{"id":15596,"date":"2024-04-17T11:11:55","date_gmt":"2024-04-17T18:11:55","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=15596"},"modified":"2025-06-13T19:26:07","modified_gmt":"2025-06-14T02:26:07","slug":"saml-sso-with-couchbase-server","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/","title":{"rendered":"Getting Ready for SAML: Essential Preparations for Couchbase Server Integration"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In the evolving landscape of digital security, the integration of Couchbase with a Security Assertion Markup Language (SAML) Identity Provider (IdP) stands as a cornerstone for robust authentication mechanisms.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Why Should You Implement SSO with Couchbase Server?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Single Sign-On (SSO) integration with Couchbase Server offers several compelling advantages that make it a valuable addition to your database management strategy:<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Centralized User Management:<\/b><span style=\"font-weight: 400;\"> SSO simplifies user provisioning and de-provisioning by centralizing user accounts within your Identity Provider (IdP). This means you can effortlessly manage user access to Couchbase Server and other applications from a single location, enhancing efficiency and security.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Multi-Factor Authentication (MFA):<\/b><span style=\"font-weight: 400;\"> SSO servers often include support for MFA, an essential security feature. 
By requiring multiple forms of authentication, such as a password and a one-time code sent to a mobile device, you significantly increase the protection of your Couchbase Server UI.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Reduced Credential Management:<\/b><span style=\"font-weight: 400;\"> Implementing SSO eliminates the need for users to remember multiple usernames and passwords. This not only simplifies their experience but also reduces the risk of password-related security breaches.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In summary, SSO with Couchbase Server offers a powerful solution for centralized user management, enhanced security through MFA, and a simplified user experience with fewer credentials to manage. These benefits combine to streamline access control and enhance the overall security posture of your Couchbase Server environment.<\/p>\n<p><span style=\"font-weight: 400;\">This article serves as an introductory guide to the fundamentals of SAML and its role in enabling secure, single sign-on (SSO) experiences. While this piece focuses on the general principles of SAML integration, a forthcoming article will delve into the specifics of integrating various IdPs with Couchbase server, offering a more tailored guide for implementation.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Overview of SAML Authentication<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Before we delve into the nitty-gritty of setting up an Identity server with Couchbase Server, it&#8217;s crucial to understand the underlying mechanism of SAML-based authentication. 
This will not only help you grasp the steps involved but also assist you in troubleshooting issues.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Key Terms<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Before we dive in, let&#8217;s clarify some key terms that we&#8217;ll be using throughout this guide:<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SAML<\/b><span style=\"font-weight: 400;\"> (Security Assertion Markup Language): An XML-based standard for exchanging authentication and authorization data between parties, in particular, between an Identity Provider and a Service Provider.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>IdP<\/b><span style=\"font-weight: 400;\"> (Identity Provider): A service that authenticates users and sends identity information to the Service Provider. Example IdPs include Okta, Auth0, MS Entra ID (Azure AD).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SP<\/b><span style=\"font-weight: 400;\"> (Service Provider): The service that the user wants to access, which trusts the IdP to authenticate users. 
Couchbase will act as the SP in this setup.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SSO<\/b><span style=\"font-weight: 400;\"> (Single Sign-On): A user authentication process that allows a user to access multiple services with a single set of credentials.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SAML Post<\/b><span style=\"font-weight: 400;\">: A SAML binding that allows for the transfer of SAML assertions within the body of an HTTP POST request.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SAML Redirect<\/b><span style=\"font-weight: 400;\">: A SAML binding that allows for the transfer of SAML assertions within the URL of an HTTP GET request.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">What is SAML?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between parties. 
In the context of this article, these parties are an Identity Provider (like Okta or MS Entra ID (Azure AD)) and a Service Provider (Couchbase).<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">How Does SAML Work?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Here&#8217;s a simplified flow of SAML-based SSO:<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>User Request<\/b><span style=\"font-weight: 400;\">: The user attempts to access the Couchbase UI (Service Provider).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Redirection<\/b><span style=\"font-weight: 400;\">: If the user is not already authenticated, the SP (Couchbase Server) redirects the user to the IdP for authentication using a SAML Request (XML).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Authentication<\/b><span style=\"font-weight: 400;\">: The IdP challenges the user for credentials (like a username and password). 
Once verified, the IdP generates a SAML assertion for the user.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Assertion Transfer:<\/b><span style=\"font-weight: 400;\"> The IdP sends this SAML assertion back to the SP (Couchbase Server) via an HTTP POST or a Redirect (SAML Response).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SP Verification:<\/b><span style=\"font-weight: 400;\"> The SP verifies the SAML assertion and, if valid, grants the user access to the Couchbase Server UI using the claims found in the SAML response it received from the IdP.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Components of a SAML Request<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Below is a simplified example of a SAML 2.0 Authentication Request (SAML <em>AuthnRequest<\/em>) that Couchbase might send to an Identity Provider:<\/span><\/p>\n<pre class=\"nums:false lang:default decode:true \">&lt;samlp:AuthnRequest\r\n\u00a0\u00a0\u00a0\u00a0xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\r\n\u00a0\u00a0\u00a0\u00a0xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"\r\n\u00a0\u00a0\u00a0\u00a0ID=\"id169641890989101756399586\"\r\n\u00a0\u00a0\u00a0\u00a0Version=\"2.0\"\r\n\u00a0\u00a0\u00a0\u00a0IssueInstant=\"2023-10-05T14:48:00Z\"\r\n\u00a0\u00a0\u00a0\u00a0Destination=\"https:\/\/identityprovider.example.com\/SSOService\"\r\n\u00a0\u00a0\u00a0\u00a0AssertionConsumerServiceURL=\"https:\/\/mycouchbase.example.com\/saml\/consume\"\r\n\u00a0\u00a0\u00a0\u00a0ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"&gt;\r\n\r\n\u00a0\u00a0\u00a0\u00a0&lt;saml:Issuer&gt;https:\/\/mycouchbase.example.com\/metadata&lt;\/saml:Issuer&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;samlp:NameIDPolicy\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0AllowCreate=\"true\" 
\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;ds:Signature xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:SignedInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:Reference URI=\"#id169641890989101756399586\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:Transforms&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:Transforms&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:DigestMethod 
Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:DigestValue&gt;...&lt;\/ds:DigestValue&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:Reference&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:SignedInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:SignatureValue&gt;...&lt;\/ds:SignatureValue&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:KeyInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:X509Data&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:X509Certificate&gt;...&lt;\/ds:X509Certificate&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:X509Data&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:KeyInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;\/ds:Signature&gt;\r\n&lt;\/samlp:AuthnRequest&gt;<\/pre>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>ID<\/b><span style=\"font-weight: 400;\">: A unique identifier for the request. This is used for tracking the SAML flow and for preventing replay attacks.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Version<\/b><span style=\"font-weight: 400;\">: Specifies the version of the SAML protocol being used, which is <em>2.0<\/em>\u00a0in this case.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>IssueInstant<\/b><span style=\"font-weight: 400;\">: The timestamp when the request was issued. It&#8217;s often in UTC and conforms to the ISO 8601 standard.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Destination<\/b><span style=\"font-weight: 400;\">: The URL of the Identity Provider&#8217;s Single Sign-On Service. 
This is where the <em>AuthnRequest<\/em> will be sent.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>AssertionConsumerServiceURL<\/b><span style=\"font-weight: 400;\">: The URL where the Identity Provider should send its response. This is an endpoint on Couchbase.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>ProtocolBinding<\/b><span style=\"font-weight: 400;\">: Specifies how the SAML assertion should be sent back to the Service Provider. In this example, it&#8217;s set to use the HTTP POST binding.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Issuer<\/b><span style=\"font-weight: 400;\">: This specifies the entity that generated the <em>AuthnRequest<\/em>. It usually corresponds to the<\/span><b> entity ID<\/b><span style=\"font-weight: 400;\"> of the Service Provider and is by default a URL where Couchbase\u2019s SAML metadata can be found.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>NameIDPolicy format<\/b><span style=\"font-weight: 400;\">: Specifies the format of the <em>NameID<\/em> to be returned. 
This is optional and if omitted, the IdP will use its default <em>NameID<\/em> format.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SignatureMethod: <\/b><span style=\"font-weight: 400;\">Specifies the algorithm used for the digital signature.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>X509Certificate<\/b><span style=\"font-weight: 400;\">: This element contains the X.509 public certificate that the recipient can use to validate the signature.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Components of a SAML Response<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Below is a simplified example of a SAML 2.0 Response (SAML <em>Response<\/em>) that an Identity Provider (IdP) might send back to Couchbase after authentication:<\/span><\/p>\n<p>&nbsp;<\/p>\n<pre class=\"nums:false lang:default decode:true \">&lt;samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ID=\"id352723298151130132106815994\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Version=\"2.0\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0InResponseTo=\"id169641890989101756399586\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0IssueInstant=\"2023-10-05T15:48:00Z\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Destination=\"https:\/\/couchbase.example.com\/ACS\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;ds:Signature 
xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:SignedInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:Reference URI=\"#id352723298151130132106815994\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:Transforms&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:Transforms&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:DigestValue&gt;...&lt;\/ds:DigestValue&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:Reference&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:SignedInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:SignatureValue&gt;...&lt;\/ds:SignatureValue&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:KeyInfo&gt;\r\n\u00a0 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:X509Data&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;ds:X509Certificate&gt;...&lt;\/ds:X509Certificate&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:X509Data&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/ds:KeyInfo&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;\/ds:Signature&gt;\r\n\r\n\u00a0\u00a0\u00a0\u00a0&lt;saml:Issuer&gt;https:\/\/identityprovider.example.com\/metadata&lt;\/saml:Issuer&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;samlp:Status&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"\/&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;\/samlp:Status&gt;\r\n\r\n\u00a0\u00a0\u00a0\u00a0&lt;saml:Assertion ID=\"_1234567890\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Version=\"2.0\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0IssueInstant=\"2023-10-05T15:48:00Z\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;saml:Issuer&gt;https:\/\/identityprovider.example.com\/metadata&lt;\/saml:Issuer&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;saml:Subject&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\"&gt;john.doe&lt;\/saml:NameID&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/saml:Subject&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;saml:Conditions 
NotBefore=\"2023-10-05T15:43:00Z\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0NotOnOrAfter=\"2023-10-05T15:53:00Z\"&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;saml:AudienceRestriction&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;saml:Audience&gt;https:\/\/couchbase.example.com\/metadata&lt;\/saml:Audience&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/saml:AudienceRestriction&gt;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/saml:Conditions&gt;\r\n\u00a0\u00a0\u00a0\u00a0&lt;\/saml:Assertion&gt;\r\n&lt;\/samlp:Response&gt;\r\n\r\n\r\n<\/pre>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>ID, Version, IssueInstant, Destination<\/b><span style=\"font-weight: 400;\">: These attributes serve the same purpose as in the <em>AuthnRequest<\/em>, but they are specific to this <em>Response<\/em> message.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Issuer<\/b><span style=\"font-weight: 400;\">: Specifies the entity that generated the SAML Response, the IDP in this case.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>StatusCode<\/b><span style=\"font-weight: 400;\">: <em>Success<\/em>\u00a0means the authentication was successful.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Subject<\/b><span style=\"font-weight: 400;\">: Describes the authenticated user.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Conditions<\/b><span style=\"font-weight: 400;\">: Specifies the conditions under which the assertion is valid.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Attribute Statements<\/b><span style=\"font-weight: 400;\">: Additional user attributes defined by the IdP or 
SP.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Signature<\/b><span style=\"font-weight: 400;\">: A digital signature to verify the integrity of the assertion.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">By understanding these fundamental concepts, you&#8217;ll be better equipped to configure SAML-based authentication between an Identity provider and Couchbase.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Troubleshooting and Common Issues<\/span><\/h2>\n<h3><span style=\"font-weight: 400;\">General Troubleshooting Steps<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Check Logs:<\/b><span style=\"font-weight: 400;\"> Both the Identity provider and Couchbase provide detailed logs that can offer insights into what might be going wrong. Always start by checking there.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use Debugging Tools:<\/b><span style=\"font-weight: 400;\"> Browser-based <\/span><a href=\"https:\/\/chrome.google.com\/webstore\/detail\/saml-tracer\/mpdajninpobndbfcldcmbpnnbhibjmch\"><span style=\"font-weight: 400;\">SAML debugging tools<\/span><\/a><span style=\"font-weight: 400;\"> can capture SAML requests and responses, making it easier to spot issues.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Test with a Single User:<\/b><span style=\"font-weight: 400;\"> Before rolling out any changes to all users, test the SAML SSO processes with a single, known user account to minimize impact.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Verify the SAMLRequest:<\/b><span style=\"font-weight: 400;\"> it&#8217;s also important to test the <\/span><b>SAML Request<\/b><span style=\"font-weight: 400;\"> that Couchbase sends to the Identity Provider (IdP). 
This ensures that the initial request for authentication is correctly formatted and includes all the necessary information. <\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">What to Check in the SAML Message:<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Issuer: The <em>&lt;saml:Issuer&gt;<\/em> element should match the Entity ID of Couchbase. This confirms that the request is coming from the expected SP.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">AssertionConsumerServiceURL: This attribute specifies where the IdP should send the SAML assertion after successful authentication. Make sure this matches the Assertion Consumer Service (ACS) URL you&#8217;ve configured in both the Identity Provider and Couchbase.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\">NameIDPolicy: The <em>&lt;samlp:NameIDPolicy&gt;<\/em> element specifies the format of the NameID to be returned. This should align with what you&#8217;ve configured in your Identity Provider and Couchbase.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\">ID and IssueInstant: The ID attribute is a unique identifier for the request, and IssueInstant specifies when the request was issued. These are often used for logging and debugging.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Verify the SAMLResponse<\/b><span style=\"font-weight: 400;\">: Check the SAML assertion that you receive in an HTTP POST request after successful authentication. 
<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">What to Check in the SAML Message:<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Issuer<\/b><span style=\"font-weight: 400;\">: The <em>&lt;saml:Issuer&gt;<\/em> element should match the value defined by your IdP. This confirms that the assertion is coming from the expected IdP.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>NameID<\/b><span style=\"font-weight: 400;\">: The <em>&lt;saml:NameID&gt;<\/em> element contains the username or email of the authenticated user. Ensure this matches what you expect and what you&#8217;ve configured in your IdP.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Conditions<\/b><span style=\"font-weight: 400;\">: The <em>&lt;saml:Conditions&gt;<\/em> element specifies the time window in which the assertion is valid. Make sure the NotBefore and NotOnOrAfter attributes are set correctly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>AttributeStatement<\/b><span style=\"font-weight: 400;\">: The<em> &lt;saml:AttributeStatement&gt;<\/em> element contains the user attributes. Verify that these match the attributes you&#8217;ve configured in your Identity Provider and Couchbase.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>email<\/b><span style=\"font-weight: 400;\">: Check that the email attribute is correctly passed and matches the user&#8217;s email.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Signature<\/b><span style=\"font-weight: 400;\">: While not shown in the sample, a valid SAML assertion should also include a digital signature that Couchbase can use to verify the integrity of the message. 
Make sure Couchbase is configured to check this signature against the public certificate provided by your Identity provider.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Common Issues and Solutions<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Invalid SAML Response<\/b><span style=\"font-weight: 400;\"> or Assertion<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symptom: Users are unable to log in, and an error message indicates an invalid SAML response or assertion.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Solution: Verify that the SAML response is correctly signed and that the certificate used for verification is up-to-date on both the IdP and SP sides.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Attribute Mismatch<\/b>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symptom: User attributes are not correctly displayed or used in Couchbase.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Solution: Double-check the attribute mapping configurations in both your IdP and Couchbase. 
Ensure that the attribute names match exactly.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Username cannot be extracted<\/b>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symptom: Unable to extract username from SAML assertion.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Solution: Make sure that the SAML Attribute NameFormat is Unspecified for the Username attribute.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>User not found<\/b>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symptom: Access denied for user: Insufficient Permissions<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Solution: Create an external user in Couchbase, as the user attempting to log in via the IdP cannot be found within the Couchbase system.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Time Skew<\/b>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symptom: SAML assertions are considered invalid, even though everything else seems to be configured correctly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Solution: Ensure that the system clocks on both the IdP and SP servers are synchronized. 
Time skew can invalidate otherwise perfectly valid assertions.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Logout Issues<\/b>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Symptom: Users are not logged out of either the SP or IdP during a Single Logout (SLO) operation.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Solution: Verify that the Single Logout Service (SLS) URLs are correctly configured in both the IdP and Couchbase. Also, ensure that both are set to use HTTP POST.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In summary, understanding the complexities of SAML is essential for anyone looking to strengthen the security of the Couchbase Server UI. This article serves as a foundational guide, examining SAML&#8217;s core elements and the technical nuances of crafting and interpreting SAML messages. Upcoming articles will specifically focus on the practical aspects of integrating Couchbase Server with various Identity Providers, including a detailed guide on integrating with Okta and Microsoft Entra ID (Azure AD).<\/span><\/p>\n<h4>Learn more about Couchbase<\/h4>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><a href=\"https:\/\/www.couchbase.com\/blog\/wp-admin\/post.php?post=15570&amp;action=edit\">Couchbase Server 7.6 Awesomeness Unleashed: The Top 10 Features Every SRE Must Know!<\/a><\/li>\n<li><a href=\"https:\/\/cloud.couchbase.com\/sign-up\">Capella DBaaS &#8211; sign up for a free trial<\/a><\/li>\n<li>Our approach to <a href=\"https:\/\/www.couchbase.com\/products\/security\/\">Enterprise-grade Data Security<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In the evolving landscape of digital security, the integration of Couchbase with a Security Assertion Markup Language (SAML) Identity Provider (IdP) stands as a cornerstone for 
robust authentication mechanisms. Why Should You Implement SSO with Couchbase Server? Single Sign-On (SSO) [&hellip;]<\/p>\n","protected":false},"author":84313,"featured_media":15597,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1815,1816,1813],"tags":[9945,9955,9954,9953,9917],"ppma_author":[9812],"class_list":["post-15596","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices-and-tutorials","category-couchbase-server","category-security","tag-couchbase-7-6","tag-mfa","tag-okta","tag-saml","tag-sso"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Getting Ready for SAML: Essential Preparations for Couchbase Server Integration - The Couchbase Blog<\/title>\n<meta name=\"description\" content=\"Integrate Single Sign-On with Couchbase Server for centralized user management, MFA, &amp; improved security. Discover SAML benefits for database access.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Getting Ready for SAML: Essential Preparations for Couchbase Server Integration\" \/>\n<meta property=\"og:description\" content=\"Integrate Single Sign-On with Couchbase Server for centralized user management, MFA, &amp; improved security. 
Discover SAML benefits for database access.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\" \/>\n<meta property=\"og:site_name\" content=\"The Couchbase Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-17T18:11:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-14T02:26:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/04\/image1-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Istvan Orban\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Istvan Orban\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\"},\"author\":{\"name\":\"Istvan Orban, Principal Product Manager\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/da80693db66ef61daaabe98bc56afc26\"},\"headline\":\"Getting Ready for SAML: Essential Preparations for Couchbase Server 
Integration\",\"datePublished\":\"2024-04-17T18:11:55+00:00\",\"dateModified\":\"2025-06-14T02:26:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\"},\"wordCount\":1793,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/04\/image1-1.png\",\"keywords\":[\"Couchbase 7.6\",\"MFA\",\"okta\",\"SAML\",\"SSO\"],\"articleSection\":[\"Best Practices and Tutorials\",\"Couchbase Server\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\",\"url\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\",\"name\":\"Getting Ready for SAML: Essential Preparations for Couchbase Server Integration - The Couchbase Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/04\/image1-1.png\",\"datePublished\":\"2024-04-17T18:11:55+00:00\",\"dateModified\":\"2025-06-14T02:26:07+00:00\",\"description\":\"Integrate Single Sign-On with Couchbase Server for centralized user management, MFA, & improved security. 
Discover SAML benefits for database access.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#primaryimage\",\"url\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/04\/image1-1.png\",\"contentUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/04\/image1-1.png\",\"width\":1024,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/saml-sso-with-couchbase-server\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.couchbase.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Getting Ready for SAML: Essential Preparations for Couchbase Server Integration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#website\",\"url\":\"https:\/\/www.couchbase.com\/blog\/\",\"name\":\"The Couchbase Blog\",\"description\":\"Couchbase, the NoSQL Database\",\"publisher\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.couchbase.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#organization\",\"name\":\"The Couchbase 
Blog\",\"url\":\"https:\/\/www.couchbase.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png\",\"contentUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png\",\"width\":218,\"height\":34,\"caption\":\"The Couchbase Blog\"},\"image\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/da80693db66ef61daaabe98bc56afc26\",\"name\":\"Istvan Orban, Principal Product Manager\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/image\/c873b4cba9199faca7f2d3db2f443f81\",\"url\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png\",\"contentUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png\",\"caption\":\"Istvan Orban, Principal Product Manager\"},\"description\":\"Istvan Orban is the Principal Product Manager for Couchbase and lives in the United Kingdom. Istvan has a wide range of experience as a Full stack Software Engineer, Team leader and Devops Engineer. His main focus is security and Single Sign On. Istvan has led several large scale projects of his 20 year professional career.\",\"url\":\"https:\/\/www.couchbase.com\/blog\/author\/istvanorban\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->",
"authors":[{"term_id":9812,"user_id":84313,"is_guest":0,"slug":"istvanorban","display_name":"Istvan Orban","avatar_url":{"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png","url2x":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png"},"author_category":"","last_name":"Orban","first_name":"Istvan","job_title":"","user_url":"","description":"Istvan Orban is the Principal Product Manager for Couchbase and lives in the United Kingdom. Istvan has a wide range of experience as a Full stack Software Engineer, Team leader and Devops Engineer. His main focus is security and Single Sign On. Istvan has led several large scale projects of his 20 year professional career."}],"_links":{"self":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/15596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/users\/84313"}],"replies":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/comments?post=15596"}],"version-history":[{"count":0,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/15596\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media\/15597"}],"wp:attachment":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media?parent=15596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/categories?post=15596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.couchbase.com\/
blog\/wp-json\/wp\/v2\/tags?post=15596"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=15596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}