Dropbox cloud application

You must be signed in as a super administrator for this task.

Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications.

Set up SSO via SAML for Dropbox

Here's how to set up SSO via SAML for the Dropbox® application.

Step 1: Set up Dropbox as a SAML 2.0 service provider (SP)

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom. 

  3. Click the Download button to download the Google IdP metadata and the X.509 Certificate.
  4. In a new browser tab, log into your Dropbox application as an administrator.
  5. Click on Admin Console in the left-hand sidebar.
  6. Click on Authentication in the sidebar.
  7. Under Single sign-on, select the Enable single sign-on checkbox.
  8. Choose the Required radio button to make single sign-on required.
  9. Copy the Google Single Sign-On URL (see Step 5 below) from the Google Dropbox cloud application and paste it into the SAML Login URL field.
  10. Filling in the Logout URL field is optional. You can leave it empty. 
  11. Generate the SHA-1 fingerprint from the Google X.509 certificate you downloaded in Step 3.
  12. Click Save changes and proceed to the next section to set up Google as a SAML identity provider (IdP).

Step 2: Set up Google as a SAML identity provider (IdP)

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the plus (+) icon at bottom right.
  4. Locate and click Dropbox in the application list. The values on the Google IDP Information page automatically populate.
  5. There are two ways to collect the service provider Setup information:
    You can copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate, paste them into the appropriate service provider Setup fields, and then click Next
    or
    You can download the IDP metadata, upload it into the appropriate service provider Setup fields, and then  come back to the admin console and click Next.
  6. In the Basic application information window, the Application name and Description values automatically populate.
  7. Click Next.

Step 3: Enter service provider details in Google Admin console

  1. In the Service Provider Details section, enter the following URLs into the Entity IDACS URL, and Start URL fields:
    • ACS URL: https://www.dropbox.com/saml_login
    • Entity ID: Dropbox
    • Start URL: [leave empty]
  2. Leave Signed Response unchecked.
    When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
  3. The default Name ID is the primary email. Multi-value input is not supported. You can change the Name ID mapping as per your requirement. Custom attributes of the user schema can also be used after creating them via Google Admin SDK APIs. The custom attributes for the user schema need to be created prior to setting up the Dropbox SAML application. 
  4. Click Next.
  5. (Optional) Click Add new mapping and enter a new name for the attribute you want to map.
  6. In the drop-down list, first select the Category and then choose a User attribute to map the attribute from the Google profile.
  7. Click Finish.
Step 4: Configure SSO in Dropbox admin console
  1. Open a new browser window.
  2. Sign in to Dropbox.
  3. Select Admin Console.
  4. Select Authentication.
  5. Check the Enable Single sign-on check box.
  6. Select Optional or Required based on your preference. Required enforces single sign-on.
  7. Enter the Sign in URL (paste in the Single Sign-On URL from the identity provider Information window).
  8. Click Choose certificate.
  9. Upload the X.509 certificate .pem file you got earlier from the identity provider.
  10. Click Save.
  11. Create users in Dropbox.
    1. Click Members.
    2. Invite users.
    3. Enter your Google user email address.
    4. Open the Google user mailbox and accept the Dropbox invitation.
Step 5: Enable the Dropbox app
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Select Dropbox.
  4. At the top right of the gray box, click Edit Service Compose.

  5. To apply settings to all organizations, click On for everyone or Off for everyone, and then click Save

  6. To apply settings to individual organizational units, do the following: 

    • At the left, select the organizational unit that contains the users whose settings you want to change.
    • To change the setting, select On or Off.
    • To keep the setting the same, even if the parent setting changes, click Override.
    • If the organization's status is already Overridden, choose an option:
      Inherit—Reverts to the same setting as its parent.
      Save—Saves your new setting (even if the parent setting changes).

    Learn more about the organizational structure.

  7. Ensure that your Dropbox user account email IDs match those in the domain for your Google service.
Step 6: Verify that the SSO is working
  1. Open https://your-domain-name.my.dropbox.com. You should be automatically redirected to the Google sign in page.
  2. Enter your username and password.

After your credentials are authenticated you're redirected back to Dropbox.

Step 7: Set up user provisioning

As a super administrator, you can automatically provision users in the Dropbox application.

Was this helpful?
How can we improve it?