How to configure single sign-on using GakuNin IdP

Updated Nov 21, 2023
Dropbox supports single sign-on (SSO) using IdPs participating in the Academic Access Management Federation in Japan (GakuNin). This article explains how to enable GakuNin IdP-initiated SSO for Dropbox team accounts.

What is GakuNin?

The Academic Access Management Federation in Japan (GakuNin) is a federation associated with the National Institute of Informatics (NII). GakuNin consists of universities and research institutes that are users of academic e-resources and providers of such e-resources. By mutually trusting policy stipulated by the Federation, organizations can enable federated access between each other.

How to enable GakuNin IdP-initiated SSO

To enable GakuNin IdP-initiated SSO, follow the steps below.

1. Join GakuNin and eduGAIN

These procedures require that the GakuNin IdP join eduGAIN. If necessary, refer to this link to join eduGAIN.

If you are unable to join eduGAIN or are not a participant in GakuNin, refer to the link to procedures for general SSO.

2. Enable GakuNin in Dropbox

The setting for allowing connections from GakuNin must be enabled in Dropbox. To enable GakuNin for your Dropbox team, contact your Customer Success Manager. The following instructions for configuring the Dropbox admin console won't work unless this setting has been enabled.

3. Configure the Shibboleth IdP attribute filter

Complete the step below to configure the attribute filter so that the IdP releases the mail attribute to Dropbox.

Add the code below to the attribute-filter.xml (/opt/shibboleth-idp/conf/attribute-filter.xml) file.

<!-- Release the mail attribute only to the Dropbox SP, matched by its requester entityID -->
<AttributeFilterPolicy id="PolicyforDROPBOX">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://dropbox.com/sp"/>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>

4. Prepare needed information

To configure SSO in the Dropbox admin console, you'll need two pieces of information: the sign-in URL and the X.509 certificate.

Use the Location value of the SingleSignOnService element in the IDPSSODescriptor of the IdP metadata as the sign-in URL. Refer to the example below.

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.gakunin.nii.ac.jp/idp/profile/SAML2/Redirect/SSO"/>

In this case, the sign-in URL required for Dropbox is as follows:
https://idp.gakunin.nii.ac.jp/idp/profile/SAML2/Redirect/SSO

The certificate file in the IdP credentials folder can be used for the X.509 certificate. A typical path for this certificate is /opt/shibboleth-idp/credentials/server.crt.

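The following script, added here as an example and not part of Dropbox's or Shibboleth's own tooling, pulls both values from the IdP metadata (the HTTP-Redirect sign-in URL and the signing certificate) and checks that the certificate file you intend to upload is the same one the metadata advertises. The metadata document and the certificate bytes in it are constructed placeholders, not real GakuNin values.

```python
"""Extract the Dropbox SSO inputs from Shibboleth IdP metadata and verify the
local certificate file against it.  Example code added for this article, not
from Dropbox or the Shibboleth project.  SAMPLE_METADATA and FAKE_DER are
constructed placeholders, not real GakuNin data."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

FAKE_DER = b"constructed placeholder, not a real DER certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed metadata listing two SSO bindings; Dropbox needs the HTTP-Redirect one.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.ac.jp/idp/shibboleth"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.example.ac.jp/idp/profile/SAML2/POST/SSO"/>
  <md:SingleSignOnService Binding="{REDIRECT}"
    Location="https://idp.example.ac.jp/idp/profile/SAML2/Redirect/SSO"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""


def sign_in_url(metadata_xml: str, binding: str = REDIRECT) -> str:
    """Return the Location of the SingleSignOnService with the requested binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise ValueError(f"no SingleSignOnService with binding {binding}")


def signing_cert_der(metadata_xml: str) -> bytes:
    """Return the DER bytes of the IdP signing certificate from the metadata."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
            return base64.b64decode("".join(b64.split()))
    raise ValueError("no signing KeyDescriptor in metadata")


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block, as an upload form expects."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_matches(pem: str, der: bytes) -> bool:
    """True when the PEM file (e.g. server.crt) carries exactly the given DER bytes."""
    lines = [ln for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines)) == der
```

Run pem_matches against the contents of your server.crt and the metadata's signing certificate before uploading; a mismatch means Dropbox would be given a certificate that cannot verify the IdP's assertion signatures.
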
5. Dropbox admin console configuration

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console.
  3. Click Settings.
  4. Under Authentication, select Single Sign-on.
  5. Enable SSO in Optional or Required mode. (Optional mode is for testing and Required mode is for production.)
  6. Paste the sign-in URL (collected earlier in this article).
  7. Upload the X.509 certificate (collected earlier in this article).
  8. Under SAML NameID Format, select Transient ID + Email Assertion and save. (If GakuNin is not enabled, this item is not displayed.)

FAQs

How can I use this SSO framework with an existing personal account?

SSO can be used with Dropbox Advanced, Enterprise, and Education. To use SSO with a personal account, you'll need to join an SSO-enabled Dropbox team or Education team and become a team member.

If you are a team admin of a Dropbox team or Education team, you can enable single sign-on for your team.

How do I join a team with a personal account?

The team administrator invites personal accounts to join. A user with a personal account who has been invited to join a team has the following options:

  • Accept the invitation as-is and join the team with all files.
  • Move personal files to another environment (another Dropbox account, another cloud service, hard drive, etc.) and join the team with the files you want to bring along.
  • Change the email address for your personal account to a different one and join the team as a new user.

Learn more about joining a Dropbox team.

If I accept an invitation to a team, will the contents of my personal account be visible to other users?

Joining a team will not make your files visible to other users. Your files and folders will remain accessible only to you as long as you do not invite other users to a folder and make it a shared one or put your files in a team folder managed by the team. The same goes for files and folders on your computer. However, team admins do have the ability to log in as users within the team and can also view operation logs.

Learn more about what files your team members and admins have access to.

Can an account that has already joined another team be invited?

Accounts cannot join multiple teams. If you are invited by a team other than one you have already joined, you will not be able to join it unless you leave the team you are on.
