign users to the application or add the application to a role.

      For more information, see the Roles and App Management pages of the OneLogin documentation.