See detailed instructions on how to set up SSO with Dropbox.
Dropbox uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), which means our implementation of SSO integrates easily with any large identity provider that supports SAML. If you've built your own SAML-based federated authentication process, we integrate with that too. We support service-provider-initiated SAML and identity-provider-initiated SAML.
The following identity providers are officially supported:
If you’d like to configure your own solution or use a different identity provider, here are the parameters you'll need:
An X.509 certificate is a security certificate that's used to verify your identity. It usually comes from your identity provider. It can come in a variety of formats, but Dropbox only accepts the .pem format. Below is a sample of an encoded certificate:
In optional mode, all users will be able to sign in using either their Dropbox or single sign-on password. This mode is ideal if you're doing a gradual rollout of SSO and want to test it first without disrupting the activity of the team.
In required mode, all users must sign in to your central identity provider in order to access Dropbox. The Dropbox password they've used before will no longer work, and Dropbox will not store their single sign-on credentials. Use this option if you're ready to switch over completely to your identity provider for authentication.
If you've turned on SSO in required mode, you'll need to make sure that the new user's email address is registered with your identity provider. Otherwise, the user will not be able to sign in and access Dropbox. In optional mode, the user will be asked to create a Dropbox password and can sign in with it as usual.
When you set up SSO in required mode, your identity provider becomes the entire basis for authenticating end users. Whatever process, policies, and security features you've set up with your identity provider will apply for a user to access Dropbox. Security features that Dropbox itself provides, such as two-step verification or the ability to reset passwords, will no longer be in effect because your identity provider is now handling all aspects of authentication. This enables you to add more layers of security through your identity provider.
If you set up SSO in optional mode, end users can still use Dropbox's two-step verification and reset their Dropbox password.
As an admin for the Business account, you'll be able to sign in to the Dropbox website with your email address and Dropbox password. You can then turn off SSO or set it to optional mode as needed.
To sign in to Dropbox with your SSO credentials, just leave the password field blank. If you enter anything in the password field, Dropbox will assume you're trying to sign in with your Dropbox credentials instead.
If you're an admin and you use your Dropbox password to sign in, you’ll still be able to use two-step verification with your Dropbox account.
All computers and mobile devices that are already linked to Dropbox accounts will continue to work normally when you enable single sign-on. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work.