How do I connect Dropbox to AD FS 3.0 for single sign-on (SSO)?

This article provides detailed instructions on how to configure your Dropbox Business account to support SP-initiated SSO relying on Active Directory Federated Services 3.0, often referred to as ADFS 2012 R2.

Your deployment should follow Microsoft’s best-practices for deploying AD FS clusters and proxies—configuring a full AD DS / AD FS deployment is outside the scope of this guide.

Read instructions for connecting Dropbox to Active Directory Federation Services (AD FS)

Important: These instructions apply to SSO only; you'll still need to manually provision and de-provision accounts in the Dropbox Business admin console. This is especially important when users leave the organization because the Dropbox desktop and mobile apps keep users logged in indefinitely after their initial SSO authentication.

Some Dropbox customers choose to build custom applications with the Dropbox Business API to automatically provision and de-provision users in response to changes in AD. Please contact your Account Manager if you're interested in API access.

Please also note that these instructions are still in beta. We welcome any feedback or questions as you follow the steps.

Prerequisites

  • An AD FS 3.0 instance with an AD FS SAML endpoint that is exposed to the devices that will need to authenticate

Connect Dropbox to AD FS 3.0 for SSO

  1. Create a new relying party trust.
adfs image 1
  1.  
adfs image 2
  1. Select Enter data about the relying party manually.
Adfs image 3
  1. Enter the Display name and Notes as shown below.
adfs image 4
  1. Use AD FS profile.
adfs image 5
  1. Click Next without altering this page.
adfs image 6
  1. Choose SAML 2.0 and set the service URL to https://www.dropbox.com/saml_login
adfs image 7
  1. Set the relying party identifier to Dropbox.
adfs image 8
  1. Leave Multifactor Authentication at default.
adfs image 9
  1. Choose who should be able to access Dropbox via SSO.
adfs image 10
  1. Click Next to add the relying party trust.
adfs image 11
  1. Close the wizard.
adfs image 12
  1. Add a rule to send LDAP attributes as claims.
adfs image 13
  1. Send LDAP attributes as Claims.
adfs image 14
  1. Add Claim Rules.
adfs image 15
  1. Add another rule.
adfs image 16
  1. Select Transform an Incoming Claim.
adfs image 17
  1. Set up claim rule.
adfs image 18
  1. Apply rules.
adfs image 19
  1. Prepare certificate.
adfs image 20
  1. Copy to file.
adfs image 21
  1.  
adfs image 22
  1. Base-64 encoded export.
adfs image 23
  1. Enter the filename below.
adfs image 24
  1.  
adfs image 25
  1.  
adfs image 26
  1. Configure Dropbox to use your AD FS server for SSO: Read the final steps required to configure SSO in the Dropbox admin console.

Notes for step 27:

  • You'll upload the certificate you exported in as your X.509 certificate
  • Your sign-in URL will be your AD FS SAML endpoint
  • We recommend first configuring SSO in Optional mode, and then moving to Required mode once you have tested that SSO is working properly and prepared your users for the switch

Other useful articles:

How helpful was this article?

We’re sorry to hear that.
Let us know how we can improve:

Thanks for your feedback!
Let us know how this article helped:

Thanks for your feedback!