Manage Identity Providers

    After creating a realm, you can change its realm name, rotate its certificates, change the default team, turn group mapping on or off, or delete it.

    Realms manage the link with your identity provider (IdP). Each organization supports one realm. If you need to create a realm, see Add Federated and SSO Authentication.

    Prerequisites

    Edit Realms in the Capella UI

    1. In the Capella UI, click Settings > SSO.

      When you first open it, the Organization Realms page shows basic information about your configured realm.

      On the Organization Realms page, a copy button provides a link to the Capella SSO login page with your realm name prepopulated. You can send this link to your users so they can sign in with SSO more easily.
    2. Click to show more detailed information about the realm. This information includes its Callback URL, Entity ID, Signature Certificate, Signature Algorithm, and Digest Algorithm.

    3. Click Edit Realm.

    Change the Realm Name

    It may be possible for another party to guess your custom realm name. Keep this in mind when you’re choosing one. Automatically generated realm names can help prevent this.

    When you create a realm, the realm is automatically assigned a unique auto-generated realm name. To change your realm name:

    1. Enter your new realm name into the Realm Name field.

      When you change the text in the Realm Name field, the "Notify SSO users of your organizations when the realm name changes" option is selected automatically. When you save your changes, this notification option sends an email to all SSO users in your organization with the new realm name and a sign-in link that prepopulates the sign-in form with the new realm name.

    2. Click Save.

      SSO users must provide the realm name when they sign in to Capella to connect to the SSO provider.

    Change Signing Endpoint URL and Certificate

    You can change the signing endpoint URL and signing certificate for an existing realm. Editing these fields allows you to rotate the SAML certificate without having to recreate a realm or cause an outage.

    1. In the Signing Endpoints URL & Certificate section, enter the new signing endpoint URL and certificate you would like the realm to use.

      You must provide both the URL and certificate to save your changes.

    2. Click Save.
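
A check to run on the new signing certificate before entering it in the realm, as an added example that is not part of the Capella documentation. It assumes `openssl` is installed; the function names, the 30-day threshold, and the rejection of SHA-1/MD5-signed certificates are local policy choices, not Capella requirements.

```bash
#!/usr/bin/env bash
# Pre-rotation check for a SAML signing certificate (added example).
# Assumption: openssl is on PATH. Thresholds below are local policy.

# check_signing_cert FILE [MIN_DAYS]
# Prints fingerprint, expiry date and signature algorithm. Return codes:
#   0 ok, 2 not a PEM certificate, 3 expires too soon, 4 weak signature hash.
check_signing_cert() {
  local pem="$1" min_days="${2:-30}" sigalg
  # Reject anything that is not a parseable PEM X.509 certificate.
  if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
    echo "FAIL: not a PEM certificate"; return 2
  fi
  # SHA-256 fingerprint, to compare with the value your IdP displays.
  openssl x509 -in "$pem" -noout -fingerprint -sha256
  openssl x509 -in "$pem" -noout -enddate
  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: expires within ${min_days} days"; return 3
  fi
  # First "Signature Algorithm" line of the text dump.
  sigalg=$(openssl x509 -in "$pem" -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}')
  echo "signature algorithm: ${sigalg}"
  case "$sigalg" in
    *sha1*|*SHA1*|*md5*|*MD5*) echo "FAIL: weak signature hash"; return 4 ;;
  esac
  echo "OK"
}

# make_test_cert FILE DAYS
# Constructed self-signed certificate for trying the check; not a real IdP cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=idp.example.test" -keyout /dev/null -out "$1" 2>/dev/null
}

# Usage: ./check_cert.sh new-idp-cert.pem [MIN_DAYS]
if [ "$#" -gt 0 ]; then
  check_signing_cert "$@"
fi
```

Compare the printed fingerprint with the one shown by your IdP before you click Save, so the realm is not switched to a certificate the IdP does not sign with.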

    Change the Default Team

    Capella assigns SSO users to the default team if they’re not mapped to another team. Typically, a default team should have the fewest permissions.

    Every SSO user is a member of a realm’s default team unless otherwise specified through role mapping. When you create a realm, the default team is "My First Team," but you can designate any team in your organization as the default. You cannot delete any team set as the default team.

    1. In the Default Team section, use the Capella Team list to choose a new default team.

      This list includes any existing teams within your organization.

    2. Click Save.

      Any permission changes apply to affected users when they next sign in to Capella.

    Turn Group Mapping On or Off

    By default, Capella assigns roles to SSO users based on which teams map to which SSO groups. To manage SSO users like any other Capella user, turn off group mapping.

    When you turn off group mapping for a realm, Capella still uses the default team to assign roles when SSO users first sign in. After SSO users sign in, you manage them like other Capella users through the People tab and each project’s Collaborators tab.

    When SSO users sign in for the first time after you turn off group mapping, they keep their current roles. If they sign in after you turn on group mapping, their roles sync based on any mapped SSO groups, and Capella deletes the old permissions.

    1. In the Default Team section, turn group mapping on or off by selecting or deselecting Group Mapping.

    2. Click Save.

      Any permission changes apply to affected users when they next sign in to Capella.

    For more information about managing SSO users with group mapping turned off, see Manage Organization Users and Manage Project Users.

    Delete a Realm

    You cannot delete a realm that you’re signed into.

    When you delete a realm, Capella deletes the permissions of all SSO users connected to your organization through that realm.

    1. In the Delete Realm section, click Delete Realm.

    2. Type delete to confirm the action.

    3. Click Delete Realm.