Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

Set Up Capella SSO Using Microsoft Entra ID

  • Capella Operational
  • how-to
    +
    Configure Single Sign-On (SSO) between Microsoft Entra ID and Couchbase Capella to allow your organization’s users to authenticate securely without managing separate credentials. This integration enables streamlined access management while maintaining enterprise-grade security.

    Prerequisites

    To configure Microsoft Entra ID as an IdP, you need:

    • To enable SSO for your Capella organization.

    • An Azure subscription with Microsoft Entra ID. For more information, see Microsoft.

    • An Entra ID tenant associated with your Azure subscription. For more information, see the Microsoft Entra ID documentation.

    • Global Administrator privileges for your Entra ID tenant.

    • The family_name or given_name fields populated for your users in Entra ID.

    Procedures

    Choose the tab for your preferred authentication protocol.

    • SAML

    • OIDC

    To configure federated and SSO authentication using SAML with Entra ID as your identity provider (IdP) using SAML, you must complete three procedures in the following order:

    1. In Entra ID, register an application

    2. In Capella, create a realm

    3. In Entra ID, complete the configuration

    Register an Application

    Start by registering an application with Entra ID. You will need information from your registered application to create a realm in Capella.

    1. Sign in to the Microsoft Entra admin center.

    2. Click Identity  Applications  App registrations.

    3. Click New registration.

    4. Enter a meaningful display name for this application.

    5. Click Register.

      The Overview page of the app appears once it’s registered.

    Create a Realm in Capella

    With an application registered with Entra ID, you need to create a realm in Capella. To create a realm, you need some information from Entra ID.

    1. In Capella, click Settings  SSO.

    2. Click Create Realm  SAML.

    3. Return to Entra ID. On the Overview page of your registered app, click Endpoints.

    4. Copy and paste the X.509 certificate from Entra ID to Capella:

      1. In the Endpoints flyout, copy the contents of the Federation metadata document field.

      2. Paste this URL into a new browser tab to view this XML document.

      3. From the XML document, copy the certificate within the <X509Certificate>…​</X509Certificate> tag.

        In cases where multiple instances of <X509Certificate> exist, you may need to use trial an error to find the correct one. You can do this more easily after you create a realm by updating its signing certificate. For more information, see Change Signing Endpoint URL and Certificate.

      4. In Capella, paste the certificate contents into the SAML Signing Certificate box.

    5. Copy SAML - P sign-on endpoint from Entra ID to Capella.

      1. In Entra ID, with the Endpoints flyout open, copy the contents of the SAML -P sign-on endpoint field.

      2. In Capella, paste the copied SAML -P sign-on endpoint into the Sign-in Endpoint URL field.

      3. Verify that the remaining SAML protocol settings are as follows:

        Field Value

        Signature Algorithm

        RSA-SHA256

        Digest Algorithm

        SHA256

        SAML Protocol Binding

        HTTP-POST

      4. Choose a default team.

        Capella automatically assigns users to the chosen default team when they do not match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        For more information, see Map User Roles.

      5. Choose to turn on or off group mapping.

        Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group.

        If you do not use group mapping, Capella uses the default team to give SSO users their roles when they first sign in. Without group mapping, you must manage your users' organization roles using the People tab and project roles using each project’s Collaborators tab.

    6. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the a realm name after you create the realm. For more information, see Change the Realm Name.
    Complete the Entra ID Configuration

    Copy the Application ID, Redirect URI, and optional claim information from your Capella realm to your Entra ID configuration. You need to have both Capella and Entra ID open in your browser.

    1. In Capella, show the Realm Summary for the realm you created for this configuration.

      1. Click Settings  SSO.

      2. In the realm listing, click the down arrow to show the Realm Summary.

    2. Add the Application ID URL to Entra ID:

      1. In Capella, copy the Entity ID field.

      2. In Entra ID, on the Overview page of the registered application, click Add an Application ID URI.

      3. Click Set.

      4. In the Set the App ID URI dialog box, paste the Entity ID field you copied from Capella.

      5. Click Save.

    3. Add the Redirect URI to Entra ID:

      1. In Capella, copy the Callback URL field.

      2. In Entra ID, on the Overview page of the registered application, click Add a Redirect URI.

      3. Click Add a platform.

      4. In the Configure platforms flyout, click Single-page application.

      5. In the Configure single-page application flyout, paste the Callback URL into the Redirect URIs field.

      6. Select ID tokens (used for implicit and hybrid flows).

      7. Click Configure.

    4. Add optional claims to Entra ID:

      1. In Entra ID, click Token configuration.

      2. Click Add groups claim.

      3. In the Edit groups claim flyout, select all the group types.

      4. Click Add.

      5. On the Optional claims page, click Add optional claim.

      6. In the Add optional claim flyout, choose the SAML option.

      7. Select the email claim.

      8. Click Add.

      9. In the dialog box, select Turn on the Microsoft Graph email permission.

      10. Click Add.

    5. Assign users to the application.

      1. Add the users and groups whose members need access to Couchbase Capella.

        See Quickstart: Create and assign a user account in the Azure documentation for more detail.

    To configure federated and SSO authentication using OIDC with Entra ID as your identity provider (IdP), you must complete three procedures in the following order:

    1. In Entra ID, register an application

    2. In Capella, create a realm

    3. In Entra ID, complete the configuration

    Register an Application

    Start by registering an application with Entra ID. You need information from your registered application to create a realm in Capella.

    1. Sign in to the Microsoft Entra admin center.

    2. Click Identity  Applications  App registrations.

    3. Click New registration.

    4. Configure the basic settings:

      • Name: Enter a meaningful display name for this application.

      • Supported account types: Choose who can use this application. Typically, this is the default option—​Accounts in this organizational directory only.

      • Redirect URI: Leave empty for now—​you’ll add this later.

    5. Click Register.

    Create a Realm in Capella

    With an application registered with Entra ID, you need to create a realm in Capella. To create a realm, you need some information from Entra ID.

    1. In Capella, click Settings  SSO.

    2. Click Create Realm  OpenID Connect.

    3. Add the OpenID Connect Discovery URL to your realm configuration.

      1. In Entra ID, on your new app’s Overview page, click Endpoints

      2. On the Endpoints flyout, copy the OpenID Connect metadata document field.

      3. In Capella, paste the URL into the OpenID Connect Discovery URL field.

    4. Add the Client ID to your realm configuration.

      1. In Entra ID, on your new app’s Overview page, copy the Application (client) ID.

      2. In Capella, paste the Client ID into the Client ID field.

    5. Create and add the Client Secret to your realm configuration.

      The secret is only shown once. You must copy it at the time of creation. If you forget to copy the secret value, you must create a new one.

      1. In Entra ID, on your new app’s Overview page, click Add a certificate or secret.

      2. Click New client secret.

      3. Enter an optional description and choose the expiration time frame.

      4. Click Add.

      5. Copy the secret Value.

      6. In Capella, paste the Value into the Client Secret field.

    6. Configure scopes:

      Scopes determine which user information Capella requests from your identity provider. The openid, email, and profile scopes are automatically included in the realm by default, so you do not need to add them.

      When adding additional scopes, separate each entry with a space.

    7. Configure a default team and group mapping.

      1. Choose a default team.

        Capella automatically assigns users to the chosen default team when they do not match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        For more information, see Map User Roles.

      2. Choose to turn on or off group mapping.

        Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group.

        If you do not use group mapping, Capella uses the default team to give SSO users their roles when they first sign in. Without group mapping, you must manage your users' organization roles using the People tab and project roles using each project’s Collaborators tab.

    8. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the a realm name after you create the realm. For more information, see Change the Realm Name.
    Complete the Entra ID Configuration

    Copy the Application ID, Redirect URI, and optional claim information from your Capella realm to your Entra ID configuration. You need to have both Capella and Entra ID open in your browser.

    1. In Capella, show the Realm Summary for the realm you created for this configuration.

      1. Click Settings  SSO.

      2. In the realm listing, click the down arrow to show the Realm Summary.

    2. Add the Redirect URI to Entra ID:

      1. In Capella, copy the Callback URL field.

      2. In Entra ID, on the Overview page of the registered application, click Add a Redirect URI.

      3. Click Add a platform.

      4. In the Configure platforms flyout, click Web.

      5. Paste the Callback URL into the Redirect URIs field.

      6. Select ID tokens (used for implicit and hybrid flows).

      7. Click Configure.

    3. Add optional claims to Entra ID:

      1. In Entra ID, click Token configuration.

      2. Click Add groups claim.

      3. In the Edit groups claim flyout, select all of the group types:

        • Security groups

        • Directory roles

        • All groups

        • Groups assigned to the application

      4. Click Add.

      5. On the Optional claims page, click Add optional claim.

      6. In the Add optional claim flyout, choose the ID token type and select the following claims:

        • email

        • family_name

        • given_name

      7. Click Add.

      8. In the dialog box, select Turn on the Microsoft Graph email permission and click Add.

    4. Assign users to the application.

      1. Add the users and groups whose members need access to Couchbase Capella.

        See Quickstart: Create and assign a user account in the Azure documentation for more detail.

    Next Steps