This article provides detailed instructions on how to connect Dropbox to Active Directory Federation Services (AD FS) 2.0 for single sign-on (SSO).
Important: These instructions apply to SSO only; you'll still need to manually provision and de-provision accounts in the Dropbox Business admin console. This is especially important when users leave the company because the Dropbox desktop and mobile apps keep users logged in indefinitely after their initial SSO authentication.
Some Dropbox customers choose to build custom applications with the Dropbox Business API to automatically provision and de-provision users in response to changes in AD. Please contact your Account Manager if you're interested in API access.
Please also note that these instructions are still in beta. We welcome any feedback or questions as you follow the steps.
Before you begin, you'll need:
- An AD FS 2.0 instance that has Rollup 3 or later installed
- An AD FS SAML endpoint that is exposed to the devices that will need to authenticate
You can learn more about installing AD FS Update Rollup 3 on Microsoft's support site.
Connect Dropbox to AD FS for SSO
- In the AD FS 2.0 Console, under Actions, select Add Relying Party Trust....
- This will take you to the Add Relying Party Trust Wizard. Click Start.
- In the Select Data Source section, select Enter data about the relying party manually and click Next.
- In the Specify Display Name section, enter Dropbox Business under Display name and click Next.
- In the Choose Profile section, choose AD FS 2.0 profile and click Next.
- In the Configure Certificate section, do not specify a token encryption certificate—just click Next.
- In the Configure URL section, check the option Enable support for the SAML 2.0 Web SSO protocol. Add the following URL for Relying party SAML 2.0 SSO service URL:
- In the Configure Identifiers section, add Dropbox as a trust identifier, then click Next.
- In the Choose Issuance Authorization Rules section, select Permit all users to access this relying party and click Next.
- In the Ready to Add Trust section, just click Next.
- In the Finish section, check the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.
- Next you'll be taken to the Edit Claim Rules for Dropbox Business panel. From the Issuance Transform Rules tab, click Add Rule...
- From the Choose Rule Type section, set the Claim rule template drop-down menu to Send LDAP Attributes as Claims, then click Next.
- From the Configure Claim Rule section, under Claim rule name, type Email LDAP query. Under Attribute store, select Active Directory. Under Mapping of LDAP attributes to outgoing claim types, map the LDAP Attribute E-Mail Addresses to the Outgoing Claim Type E-Mail Address.
- Add another rule from the Edit Claim Rules for Dropbox Business panel. From the Choose Rule Type section, set the Claim rule template drop-down menu to Transform Incoming Claim.
- From the Configure Claim Rule section, type the following Claim rule name: Transform email address as NameID. For Incoming claim type, select E-Mail Address. For Outgoing claim type, select Name ID. For Outgoing name ID format, select Email. Select Pass through all claim values.
- At this point, you should be back at the Edit Claim Rules for Dropbox Business window. Click Apply, then OK.
- Under Token-signing, right-click on CN=ADFS and click View certificate...
- From the Details tab, ensure Show is set to All. Click Copy to File...
- You'll then be taken to the Certificate Export Wizard. Click Next.
- From Export File Format, under Select the format you want to use, select Base-64 encoded X.509 (.CER)
- Browse to an accessible location such as the Desktop. You'll be using this certificate to complete SSO setup in the Dropbox admin console. Click Next.
- Click Finish.
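The same trust, claim rules and certificate export can be scripted instead of clicked through. The following is an added example, not part of the Dropbox article, that uses the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) to create the "Dropbox Business" relying party trust with the two issuance transform rules and the "permit all users" authorization rule described in the steps above, then writes the primary token-signing certificate to the Desktop as a Base-64 encoded X.509 (.CER) file. The claim rules are written in AD FS claim rule language, which is what the two wizard templates generate for these settings. `$DropboxAcsUrl` is a placeholder for the Relying party SAML 2.0 SSO service URL; the output path is an assumption.

```powershell
# Added example (not from the Dropbox article): scripted equivalent of the wizard
# steps above, using the AD FS 2.0 PowerShell snap-in. Run in an elevated
# PowerShell session on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholder: substitute the "Relying party SAML 2.0 SSO service URL" value.
$DropboxAcsUrl = "https://REPLACE-WITH-DROPBOX-SAML-SSO-SERVICE-URL"

# Issuance transform rules, in AD FS claim rule language. These match what the
# "Send LDAP Attributes as Claims" and "Transform Incoming Claim" templates
# produce for the settings in the steps above: look up the user's mail
# attribute in AD, emit it as an E-Mail Address claim, then copy that claim
# into a Name ID claim with the email name ID format.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email LDAP query"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party"
$AuthorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 assertion consumer endpoint with the HTTP-POST binding. No token
# encryption certificate is set, as in the wizard.
$Endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $DropboxAcsUrl -Index 0 -IsDefault $true

Add-ADFSRelyingPartyTrust -Name "Dropbox Business" `
    -Identifier "Dropbox" `
    -SamlEndpoint $Endpoint `
    -IssuanceAuthorizationRules $AuthorizationRules `
    -IssuanceTransformRules $TransformRules

# Export the primary token-signing certificate as Base-64 encoded X.509 (.CER),
# the format the Dropbox admin console expects. Only the public certificate is
# exported; the private key never leaves the AD FS server.
$Signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Der = $Signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$Pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($Der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
# Output path is an assumption; any location you can reach from the browser works.
Set-Content -Path "$env:USERPROFILE\Desktop\adfs-token-signing.cer" -Value $Pem -Encoding Ascii

# Sanity check: the trust exists, carries the identifier, and has both transform rules.
Get-ADFSRelyingPartyTrust -Name "Dropbox Business" |
    Select-Object Name, Identifier, IssuanceTransformRules
```

The exported file is the public half of whichever token-signing certificate is primary at the time you run this. If AD FS is left with automatic certificate rollover enabled, the primary token-signing certificate will change before it expires, and Dropbox will reject assertions signed with the new key until the new certificate is uploaded in the admin console; either plan for that re-upload or disable rollover and manage the certificate manually.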
- Complete the final steps required to configure SSO in the Dropbox admin console. You'll upload the certificate you exported in step 23 as your X.509 certificate. Your sign-in URL will be your AD FS SAML endpoint.
- We recommend that you first configure SSO in Optional mode for testing purposes. Try an SSO login at www.dropbox.com/sso while you're already signed in. This way you can get detailed error messaging in the team activity log. Once you've confirmed that SSO is working properly and have prepared your users for the switch, you can change SSO to Required mode.
- This setup relies on the email address in the Email field of users in Active Directory. You'll need to make sure this field is populated in Active Directory and matches the email addresses of the Current members listed in your Dropbox Business admin console.