
eduGAIN, InCommon, and configuring Dropbox SSO

Dropbox is a sponsored partner of eduGAIN and InCommon, and supports these standards. This article details how to enable eduGAIN- or InCommon-supported SSO for your Dropbox Business account.

What is InCommon and eduGAIN?

eduGAIN describes itself as "…a global interfederation service that interconnects multiple identity federations, both technically and legally. It allows a user from one identity federation to access services in another identity federation." (Source)

InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. It is specific to the US market.

InCommon is often mistaken for an identity provider (IdP). In reality, InCommon is a protocol that your IdP may support to provide specific security enhancements to abide by the InCommon Standard.

The Dropbox version of single sign-on (SSO) abides by both the eduGAIN and InCommon frameworks.

How do I enable supported SSO with eduGAIN or InCommon?

If you're a Dropbox Education admin, contact your account team and request that they turn on the required eduGAIN or InCommon attribute setting. Once this setting is on, follow the steps under each of the three sections in this article to complete the setup process.

Note: The following instructions won't work unless your account team has enabled this setting.

Configuring Shibboleth IdP to comply with eduGAIN or InCommon

  1. If you're a Dropbox Education admin, contact your account team and request that they turn on the required eduGAIN or InCommon attribute setting. 
  2. Retrieve eduGAIN or InCommon metadata.
  3. Set up the attribute filter.
    • For US-based customers, Dropbox accepts the InCommon recommended essential attribute bundle.
      • Dropbox uses the email part of this bundle to identify users.
      • Dropbox also requires that the transient ID is released.
    • Learn how to configure the InCommon essential attribute bundle.
      • In the attribute-filter.xml (/opt/shibboleth-idp/conf/attribute-filter.xml) file, make sure the attribute requester string value is https://dropbox.com/sp:

      <afp:AttributeFilterPolicy id="DROPBOX_INCOMMON">
             <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                value="https://dropbox.com/sp"/>

Prepare needed information

To configure SSO in the Dropbox admin console, you'll need two pieces of information: the sign-in URL and the X.509 certificate.

The sign-in URL can be found in the eduGAIN or InCommon metadata under your organization's IdPSSODescriptor, and looks similar to this example:

   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO"/>

In this case, the URL Dropbox needs is the one below, which is also the URL that leads to the authentication portal.

https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO

The X.509 certificate is located in the credentials folder and is usually called idp.crt. A typical file path to this certificate is /opt/shibboleth-idp/credentials/idp.crt.

Dropbox admin console configuration

  1. Sign in to dropbox.com with your Dropbox Business admin account.
  2. Open the Admin Console.
  3. Click Settings.
  4. Under Authentication, select Single sign-on.
  5. Enable SSO in Optional or Required mode. (Optional mode is for testing and Required mode is for production.)
  6. Paste the sign-in URL (collected earlier in this article).
  7. Upload the X.509 certificate (collected earlier in this article).
  8. Under SAML NameID Format, select Transient ID + Email Assertion.
