Single sign-on (SSO) for Dropbox Business admins

This article discusses a feature that is only available to Dropbox Business teams on an Advanced or Enterprise plan.

Learn more about the new Dropbox Business plans.

If you're the admin of a Dropbox Business team on an Advanced or Enterprise plan, you can let team members access Dropbox by signing in to a central identity provider.

Single sign-on (SSO) makes life easier and more secure for everyone. You can put the identity provider you already trust in charge of authentication, and team members can access Dropbox without another password to manage.

How do I set up single sign-on (SSO) with Dropbox?

Configure your identity provider

To get started, go to your identity provider's site and follow the provider's instructions to configure single sign-on.

Dropbox has partnered with many identity providers to offer a pre-configured app that contains the correct settings. See which identity providers we've partnered with.

If you’d like to configure your own solution or use a different identity provider, review the required parameters.

You'll need to find two pieces of information to give Dropbox:

Configure Dropbox

  1. Sign in to Dropbox with your admin account.
  2. Click Admin Console in the sidebar.
  3. Click Settings in the sidebar.
  4. Under Authentication settings, click Single sign-on.
  5. Choose whether to make single sign-on optional or required.
  6. Enter the Identity provider sign-in URL you got earlier from the identity provider.
  7. Enter an Identity provider sign-out URL (note: this step is optional).
  8. Click Upload certificate to upload the X.509 certificate .pem file you got earlier from the identity provider.
  9. Click Apply changes.

Prepare your users

If you make single sign-on required, Dropbox will automatically notify team members by email. If you make single sign-on optional, you'll need to notify them yourself. You can download an email template from the single sign-on section of the Admin Console.

Accessing the website

Once single sign-on is turned on, users can sign in to Dropbox by entering just their email address. This will redirect them to your identity provider's sign-in page, where they can enter their work credentials.

As part of SSO setup, we'll provide you with a custom Dropbox URL. This URL will enable users to go directly to their Dropbox account online if they've already signed in to your identity provider.

Linking computers and mobile devices

All computers and mobile devices that are currently linked to Dropbox accounts will continue to work as normal. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work. If they haven't signed in to your identity provider, they'll be automatically redirected to do so. They'll also be prompted to take a few other simple steps:

  • When users link a computer, Dropbox will direct them to copy a special link code from the website and paste it into the application.
  • When users link a mobile device, they'll be asked to approve a request to connect the app to their account.

For details, see our instructions for end users.

What identity providers do you support?

Dropbox uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), which means our implementation of SSO integrates easily with any large identity provider that supports SAML. If you've built your own SAML-based federated authentication process, we integrate with that too. We support service-provider-initiated SAML and identity-provider-initiated SAML.

The following identity providers offer preconfigured settings for Dropbox:

  • Auth0
  • Bitium
  • CA Siteminder
  • Centrify
  • G Suite
  • MobileIron Access
  • OneLogin
  • Okta
  • Ping Identity
  • Salesforce
  • Symantec Identity: Access Manager
  • Symplified

I want to set up SSO with a provider that’s not on the list. How do I configure my own identity provider solution for SSO?

If you’d like to configure your own solution or use a different identity provider, here are the parameters you'll need:

  • Dropbox uses SAML2 with the HTTP Redirect binding for SP to IdP and expects the HTTP Post binding for IdP to SP.
  • The Dropbox post-back URL (also called the Assertion Consumer Service URL) is https://www.dropbox.com/saml_login
  • Dropbox requires that the NameID contain the user’s email address. Technically we are looking for: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  • Your identity provider may ask if you want to sign the SAML assertion, the SAML response, or both. Dropbox requires the SAML response to be signed. You can choose signed or unsigned for the SAML assertion.
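
The following pre-flight check is an added example, not Dropbox's code: it decodes the base64 SAMLResponse form field your identity provider would POST and reports where its structure departs from the parameters listed above. The function names and the sample responses are constructed for illustration, and the check is structural only; it does not verify the signature cryptographically.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://www.dropbox.com/saml_login"  # from the article
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # from the article


def check_saml_response(b64_response):
    """Return a list of problems; an empty list means the structure matches."""
    # Intended for responses from your own IdP test tenant. For untrusted XML,
    # parse with a hardened parser such as defusedxml instead.
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a SAML 2.0 <samlp:Response>"]
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {ACS_URL}")
    # The signature must be a direct child of <Response>; one that sits only
    # inside <Assertion> signs the assertion, not the response.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed (no ds:Signature directly under Response)")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in the assertion subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            problems.append("NameID value is not an email address")
    return problems


def sample_response(sign_response, name_format, name):
    """Constructed sample (not captured from a real IdP); signature body elided."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{ACS_URL}">{sig if sign_response else ""}'
        f'<saml:Assertion>{"" if sign_response else sig}<saml:Subject>'
        f'<saml:NameID Format="{name_format}">{name}</saml:NameID>'
        f'</saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

A response whose only signature sits inside the assertion is reported as unsigned, which is the misconfiguration most likely when an identity provider defaults to signing the assertion alone.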

What's an X.509 certificate?

An X.509 certificate is a security certificate that's used to verify your identity. It usually comes from your identity provider. It can come in a variety of formats, but Dropbox only accepts the .pem, .cer, or .crt formats. Below is a sample of an encoded certificate:

[Image: an example of an encoded X.509 certificate]

What's the difference between optional mode and required mode?

In optional mode, all users will be able to sign in using either their Dropbox or single sign-on password. This mode is ideal if you're doing a gradual rollout of SSO and want to test it first without disrupting the activity of the team.

  • In order to sign in using single sign-on, users must leave the password field empty. If users try to enter a password, we will treat this as an attempt to sign in with their Dropbox credentials.
  • Users can sign in without entering an email by going to your team-specific page. You can find the URL for this page under SSO settings in the Admin Console.
  • To avoid overlapping settings, Dropbox's two-step verification will be disabled when using single sign-on.
  • Dropbox will not notify users if you turn on single sign-on in optional mode. If you'd like to notify a test group of users, an email template is available from the single sign-on section of the Admin Console.
  • Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox Business. All new desktop and mobile clients will be able to sign in using either their Dropbox or single sign-on password.

In required mode, all users must sign in to your central identity provider in order to access Dropbox. The Dropbox password they've used before will no longer work, and Dropbox will not store their single sign-on credentials. Use this option if you're ready to switch over completely to your identity provider for authentication.

  • Users without single sign-on credentials will not be able to sign in to Dropbox.
  • We'll send all users an email letting them know that single sign-on is enabled with instructions on how to sign in.
  • When a user tries to sign in to Dropbox, we'll redirect them to your identity provider.
  • Users can sign in on the web without entering an email by going to your team-specific page.
  • To prevent duplicate security policies, Dropbox's two-step verification will be disabled when using single sign-on.
  • Admins won't be able to reset passwords through Dropbox since passwords are now controlled by your identity provider.
  • As an administrator, you'll be able to sign in on the web using either your Dropbox or single sign-on password.
  • Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox Business. All new desktop and mobile clients must use single sign-on.

What happens when I add a new user to the Business account?

If you've turned on SSO in required mode, you'll need to make sure that the new user's email address is registered with your identity provider. Otherwise, the user will not be able to sign in and access Dropbox. In optional mode, the user will be asked to create a Dropbox password and can sign in with it as usual.

How does SSO work with Dropbox's security features, such as two-step verification?

When you set up SSO in required mode, your identity provider becomes the entire basis for authenticating end users. Whatever process, policies, and security features you've set up with your identity provider will apply for a user to access Dropbox. Security features that Dropbox itself provides, such as two-step verification or the ability to reset passwords, will no longer be in effect because your identity provider is now handling all aspects of authentication. This enables you to add more layers of security through your identity provider.

If you set up SSO in optional mode, end users can still use Dropbox's two-step verification and reset their Dropbox password.

What happens if there’s a problem with our identity provider?

As an admin for the Business account, you'll be able to sign in to the Dropbox website with your email address and Dropbox password. You can then turn off SSO or set it to optional mode as needed.

As an admin, how is signing in with my SSO credentials different from signing in with my Dropbox credentials?

To sign in to Dropbox with your SSO credentials, just leave the password field blank. If you enter anything in the password field, Dropbox will assume you're trying to sign in with your Dropbox credentials instead.

If you're an admin and you use your Dropbox password to sign in, you’ll still be able to use two-step verification with your Dropbox account.

What happens to my existing computers and mobile devices that are connected to Dropbox?

All computers and mobile devices that are already linked to Dropbox accounts will continue to work normally when you enable single sign-on. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work.

What is InCommon?

InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. With Dropbox, this means that our version of SSO abides by the InCommon standard. Learn more about setting up SSO to support InCommon.
