{"en":"This page is not currently available in your language.","id":"Halaman ini sekarang belum tersedia dalam bahasa Anda.","ms":"Laman ini kini belum boleh didapati dalam bahasa anda.","es_ES":"Esta página no está disponible en tu idioma en este momento.","da_DK":"Denne side er i øjeblikket ikke tilgængelig på dit sprog.","fr":"Cette page n'est actuellement pas disponible dans votre langue.","de":"Diese Seite ist zurzeit nicht in Ihrer Sprache verfügbar.","en_GB":"This page is not currently available in your language.","pl":"Ta strona aktualnie nie jest dostępna w Twoim języku.","it":"Al momento questa pagina non è disponibile nella tua lingua.","nl_NL":"Deze pagina is momenteel niet beschikbaar in je taal.","nb_NO":"Denne siden er for øyeblikket ikke tilgjengelig på språket ditt.","ru":"На данный момент эта страница недоступна на вашем языке.","zh_TW":"此頁面目前沒有您語言的版本。","sv_SE":"Denna sida är för närvarande inte tillgänglig på ditt språk.","th_TH":"หน้านี้ยังไม่มีให้บริการในภาษาของคุณในขณะนี้","zh_CN":"本页面暂无您所需的语言版本。","ja":"申し訳ありませんが、このページは選択した言語ではご利用になれません。","pt_BR":"Esta página não está disponível no momento em seu idioma.","ko":"현재 이 페이지는 한국어 번역이 제공되지 않습니다.","es":"Esta página aún no está disponible en tu idioma.","uk_UA":"На даний момент ця сторінка недоступна на вашій мові.","en_AU":"This page is not currently available in your language."}

How do I connect Dropbox to AD FS 3.0 for single sign-on (SSO)?

This article provides detailed instructions on how to configure your Dropbox Business account to support SP-initiated SSO relying on Active Directory Federated Services 3.0, often referred to as ADFS 2012 R2.

Your deployment should follow Microsoft’s best-practices for deploying AD FS clusters and proxies—configuring a full AD DS / AD FS deployment is outside the scope of this guide.

Read instructions for connecting Dropbox to Active Directory Federation Services (AD FS)

Important: These instructions apply to SSO only; you'll still need to manually provision and de-provision accounts in the Dropbox Business admin console. This is especially important when users leave the company because the Dropbox desktop and mobile apps keep users logged in indefinitely after their initial SSO authentication.

Some Dropbox customers choose to build custom applications with the Dropbox Business API to automatically provision and de-provision users in response to changes in AD. Please contact your Account Manager if you're interested in API access.

Please also note that these instructions are still in beta. We welcome any feedback or questions as you follow the steps.


  • An AD FS 3.0 instance with an AD FS SAML endpoint that is exposed to the devices that will need to authenticate

Connect Dropbox to AD FS 3.0 for SSO

  1. Create a new relying party trust.
adfs image 1
adfs image 2
  1. Select Enter data about the relying party manually.
Adfs image 3
  1. Enter the Display name and Notes as shown below.
adfs image 4
  1. Use AD FS profile.
adfs image 5
  1. Click Next without altering this page.
adfs image 6
  1. Choose SAML 2.0 and set the service URL to https://www.dropbox.com/saml_login
adfs image 7
  1. Set the relying party identifier to Dropbox.
adfs image 8
  1. Leave Multifactor Authentication at default.
adfs image 9
  1. Choose who should be able to access Dropbox via SSO.
adfs image 10
  1. Click Next to add the relying party trust.
adfs image 11
  1. Close the wizard.
adfs image 12
  1. Add a rule to send LDAP attributes as claims.
adfs image 13
  1. Send LDAP attributes as Claims.
adfs image 14
  1. Add Claim Rules.
adfs image 15
  1. Add another rule.
adfs image 16
  1. Select Transform an Incoming Claim.
adfs image 17
  1. Set up claim rule.
adfs image 18
  1. Apply rules.
adfs image 19
  1. Prepare certificate.
adfs image 20
  1. Copy to file.
adfs image 21
adfs image 22
  1. Base-64 encoded export.
adfs image 23
  1. Enter the file name below.
adfs image 24
adfs image 25
adfs image 26
  1. Configure Dropbox to use your AD FS server for SSO: Read the final steps required to configure SSO in the Dropbox admin console.

Notes for step 27:

  • You'll upload the certificate you exported in as your X.509 certificate
  • Your sign-in URL will be your AD FS SAML endpoint
  • We recommend first configuring SSO in Optional mode, and then moving to Required mode once you have tested that SSO is working properly and prepared your users for the switch

Other useful articles:

We’re sorry to hear that. Let us know how we can improve:

Thanks for your feedback! Let us know how this article helped:

Thanks for your feedback!

Community answers

    Other ways to get help


    Twitter support

    Contact support