Configure Active Directory Federation Services (AD FS)
Business and Enterprise only
This feature is only available on our business and enterprise plans. Business and enterprise workspaces come with additional features and support to meet your organization’s needs. Check out our pricing page for more information on business and enterprise.
Users can authenticate to Dovetail using Active Directory Federation Services.
Tested on AD FS 2016.
Create an Application Group in AD FS
1. In AD FS Management, right-click Application Groups and select Add Application Group.
2. In the Add Application Group Wizard, enter Dovetail as the name and, under Standalone application, select the Server application template. Click Next.
3. Copy the Client Identifier value and keep a note of it; it is entered into Dovetail later.
4. For Redirect URI, enter https://dovetailapp.com/users/oauth2/callback and click Add. Click Next.
5. Check Generate a shared secret and copy the Secret; it is also entered into Dovetail and AD FS will not show it again after you close the wizard. Click Next twice, then Close.
6. Double-click the newly created application group, click Add application, and under Standalone application choose the Web API template. Click Next.
7. Under Identifier, add the Client Identifier from step 3, then add https://dovetailapp.com as a second identifier. Click Next.
8. For Choose an access control policy, select Permit everyone. This lets any account in the directory sign in to Dovetail; if only part of the directory should have access, pick a more restrictive policy such as Permit specific group instead. Click Next.
9. For Permitted scopes, select allatclaims and openid. Click Next twice, then Close.
10. Double-click the newly created Web API application, open the Issuance Transform Rules tab, and click Add Rule.
11. For Claim rule template, choose Send LDAP Attributes as Claims. Click Next.
12. For Claim rule name, enter Email claims. For Attribute store, choose Active Directory. For LDAP Attribute, choose E-Mail-Addresses, and for Outgoing Claim Type enter email. Click Finish.
13. Add another rule; this time, for Claim rule template, choose Send Claims Using a Custom Rule. Click Next.
14. For Claim rule name, enter Skip userinfo. For Custom rule, enter:
    => issue(Type = "skip_userinfo", Value = "true");
    Click Finish.
15. Restart the AD FS service (adfssrv) so the new settings take effect.
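The same configuration can be scripted with the AD FS PowerShell cmdlets that ship with the role. The script below is an added example, not Dovetail's or Microsoft's code: it assumes an elevated PowerShell session on an AD FS 2016 (or later) server, uses Dovetail as the application group name and invents the two application names, and writes the issuance transform rules in claim rule language by hand (the first rule is what the Send LDAP Attributes as Claims template generates for E-Mail-Addresses, whose LDAP attribute is mail; the second is the custom skip_userinfo rule from the steps above).

```powershell
# Added example: PowerShell equivalent of the AD FS Management steps above.
# Not Dovetail's or Microsoft's script. Run in an elevated session on an AD FS server.
# $GroupName and the two application names are assumptions; the redirect URI,
# identifiers, scopes and claim rules are the values from the page.
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$GroupName   = 'Dovetail'                                        # assumed application group name
$RedirectUri = 'https://dovetailapp.com/users/oauth2/callback'   # Dovetail callback
$ClientId    = [guid]::NewGuid().ToString()                      # the GUI generates this for you

# Application group plus the Server application with a generated shared secret.
# The secret is returned once on the created object and cannot be read back later.
New-AdfsApplicationGroup -Name $GroupName -ApplicationGroupIdentifier $GroupName | Out-Null
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Server application" `
    -Identifier $ClientId `
    -RedirectUri $RedirectUri `
    -GenerateClientSecret -PassThru

# Issuance transform rules for the Web API, in AD FS claim rule language.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

@RuleName = "Skip userinfo"
 => issue(Type = "skip_userinfo", Value = "true");
'@

# Web API with both identifiers (the client id and https://dovetailapp.com).
# "Permit everyone" admits any directory account; use a tighter policy such as
# "Permit specific group" if only part of the directory should reach Dovetail.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Web API" `
    -Identifier @($ClientId, 'https://dovetailapp.com') `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules | Out-Null

# Permitted scopes: the Server application may request openid and allatclaims
# against the Web API (whose identifier includes the same client id).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId `
    -ServerRoleIdentifier $ClientId `
    -ScopeNames 'openid', 'allatclaims'

# Apply the new settings.
Restart-Service adfssrv

# Values to paste into Dovetail; store the secret in a password manager, not in chat.
[pscustomobject]@{
    ClientIdentifier = $ClientId
    ClientSecret     = $server.ClientSecret
    DiscoveryUrl     = "https://$((Get-AdfsProperties).HostName)/adfs/.well-known/openid-configuration"
}
```

If you later need to rotate the secret, regenerate it on the Server application rather than creating a second application group, and update Dovetail in the same change window so sign-in is not interrupted.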
Add values to Dovetail
Using the Client Identifier and Secret from the AD FS application, Configure OpenID Connect directly in Dovetail.
In the Discovery URL input, enter https://YOUR_ADFS_DOMAIN/adfs/.well-known/openid-configuration where YOUR_ADFS_DOMAIN is the domain of the AD FS Issuer. For example, if Issuer was https://fs.your-company.com you would enter https://fs.your-company.com/adfs/.well-known/openid-configuration.
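Before saving the Dovetail settings it is worth fetching the discovery document and confirming that it comes from the issuer you expect and advertises the scopes the Web API was granted. The check below is an added example, not part of the page or of Dovetail's product; it assumes the AD FS host name fs.your-company.com (substitute your own) and relies on the fact that AD FS publishes its OpenID Connect issuer as https://<host>/adfs.

```powershell
# Added example: sanity-check the AD FS discovery document used by Dovetail.
# Not from the page. $AdfsHost is an assumption; replace it with your AD FS host name.
$ErrorActionPreference = 'Stop'
$AdfsHost     = 'fs.your-company.com'
$DiscoveryUrl = "https://$AdfsHost/adfs/.well-known/openid-configuration"

$doc = Invoke-RestMethod -Uri $DiscoveryUrl -Method Get

# The issuer value is what every id_token's iss claim will carry; it must be
# this farm's /adfs path, not some other host a proxy or DNS change pointed you at.
if ($doc.issuer -ne "https://$AdfsHost/adfs") {
    throw "Unexpected issuer '$($doc.issuer)' from $DiscoveryUrl"
}

# Both scopes granted to the Dovetail Web API must be advertised by the farm.
foreach ($scope in 'openid', 'allatclaims') {
    if ($doc.scopes_supported -notcontains $scope) {
        throw "Scope '$scope' is not listed in scopes_supported for $AdfsHost"
    }
}

# Endpoints Dovetail will use once the Discovery URL is saved.
[pscustomobject]@{
    Issuer                = $doc.issuer
    AuthorizationEndpoint = $doc.authorization_endpoint
    TokenEndpoint         = $doc.token_endpoint
    JwksUri               = $doc.jwks_uri
}
```

A TLS error here means the AD FS service certificate is not trusted from where Dovetail will call it; fix that before saving the configuration, since Dovetail must fetch this same document and the signing keys at jwks_uri over HTTPS.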