Capsule8 Console Docs

Configuring single sign-on

Organizations can use third-party authentication to control who accesses the Capsule8 Console.

OAuth Configuration


  • Find the Client ID and Client secret of an existing Okta application, or create a new application. This requires an Okta account with administrative privileges. Sign up for a free account at To create a new application:

    • From the developer dashboard, click Applications then Add Application.
    • Choose Web as the platform.
    • We use Okta’s default openId scope as well as the email scope.
  • Set CAPSULE8_CONSOLE_AUTH_OKTA_ID and CAPSULE8_CONSOLE_AUTH_OKTA_SECRET to the Client ID and Client secret of the application.


    To find the Okta “Issuer URI”:

    From the Okta dashboard, navigate to API > Authorization Servers.

  • Add the Capsule8 callback to the Login redirect URIs list in the Okta application.

    It should be in the format https://<base-domain>/sessions/okta/callback.


Use an existing Client, or create a new OAuth 2.0 Client by navigating to (with the correct Google account and project selected) and selecting the Credentials link. Click Create credentials to generate a new Client ID.

  • Set CAPSULE8_CONSOLE_AUTH_GOOGLE_KEY and CAPSULE8_CONSOLE_AUTH_GOOGLE_SECRET to the Client ID and Client secret of the application.

  • Add the Capsule8 callback to the Authorized redirect URIs list in the Google Client ID settings.

    It should be in the format https://<base-domain>/sessions/google/callback.

Verifying Configuration

When the required variables are set, the Capsule8 Console login screen will include the option to authenticate with a third-party provider.

Restricting access

Okta lets administrators restrict access to applications through rules. Similarly, Google lets administrators restrict an application to users in the organization:

By default, any successfully authenticated user can access the console. To restrict users by email domain, add the desired domain(s) to the whitelist. Separate multiple domains with a space.


LDAP Configuration

Note: The Capsule8 Console’s LDAP integration has only been tested and verified with OpenLDAP.


  • Set CAPSULE8_CONSOLE_AUTH_LDAP_HOSTNAME to the LDAP server address. For example "".
  • Set CAPSULE8_CONSOLE_AUTH_LDAP_BASE to an LDAP subtree where user searches can be run. For example "ou=Users,dc=my-company,dc=com".


  • Set CAPSULE8_CONSOLE_AUTH_LDAP_PORT to the LDAP server’s port, if not 389.
  • By default, we connect to the LDAP server over TLS. To disable TLS, set CAPSULE8_CONSOLE_AUTH_LDAP_USE_TLS to false; LDAP traffic to the server is then sent unencrypted.
  • If CAPSULE8_CONSOLE_AUTH_LDAP_ALLOWED_GROUPS is empty, all authenticated users will be able to access the Capsule8 Console. Setting it to a space-delimited list of allowed groups restricts access to users in those groups. Note: group restriction is only supported on LDAP installations using a memberOf overlay.
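
The following preflight check is an added example, not part of the Capsule8 Console or its documentation. It audits the OAuth and LDAP variables described above for half-configured providers, disabled TLS and unrestricted LDAP access. The function names, finding texts and sample values are constructed, and it assumes that CAPSULE8_CONSOLE_AUTH_LDAP_BASE is required whenever a hostname is set and that TLS is disabled only by the literal value false.

```python
# Variable names come from this page; finding texts, function names and the
# sample values are constructed for this example.
P = "CAPSULE8_CONSOLE_AUTH_"
OAUTH_PAIRS = {
    "okta": (P + "OKTA_ID", P + "OKTA_SECRET"),
    "google": (P + "GOOGLE_KEY", P + "GOOGLE_SECRET"),
}
SAMPLE_ENV = {  # constructed sample, not a real deployment
    P + "OKTA_ID": "constructed-client-id",
    P + "OKTA_SECRET": "constructed-client-secret",
    P + "GOOGLE_KEY": "constructed-client-id",  # secret deliberately missing
    P + "LDAP_HOSTNAME": "ldap.example.com",
    P + "LDAP_BASE": "ou=Users,dc=my-company,dc=com",
    P + "LDAP_USE_TLS": "false",
}


def callback_uri(base_domain, provider):
    """Redirect URI to register with the provider, in the documented format."""
    return f"https://{base_domain}/sessions/{provider}/callback"


def audit_sso_env(env, base_domain):
    """Return (severity, message) findings for a mapping of settings."""
    findings = []
    for provider, (id_var, secret_var) in OAUTH_PAIRS.items():
        has_id, has_secret = bool(env.get(id_var)), bool(env.get(secret_var))
        if has_id != has_secret:
            findings.append(("error", f"{provider}: set both {id_var} and {secret_var}"))
        elif has_id:
            findings.append(("info", f"{provider}: register {callback_uri(base_domain, provider)}"))
    if env.get(P + "LDAP_HOSTNAME"):
        if not env.get(P + "LDAP_BASE"):  # assumption: base is required with hostname
            findings.append(("error", f"ldap: {P}LDAP_BASE is not set"))
        port = env.get(P + "LDAP_PORT", "389")  # 389 is the documented default
        if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
            findings.append(("error", f"ldap: {P}LDAP_PORT={port!r} is not a valid port"))
        if env.get(P + "LDAP_USE_TLS", "").strip().lower() == "false":
            findings.append(("warn", "ldap: TLS disabled, LDAP traffic is unencrypted"))
        if not env.get(P + "LDAP_ALLOWED_GROUPS", "").split():
            findings.append(("warn", "ldap: no allowed groups, any authenticated user gets access"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sso_env(SAMPLE_ENV, "console.example.com"):
        print(f"{severity:5} {message}")
```

To audit a real deployment, pass `os.environ` (or the parsed settings file) in place of `SAMPLE_ENV`, together with the console's base domain.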