Admins of Business and Enterprise workspaces can require users to authenticate to Dovetail using OpenID Connect (OIDC) SSO.
This page includes instructions for setting up SSO in your identity provider, including AD FS, Auth0, Azure Active Directory, Google Workspace and Okta.
This feature is only available on our Business and Enterprise plans. Business and Enterprise workspaces come with additional features and support to meet your organization's needs. Check out our pricing page for more information on Business and Enterprise plans.
The process for configuring SSO will depend on your specific identity provider. We've outlined the general process for implementing SSO below.
Set up SSO in your identity provider - Generate a Client ID, Client secret and Discovery URL in your chosen provider. In your provider, set the application's
Redirect URI or Callback URI to be
Open your Dovetail workspace to add the Client ID, Client secret and Discovery URL in ⚙️ Settings > Authentication > Authentication options.
Dovetail supports just-in-time (JIT) provisioning when domain-restricted sign-up is enabled for your SSO domain. With domain-restricted sign-up enabled, a user who signs in through SSO without an existing account automatically gets a new viewer account created for them.
If your identity provider supports custom JWT claims at a per-user level, you can optionally override the default viewer role they are first granted, on a per-product basis, by providing the key
with a value of either "MANAGER", "CONTRIBUTOR" or "VIEWER". Any other value is not a recognised role, so do not rely on it to grant elevated access.
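The relying-party side of the procedure above, as an added example that is not Dovetail's own code: it checks a discovery document against the URL it was fetched from, validates an ID token the way a relying party must before trusting any claim in it, and then applies the just-in-time provisioning rule (verified email domain, default viewer role, optional per-user role override). The claim name dovetail_role, the issuer https://idp.example.test, the client ID and secret, and the user data are all constructed for this example; the page does not reproduce the real claim key Dovetail reads. The token is signed with HS256 keyed on the client secret so the script runs offline (OIDC Core permits this for confidential clients); production identity providers normally use RS256 with the keys published at jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ROLES = {"MANAGER", "CONTRIBUTOR", "VIEWER"}   # values the page says the IdP may assert
ROLE_CLAIM = "dovetail_role"   # HYPOTHETICAL claim name; the page does not reproduce the real key
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_discovery(doc: dict, discovery_url: str) -> str:
    """Return the issuer after checking the discovery document agrees with the URL it
    came from; a document that names a foreign issuer must not be trusted."""
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("discovery URL must end with " + DISCOVERY_SUFFIX)
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != discovery_url[: -len(DISCOVERY_SUFFIX)].rstrip("/"):
        raise ValueError("issuer %r does not match discovery URL" % issuer)
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError(key + " missing or not https")
    return issuer


def sign_id_token(claims: dict, client_secret: str) -> str:
    """Mint an HS256 ID token keyed on the client secret (OIDC Core 10.1) so this runs
    offline; real IdPs normally use RS256 with the keys published at jwks_uri."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


def validate_id_token(token, issuer, client_id, client_secret, nonce, now=None):
    """Checks a relying party must make before trusting any claim in the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the algorithm: rejects alg=none and key confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(), (h + "." + b).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(b))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:   # binds the token to the login session that started it
        raise ValueError("nonce mismatch")
    return claims


def provision_user(claims: dict, verified_domains, existing_users: dict) -> dict:
    """Just-in-time provisioning as the page describes: an unknown user from a verified
    domain gets a viewer account unless the IdP asserts another allowed role."""
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("ID token has no email claim; check the user's mail attribute in the IdP")
    email = email.lower()
    if email.rsplit("@", 1)[1] not in {d.lower() for d in verified_domains}:
        raise ValueError("email domain is not a verified domain for this workspace")
    if email in existing_users:
        return {"email": email, "role": existing_users[email], "created": False}
    role = claims.get(ROLE_CLAIM, "VIEWER")
    if role not in ALLOWED_ROLES:
        role = "VIEWER"   # unknown values fall back to the least privileged role
    return {"email": email, "role": role, "created": True}


def demo() -> dict:
    """End-to-end run on constructed data: discovery check, token mint, validation, JIT."""
    discovery_url = "https://idp.example.test/.well-known/openid-configuration"   # constructed
    doc = {"issuer": "https://idp.example.test",
           "authorization_endpoint": "https://idp.example.test/authorize",
           "token_endpoint": "https://idp.example.test/token",
           "jwks_uri": "https://idp.example.test/keys"}
    issuer = check_discovery(doc, discovery_url)
    client_id, secret, nonce, now = "dovetail-client", "s3cret", "n-0S6_WzA2Mj", 1_700_000_000
    token = sign_id_token({"iss": issuer, "aud": client_id, "sub": "u1", "iat": now, "exp": now + 300,
                           "nonce": nonce, "email": "Alice@Example.test", ROLE_CLAIM: "CONTRIBUTOR"}, secret)
    claims = validate_id_token(token, issuer, client_id, secret, nonce, now=now)
    return provision_user(claims, ["example.test"], existing_users={})


if __name__ == "__main__":
    print(demo())
```

The two failures the Azure AD troubleshooting section at the end of this page describes (no email on the user, domain not verified) surface here as ValueErrors from provision_user, and a token whose alg header is not the pinned one is rejected before its signature is even examined. Run the file directly to see the provisioned viewer-or-overridden account for the constructed user.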
In AD FS Management, right-click on Application Groups and select Add Application Group.
On the Application Group Wizard, for the name enter Dovetail and under Standalone applications select the Server application template. Click Next.
Copy the Client Identifier value and keep a note of it; it is entered into Dovetail later.
For Redirect URI, add the following:
. Click Add. Click Next.
Check the box beside Generate a shared secret and copy the Secret; it is also entered into Dovetail and cannot be displayed again afterwards. Click Next twice, then Close.
Double-click on your newly created Application Group, click Add application and, under Standalone application, choose the Web API template. Click Next.
In Identifier, add the Client Identifier from step 3 and also add the URI
. Click Next.
For Choose an access control policy, select Permit everyone. Click Next. Permit everyone lets any account that can authenticate to AD FS obtain a token for Dovetail; if only some users should be able to sign in, choose a group-based policy such as Permit specific group instead, and keep in mind that Dovetail's verified email domains and just-in-time provisioning still apply on top of whatever AD FS permits.
For Permitted Scopes, select
. Click Next twice then Close.
Double click on the newly created Web API Application. Click on the Issuance Transform Rules tab. Click Add Rule.
For Claim rule template, choose Send LDAP Attributes as Claims. Click Next.
For Claims rule name: Email claims. Attribute store choose: Active Directory. LDAP Attribute choose: E-Mail-Addresses. Outgoing Claim Type:
. Click Finish.
Add another rule, this time for Claim rule template choose: Send Claims Using a Custom Rule. Click Next.
For Claim rule name: Skip userinfo. Custom rule:
Click Finish, then restart the AD FS service so the new settings take effect.
Follow the steps at the top of this article under Enable SSO in Dovetail to add the AD FS application's Discovery URL (
is the domain of the AD FS Issuer), Client ID and Client secret values.
Login to your Auth0 admin dashboard and click Applications.
Select Create Application, enter application name Dovetail, select Application type: Regular Web Applications and click Create.
Navigate to Settings and upload the Dovetail logo by pasting the following URL in Application Properties > Application Logo:
Navigate to Application URIs:
Insert the following URL within the Allowed Callback URLs section
Under Allowed Web Origins, input the following URL
Click Save Changes. The Dovetail application is now successfully set up in Auth0.
Follow the steps at the top of this article under Enable SSO in Dovetail to add Auth0's Discovery URL (
is the domain of the Auth0 application’s Issuer), Client ID and Client secret values.
Enable Microsoft as an authentication method by navigating to Settings > Authentication > Authentication methods.
From a new browser session, sign in to your workspace by pressing Continue with Microsoft.
If prompted, select Work or school account from the sign-in dialog.
Check Consent on behalf of your organization, and press Accept. Granting consent on behalf of the organization requires an Azure AD role that is allowed to grant tenant-wide admin consent (for example Global Administrator); a regular user cannot complete this step.
If these steps have been completed successfully, the Dovetail application will be automatically added to your Azure Active Directory, and can be found under Enterprise applications.
You don't need to enable or manually configure SSO through your Dovetail workspace. You only need to have Microsoft enabled as an authentication method.
Go to the Google API Console.
From the projects list, Create a new project.
Configure the project’s consent screen:
Click OAuth consent screen in the sidebar.
Select Internal, and click Create. Internal limits the OAuth client to accounts in your Google Workspace organization; do not select External for SSO, as that would let any Google account attempt to sign in.
Enter an Application name, and click Create.
Click Credentials in the sidebar.
Click Create credentials > OAuth client ID.
In Application type select Web application and enter a Name.
In Authorized redirect URIs, click Add URI and enter
Copy the Client ID and Client secret from the dialog that appears. The Dovetail application is now set up in Google Workspace.
Follow the steps at the top of this article under Enable SSO in Dovetail and add Google Workspace's Discovery URL (
), Client ID and Client secret values.
Users can authenticate to Dovetail using Okta SSO. This section explains how to generate the required values in Okta and how to add them to Dovetail. Instructions for installing the Dovetail Okta integration are in the Dovetail Okta integration article.
Log in to your Okta admin dashboard.
Click Applications, select Browse App Catalog and locate "Dovetail" in the Okta app catalog.
Select the Dovetail app and click Add integration.
Enter your Dovetail subdomain and click Done.
Once the app is installed, click Sign-on and select Edit.
Change Application username format from Okta username to Email and Save.
Follow the steps at the top of this article under Enable SSO in Dovetail and add Okta's Discovery URL (
replacing YOUR_OKTA_DOMAIN with the domain of the Okta application’s Issuer), Client ID and Client secret values.
In Okta > Assignments tab, you can now assign users and groups to Dovetail.
Below are some general errors that you or your users may see when logging in with Azure AD. If your error does not match any of the following, please reach out to us and we'll help.
This error is generally caused if your domain has not been added as a verified email domain. To resolve this, a workspace admin will need to enter it by opening ⚙️ Settings > Authentication > Verified email domains.
This error appears when Dovetail cannot validate specific user data provided by Azure, most commonly because the user has no email address set in your Azure Active Directory, so the ID token carries no email claim for Dovetail to match an account against.
To resolve this, your Azure Active Directory admin will need to:
Navigate to the Users section of your directory and select the user with the missing email.
Select Edit properties.
Navigate to Contact information.
Enter the user's email and press Save.