How do I set up single sign-on (SSO) for my Business account?
The new Dropbox Business API helps IT administrators create new integrations and new partnerships with great third-party technologies like eDiscovery, Data Loss Prevention (DLP), Security Information & Event Management (SIEM), and more. Team admins can use the API to build a suite of security and compliance tools to manage analytics, content safety, and on-premises backups, and even build custom apps.
If you're the administrator of a Dropbox Business account, you can let team members access Dropbox by signing in to a central identity provider.
Single sign-on (SSO) makes life easier and more secure for everyone. You can put the identity provider you already trust in charge of authentication, while team members can access Dropbox without another password to manage.
Configure your identity provider
To get started, go to your identity provider's site and follow the provider's instructions to configure single sign-on.
Dropbox has partnered with many identity providers to offer a pre-configured app that contains the correct settings. See which identity providers we've partnered with.
- Dropbox uses SAML2 with the HTTP Redirect binding for SP to IdP and expects the HTTP Post binding for IdP to SP.
- The Dropbox post-back URL (also called the Assertion Consumer Service URL) is https://www.dropbox.com/saml_login
- Dropbox requires that the NameID contain the user’s email address. Technically we are looking for: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
- Your identity provider may ask if you want to sign the SAML assertion, the SAML response, or both. Dropbox requires the SAML response to be signed. You can choose signed or unsigned for the SAML assertion.
You'll need to find two pieces of information to give Dropbox:
- A sign-in page URL (also called a login URL)
- An X.509 certificate. This is a security certificate that you usually get from your identity provider and must be in the .pem, .cer, or .crt formats. Below is a sample of an encoded certificate:
- Sign in to Dropbox with your admin account and click on Admin Console in the left-hand sidebar.
- In the Admin Console, click on Authentication in the sidebar.
- Under Single sign-on, select the Enable single sign-on checkbox.
- Choose whether to make single sign-on optional or required:
- Enter the Sign in URL you got earlier from the identity provider.
- Click the Choose certificate button. Upload the X.509 certificate .pem file you got earlier from the identity provider.
- Click the Save changes button.
Prepare your users
If you make single sign-on required, Dropbox will automatically notify team members by email. If you make single sign-on optional, you'll need to notify them yourself. You can download an email template from the single sign-on section of the Admin Console.
Accessing the website
Once single sign-on is turned on, users can sign in to Dropbox by entering just their email address. This will redirect them to your identity provider's sign-in page, where they can enter their work credentials.
As part of SSO setup, we'll provide you with a custom Dropbox URL. This URL will enable users to go directly to their Dropbox account online if they've already signed in to your identity provider.
Linking computers and mobile devices
All computers and mobile devices that are currently linked to Dropbox accounts will continue to work as normal. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work. If they haven't signed in to your identity provider, they'll be automatically redirected to do so. They'll also be prompted to take a few other simple steps:
- When users link a computer, Dropbox will direct them to copy a special link code from the website and paste it into the application.
- When users link a mobile device, they'll be asked to approve a request to connect the app to their account.
For details, see our instructions for end users.