How do I connect Dropbox to AD FS 3.0 for single sign-on (SSO)?

This article provides detailed instructions on how to configure your Dropbox Business account to support SP-initiated SSO relying on Active Directory Federation Services 3.0, often referred to as AD FS 2012 R2.

Your deployment should follow Microsoft's best practices for deploying AD FS clusters and proxies; configuring a full AD DS / AD FS deployment is outside the scope of this guide.

Read instructions for connecting Dropbox to Active Directory Federation Services (AD FS)

Important: These instructions apply to SSO only; you'll still need to manually provision and de-provision accounts in the Dropbox Business admin console. This is especially important when users leave the company because the Dropbox desktop and mobile apps keep users logged in indefinitely after their initial SSO authentication.

Some Dropbox customers choose to build custom applications with the Dropbox Business API to automatically provision and de-provision users in response to changes in AD. Please contact your Account Manager if you're interested in API access.

Please also note that these instructions are still in beta. We welcome any feedback or questions as you follow the steps.

Prerequisites

  • An AD FS 3.0 instance with an AD FS SAML endpoint that is exposed to the devices that will need to authenticate

Connect Dropbox to AD FS 3.0 for SSO

  1. Create a new relying party trust

  2. adfs image 2
  3. Select Enter data about the relying party manually
  4. Enter the Display name and Notes as shown below
  5. Use AD FS profile
  6. Click Next without altering this page
  7. Choose SAML 2.0 and set the service URL to https://www.dropbox.com/saml_login
  8. Set the relying party identifier to Dropbox
  9. Leave Multifactor Authentication at default
  10. Choose who should be able to access Dropbox via SSO
  11. Click Next to add the relying party trust
  12. Close the wizard
  13. Add a rule to send LDAP attributes as claims
  14. Send LDAP attributes as Claims
  15. Add Claim Rules
  16. Add another rule
  17. Select Transform an Incoming Claim
  18. Set up claim rule
  19. Apply rules
  20. Prepare certificate
  21. Copy to file

  22. adfs image 22
  23. Base-64 encoded export
  24. Enter the file name below

  25. adfs image 25

  26. adfs image 26
  27. Configure Dropbox to use your AD FS server for SSO: Read the final steps required to configure SSO in the Dropbox admin console.

  Notes for step 27:

    • You'll upload the certificate you exported in as your X.509 certificate
    • Your sign-in URL will be your AD FS SAML endpoint
    • We recommend first configuring SSO in Optional mode, and then moving to Required mode once you have tested that SSO is working properly and prepared your users for the switch
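
The wizard steps above can also be scripted with the AD FS PowerShell module. The following is an added example, not part of the original article or Dropbox's own tooling. The service URL and identifier come from steps 7 and 8. The display name, the permit-all access rule, the claim rule contents (the user's e-mail address sent as the Name ID) and the output path are assumptions, because the screenshots that defined them are not reproduced here.

```powershell
# Added example: run in an elevated session on the primary AD FS 3.0 server.
Import-Module ADFS

# Assumed claim rules (steps 13-19): look up the AD "mail" attribute, then send it as Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assumed access policy (step 10): permit every authenticated user. Narrow this to a group if required.
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 1-12: relying party trust with the SAML 2.0 service URL and identifier from the article.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri 'https://www.dropbox.com/saml_login'
Add-AdfsRelyingPartyTrust -Name 'Dropbox' -Identifier 'Dropbox' -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authRules

# Steps 20-26: export the primary token-signing certificate (public part only) as Base-64.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing |
         Where-Object { $_.IsPrimary }).Certificate
$pem = @('-----BEGIN CERTIFICATE-----',
         [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks),
         '-----END CERTIFICATE-----')
$outFile = Join-Path $env:TEMP 'adfs-token-signing.cer'   # hypothetical output path
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Check before uploading: the file must parse and match the certificate AD FS signs with.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $outFile
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported file does not match the primary token-signing certificate.'
}
'{0}  expires {1:u}' -f $check.Thumbprint, $check.NotAfter
```

The printed expiry date is worth recording: when AD FS rolls over to a new token-signing certificate, the file uploaded to the Dropbox admin console has to be replaced, or SSO sign-ins will fail signature validation.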
