Frequently asked questions about single sign-on (SSO) for Dropbox Business administrators
- How do I set up single sign-on (SSO) with Dropbox?
- What identity providers do you support?
- I want to set up SSO with a provider that’s not on the list. How do I configure my own identity provider solution for SSO?
- What's an X.509 certificate?
- What's the difference between optional mode and required mode?
- What happens when I add a new user to the Business account?
- How does SSO work with Dropbox's security features, such as two-step verification?
- What happens if there’s a problem with our identity provider?
- As an admin, how is signing in with my SSO credentials different from signing in with my Dropbox credentials?
- What happens to my existing computers and mobile devices that are connected to Dropbox?
- What is InCommon?
How do I set up single sign-on (SSO) with Dropbox?
See detailed instructions on how to set up SSO with Dropbox.
What identity providers do you support?
Dropbox uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), which means our implementation of SSO integrates easily with any large identity provider that supports SAML. If you've built your own SAML-based federated authentication process, we integrate with that too. We support service-provider-initiated SAML and identity-provider-initiated SAML.
The following identity providers offer preconfigured settings for Dropbox:
- CA Siteminder
- Google Apps
- Ping Identity
- Symantec Identity: Access Manager
I want to set up SSO with a provider that’s not on the list. How do I configure my own identity provider solution for SSO?
If you’d like to configure your own solution or use a different identity provider, here are the parameters you'll need:
- Dropbox uses SAML 2.0. Dropbox (the service provider) sends its authentication request to your identity provider using the HTTP Redirect binding, and expects your identity provider to return the SAML response using the HTTP POST binding.
- The Dropbox post-back URL (also called the Assertion Consumer Service URL) is https://www.dropbox.com/saml_login
- Dropbox requires that the NameID contain the user’s email address, the same address that is on the user's Dropbox Business account. Technically we are looking for: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
- Your identity provider may ask whether you want to sign the SAML assertion, the SAML response, or both. Dropbox requires the SAML response to be signed; the SAML assertion can be signed or unsigned. Dropbox verifies the response signature with the X.509 certificate you upload from your identity provider (see below).
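The following is an added example, not Dropbox's own code or part of the original article. It shows the two halves of the exchange described above as an integrator would implement them: building the service-provider-initiated AuthnRequest and encoding it for the HTTP Redirect binding (raw DEFLATE, Base64, URL-encode), and pre-checking a Response delivered by HTTP POST for what Dropbox requires (a signature on the Response element itself, a Success status, and an emailAddress-format NameID). The issuer string, the identity-provider URL, and both sample Responses are constructed placeholders. The pre-check is structural only: it deliberately does not perform XML-DSig verification against the identity provider's X.509 certificate, which a real service provider must do with an XML signature library before trusting anything in the message.

```python
"""Added example (not Dropbox code): SAML 2.0 redirect binding + response pre-check."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://www.dropbox.com/saml_login"          # from the article
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(issuer, idp_sso_url, acs_url=ACS_URL, request_id=None, issue_instant=None):
    """SP-initiated AuthnRequest: asks the IdP to POST the Response to acs_url
    and to identify the user by email address, as Dropbox requires."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{EMAIL_FORMAT}" AllowCreate="false"/>'
        f"</samlp:AuthnRequest>"
    )


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_saml_request(url):
    """Inverse of the redirect binding, as the IdP side would apply it."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def precheck_response(response_xml, expected_acs=ACS_URL):
    """Structural checks implied by Dropbox's requirements. Returns (ok, reasons, email).
    NOT a signature verification: cryptographic XML-DSig checking against the IdP's
    X.509 certificate must still happen before any value here is trusted."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["root element is not samlp:Response"], None
    reasons = []
    if root.get("Destination") not in (None, expected_acs):
        reasons.append("Destination does not match the Dropbox ACS URL")
    # Dropbox requires the Response (not just the Assertion) to be signed:
    # ds:Signature must be a direct child of samlp:Response.
    if root.find("ds:Signature", NS) is None:
        reasons.append("Response element is not signed")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        reasons.append("StatusCode is not Success")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    email = None
    if name_id is None:
        reasons.append("no NameID in the Assertion")
    elif name_id.get("Format") != EMAIL_FORMAT:
        reasons.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
    else:
        email = (name_id.text or "").strip()
        if "@" not in email:
            reasons.append("NameID is not an email address")
    return not reasons, reasons, email


# Constructed sample (placeholder signature): signed Response, unsigned Assertion -> accepted.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: only the Assertion is signed and the NameID is not an email -> rejected.
BAD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.com/sso",
                               build_authn_request("https://www.dropbox.com/saml", "https://idp.example.com/sso"))
    print(decode_saml_request(url))
    print(precheck_response(GOOD_RESPONSE))
    print(precheck_response(BAD_RESPONSE))
```

The second sample is the configuration mistake this section warns about: an identity provider set to sign only the assertion produces a Response with no signature on the Response element, and the NameID falls back to a persistent identifier instead of the email address, so both checks fail.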
What's an X.509 certificate?
An X.509 certificate is a security certificate that holds the public key Dropbox uses to verify the signature on the SAML responses your identity provider sends. It usually comes from your identity provider. Certificates can be exported in a variety of formats, but Dropbox only accepts .pem, .cer, or .crt files. Below is a sample of an encoded certificate:
What's the difference between optional mode and required mode?
In optional mode, all users will be able to sign in using either their Dropbox or single sign-on password. This mode is ideal if you're doing a gradual rollout of SSO and want to test it first without disrupting the activity of the team.
- In order to sign in using single sign-on, users must leave the password field empty. If users try to enter a password, we will treat this as an attempt to sign in with their Dropbox credentials.
- Users can sign in without entering an email by going to your team-specific page. You can find the URL for this page under SSO settings in the Admin Console.
- To avoid overlapping settings, Dropbox's two-step verification will be disabled when using single sign-on.
- Dropbox will not notify users if you turn on single sign-on in optional mode. If you'd like to notify a test group of users, an email template is available from the single sign-on section of the Admin Console.
- Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox Business. All new desktop and mobile clients will be able to sign in using either their Dropbox or single sign-on password.
In required mode, all users must sign in to your central identity provider in order to access Dropbox. The Dropbox password they've used before will no longer work, and Dropbox will not store their single sign-on credentials. Use this option if you're ready to switch over completely to your identity provider for authentication.
- Users without single sign-on credentials will not be able to sign in to Dropbox.
- We'll send all users an email letting them know that single sign-on is enabled with instructions on how to sign in.
- When a user tries to sign in to Dropbox, we'll redirect them to your identity provider.
- Users can sign in on the web without entering an email by going to your team-specific page.
- To prevent duplicate security policies, Dropbox's two-step verification will be disabled when using single sign-on.
- Admins won't be able to reset passwords through Dropbox since passwords are now controlled by your identity provider.
- As an administrator, you'll be able to sign in on the web using either your Dropbox or single sign-on password.
- Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox Business. All new desktop and mobile clients must use single sign-on.
What happens when I add a new user to the Business account?
If you've turned on SSO in required mode, you'll need to make sure that the new user's email address is registered with your identity provider. Otherwise, the user will not be able to sign in and access Dropbox. In optional mode, the user will be asked to create a Dropbox password and can sign in with it as usual.
How does SSO work with Dropbox's security features, such as two-step verification?
When you set up SSO in required mode, your identity provider becomes the entire basis for authenticating end users. Whatever process, policies, and security features you've set up with your identity provider will apply for a user to access Dropbox. Security features that Dropbox itself provides, such as two-step verification or the ability to reset passwords, will no longer be in effect because your identity provider is now handling all aspects of authentication. This enables you to add more layers of security through your identity provider.
If you set up SSO in optional mode, end users can still use Dropbox's two-step verification and reset their Dropbox password.
What happens if there’s a problem with our identity provider?
As an admin for the Business account, you'll be able to sign in to the Dropbox website with your email address and Dropbox password. You can then turn off SSO or set it to optional mode as needed.
As an admin, how is signing in with my SSO credentials different from signing in with my Dropbox credentials?
To sign in to Dropbox with your SSO credentials, just leave the password field blank. If you enter anything in the password field, Dropbox will assume you're trying to sign in with your Dropbox credentials instead.
If you're an admin and you use your Dropbox password to sign in, you’ll still be able to use two-step verification with your Dropbox account.
What happens to my existing computers and mobile devices that are connected to Dropbox?
All computers and mobile devices that are already linked to Dropbox accounts will continue to work normally when you enable single sign-on. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work.
What is InCommon?
InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. With Dropbox, this means that our version of Single Sign-On (SSO) abides by the InCommon standard.