SSO Login Issues
This guide is for users and administrators troubleshooting problems with Single Sign-On (SSO) login on DottSign.
SSO is available on the Enterprise plan only. If you're not sure whether your organisation uses SSO, contact your IT department.
Error: "No SSO configuration found for this email domain"
Cause: DottSign looked up the domain in your email address (e.g., @yourcompany.com) and didn't find an SSO configuration associated with it.
Possible reasons:
- SSO has not been configured for your organisation yet
- You entered a different email domain from the one registered with DottSign (e.g., using a personal email instead of your work email)
- The SSO configuration was recently changed or deleted by your admin
What to do:
- Confirm you're using your work email (the one registered with your organisation's identity provider)
- Ask your DottSign administrator to verify the SSO configuration in Settings → Security → SSO
- If SSO is not yet set up, contact support@dottsign.com for setup assistance
Error: "SSO sign-in failed. Please try again or contact your administrator."
Cause: The authentication attempt was completed at your identity provider (IdP), but DottSign couldn't verify the response.
Common causes and fixes:
| Cause | Fix |
|---|---|
| Certificate mismatch | Admin should re-download the IdP metadata and re-upload it in DottSign SSO settings |
| Clock skew between servers | Ensure your IdP server's clock is synchronised (NTP); SAML assertions are time-sensitive |
| Incorrect ACS URL | The Assertion Consumer Service URL in your IdP should be https://app.dottsign.com/auth/sso/{your-org-slug}/callback (replace {your-org-slug} with your organisation's DottSign slug, visible in the SSO settings page) |
| User not provisioned in IdP | Check that the user exists and is active in your identity provider |
| Missing email attribute | The IdP's SAML response must include the user's email. Check the attribute mapping in your IdP configuration |
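The following added example, which is not DottSign code, inspects a captured SAMLResponse for three of the causes in the table above: the ACS URL, the assertion's validity window and the email attribute. The org slug `acme`, the two-minute skew tolerance and the sample response are constructed assumptions. It does not validate the signature, so it cannot diagnose a certificate mismatch.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML timestamps are UTC, e.g. 2024-05-01T12:00:00Z (fractions ignored)
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def diagnose(b64_response, expected_acs, now, skew=timedelta(minutes=2)):
    """Return a list of findings. Diagnostic only: no signature check."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["response contains a DTD; refusing to parse"]
    root = ET.fromstring(xml_text)
    findings = []
    # Incorrect ACS URL: Destination is where the IdP was configured to post
    dest = root.get("Destination")
    if dest != expected_acs:
        findings.append(f"ACS URL mismatch: IdP sent to {dest!r}")
    # Clock skew: the assertion is valid only inside its Conditions window
    cond = root.find(".//a:Assertion/a:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element in assertion")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            findings.append("assertion not yet valid: check clock sync")
        if noa and now - skew >= _ts(noa):
            findings.append("assertion expired: check clock sync")
    # Missing email attribute: need a non-empty value named 'email'
    values = [v.text for attr in root.iter("{%s}Attribute" % NS["a"])
              if attr.get("Name") == "email"
              for v in attr.findall("a:AttributeValue", NS)]
    if not any(v and v.strip() for v in values):
        findings.append("email attribute missing or empty")
    return findings

def sample_response(destination, not_before, not_on_or_after, attr_name):
    # Constructed, unsigned sample response for illustration only
    xml_text = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}" Destination="{destination}">
<saml:Assertion><saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
<saml:AttributeStatement><saml:Attribute Name="{attr_name}">
<saml:AttributeValue>user@yourcompany.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml_text.encode()).decode()
```

To use it on a real failure, pass the base64 `SAMLResponse` form field that the browser posts to the callback URL, together with the current UTC time.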
Error: "Your organisation requires SSO login"
Cause: Your organisation's DottSign account has SSO enforcement enabled. Users cannot log in with passwords or Google, only via SSO.
This is by design. Use the SSO flow:
- On the login page, click Continue with SSO
- Enter your work email
- You'll be redirected to your company's login page
If SSO is not working, contact your IT team, who control the identity provider.
Setting Up SSO for the First Time (Admins)
DottSign supports SAML 2.0 and OIDC identity providers, including:
- Okta
- Microsoft Azure AD / Entra ID
- Google Workspace
- Auth0
- OneLogin
SAML Setup steps
- Log in to DottSign as an Owner or Admin
- Go to Settings → Security → SSO Configuration
- Download the DottSign SAML metadata file
- Import it into your IdP as a new application/service provider
- Configure attribute mapping. Your IdP must send:
  - email (required)
  - firstName (recommended)
  - lastName (recommended)
- Copy the IdP metadata URL from your IdP
- Paste it into DottSign's SSO configuration and click Save
- Click Test SSO to validate the connection before enforcing it
Enabling SSO enforcement
Once SSO is working, you can enforce it so all users must log in via SSO:
- Settings → Security → SSO → Enforce SSO → toggle on
Test SSO with your own account before enforcing. If the configuration is broken, enforcement can lock all users out.
Users Can't Access DottSign After SSO Enforcement
If SSO enforcement was enabled and now users can't log in:
- The Account Owner can always log in using their email and password (SSO enforcement doesn't affect the Owner)
- The Owner can temporarily disable SSO enforcement in Settings → Security → SSO
- Fix the IdP configuration and test again before re-enabling
If the Owner is also locked out, contact support@dottsign.com with your account's domain name and we'll assist with emergency access restoration.
Automatic User Provisioning (JIT)
With SSO enabled, users who don't yet have a DottSign account are automatically provisioned the first time they log in via SSO; no manual invitation is needed.
Their role defaults to Member. An Admin can change their role after their first login.