As a Dovetail Admin, your role is to ensure your team can access the tools they need securely and efficiently. A robust authentication strategy is the foundation of a secure and scalable workspace. It reduces risk, saves administrative time, and provides a seamless experience for your users. In this lesson, you will learn how to integrate Dovetail with single sign-on (SSO) solutions to centralize user authentication and manage access at scale.

What authentication methods are available in Dovetail?

By default, a user can sign up and log in to a workspace with:
  • Password - Use email address and create password for log in.
  • Google - Use your Google account email address and password for log in for sign up and log in to Dovetail
  • Microsoft - Use your Microsoft account email address and password for sign up and log in to Dovetail.
Business and Enterprise workspaces have an additional authentication method available.
  • SSO via an identity provider - Use your identity provider for sign up and log in to Dovetail.
Admins of Enterprise workspaces can enforce which of these methods users can use to sign up and log in to their workspace by navigating to ⚙️ SettingsAuthentication .

Decide whether to enable automatic account creation

You want to encourage broad adoption of Dovetail so knowledge about your customer’s an be widely consumed, but you don’t want a manual approval bottleneck for every new user who just wants to view a project. At the same time, you can’t have an uncontrolled free-for-all. Workspace admins have the option to enable automatic account creation, which will allow anyone with an approved email domain to join your workspace when they create a Dovetail account. For example, if your organization has approved the email domain @acme.com, anyone that signs up to Dovetail with that domain can sign up as a viewer to that workspace.
  • If you haven’t already, enter an allowed email address domain under Domains.
  • From there, to enable automatic account creation, navigate to ⚙️ Settings → Authentication and toggle on or off Automatic account creation. Anyone who signs up to Dovetail with an email address that has an approved domain will be able to log into this workspace automatically as a viewer.
This provides the perfect middle ground. It guarantees that only people from your organization can join, maintaining a secure perimeter. By defaulting them to ‘viewer’ status, it empowers them to discover and consume research safely without creating administrative work for you. This fosters a culture of self-service and transparency while ensuring governance is maintained.

Set up SSO for your workspace

Managing separate passwords for each application is a major security risk (weak/reused passwords) and an administrative burden. Manually provisioning Dovetail accounts for new hires and, crucially, deprovisioning them for leavers, is time-consuming and prone to human error. A forgotten account is a significant security hole. There are three single sign-on options that you can enable for your workspace: your identity provider, Google workspace, and Microsoft. These all aim to solve three core admin challenges at once.

Enhanced security

  4. Eliminates weak, Dovetail-specific passwords and enforces your company’s central security policies (like MFA) on Dovetail access.

Automated provisioning

  3. User access is managed centrally. When an employee is deactivated in your IdP, their access to Dovetail is instantly and automatically revoked, closing the offboarding security gap.

Reduced overhead

  4. Removes password reset requests and automates the onboarding/offboarding lifecycle, freeing up valuable admin time.

With your identity provider

It is common for organizations to use an SSO identity provider (IdP) to centralize access control, consolidate apps, and streamline user management. Integrate Dovetail with your company’s Identity Provider (IdP) and enforce it as the sole method of authentication. If you are currently using SSO at your organization, learn how to activate SSO for your Dovetail workspace. Once activated, you can enforce SSO as the only log in method for all users.
  • To do this, open ⚙️ Settings → Authentication.
  • First, ensure your organization’s email domain is added under Allowed email address domains.
  • From there, navigate to Authentication methods and toggle off Password, Google and Microsoft while leaving SSO via identity provider toggled on.
If you’re unsure whether this is required for your workspace, reach out to your company’s IT or security team and share our SSO set-up guide with them.

With Google workspace or Microsoft

If your company uses Google Workspace or Microsoft 365 as its primary identity system, you can leverage it for a simpler, more secure login experience than passwords. Once activated, you can enforce Google or Microsoft as the only login method.
  • To do this, open ⚙️ Settings → Authentication.
  • First, ensure your organization’s email domain is added under Allowed email address domains.
  • From there, navigate to Authentication methods and disable Password while leaving Google or Microsoft enabled.
This acts as a “lite” SSO. It centralizes authentication to a single, trusted corporate account that already has security policies in place. This improves your security posture by removing password risk, without requiring a separate IdP implementation.
Discuss internally how you want people from your organization logging in to the workspace. From there, enforce your organization’s preferred log in method in Authentication settings. Configure authentication for your workspace →