Docs
New to Dovetail
Make sense of your data
Summarize and present
Organize your data
Share and collaborate
Settings
Enterprise admin
Billing and payment
Security
Legal and privacy
Courses
Getting started with projects
Advancing your analysis
Crafting shareable findings
Answering your questions
Enabling your team
Managing your insights hub
Resources
Webinars
Templates
Champions Slack
Import data
App StoreFrontGoogle CalendarGoogle DriveGoogle Play StoreIntercomMicrosoft OneDriveMicrosoft Outlook CalendarZendeskZoom
Share findings
Automate workflows
Changelog
Get Dovetail free
Go to app
Help centerEnterprise admin

Single sign-on (SSO)

👤 Who can use this feature

Available on Enterprise plans

Overview

Admins of Enterprise workspaces can force users to authenticate to Dovetail using OpenID Connect SSO.

This page includes instructions to set up SSO in your identity provider including AD FS, Auth0, Azure Active Directory, Google Workspace, and also Okta.

Set up SSO

The process for configuring SSO will depend on your specific identity provider. We've outlined the general process for implementing SSO below.

Create a new application

  • Set up SSO in your identity provider - You must generate a Client ID, Client secret, and Discovery URL in your chosen provider. On your provider, set the application's 

    Redirect URI or Callback URI to be https://dovetailapp.com/users/oauth2/callback

Enable SSO in Dovetail

Just-in-time provisioning

Dovetail supports just-in-time (JIT) provisioning when domain-restricted sign up is enabled for your SSO domain. When domain-restricted sign-up is enabled, a user that tries to log in when they don't have an account will automatically have a new viewer account created for them.

If your identity provider supports custom JWT claims at a per-user level you can optionally override the default viewer role they are first granted on a per-product basis by providing the key default_dovetail_role with a values of either "MANAGER", "CONTRIBUTOR", OR "VIEWER".

Active Directory Federation Services (AD FS)

Create a new application in Azure

  1. In AD FS Management, right-click on Application Groups and select Add Application Group.

  2. On the Application Group Wizard, for the name enter Dovetail and under Standalone applications select the Server application template. Click Next.

  3. Copy the Client Identifier value. Keep a note of it as it will be inserted later into Dovetail.

  4. Add the following for Redirect URI: - https://dovetailapp.com/users/oauth2/callback. Click Add. Click Next.

  5. Check the box beside Generate a shared secret, copy the Secret as this will also be used in Dovetail. Click Next twice, then close.

  6. Double-click on your newly created Application Group, click Add application, under Standalone application choose the Web API template. Click Next.

  7. In Identifier add the Client Identifier from step 3, also add the URI https://dovetailapp.com. Click Next.

  8. For Choose an access control policy, select Permit everyone. Click Next

  9. For Permitted Scopes, select allattclaims and openid. Click Next twice then Close.

  10. Double click on the newly created Web API Application. Click on the Issuance Transform Rules tab. Click Add Rule.

  11. For Claim rule template, choose Send LDAP Attributes as Claims. Click Next.

  12. For Claims rule name: Email claims. Attribute store choose: Active Directory. LDAP Attribute choose: E-Mail-Addresses. Outgoing Claim Type: email. Click Finish.

  13. Add another rule, this time for Claim rule template choose: Send Claims Using a Custom Rule. Click Next.

  14. For Claim rule name: Skip userinfo. Custom rule => issue(Type = "skip_userinfo", Value = "true");

  15. Click Finish and restart the AD FS service to ensure all new settings are applied.

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret, and Discovery URL in ⚙️ Settings > Authentication > Authentication options.

    • For this, add AD FS application’s Discovery URL (https://YOUR_ADFS_DOMAIN/adfs/.well-known/openid-configuration where  YOUR_ADFS_DOMAIN is the domain of the AD FS Issuer), Client ID and Client secret values.

Auth0

Create a new application in Auth0

  1. Login to your Auth0 admin dashboard and click Applications.

  2. Select Create Application, enter application name Dovetail, select Application type: Regular Web Applications and click Create.

  3. Navigate to Settings to upload Dovetail logo by pasting the following URL within Application Properties > Application Logo : https://static-assets.dovetailapp.com/logotype.png

  4. Navigate to Application URIs:

    1. Insert the following URL within the Allowed Callback URLs section

      https://dovetailapp.com/users/oauth2/callback

    2. Under Allowed Web Origins, input the following URL https://dovetailapp.com/

  5. Click Save Changes. The Dovetail application is now successfully set up in Auth0.

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret, and Discovery URL in ⚙️ Settings > Authentication > Authentication options.

    • For this, add Auth0’s Discovery URL (https://YOUR_AUTH0_DOMAIN/.well-known/openid-configuration where 

      YOUR_AUTH0_DOMAIN is the domain of the Auth0 application’s Issuer), Client ID, and Client secret values.

Microsoft Entra ID (Azure Active Directory)

  1. Enable Microsoft as an authentication method by navigating to Settings > Authentication > Authentication methods.

  2. From a new session in your browser, sign in to your workspace by pressing Continue with Microsoft.

  3. If prompted, select Work or school account from the sign in dialog.

  4. Check Consent on behalf of your organization, and press Accept.

If these steps have been completed successfully, the Dovetail application will be automatically added to your Entra/Azure Directory, and can be found under Enterprise applications.

Please note

You don't need to enable or manually configure SSO through your Dovetail workspace. You only need to have Microsoft enabled as an authentication method.

Google Workspace

Create a new application in Google Workspace

  1. Go to the Google API Console.

  2. From the projects list, Create a new project.

  3. Configure the project’s consent screen:

    1. Click OAuth consent screen in the sidebar.

    2. Select Internal, and click Create.

    3. Enter an Application name, and click Create.

  4. Create credentials

    1. Click Credentials in the sidebar.

    2. Click Create credentials > OAuth client ID.

    3. In Application type select Web application and enter a Name.

    4. In Authorized JavaScript origins, click Add URI and enter https://dovetailapp.com.

    5. In Authorized redirect URIs, click Add URI and enter https://dovetailapp.com/users/oauth2/callback.

    6. Click Create

    7. Copy your Client ID and secret in the dialog that appears. The Dovetail application is now successfully set up in G Suite.

Enable SSO in Dovetail

Okta

Users can authenticate to Dovetail using Okta SSO. Learn how to generate required values from Okta and how to add these values to Dovetail. Installing the Dovetail Okta integration can be found at Dovetail Okta integration.

Create a new application in Okta

  1. Login to your Okta admin dashboard

  2. Click Applications, select Browse App Catalog, and locate "Dovetail" in the Okta app catalog.

  3. Select the Dovetail app and click Add integration.

  4. Enter your Dovetail subdomain and click Done.

  5. Once the app is installed, click Sign-on and select Edit.

  6. Change Application username format from Okta username to Email and Save.

  7. Navigate to Okta > Assignments tab and assign users and groups to Dovetail.

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret, and Discovery URL in ⚙️ Settings > Authentication > Authentication options.

  • For this, add Okta’s Discovery URL (https://YOUR_OKTA_DOMAIN/.well-known/openid-configuration replacing YOUR_OKTA_DOMAIN with the domain of the Okta application’s Issuer), Client ID and Client secret values.

For example

If your Okta dashboard URL is dovetail.okta.com, you would enter https://dovetail.okta.com/.well-known/openid-configuration

FAQs

Troubleshooting Azure configuration

Below you will find some general errors that you or your users may see when trying to log in with Azure AD. If your error does not match any of the following, please reach out to us and we'll be able to help out!

Email not verified

This error is generally caused if your domain has not been added as a verified email domain. To resolve this, a workspace admin will need to enter it by opening ⚙️ Settings > Authentication > Verified email domains.

Invalid authentication details

This error appears when Dovetail cannot validate specific user data provided by Azure. Most commonly, when there is no email assigned to the user in your Azure Active Directory.

To resolve this, your Azure Active Directory admin will need to:

  1. Navigate to the Users section of your directory and select the user with the missing email.

  2. Select Edit properties.

  3. Navigate to Contact information.

  4. Enter the user's email and press Save.

Give us feedback

Was this article useful?

Last updated 11 December 2024

Next article

Authentication settings

Streamline and manage authentication in Dovetail.

Last updated: 3 February 2025

Log in or sign up

Get started for free

or

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy