© Dovetail Research Pty. Ltd.


Configure single sign-on (SSO)

Last updated: 23 August 2023
Read time: 5 min

Admins of Business and Enterprise workspaces can require users to authenticate to Dovetail using OpenID Connect SSO.

This page includes instructions to set up SSO in your identity provider including AD FS, Auth0, Azure Active Directory, Google Workspace and Okta.


Business and Enterprise only

This feature is only available on our business and enterprise plans. Business and enterprise workspaces come with additional features and support to meet your organization’s needs. Check out our pricing page for more information on business and enterprise.


Set up SSO

The process for configuring SSO will depend on your specific identity provider. We've outlined the general process for implementing SSO below.

Create a new application

  • Set up SSO in your identity provider - You must generate a Client ID, Client secret and Discovery URL in your chosen provider. On your provider, set the application's 

    Redirect URI or Callback URI to be

Enable SSO in Dovetail

  • Open your Dovetail workspace to add the Client ID, Client secret and Discovery URL in ⚙️ Settings > Authentication > Authentication options.
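
Before pasting a Discovery URL into Dovetail, it helps to confirm that the document it serves is a well-formed OpenID Connect discovery document whose issuer matches the URL. The following is an added example, not Dovetail's code: idp.example.com and both sample documents are constructed, and the checks for the code response type and the email scope are assumptions about what the sign-in needs.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields OpenID Connect Discovery 1.0 marks REQUIRED when the code flow is used.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(discovery_url, metadata):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    for field in REQUIRED:
        if not metadata.get(field):
            problems.append("missing required field: " + field)
    # Issuer must equal the discovery URL minus the suffix (trailing slash ignored).
    issuer = metadata.get("issuer")
    if issuer and discovery_url.endswith(WELL_KNOWN):
        expected = discovery_url[: -len(WELL_KNOWN)]
        if issuer.rstrip("/") != expected.rstrip("/"):
            problems.append(f"issuer {issuer} does not match {expected}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(field)
        if value and urlsplit(value).scheme != "https":
            problems.append(field + " is not https")
    # Assumption: the relying party uses the code flow and needs an email claim.
    if "code" not in (metadata.get("response_types_supported") or []):
        problems.append("response type 'code' is not offered")
    scopes = metadata.get("scopes_supported")  # optional field, checked if present
    if scopes is not None and "email" not in scopes:
        problems.append("'email' scope is not offered")
    return problems

# Constructed sample documents (idp.example.com is a placeholder provider).
URL = "https://idp.example.com" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
}
BAD = dict(GOOD, issuer="https://login.example.net", jwks_uri="",
           token_endpoint="http://idp.example.com/oauth/token")
print(check_discovery(URL, BAD))
```

To check a real provider, fetch the JSON from your Discovery URL and pass the parsed dictionary as the second argument.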

Just-in-time provisioning

Dovetail supports just-in-time (JIT) provisioning when domain-restricted sign-up is enabled for your SSO domain. When domain-restricted sign-up is enabled, a user who tries to log in without an existing account will automatically have a new viewer account created for them.

If your identity provider supports custom JWT claims at a per-user level you can optionally override the default viewer role they are first granted on a per-product basis by providing the key

with a value of either "MANAGER", "CONTRIBUTOR", or "VIEWER".

Active Directory Federation Services (AD FS)

Create a new application in Azure

  1. In AD FS Management, right-click on Application Groups and select Add Application Group.

  2. On the Application Group Wizard, for the name enter Dovetail and under Standalone applications select the Server application template. Click Next.

  3. Copy the Client Identifier value. Keep a note of it as it will be inserted later into Dovetail.

  4. Add the following for Redirect URI: -
    . Click Add. Click Next.

  5. Check the box beside Generate a shared secret, copy the Secret as this will also be used in Dovetail. Click Next twice, then close.

  6. Double-click on your newly created Application Group, click Add application, under Standalone application choose the Web API template. Click Next.

  7. In Identifier add the Client Identifier from step 3, also add the URI
    . Click Next.

  8. For Choose an access control policy, select Permit everyone. Click Next.

  9. For Permitted Scopes, select

    . Click Next twice then Close.

  10. Double click on the newly created Web API Application. Click on the Issuance Transform Rules tab. Click Add Rule.

  11. For Claim rule template, choose Send LDAP Attributes as Claims. Click Next.

  12. For Claims rule name: Email claims. Attribute store choose: Active Directory. LDAP Attribute choose: E-Mail-Addresses. Outgoing Claim Type:

    . Click Finish.

  13. Add another rule, this time for Claim rule template choose: Send Claims Using a Custom Rule. Click Next.

  14. For Claim rule name: Skip userinfo. Custom rule

    => issue(Type = "skip_userinfo", Value = "true");

  15. Click Finish and restart the AD FS service to ensure all new settings are applied.

Enable SSO in Dovetail

  • Follow steps at the top of this article under Enable SSO in Dovetail to add AD FS application’s Discovery URL (

     is the domain of the AD FS Issuer), Client ID and Client secret values.


Auth0

Create a new application in Auth0

  1. Log in to your Auth0 admin dashboard and click Applications.

  2. Select Create Application, enter application name Dovetail, select Application type: Regular Web Applications and click Create.

  3. Navigate to Settings to upload the Dovetail logo by pasting the following URL within Application Properties > Application Logo:

  4. Navigate to Application URIs:

    1. Insert the following URL within the Allowed Callback URLs section

    2. Under Allowed Web Origins, input the following URL

  5. Click Save Changes. The Dovetail application is now successfully set up in Auth0.

Enable SSO in Dovetail

  • Follow steps at the top of this article under Enable SSO in Dovetail to add Auth0’s Discovery URL (


     is the domain of the Auth0 application’s Issuer), Client ID and Client secret values.

Azure Active Directory

  1. Enable Microsoft as an authentication method by navigating to Settings > Authentication > Authentication methods.

  2. From a new session in your browser, sign in to your workspace by pressing Continue with Microsoft.

  3. If prompted, select Work or school account from the sign in dialog.

  4. Check Consent on behalf of your organization, and press Accept.

If these steps have been completed successfully, the Dovetail application will be automatically added to your Azure Active Directory, and can be found under Enterprise applications.

Please note

You don't need to enable or manually configure SSO through your Dovetail workspace. You only need to have Microsoft enabled as an authentication method.

Google Workspace

Create a new application in Google Workspace

  1. Go to the Google API Console.

  2. From the projects list, Create a new project.

  3. Configure the project’s consent screen:

    1. Click OAuth consent screen in the sidebar.

    2. Select Internal, and click Create.

    3. Enter an Application name, and click Create.

  4. Create credentials

    1. Click Credentials in the sidebar.

    2. Click Create credentials > OAuth client ID.

    3. In Application type select Web application and enter a Name.

    4. In Authorized JavaScript origins, click Add URI and enter

    5. In Authorized redirect URIs, click Add URI and enter

    6. Click Create

    7. Copy your Client ID and secret in the dialog that appears. The Dovetail application is now successfully set up in G Suite.

Enable SSO in Dovetail


Okta

Users can authenticate to Dovetail using Okta SSO. Learn how to generate the required values from Okta and how to add these values to Dovetail. Instructions for installing the Dovetail Okta integration can be found at Dovetail Okta integration.

Create a new application in Okta

  1. Log in to your Okta admin dashboard.

  2. Click Applications, select Browse App Catalog and locate "Dovetail" in the Okta app catalog.

  3. Select the Dovetail app and click Add integration.

  4. Enter your Dovetail subdomain and click Done.

  5. Once the app is installed, click Sign-on and select Edit.

  6. Change Application username format from Okta username to Email and Save.

Enable SSO in Dovetail

  • Follow steps at the top of this article under Enable SSO in Dovetail and add Okta’s Discovery URL (

    replacing YOUR_OKTA_DOMAIN with the domain of the Okta application’s Issuer), Client ID and Client secret values.

  • In Okta > Assignments tab, you can now assign users and groups to Dovetail.


Troubleshooting Azure configuration

Below you will find some general errors that you or your users may see when trying to log in with Azure AD. If your error does not match any of the following, please reach out to us and we'll be able to help out!

Email not verified

This error generally occurs when your domain has not been added as a verified email domain. To resolve this, a workspace admin will need to enter it by opening ⚙️ Settings > Authentication > Verified email domains.

Invalid authentication details

This error appears when Dovetail cannot validate specific user data provided by Azure. Most commonly, this happens when there is no email assigned to the user in your Azure Active Directory.

To resolve this, your Azure Active Directory admin will need to:

  1. Navigate to the Users section of your directory and select the user with the missing email.

  2. Select Edit properties.

  3. Navigate to Contact information.

  4. Enter the user's email and press Save.
