Capella UI Authentication

  • concept
    Couchbase Capella supports federated authentication with Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for the Capella UI.

    Federated & SSO Authentication

    Couchbase Capella allows users to sign in to the Capella UI using federated and SSO authentication after configuring Capella to authenticate using data passed from your identity provider (IdP). Couchbase Capella’s SSO services use the SAML (Security Assertion Markup Language) 2.0 standard.

    Couchbase Capella does not support identity provider-initiated (IdP-initiated) sign-in, where the user initiates a sign-in request through the IdP’s SSO page.

    As part of your company’s existing security infrastructure, SSO provides the following advantages:

    • Your company’s IdP manages Capella users—​not Couchbase. Your administrators can onboard, offboard, and manage Capella users with existing workflows.

    • All supported IdPs provide their own built-in multi-factor authentication (MFA).

    • Your users can use Capella without needing to remember another username and password.

    Configuration Requirements

    To configure federated and SSO authentication, you need the following:

    Identity Provider (IdP)
    While you can configure Capella with other SAML identity providers, Couchbase provides instructions and support for only the IdPs on this list.

    Capella supports the following IdPs:


    Capella manages and configures the link with your IdP with a realm. Each organization supports one realm.

    Only users with the Organization Owner role can create, manage, and view realms.


    Map user groups from your IdP to permission sets in Capella with a team. Capella creates a default team, called "My First Team," with no pre-existing role-mapping when you create a realm. Each organization can support multiple teams. You can assign users to one or more teams.

    Only users with the Organization Owner role can create and manage teams. Every user in an organization can view team information.


    When you add federated and SSO authentication to an organization:

    • Capella turns off Capella MFA for all SSO users in the organization who can then use the MFA provided by the IdP. Non-SSO users can continue to use the Capella MFA.

    • SSO Users within the organization can’t change their name, email, or set a password.

    • Capella adds each SSO user to the default team ("My First Team") as they sign in, unless you specify another default team or create IdP group mappings. You can’t delete a realm’s configured default team.

    • If a realm has group mapping turned off, Capella uses the default team to initially assign SSO users their roles. After SSO users sign in, you can manage their organization roles using the People tab and manage project access using each project’s Collaborators tab.

    Multi-Factor Authentication (MFA)

    Any non-SSO user within your organization can use Capella’s MFA. MFA improves your Capella account security by requiring two credentials to sign in: your password and a time-based one-time password (TOTP).

    To turn on MFA for your account, see Manage Multi-Factor Authentication (MFA).