Set Up Capella SSO Using Google Workspace

    Configure Single Sign-On (SSO) between Google Workspace and Couchbase Capella to allow your organization’s users to authenticate securely without managing separate credentials. This integration enables streamlined access management while maintaining enterprise-grade security.

    Prerequisites

    To configure Google Workspace as an IdP, you need:

    Procedure

    Choose the tab for your preferred authentication protocol.

    • SAML

    • OIDC

    To configure federated and SSO authentication using SAML with Google as your identity provider (IdP), you must complete three procedures in the following order:


    Add a custom SAML app in Google Workspace

    Start by adding an app for Capella in the Google Cloud Console. You need information resulting from this step to create a realm in Capella.

    1. In the Google Cloud Console, click Apps > Web and mobile apps.

    2. Click Add app > Add custom SAML app.

    3. Complete these fields:

      • App Name: Enter the display name for this app.

      • (Optional) Description: Add a description of the application.

      • (Optional) App Icon: Add the Capella logo.

    4. Click Continue.

      Leave this new page open as you need its information for the next step.

    Create a Realm in Capella

    Create a realm in Capella using information from Google.

    1. In the Capella UI, click Settings > SSO.

    2. Click Create Realm > SAML.

    3. Complete the Create Realm page:

      1. Copy the following configuration details from Google into Capella:

        Google Field      Capella Field
        Certificate       SAML Signing Certificate
        SSO URL           Sign-in Endpoint URL

      2. Verify that the remaining SAML protocol settings are as follows:

        Field                    Value
        Signature Algorithm      RSA-SHA256
        Digest Algorithm         SHA256
        SAML Protocol Binding    HTTP-POST

      3. Choose a default team.

        Capella automatically assigns users to the chosen default team when they do not match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        For more information, see Map User Roles.

      4. Choose to turn on or off group mapping.

        Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group.

        If you do not use group mapping, Capella uses the default team to give SSO users their roles when they first sign in. Without group mapping, you must manage your users' organization roles using the People tab and project roles using each project’s Collaborators tab.

    4. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm. For more information, see Change the Realm Name.

    Complete the configuration in Google Workspace

    Now that you have created the realm, you must finish configuring the custom SAML app in Google.

    1. Return to the Google Cloud Console and, on the Add custom SAML app setup page, click Continue.

    2. Copy and paste the following fields from your Capella realm configuration into the Google custom SAML app setup:

      To find this information for your organization’s Capella realm, open the Settings > SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.

      Capella Field    Google Field
      Callback URL     ACS URL
      Entity ID        Entity ID

    3. In the Google Cloud Console, click Continue.

    4. Add the following attributes:

      Google Directory attributes    App attributes
      Primary email                  email
      First name                     given_name
      Last name                      family_name

    5. Add group membership.

      Google groups                               App attribute
      Relevant Google groups, such as admins.     Groups

    6. Click Finish.

      A page for the new custom SAML web app automatically loads with its configuration details.

    7. Turn on the SAML web app for everyone:

      To turn on the service for an organizational unit or user group, see Google Workspace Admin Help.

      1. Click User access.

      2. Click On for everyone.

      3. Click Save.

        It may take a few minutes for these changes to apply.

    To configure federated and SSO authentication using OIDC with Google as your identity provider (IdP), you must complete three procedures in the following order:


    Add a new OAuth client configuration

    Start by adding an OAuth client configuration for Capella in the Google Cloud Console. You need information from this step to create a realm in Capella.

    1. In the Google Cloud Console, create a new project.

    2. With the new project open, click APIs & Services > Credentials.

    3. Click Configure consent screen.

    4. Click Get started.

    5. Complete the App Information, Audience, Contact Information, and Finish sections of the consent screen configuration:

      • App name: Enter a meaningful app name.

      • User support email: Choose or add a contact email for questions about users' consent.

      • Audience: Choose the Internal audience type.

      • Contact information: Add a contact email for Google to notify you about changes to your project.

    6. Review the User Data Policy and click Continue.

    7. Click Create.

    8. Click Data Access > Add or remove scopes.

    9. Add the following scopes:

      • …​/auth/userinfo.email

      • …​/auth/userinfo.profile

      • openid

    10. Click Update.

    11. Click Save.

    12. Click Clients > Create Client and configure the OAuth client:

      • Application type: Select Web application.

      • Name: Enter a name for your Capella integration.

      • Authorized JavaScript origins: Leave empty.

      • Authorized redirect URIs: Leave empty for now; you add this later.

    13. Click Create.

      Your Client ID and Client Secret are shown. Keep this information secure as you’ll need it for the next step.

    Create a Realm in Capella

    With the OAuth client created in Google, you need to create a realm in Capella using its information.

    1. In Capella, click Settings > SSO.

    2. Click Create Realm > OpenID Connect.

    3. Copy the following information from your Google OAuth client to Capella:

      Google Field                                                                  Capella Field
      https://accounts.google.com/.well-known/openid-configuration (this is fixed)  OpenID Connect Discovery URL
      Client ID                                                                     Client ID
      Client secret                                                                 Client Secret

    4. Configure scopes:

      Scopes determine which user information Capella requests from your identity provider. The openid, email, and profile scopes are automatically included in the realm by default, so you do not need to add them.

      When adding additional scopes, separate each entry with a space.

    5. Configure a default team and group mapping.

      1. Choose a default team.

        Capella automatically assigns users to the chosen default team when they do not match any team based on their SSO groups. All users assigned to the default team have its chosen permission set.

        For more information, see Map User Roles.

      2. Choose to turn on or off group mapping.

        Group mapping allows you to assign roles to SSO users based on which teams map to their SSO group.

        If you do not use group mapping, Capella uses the default team to give SSO users their roles when they first sign in. Without group mapping, you must manage your users' organization roles using the People tab and project roles using each project’s Collaborators tab.

    6. Click Create Realm.

      Capella creates the new realm with an auto-generated name.

      Users need to know the realm name to sign in with SSO. You can change the realm name after you create the realm. For more information, see Change the Realm Name.

    Complete the configuration in Google Workspace

    Now that you have created the realm, you need to finish configuring the Google Workspace OAuth client.

    1. In the Google Cloud Console, open the OAuth client you created for Capella.

    2. Copy the following field from your Capella realm configuration to the Google OAuth client configuration:

      To find this information for your organization’s Capella realm, open the Settings > SSO page. Listed on this page is the realm you just created with an auto-generated name. Click its listing to open the realm information page.

      Capella Field    Google Field
      Callback URL     Authorized redirect URIs

    3. Click Save.
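As an added example (not from the Capella documentation or Google's tooling), this Python check validates the pieces the OIDC procedure wires together: the discovery document's issuer and endpoints, that the Capella Callback URL appears verbatim among the OAuth client's Authorized redirect URIs, and that any additional scopes are space-separated, not already among the openid/email/profile defaults, and advertised by the provider. The discovery excerpt is a constructed sample and the callback URL is a placeholder.

```python
import json

DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"
DEFAULT_SCOPES = {"openid", "email", "profile"}  # included in every Capella realm by default
# Placeholder: copy the real Callback URL from the realm information page in Capella.
CAPELLA_CALLBACK_URL = "https://capella.example/sso/oidc/callback"

# Constructed sample in the shape of a discovery document; compare with the live document.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
})


def check_oidc_setup(discovery_json: str, authorized_redirect_uris: list[str],
                     callback_url: str, extra_scopes: str = "") -> list[str]:
    """Return findings for the realm/client pairing; [] means the pieces line up."""
    doc = json.loads(discovery_json)
    findings = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            findings.append(f"discovery document has no https {key}")
    # OpenID Connect Discovery requires the issuer to equal the URL the document
    # was fetched from, minus the /.well-known/openid-configuration suffix.
    if doc.get("issuer") != DISCOVERY_URL.removesuffix("/.well-known/openid-configuration"):
        findings.append("issuer does not match the discovery URL")
    # OAuth redirect URIs are compared by exact string match: scheme, host, path
    # and trailing slash all matter, so paste the Capella value unchanged.
    if callback_url not in authorized_redirect_uris:
        findings.append("Capella callback URL is not an authorized redirect URI (exact match required)")
    if not callback_url.startswith("https://"):
        findings.append("callback URL must use https")
    # Additional scopes are entered space-separated in the realm configuration.
    requested = set(extra_scopes.split())
    if dup := requested & DEFAULT_SCOPES:
        findings.append(f"scopes already included by default: {sorted(dup)}")
    if unknown := requested - DEFAULT_SCOPES - set(doc.get("scopes_supported", [])):
        findings.append(f"scopes not advertised by the provider: {sorted(unknown)}")
    return findings


if __name__ == "__main__":
    print(check_oidc_setup(SAMPLE_DISCOVERY, [CAPELLA_CALLBACK_URL], CAPELLA_CALLBACK_URL)
          or "realm and OAuth client settings line up")
```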