Capella UI Authentication

    Couchbase Capella supports federated authentication with Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for the Capella UI.

    This page covers the following authentication options for the Capella UI: Single Sign-On (SSO) authentication and Multi-Factor Authentication (MFA).

    These authentication methods apply only to the Capella UI. They do not affect programmatic access to Capella, which requires Cluster Access Credentials, Access Control Accounts, or Management API Keys depending on your use case.

    Single Sign-On (SSO) Authentication

    By configuring Capella to work with your existing identity provider (IdP), users in your organization can access the Capella UI using SSO authentication.

    As part of your company’s existing security infrastructure, SSO provides the following advantages:

    • Your company’s IdP manages Capella users, not Couchbase. This means your administrators can onboard, offboard, and manage Capella users with existing workflows.

    • All supported IdPs provide their own built-in multi-factor authentication (MFA).

    • Your users can use Capella without needing to remember another set of credentials.

    Capella SSO integration supports both the Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC) protocols.

    Configuration Requirements

    To set up and use SSO authentication in Capella, you need the following:

    Paid account

    You need a paid Support Plan to enable single sign-on (SSO) authentication. SSO is not available to free tier accounts. To upgrade to a paid Support Plan, see Upgrade to a Paid Account.

    Identity Provider (IdP)

    While you can configure Capella with any SAML 2.0 or OIDC compliant identity provider, Couchbase provides support for the following IdPs:

    Realm

    A realm in Capella manages the configuration linking your Capella organization with your IdP. Each organization can support one realm.

    Only users with the Organization Owner role can create, manage, and view realms.

    Team

    Use teams to map user groups from your IdP to permission sets in Capella. When you create a realm, Capella creates a default "My First Team" with no pre-existing role mapping. Each organization can support multiple teams, and you can assign users to one or more teams.

    Only users with the Organization Owner role can create and manage teams. Every user in an organization can view team information.

    What To Expect After You Enable SSO

    When you add SSO authentication to your organization:

    • Capella turns off Capella MFA for all SSO users in the organization, who can then use the MFA provided by the IdP. Non-SSO users can continue to use the Capella MFA.

    • SSO users within the organization cannot change their name or email, or set a password.

    • Capella adds each SSO user to the default team ("My First Team") as they sign in, unless you specify another default team or create IdP group mappings. You cannot delete a realm’s configured default team.

    • If a realm has group mapping turned off, Capella uses the default team to initially assign SSO users their roles. After SSO users sign in, you can manage their organization roles using the People tab and manage project access using each project’s Collaborators tab.

    • Capella supports service provider-initiated (SP-initiated) authentication only. Capella does not support identity provider-initiated (IdP-initiated) sign-in, where there’s a sign-in request through the SSO page of the IdP.
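
What SP-initiated-only sign-in means at the SAML 2.0 protocol level, as an added example that is not Couchbase code and not part of the original page: a service provider records each AuthnRequest ID it issues and rejects any response whose InResponseTo is missing or unknown. The class and function names are hypothetical, the messages are constructed, and signature verification is assumed to happen in a separate step.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class SpSession:
    """Tracks AuthnRequest IDs issued by the SP (hypothetical helper)."""

    def __init__(self):
        self._pending = set()

    def start_login(self):
        # SP-initiated flow: the SP creates the request ID and remembers it.
        request_id = "_" + secrets.token_hex(16)
        self._pending.add(request_id)
        return request_id

    def accept_response(self, response_xml):
        # Assumption: the XML signature was already verified and a hardened
        # XML parser is used in production; both are out of scope here.
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return "reject: not a SAML Response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            return "reject: unsolicited (IdP-initiated) response"
        if in_response_to not in self._pending:
            return "reject: unknown or already used request ID"
        self._pending.discard(in_response_to)  # each request ID is one-time use
        return "accept"

def build_response(in_response_to=None):
    # Constructed sample message, not captured from a real IdP.
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}/>'

def demo():
    sp = SpSession()
    rid = sp.start_login()
    return [
        sp.accept_response(build_response()),           # IdP-initiated
        sp.accept_response(build_response("_forged")),  # ID never issued by SP
        sp.accept_response(build_response(rid)),        # SP-initiated
        sp.accept_response(build_response(rid)),        # replay of same ID
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

For OIDC realms, the `state` and `nonce` parameters play the same correlating role.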

    Multi-Factor Authentication (MFA)

    Any non-SSO user within your organization can use Capella’s MFA. MFA improves your Capella account security by requiring two credentials to sign in: your password and a time-based one-time password (TOTP).

    To turn on MFA for your account, see Manage Multi-Factor Authentication (MFA).