If you're the admin of a Dropbox Business team on an Advanced or Enterprise plan, you can let team members access Dropbox by signing in to a central identity provider.
With single sign-on (SSO), you can put the identity provider you already trust in charge of authentication, and team members can access Dropbox without another password to manage.
To get started, go to your identity provider's site and follow the provider's instructions to configure single sign-on.
Dropbox has partnered with many identity providers to offer a pre-configured app that contains the correct settings. See which identity providers we've partnered with.
You'll need to find two pieces of information to give Dropbox:
If you make single sign-on required, Dropbox will automatically notify team members by email. If you make single sign-on optional, you'll need to notify them yourself. You can download an email template from the single sign-on section of the Admin Console.
Once single sign-on is turned on, users can sign in to Dropbox by entering just their email address. This will redirect them to your identity provider's sign-in page, where they can enter their work credentials.
As part of SSO setup, we'll provide you with a custom Dropbox URL. This URL will enable users to go directly to their Dropbox account online if they've already signed in to your identity provider.
All computers and mobile devices that are currently linked to Dropbox accounts will continue to work as normal. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work. If they haven't signed in to your identity provider, they'll be automatically redirected to do so. They'll also be prompted to take a few other simple steps:
For details, see our instructions for end users.
Dropbox uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), which means our implementation of SSO integrates easily with any large identity provider that supports SAML. If you've built your own SAML-based federated authentication process, we integrate with that too. We support service-provider-initiated SAML and identity-provider-initiated SAML.
The following identity providers offer preconfigured settings for Dropbox:
If you’d like to configure your own solution or use a different identity provider, here are the parameters you'll need:
An X.509 certificate is a security certificate that's used to verify your identity. It usually comes from your identity provider. It can come in a variety of formats, but Dropbox only accepts the .pem, .cer, or .crt formats. Below is a sample of an encoded certificate:
If your team members are seeing an error when trying to use SSO to sign in, you may need to update your X.509 certificate. To do so, locate and download the most recent certificate with your identity provider and upload the new certificate in the admin console.
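The following is an added example, not Dropbox's or any identity provider's code: a check an admin could run on the certificate file exported from the identity provider before uploading it, reporting its validity window and SHA-256 fingerprint and refusing files that also contain a private key. It assumes that an expired or replaced signing certificate is the reason an update is needed; the function names, the 30-day warning threshold and the sample data are hypothetical.

```python
import base64, hashlib, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime: YY >= 50 means 19YY (RFC 5280)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_idp_cert(data, now=None, warn_days=30):
    now = now or datetime.now(timezone.utc)
    blocks = PEM_RE.findall(data.decode("ascii", "ignore"))
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in l for l in labels) or labels.count("CERTIFICATE") > 1:
        raise ValueError("file must hold exactly one certificate and no private key")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    der = base64.b64decode("".join(certs[0].split())) if certs else data  # else raw DER
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an X.509 certificate")
    pos = read_tlv(der, read_tlv(der, 0)[1])[1]   # step into Certificate, then tbsCertificate
    for _ in range(4 if read_tlv(der, pos)[0] == 0xA0 else 3):  # skip version?, serial, sigAlg, issuer
        pos = read_tlv(der, pos)[2]
    pos = read_tlv(der, pos)[1]                   # step into validity SEQUENCE
    t1, a, b = read_tlv(der, pos)                 # notBefore
    t2, c, d = read_tlv(der, b)                   # notAfter
    not_before, not_after = parse_time(t1, der[a:b]), parse_time(t2, der[c:d])
    days_left = (not_after - now).days
    status = ("expired" if now > not_after else "not yet valid" if now < not_before
              else "expiring soon" if days_left < warn_days else "valid")
    return {"sha256": hashlib.sha256(der).hexdigest(), "not_before": not_before,
            "not_after": not_after, "days_left": days_left, "status": status}

# Constructed sample: certificate-shaped DER skeleton (fields up to validity), not a real cert.
def tlv(tag, body): return bytes([tag, len(body)]) + body   # short-form lengths only
TBS = (tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
       + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z")))
SAMPLE_DER = tlv(0x30, tlv(0x30, TBS))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Compare the returned `sha256` value with the fingerprint your identity provider displays for its current signing certificate to confirm you exported the right one.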
In optional mode, all users will be able to sign in using either their Dropbox or single sign-on password. This mode is ideal if you're doing a gradual rollout of SSO and want to test it first without disrupting the activity of the team.
In required mode, all users must sign in to your central identity provider in order to access Dropbox. The Dropbox password they've used before will no longer work, and Dropbox will not store their single sign-on credentials. Use this option if you're ready to switch over completely to your identity provider for authentication.
If you've turned on SSO in required mode, you'll need to make sure that the new user's email address is registered with your identity provider. Otherwise, the user will not be able to sign in and access Dropbox. In optional mode, the user will be asked to create a Dropbox password and can sign in with it as usual.
When you set up SSO in required mode, your identity provider becomes the entire basis for authenticating end users. Whatever process, policies, and security features you've set up with your identity provider will apply for a user to access Dropbox. Security features that Dropbox itself provides, such as two-step verification or the ability to reset passwords, will no longer be in effect because your identity provider is now handling all aspects of authentication. This enables you to add more layers of security through your identity provider.
If you set up SSO in optional mode, end users can still use Dropbox's two-step verification and reset their Dropbox password.
As an admin for the Business account, you'll be able to sign in to the Dropbox website with your email address and Dropbox password. You can then turn off SSO or set it to optional mode as needed.
To sign in to Dropbox with your SSO credentials, just leave the password field blank. If you enter anything in the password field, Dropbox will assume you're trying to sign in with your Dropbox credentials instead.
If you're an admin and you use your Dropbox password to sign in, you’ll still be able to use two-step verification with your Dropbox account.
All computers and mobile devices that are already linked to Dropbox accounts will continue to work normally when you enable single sign-on. However, if users need to relink a device or link a new one, they'll need the latest versions of the desktop application and mobile app in order for single sign-on to work.
InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. With Dropbox, this means that our version of SSO abides by the InCommon standard. Learn more about setting up SSO to support InCommon.