This article provides detailed instructions on how to configure your Dropbox Business account to support SP-initiated SSO relying on Active Directory Federated Services 3.0, often referred to as ADFS 2012 R2.
Your deployment should follow Microsoft's best practices for deploying AD FS clusters and proxies; configuring a full AD DS / AD FS deployment is outside the scope of this guide.
Important: These instructions apply to SSO only; you'll still need to manually provision and de-provision accounts in the Dropbox Business admin console. This is especially important when users leave the company, because the Dropbox desktop and mobile apps keep users logged in indefinitely after their initial SSO authentication, so disabling the account in AD alone does not end those sessions.
Some Dropbox customers choose to build custom applications with the Dropbox Business API to automatically provision and de-provision users in response to changes in AD. Please contact your Account Manager if you're interested in API access.
Please also note that these instructions are still in beta. We welcome any feedback or questions as you follow the steps.
Prerequisite: an AD FS 3.0 instance with an AD FS SAML endpoint that is reachable from the devices that will need to authenticate.
Connect Dropbox to AD FS 3.0 for SSO
- Create a new relying party trust
- Select Enter data about the relying party manually
- Enter the Display name and Notes as shown below
- Use AD FS profile
- Click Next without altering this page
- Choose SAML 2.0 and set the service URL to https://www.dropbox.com/saml_login
- Set the relying party identifier to Dropbox
- Leave Multifactor Authentication at default
- Choose who should be able to access Dropbox via SSO
- Click Next to add the relying party trust
- Close the wizard
- Add a rule to send LDAP attributes as claims
- Select the Send LDAP Attributes as Claims template
- Add the claim rule
- Add another rule
- Select the Transform an Incoming Claim template
- Set up the claim rule
- Apply the rules
- Prepare certificate
- Copy to file
- Base-64 encoded export
- Enter the file name below
- Configure Dropbox to use your AD FS server for SSO: Read the final steps required to configure SSO in the Dropbox admin console.
Notes for step 27 (configuring Dropbox to use your AD FS server):
- You'll upload the certificate you exported above as your X.509 certificate
- Your sign-in URL will be your AD FS SAML endpoint
- We recommend first configuring SSO in Optional mode, and then moving to Required mode once you have tested that SSO is working properly and prepared your users for the switch