Frequently asked questions about single sign-on (SSO) for Dropbox Business administrators

If you're the administrator of a Dropbox Business account, you can let team members access Dropbox by signing in to a central identity provider.

Single sign-on (SSO) makes life easier and more secure for everyone. You can put the identity provider you already trust in charge of authentication, and team members can access Dropbox without another password to manage.

How do I set up single sign-on (SSO) with Dropbox?

Configure your identity provider

To get started, go to your identity provider's site and follow the provider's instructions to configure single sign-on.

Dropbox has partnered with many identity providers to offer a pre-configured app that contains the correct settings. See which identity providers we've partnered with.

If you’d like to configure your own solution or use a different identity provider, review the required parameters.

You'll need to find two pieces of information to give Dropbox:

Configure Dropbox

  1. Sign in to Dropbox with your admin account and click Admin Console in the left-hand sidebar.
  2. In the Admin Console, click on Authentication in the sidebar.
  3. Under Single sign-on, select the Enable single sign-on checkbox.
  4. Choose whether to make single sign-on optional or required.
  5. Enter the Sign in URL you got earlier from the identity provider.
  6. Click the Choose certificate button. Upload the X.509 certificate .pem file you got earlier from the identity provider.
  7. Click the Save changes button.

Prepare your users

If you make single sign-on required, Dropbox will automatically notify team members by email. If you make single sign-on optional, you'll need to notify them yourself. You can download an email template from the single sign-on section of the Admin Console.

Accessing the website

Once single sign-on is turned on, users can sign in to Dropbox by entering just their email address. This will redirect them to your identity provider's sign-in page, where they can enter their work credentials.

As part of SSO setup, we'll provide you with a custom Dropbox URL. This URL will enable users to go directly to their Dropbox account online if they've already signed in to your identity provider.

Linking computers and mobile devices

All computers and mobile devices that are currently linked to Dropbox accounts will continue to work as normal. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work. If they haven't signed in to your identity provider, they'll be automatically redirected to do so. They'll also be prompted to take a few other simple steps:

  • When users link a computer, Dropbox will direct them to copy a special link code from the website and paste it into the application.
  • When users link a mobile device, they'll be asked to approve a request to connect the app to their account.

For details, see our instructions for end users.

What identity providers do you support?

Dropbox uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), which means our implementation of SSO integrates easily with any large identity provider that supports SAML. If you've built your own SAML-based federated authentication process, we integrate with that too. We support service-provider-initiated SAML and identity-provider-initiated SAML.

The following identity providers offer preconfigured settings for Dropbox:

  • Auth0
  • Bitium
  • CA Siteminder
  • Centrify
  • Google Apps
  • OneLogin
  • Okta
  • Ping Identity
  • Salesforce
  • Symantec Identity: Access Manager
  • Symplified

I want to set up SSO with a provider that’s not on the list. How do I configure my own identity provider solution for SSO?

If you’d like to configure your own solution or use a different identity provider, here are the parameters you'll need:

  • Dropbox uses SAML2 with the HTTP Redirect binding for SP to IdP and expects the HTTP Post binding for IdP to SP.
  • The Dropbox post-back URL (also called the Assertion Consumer Service URL) is https://www.dropbox.com/saml_login
  • Dropbox requires that the NameID contain the user’s email address. Technically we are looking for: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  • Your identity provider may ask if you want to sign the SAML assertion, the SAML response, or both. Dropbox requires the SAML response to be signed. You can choose signed or unsigned for the SAML assertion.
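
A pre-flight check for a custom identity provider, added here as an example (not Dropbox's code): it inspects a base64 SAMLResponse captured from a test sign-in against the parameters listed above. The function and sample names are hypothetical, the Destination check is an assumption derived from the post-back URL, and the check is structural only; it does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://www.dropbox.com/saml_login"  # post-back URL from the page
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_response(b64_response):
    """Return a list of problems found in a base64 SAMLResponse form value."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["top-level element is not samlp:Response"]
    problems = []
    # The Response itself must be signed; a signature that sits only inside
    # the Assertion does not satisfy that requirement.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    # Assumption: the IdP sets Destination to the ACS URL it posts to.
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Dropbox post-back URL")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["no NameID in the assertion subject"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    value = (name_id.text or "").strip()
    if value.count("@") != 1 or value.startswith("@") or value.endswith("@"):
        problems.append("NameID value is not an email address")
    return problems


def _sample(signed_response=True, fmt=EMAIL_FORMAT, name="user@example.com"):
    """Constructed sample; with signed_response=False only the Assertion is signed."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">%s'
        '<saml:Assertion>%s<saml:Subject><saml:NameID Format="%s">%s</saml:NameID>'
        '</saml:Subject></saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], ACS_URL, sig if signed_response else "",
         "" if signed_response else sig, fmt, name)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(_sample(signed_response=False, name="jdoe")))
```

Run it only on responses produced by your own identity provider during testing, since the standard-library XML parser is not hardened against hostile documents.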

What's an X.509 certificate?

An X.509 certificate is a security certificate that's used to verify your identity. It usually comes from your identity provider. It can come in a variety of formats, but Dropbox only accepts the .pem, .cer, or .crt formats. Below is a sample of an encoded certificate:

An example of an encoded X.509 certificate

What's the difference between optional mode and required mode?

In optional mode, all users will be able to sign in using either their Dropbox or single sign-on password. This mode is ideal if you're doing a gradual rollout of SSO and want to test it first without disrupting the activity of the team.

  • In order to sign in using single sign-on, users must leave the password field empty. If users try to enter a password, we will treat this as an attempt to sign in with their Dropbox credentials.
  • Users can sign in without entering an email by going to your team-specific page. You can find the URL for this page under SSO settings in the Admin Console.
  • To avoid overlapping settings, Dropbox's two-step verification will be disabled when using single sign-on.
  • Dropbox will not notify users if you turn on single sign-on in optional mode. If you'd like to notify a test group of users, an email template is available from the single sign-on section of the Admin Console.
  • Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox Business. All new desktop and mobile clients will be able to sign in using either their Dropbox or single sign-on password.

In required mode, all users must sign in to your central identity provider in order to access Dropbox. The Dropbox password they've used before will no longer work, and Dropbox will not store their single sign-on credentials. Use this option if you're ready to switch over completely to your identity provider for authentication.

  • Users without single sign-on credentials will not be able to sign in to Dropbox.
  • We'll send all users an email letting them know that single sign-on is enabled with instructions on how to sign in.
  • When a user tries to sign in to Dropbox, we'll redirect them to your identity provider.
  • Users can sign in on the web without entering an email by going to your team-specific page.
  • To prevent duplicate security policies, Dropbox's two-step verification will be disabled when using single sign-on.
  • Admins won't be able to reset passwords through Dropbox since passwords are now controlled by your identity provider.
  • As an administrator, you'll be able to sign in on the web using either your Dropbox or single sign-on password.
  • Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox Business. All new desktop and mobile clients must use single sign-on.

What happens when I add a new user to the Business account?

If you've turned on SSO in required mode, you'll need to make sure that the new user's email address is registered with your identity provider. Otherwise, the user will not be able to sign in and access Dropbox. In optional mode, the user will be asked to create a Dropbox password and can sign in with it as usual.

How does SSO work with Dropbox's security features, such as two-step verification?

When you set up SSO in required mode, your identity provider becomes the entire basis for authenticating end users. Whatever process, policies, and security features you've set up with your identity provider will apply for a user to access Dropbox. Security features that Dropbox itself provides, such as two-step verification or the ability to reset passwords, will no longer be in effect because your identity provider is now handling all aspects of authentication. This enables you to add more layers of security through your identity provider.

If you set up SSO in optional mode, end users can still use Dropbox's two-step verification and reset their Dropbox password.

What happens if there’s a problem with our identity provider?

As an admin for the Business account, you'll be able to sign in to the Dropbox website with your email address and Dropbox password. You can then turn off SSO or set it to optional mode as needed.

As an admin, how is signing in with my SSO credentials different from signing in with my Dropbox credentials?

To sign in to Dropbox with your SSO credentials, just leave the password field blank. If you enter anything in the password field, Dropbox will assume you're trying to sign in with your Dropbox credentials instead.

If you're an admin and you use your Dropbox password to sign in, you’ll still be able to use two-step verification with your Dropbox account.

What happens to my existing computers and mobile devices that are connected to Dropbox?

All computers and mobile devices that are already linked to Dropbox accounts will continue to work normally when you enable single sign-on. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work.

What is InCommon?

InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. With Dropbox, this means that our version of SSO abides by the InCommon standard. Learn more about setting up SSO to support InCommon.
