Configure single sign-on
If you already use an identity provider or Active Directory at your company, single sign-on (SSO) makes life easier and more secure for your business.
Dropbox uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0), which means our implementation of SSO integrates easily with any large identity provider that supports SAML 2.0. We also support AD FS.
Dropbox has partnered with several identity providers, including Ping Identity, OneLogin, Okta, and Centrify, to offer a pre-configured app that makes setup easy.
Of course, since Dropbox uses SAML 2.0, you can still use SSO with any SAML-supported identity provider, or you can even create your own SSO implementation.
Note: Only team admins can configure SSO.
Configuring SSO with one of Dropbox's partners
To get started, go to your identity provider's site and follow the instructions to configure single sign-on.
Once you've gone through your identity provider's setup:
- Sign in to Dropbox with your admin account and click on Admin Console in the left-hand sidebar.
- In the Admin Console, click on Authentication in the sidebar.
- Under Single sign-on, select the Enable single sign-on checkbox.
- Choose whether to make single sign-on optional or required.
- Enter the Sign in URL you got earlier from the identity provider.
- Click the Choose certificate button. Upload the X.509 certificate .pem file you got from the identity provider earlier.
- Click the Save changes button.
Here's some important information about SSO once you have it configured:
Prepare your users
If you make single sign-on required, Dropbox will automatically notify team members by email. If you make single sign-on optional, you'll need to notify them yourself. You can download an email template from the single sign-on section of the Admin Console.
Accessing the website
Once single sign-on is turned on, users can sign in to Dropbox by entering just their email address and leaving the password field blank. This will redirect them to your identity provider's sign-in page, where they can enter their work credentials.
As part of SSO setup, we'll provide you with a custom Dropbox URL. This URL will enable users to go directly to their Dropbox account online if they've already signed in to your identity provider.
Linking computers and mobile devices
All computers and mobile devices that are currently linked to Dropbox accounts will continue to work as normal. If they haven't signed in to your identity provider, they'll be automatically redirected to do so. They'll also be prompted to take a few other simple steps:
- When users link a computer, Dropbox will direct them to copy a special link code from the website and paste it into the application.
- When users link a mobile device, they'll be asked to approve a request to connect the app to their account.
Configuring SSO with an alternate identity provider
If you'd like to configure your own solution or use a different identity provider, here are the parameters you'll need:
- Dropbox uses SAML 2.0 with the HTTP Redirect binding for the SP-to-IdP authentication request and expects the HTTP POST binding for the IdP-to-SP response.
- The Dropbox post-back URL (also called the Assertion Consumer Service URL) is https://www.dropbox.com/saml_login
- Dropbox requires that the NameID contain the user's email address. Technically, the NameID element must carry Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
- Your identity provider may ask if you want to sign the SAML assertion, the SAML response, or both. Dropbox requires the SAML response to be signed. You can choose signed or unsigned for the SAML assertion.
You'll need to find two pieces of information to give Dropbox:
- A sign-in page URL (also called a login URL).
- An X.509 certificate. This is a security certificate that you usually get from your identity provider and must be in the .pem format.
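The parameters above can be checked before the team is switched over. The following is an added example, not Dropbox's code: it inspects a constructed sample of the SAML Response an IdP would POST to the ACS URL and reports which of the listed requirements (ACS destination, signature on the Response element itself, email-address NameID) it does not meet. It is a structural check only and does not verify the XML signature cryptographically.

```python
# Added example, not Dropbox's code. Structural preflight check only;
# the ds:Signature is located but never cryptographically verified.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DROPBOX_ACS = "https://www.dropbox.com/saml_login"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of an IdP response; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" Destination="https://www.dropbox.com/saml_login">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text):
    """Return a list of findings; an empty list means the response meets
    the structural requirements listed for Dropbox."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # The response must be addressed to the Dropbox ACS (post-back) URL.
    if root.get("Destination") != DROPBOX_ACS:
        findings.append("Destination missing or not the Dropbox ACS URL")
    # Dropbox requires the Response to be signed. Only a direct child
    # ds:Signature counts; a signature inside the Assertion does not.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response element carries no ds:Signature")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID in the assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append("NameID Format is not emailAddress")
        if "@" not in (name_id.text or ""):
            findings.append("NameID value does not look like an email address")
    return findings

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE) or "OK")
```

Feed it a response captured from the IdP's test tool (or a SAML tracer) to confirm the IdP signs the Response rather than only the Assertion before making SSO required.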
Use the Active Directory Connector to keep your team in sync with Dropbox Business
Save time with the Active Directory Connector (AD Connector). The AD Connector can handle both provisioning and deprovisioning of licenses on your Dropbox Business team, and can manage this sync automatically.
- The AD Connector can (optionally) sync Active Directory groups and group members to your Dropbox Business team.
- All team members must be active members in a single AD environment and forest to use the AD Connector.
- PowerShell 4.0 or higher is required.
- Windows Server 2008 (or later) is required.
- Remote Server Administrative Tools is required.
- We recommend creating a single group called "Dropbox" that contains all the members you'd like to provision. You can place both users and groups within the Dropbox group.
- The AD Connector only syncs changes that originate from AD; we recommend installing the AD Connector on a server that has read-only access to Active Directory.
- The AD Connector is currently available in English only.
Get started using the AD Connector
First, download the AD Connector. Then:
- Locate and run the Dropbox-AD-Connector.msi installer.
- Click Next to continue through the install wizard.
- Check the box to accept the terms, and click Next.
- Click Next to install to the default path.
- Click Install, and then choose Yes if User Account Control (UAC) prompts you.
- The Getting Started checkbox is checked by default; if you already have this guide open, uncheck it.
- Select Finish to complete the installation.
Note: Detailed setup instructions for the Configure AD Connector tool are available in a separate article.