Join thousands of product people at Insight Out Conf on April 11. Register free.

Learn
Help docs
Get in touch

Go to app
Log inTry for free

Product

InsightsAnalysisAutomationIntegrationsEnterprisePricingLog in

Company

About us
Careers9
Legal

© Dovetail Research Pty. Ltd.

TermsPrivacy Policy
Help centerBusiness and EnterpriseArticle

Configure single sign-on (SSO)

Last updated16 February 2024
Read time6 min

Admins of Business and Enterprise workspaces can force users to authenticate to Dovetail using OpenID Connect SSO.

This page includes instructions to set up SSO in your identity provider including AD FS, Auth0, Azure Active Directory, Google Workspace, and also Okta.


Table of contents


Business and Enterprise only

This feature is only available on Business and Enterprise plans. Check out our pricing page for more information.

Pricing page

Set up SSO

The process for configuring SSO will depend on your specific identity provider. We've outlined the general process for implementing SSO below.

Create a new application

  • Set up SSO in your identity provider - You must generate a Client ID, Client secret, and Discovery URL in your chosen provider. On your provider, set the application's 

    Redirect URI or Callback URI to be 

    https://dovetailapp.com/users/oauth2/callback

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret, and Discovery URL in ⚙️ Settings > Authentication > Authentication options.


Just-in-time provisioning

Dovetail supports just-in-time (JIT) provisioning when domain-restricted sign up is enabled for your SSO domain. When domain-restricted sign-up is enabled, a user that tries to log in when they don't have an account will automatically have a new viewer account created for them.

If your identity provider supports custom JWT claims at a per-user level you can optionally override the default viewer role they are first granted on a per-product basis by providing the key

default_dovetail_role
with a values of either "MANAGER", "CONTRIBUTOR", OR "VIEWER".


Active Directory Federation Services (AD FS)

Create a new application in Azure

  1. In AD FS Management, right-click on Application Groups and select Add Application Group.

  2. On the Application Group Wizard, for the name enter Dovetail and under Standalone applications select the Server application template. Click Next.

  3. Copy the Client Identifier value. Keep a note of it as it will be inserted later into Dovetail.

  4. Add the following for Redirect URI: -

    https://dovetailapp.com/users/oauth2/callback
    . Click Add. Click Next.

  5. Check the box beside Generate a shared secret, copy the Secret as this will also be used in Dovetail. Click Next twice, then close.

  6. Double-click on your newly created Application Group, click Add application, under Standalone application choose the Web API template. Click Next.

  7. In Identifier add the Client Identifier from step 3, also add the URI

    https://dovetailapp.com
    . Click Next.

  8. For Choose an access control policy, select Permit everyone. Click Next

  9. For Permitted Scopes, select

    allattclaims
    and
    openid
    . Click Next twice then Close.

  10. Double click on the newly created Web API Application. Click on the Issuance Transform Rules tab. Click Add Rule.

  11. For Claim rule template, choose Send LDAP Attributes as Claims. Click Next.

  12. For Claims rule name: Email claims. Attribute store choose: Active Directory. LDAP Attribute choose: E-Mail-Addresses. Outgoing Claim Type:

    email
    . Click Finish.

  13. Add another rule, this time for Claim rule template choose: Send Claims Using a Custom Rule. Click Next.

  14. For Claim rule name: Skip userinfo. Custom rule

    => issue(Type = "skip_userinfo", Value = "true");

  15. Click Finish and restart the AD FS service to ensure all new settings are applied.

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret, and Discovery URL in ⚙️ Settings > Authentication > Authentication options.

    • For this, add AD FS application’s Discovery URL (

      https://YOUR_ADFS_DOMAIN/adfs/.well-known/openid-configuration
       where 
      YOUR_ADFS_DOMAIN
       is the domain of the AD FS Issuer), Client ID and Client secret values.


Auth0

Create a new application in Auth0

  1. Login to your Auth0 admin dashboard and click Applications.

  2. Select Create Application, enter application name Dovetail, select Application type: Regular Web Applications and click Create.

  3. Navigate to Settings to upload Dovetail logo by pasting the following URL within Application Properties > Application Logo :

    https://static-assets.dovetailapp.com/logotype.png

  4. Navigate to Application URIs:

    1. Insert the following URL within the Allowed Callback URLs section

      https://dovetailapp.com/users/oauth2/callback

    2. Under Allowed Web Origins, input the following URL

      https://dovetailapp.com/

  5. Click Save Changes. The Dovetail application is now successfully set up in Auth0.

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret, and Discovery URL in ⚙️ Settings > Authentication > Authentication options.

    • For this, add Auth0’s Discovery URL (

      https://YOUR_AUTH0_DOMAIN/.well-known/openid-configuration
      where 

      YOUR_AUTH0_DOMAIN
       is the domain of the Auth0 application’s Issuer), Client ID, and Client secret values.


Azure Active Directory

  1. Enable Microsoft as an authentication method by navigating to Settings > Authentication > Authentication methods.

  2. From a new session in your browser, sign in to your workspace by pressing Continue with Microsoft.

  3. If prompted, select Work or school account from the sign in dialog.

  4. Check Consent on behalf of your organization, and press Accept.

If these steps have been completed successfully, the Dovetail application will be automatically added to your Azure Active Directory, and can be found under Enterprise applications.

Please note

You don't need to enable or manually configure SSO through your Dovetail workspace. You only need to have Microsoft enabled as an authentication method.


Google Workspace

Create a new application in Google Workspace

  1. Go to the Google API Console.

  2. From the projects list, Create a new project.

  3. Configure the project’s consent screen:

    1. Click OAuth consent screen in the sidebar.

    2. Select Internal, and click Create.

    3. Enter an Application name, and click Create.

  4. Create credentials

    1. Click Credentials in the sidebar.

    2. Click Create credentials > OAuth client ID.

    3. In Application type select Web application and enter a Name.

    4. In Authorized JavaScript origins, click Add URI and enter

      https://dovetailapp.com
      .

    5. In Authorized redirect URIs, click Add URI and enter

      https://dovetailapp.com/users/oauth2/callback
      .

    6. Click Create

    7. Copy your Client ID and secret in the dialog that appears. The Dovetail application is now successfully set up in G Suite.

Enable SSO in Dovetail


Okta

Users can authenticate to Dovetail using Okta SSO. Learn how to generate required values from Okta and how to add these values to Dovetail. Installing the Dovetail Okta integration can be found at Dovetail Okta integration.

Create a new application in Okta

  1. Login to your Okta admin dashboard

  2. Click Applications, select Browse App Catalog, and locate "Dovetail" in the Okta app catalog.

  3. Select the Dovetail app and click Add integration.

  4. Enter your Dovetail subdomain and click Done.

  5. Once the app is installed, click Sign-on and select Edit.

  6. Change Application username format from Okta username to Email and Save.

  7. Navigate to Okta > Assignments tab and assign users and groups to Dovetail.

Enable SSO in Dovetail

  • For this, add Okta’s Discovery URL (

    https://YOUR_OKTA_DOMAIN/.well-known/openid-configuration
    replacing YOUR_OKTA_DOMAIN with the domain of the Okta application’s Issuer), Client ID and Client secret values.

For example

If your Okta dashboard URL is dovetail.okta.com, you would enter https://dovetail.okta.com/.well-known/openid-configuration

FAQs


Troubleshooting Azure configuration

Below you will find some general errors that you or your users may see when trying to log in with Azure AD. If your error does not match any of the following, please reach out to us and we'll be able to help out!

Email not verified

This error is generally caused if your domain has not been added as a verified email domain. To resolve this, a workspace admin will need to enter it by opening ⚙️ Settings > Authentication > Verified email domains.

Invalid authentication details

This error appears when Dovetail cannot validate specific user data provided by Azure. Most commonly, when there is no email assigned to the user in your Azure Active Directory.

To resolve this, your Azure Active Directory admin will need to:

  1. Navigate to the Users section of your directory and select the user with the missing email.

  2. Select Edit properties.

  3. Navigate to Contact information.

  4. Enter the user's email and press Save.

Give us feedback

Was this article useful?


Next article

Authentication settings

Authentication settings

Streamline and manage authentication in Dovetail.

Last updated8 December 2023
Read time1 min

Your customer insights hub

Turn data into actionable insights. Bring your customer into every decision.

Try for free

Product

InsightsAnalysisAutomationIntegrationsEnterprisePricingLog in

Company

About us
Careers9
Legal

© Dovetail Research Pty. Ltd.
TermsPrivacy Policy

Log in or sign up

Get started with a free trial


or


By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy