Add Federated and SSO Authentication
Add federated authentication with single sign-on (SSO) to your Couchbase Capella organization.
To add federated and SSO authentication, you must create a realm in Capella. A realm manages the configuration of the link between Capella and your IdP. Each organization supports one realm.
This page walks you through the process of creating a realm and configuring your IdP to add federated and SSO authentication to your organization.
Access and Enable SSO Settings
You can manage federated and SSO authentication from the SSO page in your organization’s settings.
You are only able to see the SSO page if you have the Organization Owner role in your organization.
- Navigate to the SSO page in Organization Settings:
  - In the Capella UI, on the navigation bar, click the Settings tab.
  - In the navigation menu, click SSO.
- Enable SSO:
  If not already enabled, enable federated and SSO authentication options by contacting Couchbase. You can do this automatically through the SSO page.
  - On the SSO page, click Enable SSO.
  - In the Enable SSO dialog box, click Create Support Ticket.
  The SSO page remains unchanged until support enables SSO for your organization.
Configure Federated and SSO Authentication
While you can configure Capella with other SAML identity providers, Couchbase provides instructions and support for Microsoft Entra ID, Okta, Ping Identity, CyberArk, Google Workspace, and OneLogin.
Choose the tab corresponding to your IdP:
- Entra ID
- Okta
- Ping
- CyberArk
- Google Workspace
- OneLogin
Entra ID
Prerequisites
To configure Entra ID as an IdP, you need:
- SSO enabled for your Capella organization.
- An Azure subscription. For more information, see the Microsoft Entra portal.
- An Entra ID tenant associated with your Azure subscription. For more information, see the Entra ID documentation.
- Global Administrator privileges for your Entra ID tenant.
Procedures
To configure federated and SSO authentication using Entra ID as your identity provider (IdP), you must complete three procedures in the following order.
Start by registering an application with Entra ID. Information generated by this step is required to create a realm in Capella.
- From the Entra portal, open the Entra ID service.
- From the navigation pane, click App registrations.
- Click New registration.
- Configure options on the Register an application page:
  - Name: Enter the display name you want for this application.
- Click Register.
  The Overview page of the app appears once it’s registered.
With an Entra ID app registered, create a realm in Capella. The realm requires some information from Entra ID.
- In Capella, navigate to the SSO page in Organization Settings:
  - In the Capella UI, on the navigation bar, click the Settings tab.
  - In the navigation menu, click SSO.
- Click Create Realm.
- Complete the Create Realm page:
  - In Entra ID, on the Overview page of the app you registered, click Endpoints to open the Endpoints flyout.
  - Copy and paste the X.509 certificate from Entra ID to Capella:
    - In the Endpoints flyout, copy the contents of the Federation metadata document field.
    - Paste this URL into a new browser tab to view the XML document.
    - From the XML document, copy the certificate within the <X509Certificate>…</X509Certificate> tag.
    - In Capella, paste the certificate contents into the SAML Signing Certificate text box.
  - Copy the SAML-P sign-on endpoint from Entra ID to Capella:
    - In Entra ID, with the Endpoints flyout open, copy the contents of the SAML-P sign-on endpoint field.
    - In Capella, paste the SAML-P sign-on endpoint into the Sign-in Endpoint URL field.
  - Verify that the remaining SAML protocol settings are as follows:
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - SAML Protocol Binding: HTTP-POST
  - Choose a default team.
    Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.
    See Manage Capella Role Mapping for information about Teams and how to configure their permissions.
  - Choose to enable or disable group mapping.
    Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.
- Click Create Realm.
  Capella creates the new realm with an auto-generated name.
  Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
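The Entra ID steps above have you open the federation metadata document in a browser and copy the `<X509Certificate>` contents and the sign-on endpoint by hand. The Python script below is an added example, not Couchbase or Capella code, that pulls the same two values out of a SAML 2.0 IdP metadata document programmatically: it selects the signing certificate (skipping any key marked `use="encryption"`), strips the line breaks that metadata documents usually insert inside the base64 body, checks that the result is valid base64, and picks the `SingleSignOnService` endpoint with the HTTP-POST binding, which is the SAML Protocol Binding the realm expects. The metadata in `SAMPLE_METADATA` is a constructed sample and its certificate bodies are placeholder base64 strings, not real certificates; the `idp.example.test` host and the `to_pem` helper are assumptions for illustration.

```python
"""Pull the Create Realm inputs out of a SAML 2.0 IdP metadata document.

Added example, not Couchbase or Capella code. SAMPLE_METADATA is a constructed
document in the standard SAML metadata shape; the certificate bodies are
placeholder base64 strings, not real certificates.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: one encryption key, one signing key (with the line breaks
# real metadata documents put inside the base64 body) and two SSO bindings.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/placeholder-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>RU5DUllQVElPTi1DRVJULVBMQUNFSE9MREVS</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>
          U0lHTklORy1DRVJULVBMQUNFSE9MREVS
          LUxJTkUtVFdP
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/placeholder-tenant/saml2/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/placeholder-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_realm_inputs(metadata_xml: str) -> dict:
    """Return the entity ID, the signing certificate (whitespace removed) and the
    HTTP-POST sign-on URL; raise ValueError when the document lacks them."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may serve both purposes;
        # one marked use="encryption" must never be pasted as the signing cert.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            body = "".join(cert.text.split())  # drop newlines and indentation
            base64.b64decode(body, validate=True)  # fail early on a mangled copy
            signing_certs.append(body)
    if not signing_certs:
        raise ValueError("metadata carries no signing certificate")

    post_endpoints = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == HTTP_POST
    ]
    if not post_endpoints:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")

    return {
        "entity_id": root.get("entityID"),
        "saml_signing_certificate": signing_certs[0],
        "signing_cert_count": len(signing_certs),
        "sign_in_endpoint_url": post_endpoints[0],
    }


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 body as PEM so it can be inspected with openssl
    (an assumed convenience; the realm steps paste the bare contents)."""
    lines = textwrap.wrap(cert_b64, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    inputs = extract_realm_inputs(SAMPLE_METADATA)
    for key, value in inputs.items():
        print(f"{key}: {value}")
    print(to_pem(inputs["saml_signing_certificate"]))
```

Point `extract_realm_inputs` at the XML you saved from the Federation metadata document URL. If `signing_cert_count` is greater than one, the IdP is publishing more than one signing certificate (for example around a key rollover), so confirm which one is active before pasting it into the realm. Also compare `entity_id` with the tenant you expect so that a certificate from the wrong tenant's metadata never ends up in the SAML Signing Certificate box.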
Now that you have created the realm, finish configuring Entra ID with the Application ID URI, the Redirect URI, and the optional claims.
- In Capella, open the information page for the realm that you created, if it isn’t already open:
  - Open the SSO page.
  - Click the listed realm to open its information page.
- Add the Application ID URI:
  - In Capella, on the realm information page, copy the Entity ID field.
  - In Entra ID, on the Overview page of the app you registered, click the Add an Application ID URI link.
  - Click Set.
  - In the Set the App ID URI dialog box, paste the Entity ID value you just copied from Capella.
  - Click Save.
- Add the Redirect URI:
  - In Capella, on the realm information page, copy the Callback URL field.
  - In Entra ID, on the Overview page of the app you registered, click the Add a Redirect URI link.
  - Click Add a platform.
  - In the Configure platforms flyout, click the Single-page application tile.
  - In the Configure single-page application flyout, paste the Callback URL into the Redirect URIs field.
  - Check the ID tokens (used for implicit and hybrid flows) checkbox.
  - Click Configure.
- Add optional claims:
  - In Entra ID, in the navigation, click Token configuration.
  - Click Add groups claim.
  - In the Edit groups claim flyout, select all the group types.
  - Click Add.
  - On the Optional claims page, click Add optional claim.
  - In the Add optional claim flyout, choose the SAML option.
  - Check the checkbox for the email claim.
  - Click Add.
  - In the dialog box, select the Turn on the Microsoft Graph email permission box.
  - Click Add.
Okta
Prerequisites
To configure Okta as an IdP, you need:
- SSO enabled for your Capella organization.
- An Okta account.
- To be signed in to the Okta Admin Console as a super admin.
Procedures
To configure federated and SSO authentication using Okta as your identity provider (IdP), you must complete three procedures in the following order.
Start by creating an App Integration in Okta. Information generated by this step is required to create a realm in Capella.
- In the Okta Admin Console, click .
- Click Create App Integration.
- For the sign-in method, choose SAML 2.0.
- Click Next.
- Configure the options on the General Settings page:
  - App Name: Enter your desired application name.
  - (Optional) App logo: Add the Capella logo.
  - (Optional) App visibility: Adjust if you don’t want to show the Capella app to users in Okta.
  - Click Next.
- Configure the options on the Configure SAML page:
  - Add the following placeholders:
    - Single Sign-On URL: Enter a placeholder, such as https://placeholder. You’ll provide the real value in a later step.
    - Audience URI (SP Entity ID): Enter a placeholder, such as uri:placeholder. You’ll provide the real value in a later step.
  - Click Show Advanced Settings.
    Verify that the advanced settings have the following values:
    - Response: Signed
    - Assertion Signature: Signed
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - Assertion Encryption: Unencrypted
  - In the Attribute Statements (optional) section, create the following three attributes:
    Values entered into the Name column are case-sensitive. Enter them exactly as shown.
    - Name: email; Name format: Unspecified; Value: user.email
    - Name: given_name; Name format: Unspecified; Value: user.firstName
    - Name: family_name; Name format: Unspecified; Value: user.lastName
  - In the Group Attribute Statements (optional) section, create the following attribute:
    - Name: groups; Name format: Basic; Filter: Matches regex; Filter Value: .*
    This filter matches all group names associated with a user. You can further restrict the group names sent to Capella by adjusting the Filter and Filter Value.
  - Click Next.
- Complete the Feedback page:
  - Add any further feedback if desired.
  - Click Finish.
With an Okta app integration created, create a realm in Capella. The realm requires some information from Okta.
- In Capella, navigate to the SSO page in Organization Settings:
  - In the Capella UI, on the navigation bar, click the Settings tab.
  - In the navigation menu, click SSO.
- Click Create Realm.
- Complete the Create Realm page:
  - Copy the following fields from your Okta configuration to Capella:
    To find this information in Okta, open the app integration you just created to the Sign On tab. Within the SAML Setup section of this page, click View SAML setup instructions.
    - X.509 Certificate (Okta) → SAML Signing Certificate (Capella)
    - Identity Provider Single Sign-On URL (Okta) → Sign-in Endpoint URL (Capella)
  - Verify that the remaining SAML protocol settings are as follows:
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - SAML Protocol Binding: HTTP-POST
  - Choose a default team.
    Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.
    See Manage Capella Role Mapping for information about Teams and how to configure their permissions.
  - Choose to enable or disable group mapping.
    Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.
- Click Create Realm.
  Capella creates the new realm with an auto-generated name.
  Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
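The Okta attribute statements above (email, given_name, family_name, plus a multi-valued groups attribute) are what arrive in the SAML assertion, and the default team and group mapping settings decide what Capella does with the groups. The Python below is an added illustration, not Capella code: it reads an attribute statement from a constructed assertion fragment, reports required attribute names that are missing (a wrongly cased name such as `Email` counts as missing, since the names are case-sensitive), and models the two rules from the page: teams whose mapped SSO group appears in the assertion are assigned, otherwise the default team is used, and the default team is always used when group mapping is disabled. The team names and groups in `TEAM_GROUPS`, the `DEFAULT_TEAM` name, and exact string comparison of group names are assumptions made for the illustration.

```python
"""Read a SAML attribute statement and apply the realm's team rules.

Added illustration, not Capella code. SAMPLE_ASSERTION, TEAM_GROUPS and
DEFAULT_TEAM are constructed; exact-match comparison of group names is an
assumption about how Capella matches SSO groups to teams.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names the realm expects; they are case-sensitive.
REQUIRED = ("email", "given_name", "family_name")

# Constructed sample: team name -> SSO group name it maps to.
TEAM_GROUPS = {"Developers": "capella-developers", "Admins": "capella-admins"}
DEFAULT_TEAM = "Everyone"

# Constructed assertion fragment (signature, subject and conditions omitted).
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <AttributeStatement>
    <Attribute Name="email"><AttributeValue>alice@example.test</AttributeValue></Attribute>
    <Attribute Name="given_name"><AttributeValue>Alice</AttributeValue></Attribute>
    <Attribute Name="family_name"><AttributeValue>Example</AttributeValue></Attribute>
    <Attribute Name="groups">
      <AttributeValue>capella-developers</AttributeValue>
      <AttributeValue>finance</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""


def read_attributes(assertion_xml: str) -> dict:
    """Map each attribute Name to its list of values (groups is multi-valued)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attribute.findall("saml:AttributeValue", NS)]
        attrs[attribute.get("Name")] = values
    return attrs


def missing_required(attrs: dict) -> list:
    """Required names that are absent or empty; 'Email' does not satisfy 'email'."""
    return [name for name in REQUIRED if not attrs.get(name)]


def resolve_teams(attrs: dict, team_groups: dict = TEAM_GROUPS,
                  default_team: str = DEFAULT_TEAM, group_mapping: bool = True) -> list:
    """Teams the user lands in: the mapped teams when group mapping is on and at
    least one of the user's groups matches, otherwise the default team."""
    if group_mapping:
        groups = set(attrs.get("groups", []))
        matched = sorted(team for team, group in team_groups.items() if group in groups)
        if matched:
            return matched
    return [default_team]


if __name__ == "__main__":
    attrs = read_attributes(SAMPLE_ASSERTION)
    print("missing:", missing_required(attrs))
    print("teams:", resolve_teams(attrs))
    # The same user if the IdP sent 'Email' instead of 'email'.
    wrong_case = read_attributes(SAMPLE_ASSERTION.replace('Name="email"', 'Name="Email"'))
    print("missing with wrong case:", missing_required(wrong_case))
```

Run it against the attribute statement from a test sign-in to confirm the IdP sends the names the realm expects before rolling SSO out. If a user unexpectedly lands in the default team, compare the groups values the IdP sent with the group name the team maps to: an Okta filter narrower than `.*`, or a group name that differs only in spelling or case, is enough to send everyone to the default team. Because every unmatched user inherits the default team's permission set, keep that team's roles minimal.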
Now that you have created the realm, configure Okta to replace the placeholder values that you used.
- In the Okta Admin Console, open the app integration you created to the General tab.
- Inside the SAML Settings section, click Edit.
- On the General Settings page, click Next.
- Edit the options on the Configure SAML page:
  - Copy the following fields from your Capella realm configuration to the Okta configuration:
    To find this information for your organization’s Capella realm, first open the SSO page. Listed on this page is the realm that you just created with an auto-generated name. Click the down arrow to show the realm information page.
    - Callback URL (Capella) → Single sign-on URL (Okta)
    - Entity ID (Capella) → Audience URI (SP Entity ID) (Okta)
- Click Next.
- Click Finish.
- In Okta, assign users to the Capella app integration:
  - With the app integration open, click the Assignments tab.
  - Make sure that all your Capella organization users who use the Okta service are assigned. See the Assign an app integration to a user page of the Okta documentation for more detail.
Ping
Prerequisites
To configure Ping as an IdP, you need:
- SSO enabled for your Capella organization.
- A Ping account.
- To be signed in to the Ping admin console as an admin.
Procedures
To configure federated and SSO authentication using Ping as your identity provider (IdP), you must complete three procedures in the following order.
Start by creating a Ping application in the Ping admin console. You need the information from this step to create a realm in Capella.
- Create a key pair:
  - In the Ping admin console, click .
  - Click .
  - In the Create Key Pair form, enter the following:
    - Common Name: Enter a name for the new key pair.
    - Usage Type: Choose Signing - Verification.
    - Organization: Enter an organization name.
    - Country: Enter your country.
  - Click Save & Finish.
- Click Applications.
- Create the application:
  - Click the plus sign icon.
  - Fill in the following fields:
    - Application Name: Add a unique application name.
    - (Optional) Description: Add a description of the application.
    - (Optional) Icon: Add the Capella logo.
    - Choose Application Type: Select SAML Application.
  - Click Configure.
- Start the SAML configuration:
  - Choose Manually Enter.
  - Add the following placeholders:
    - ACS URLs: Enter a placeholder, such as https://example.com. You’ll provide the real value in a later step.
    - Entity ID: Enter a placeholder, such as placeholder. You’ll provide the real value in a later step.
  - Click Save.
- Add attributes:
  - Click the Overview tab.
  - Update the SAML configuration with the signing key information:
    - Click the Protocol button containing the gear icon.
    - In the Configuration section, enter or edit the following fields:
      - Signing Key: Select the key pair you created earlier.
      - Signing Algorithm: RSA_SHA256
    - Click Save.
- Near the top right corner of the details panel, enable the application by clicking the toggle switch.
With a Ping application created, create a realm in Capella using information from Ping.
- In Capella, open the SSO page:
  - In the Capella UI, click the Settings tab.
  - In the navigation menu, click SSO.
- Click Create Realm.
- Complete the Create Realm page:
  - Copy the following information from your Ping configuration to Capella:
    To find this information in the Ping admin console, go to . Find and click the application that you want to view. In the details panel, click the Configuration tab.
    - Contents of (Ping) → SAML Signing Certificate (Capella)
    - Single Sign On Service (Ping) → Sign-in Endpoint URL (Capella)
  - Verify that the remaining SAML protocol settings are as follows:
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - SAML Protocol Binding: HTTP-POST
  - Choose a default team.
    Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.
    See Manage Capella Role Mapping for information about Teams and how to configure their permissions.
  - Choose to enable or disable group mapping.
    Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.
- Click Create Realm.
  Capella creates the new realm with an auto-generated name.
  Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
Now that you have created the realm, configure Ping to replace the placeholder values you used.
- In the Ping admin console, open the application you created for Capella.
- With the Overview tab open, click the Protocol button with the gear icon.
- Edit the configuration settings:
  - Copy the following fields from your Capella realm configuration to the Ping configuration:
    To find this information for your organization’s Capella realm, open the SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.
    - Callback URL (Capella) → ACS URLs (Ping)
    - Entity ID (Capella) → Entity ID (Ping)
  - Click Save.
- Assign users to the application:
  - With the application details open, click the Access tab.
  - Add the groups whose members need access to Couchbase Capella. See the Application access control page of the Ping documentation for more detail.
CyberArk
Prerequisites
To configure CyberArk as an IdP, you need:
- SSO enabled for your Capella organization.
- A CyberArk account.
- To be signed in to the CyberArk Admin Portal as an admin.
Procedures
To configure federated and SSO authentication using CyberArk as your identity provider (IdP), you must complete three procedures in the following order.
Start by creating a CyberArk web application in the CyberArk Admin Portal. You need the information from this step to create a realm in Capella.
- In the CyberArk Admin Portal, click .
- Create the web application:
  - Click Add Web Apps.
  - Click the Custom tab.
  - In the list of templates, find the SAML option and click Add.
  - To add this application, click Yes.
  - Exit the Add Web Apps dialog by clicking Close.
    You now see the Settings page for the SAML app.
  - Fill in the following fields:
    - Name: Add a unique application name.
    - (Optional) Description: Add a description of the application.
    - (Optional) Logo: Add the Capella logo.
  - Click Save.
- Start the SAML configuration:
  - Click SAML Response.
  - Use the Add button to add the following attributes:
    After adding an attribute, you can show the Add button again by clearing the checkbox.
    - Attribute Name: email; Attribute Value: LoginUser.Email
    - Attribute Name: given_name; Attribute Value: LoginUser.FirstName
    - Attribute Name: family_name; Attribute Value: LoginUser.LastName
    - Attribute Name: groups; Attribute Value: LoginUser.RoleNames
  - Click Save.
- Assign your admin account permissions to the app:
  - Click Permissions.
  - Click Add.
  - In the search field, enter your admin account.
  - From the list of results, select your name and click Add.
  - On the Permissions screen, grant your account the following permissions:
    - Grant
    - View
    - Manage
    - Delete
    - Run
    - Automatically Deploy
  - Click Save.
    The status of your web app now shows Deployed.
- Click the Trust tab.
  You need information from this page to create a realm in Capella.
With a CyberArk web application created, create a realm in Capella using information from CyberArk.
- In Capella, open the SSO page:
  - In the Capella UI, click the Settings tab.
  - In the navigation menu, click SSO.
- Click Create Realm.
- Complete the Create Realm page:
  - Copy the following information from your CyberArk configuration to Capella:
    To find this information in the CyberArk Admin Portal, go to . Find and open the web application that you want to view. Click Trust.
    - Contents of (CyberArk) → SAML Signing Certificate (Capella)
    - Single Sign-On URL (CyberArk) → Sign-in Endpoint URL (Capella)
  - Verify that the remaining SAML protocol settings are as follows:
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - SAML Protocol Binding: HTTP-POST
  - Choose a default team.
    Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.
    See Manage Capella Role Mapping for information about Teams and how to configure their permissions.
  - Choose to enable or disable group mapping.
    Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.
- Click Create Realm.
  Capella creates the new realm with an auto-generated name.
  Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
Now that you have created the realm, you must finish configuring the CyberArk web application.
- In the CyberArk Admin Portal, open the application you created for Capella.
- Click Trust.
- At the end of the page, edit the Service Provider Configuration settings:
  - Select Manual Configuration.
  - Copy the following fields from your Capella realm configuration to the CyberArk configuration:
    To find this information for your organization’s Capella realm, open the SSO page. On this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.
    - Callback URL (Capella) → Assertion Consumer Service (ACS) URL (CyberArk)
    - Entity ID (Capella) → SP Entity ID / Issuer / Audience (CyberArk)
  - Click Save.
- Assign users to the application:
  - Click Permissions.
  - Add the groups whose members need access to Couchbase Capella. See the Deploy applications page of the CyberArk documentation for more detail.
Google Workspace
Prerequisites
To configure Google Workspace as an IdP, you need:
- SSO enabled for your Capella organization.
- To be signed in to the Google Admin console as a super administrator.
Procedures
To configure federated and SSO authentication using Google Workspace as your identity provider (IdP), you must complete three procedures in the following order.
Start by adding an app for Capella in the Google Admin console. You need information from this step to create a realm in Capella.
- In the Google Admin console, click .
- Click .
- Complete these fields:
  - App Name: Enter the display name for this app.
  - (Optional) Description: Add a description of the application.
  - (Optional) App Icon: Add the Capella logo.
- Click Continue.
  Leave this new page open, as you need its information for the next step.
With the app added, create a realm in Capella using information from Google.
- In Capella, go to Settings > SSO.
- Click Create Realm.
- Complete the Create Realm page:
  - Copy the following configuration details from Google into Capella:
    - Certificate (Google) → SAML Signing Certificate (Capella)
    - SSO URL (Google) → Sign-in Endpoint URL (Capella)
  - Verify that the remaining SAML protocol settings are as follows:
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - SAML Protocol Binding: HTTP-POST
  - Choose a default team.
    Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.
    See Manage Capella Role Mapping for information about Teams and how to configure their permissions.
  - Choose to enable or disable group mapping.
    Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.
- Click Create Realm.
  Capella creates the new realm with an auto-generated name.
  Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
Now that you have created the realm, you must finish configuring the custom SAML app in Google.
- Returning to the Google Admin console, on the Add custom SAML app setup page, click Continue.
- Copy and paste the following fields from your Capella realm configuration into the Google custom SAML app setup:
  To find this information for your organization’s Capella realm, open the SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.
  - Callback URL (Capella) → ACS URL (Google)
  - Entity ID (Capella) → Entity ID (Google)
- In the Google Admin console, click Continue.
- Add the following attributes:
  - Google Directory attribute Primary email → App attribute email
  - Google Directory attribute First name → App attribute given_name
  - Google Directory attribute Last name → App attribute family_name
- Add group membership:
  - Google groups: the relevant Google groups, such as admins. App attribute: Groups
- Click Finish.
  A page for the new custom SAML web app automatically loads with its configuration details.
- Turn on the SAML web app for everyone:
  To turn on the service for only an organizational unit or user group instead, see Google Workspace Admin Help.
  - Click User access.
  - Click On for everyone.
  - Click Save.
    It may take a few minutes for these changes to apply.
OneLogin
Prerequisites
To configure OneLogin as an IdP, you need:
- SSO enabled for your Capella organization.
- A OneLogin account.
- To be signed in to the OneLogin Admin panel as an Account Owner.
Procedures
To configure federated and SSO authentication using OneLogin as your identity provider (IdP), you must complete three procedures in the following order.
Start by adding an application for Capella in the OneLogin Admin panel. You need information from this step to create a realm in Capella.
- In the OneLogin Admin panel, click .
- Create the application:
  - Click Add App.
  - In the search field, type SAML and press Enter.
  - From the templates list, find and click SAML Test Connector (IdP).
  - Complete the following fields:
    - Display Name: Enter the display name for this app.
    - (Optional) Rectangular Icon / Square Icon: Add the Capella logo.
    - (Optional) Description: Add a description of the application.
  - Click Save.
- In the navigation pane, click SSO.
- In the X.509 Certificate section, click View Details.
- Select SHA256 as the SHA fingerprint.
- Copy the X.509 Certificate.
- Click Save.
With the application created in OneLogin, create a realm in Capella using information from OneLogin.
- In Capella, go to the SSO page.
- Click Create Realm.
- Complete the Create Realm page:
  - Copy the following information from your OneLogin configuration to Capella:
    All this information is in the SSO section of the OneLogin Admin panel when configuring your application.
    - X.509 Certificate (OneLogin) → SAML Signing Certificate (Capella)
    - SAML 2.0 Endpoint (HTTP) (OneLogin) → Sign-in Endpoint URL (Capella)
  - Verify that the remaining SAML protocol settings are as follows:
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - SAML Protocol Binding: HTTP-POST
  - Choose a default team.
    Capella automatically assigns users to the chosen default team when they don’t match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.
    See Manage Capella Role Mapping for information about Teams and how to configure their permissions.
  - Choose to enable or disable group mapping.
    Capella enables group mapping by default. Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group. If you disable group mapping, Capella uses the default team to give SSO users their roles when they first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.
- Click Create Realm.
  Capella creates the new realm with an auto-generated name.
  Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm.
Now that you have created the realm, you must finish configuring the OneLogin application.
- In OneLogin, click Configuration.
- Copy the following fields from your Capella realm configuration to the OneLogin configuration:
  To find this information for your organization’s Capella realm, open the SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.
  - Callback URL (Capella) → ACS (Consumer) URL Validator and ACS (Consumer) URL (OneLogin)
  - Entity ID (Capella) → Audience (OneLogin)
- In OneLogin, click Save.
- Add the parameters:
  - In OneLogin, with the application open, click Parameters.
  - Click + to add each of the following attributes:
    - Field name: given_name; Flags: Include in SAML assertion; Value: First Name
    - Field name: family_name; Flags: Include in SAML assertion; Value: Last Name
    - Field name: email; Flags: Include in SAML assertion; Value: Email
    - Field name: groups; Flags: Include in SAML assertion; Value: User Roles
  - Click Save.
- Assign users to the application or add the application to a role.
  For more information, see the Roles and App Management pages of the OneLogin documentation.