How to configure single sign-on using GakuNin IdP

Updated Jul 03, 2025

The information in this article applies to admins on Dropbox Standard, Business, Advanced, Business Plus, and Enterprise.

Dropbox supports single sign-on (SSO) using IdPs participating in the Academic Access Management Federation in Japan (GakuNin). This article explains how to enable GakuNin IdP-initiated SSO for Dropbox team accounts.

What is GakuNin?

The Academic Access Management Federation in Japan (GakuNin) is a federation operated in association with the National Institute of Informatics (NII). Its members are universities and research institutes that use academic e-resources and the providers of those e-resources. Because every member agrees to the policies stipulated by the Federation, member organizations can trust each other's identity providers and service providers and enable federated access between them.

How to enable GakuNin IdP-initiated SSO

To enable GakuNin IdP-initiated SSO, follow the steps below.

1. Join GakuNin and eduGAIN

This procedure requires that your GakuNin IdP also participate in eduGAIN. If it doesn't yet, refer to this link to join eduGAIN.

If you can't join eduGAIN, or your organization isn't a GakuNin participant, follow the general SSO procedure linked here instead.

2. Enable GakuNin in Dropbox

The setting for allowing connections from GakuNin must be enabled in Dropbox. To enable GakuNin for your Dropbox team, contact your Customer Success Manager. The following instructions for configuring the Dropbox admin console won't work unless this setting has been enabled.

3. Configure the Shibboleth IdP attribute filter

Configure an attribute release policy so that the IdP releases the mail attribute to the Dropbox SP. The Requester rule scopes the release to Dropbox's SP entity ID, so the mail attribute isn't released to every SP that requests it; the value must match the entityID in the Dropbox SP metadata exactly.

Add the policy below to the attribute-filter.xml file (/opt/shibboleth-idp/conf/attribute-filter.xml).

<!-- Release only the mail attribute, and only to the Dropbox SP -->
<AttributeFilterPolicy id="PolicyforDROPBOX">
    <!-- Apply this policy only to requests from the Dropbox SP entity ID -->
    <PolicyRequirementRule xsi:type="Requester"
        value="https://dropbox.com/sp"/>
    <!-- Permit every value of the resolved mail attribute -->
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>

On Shibboleth IdP 3 and later, the change takes effect after you reload the filter service (/opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService) or restart the IdP.

4. Prepare needed information

To configure SSO in the Dropbox admin console, you'll need two pieces of information from your IdP: the sign-in URL and the X.509 signing certificate.

For the sign-in URL, use the Location of the SingleSignOnService element with the HTTP-Redirect binding inside the IDPSSODescriptor of your IdP metadata. Refer to the example below.

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.gakunin.nii.ac.jp/idp/profile/SAML2/Redirect/SSO"/>

In this case, the sign-in URL required for Dropbox is:
https://idp.gakunin.nii.ac.jp/idp/profile/SAML2/Redirect/SSO

For the X.509 certificate, use the IdP's SAML signing certificate from the IdP's credentials folder. A typical file path for this certificate is /opt/shibboleth-idp/credentials/server.crt. Before uploading it, confirm that it is the same certificate the IdP publishes in the <KeyDescriptor use="signing"> element of its metadata: Dropbox verifies the signature on each SAML response against the uploaded certificate, so an outdated or wrong certificate (for example, one left over from a key rollover) will cause every sign-in to fail.
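Both values in step 4 come straight out of the IdP metadata, and the certificate check is easiest to do by fingerprint. The script below is an added example, not code from the Dropbox article, from Dropbox, or from the Shibboleth project: it parses IdP metadata, returns the HTTP-Redirect sign-in URL, collects every certificate published for signing (skipping encryption-only keys), and compares a .crt file against them by SHA-256 fingerprint. The metadata, the entity ID idp.example.ac.jp, and the certificate bodies are constructed placeholders, not real certificates; point it at your own metadata and credentials files to use it for real.

```python
"""Extract the sign-in URL and signing certificate(s) from Shibboleth IdP
metadata, and check that a .crt file is really the current signing cert.
Added example; not from the Dropbox article, Dropbox, or Shibboleth."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _b64(raw):
    """Base64 a byte string so it can stand in for a metadata certificate body."""
    return base64.b64encode(raw).decode()


# Constructed sample metadata (placeholder cert bodies, not real X.509 data):
# a signing key, an encryption-only key, and both SSO bindings, as a real
# Shibboleth IdP publishes them.
SIGNING_PLACEHOLDER = b"constructed placeholder for the IdP signing certificate"
ENCRYPTION_PLACEHOLDER = b"constructed placeholder for the IdP encryption certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.ac.jp/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(SIGNING_PLACEHOLDER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(ENCRYPTION_PLACEHOLDER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.ac.jp/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.ac.jp/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sign_in_url(metadata_xml, binding=HTTP_REDIRECT):
    """Location of the IdP's SingleSignOnService for the given binding.
    The Dropbox instructions use the HTTP-Redirect endpoint, so it is the default."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == binding:
            return sso.get("Location")
    raise ValueError("no SingleSignOnService with binding " + binding)


def signing_certs_der(metadata_xml):
    """DER bytes of every certificate the IdP publishes for signing.
    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it counts; use="encryption" is skipped. More than one
    result means the IdP is mid key-rollover: upload the one it signs with."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    if not certs:
        raise ValueError("IdP metadata publishes no signing certificate")
    return certs


def pem_to_der(pem):
    """Strip the PEM armor from a .crt file and decode the base64 body."""
    body = []
    for line in pem.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return base64.b64decode("".join(body))


def der_to_pem(der):
    """Wrap DER bytes in PEM armor (64-column lines), the usual form of a .crt file."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def crt_matches_metadata(pem, metadata_xml):
    """True if the .crt you are about to upload is one of the published signing certs."""
    published = {sha256_fingerprint(d) for d in signing_certs_der(metadata_xml)}
    return sha256_fingerprint(pem_to_der(pem)) in published


# Constructed stand-ins for files under /opt/shibboleth-idp/credentials/.
CURRENT_SERVER_CRT = der_to_pem(SIGNING_PLACEHOLDER)
STALE_SERVER_CRT = der_to_pem(b"constructed placeholder for a rotated-out certificate")

if __name__ == "__main__":
    print("Identity provider sign-in URL:", sign_in_url(SAMPLE_METADATA))
    for der in signing_certs_der(SAMPLE_METADATA):
        print("published signing cert sha256:", sha256_fingerprint(der))
    print("current crt matches metadata:", crt_matches_metadata(CURRENT_SERVER_CRT, SAMPLE_METADATA))
    print("stale crt matches metadata:", crt_matches_metadata(STALE_SERVER_CRT, SAMPLE_METADATA))
```

Comparing by fingerprint of the DER bytes (rather than comparing PEM text) ignores line-wrapping and header differences between the metadata and the file on disk, and the same check works with the metadata you fetch from GakuNin, which is what Dropbox's SP would actually consume.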

5. Dropbox admin console configuration

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Settings.
  4. Click the Security tab.
  5. Under Authentication, click the dropdown to the right of Single sign-on (SSO) and select either:
    • Optional (for testing).
    • Required (for production).
    Start with Optional and confirm that an admin can sign in through the IdP before switching to Required, which enforces SSO for every team member.
  6. Click Add to the right of Identity provider sign-in URL, enter the sign-in URL you prepared in step 4, then click Done.
  7. Click Add to the right of X.509 certificate, then upload the IdP signing certificate you prepared in step 4.
  8. Under SAML Format of NameID, select Temporary ID and Email Address. (This option only appears if GakuNin has been enabled for your team; see step 2.)
  9. Click Save.

FAQs

How can I use this SSO framework with an existing personal account?

SSO can be used with Dropbox Advanced, Enterprise, and Education. To use SSO with a personal account, you'll need to join an SSO-enabled Dropbox team or Education team and become a team member.

If you are a team admin of a Dropbox team or Education team, you can enable single sign-on for your team.

How do I join a team with a personal account?

The team administrator invites personal accounts to join. A user with a personal account who has been invited to join a team has the following options:

  • Accept the invitation as-is and join the team with all files.
  • Move personal files to another environment (another Dropbox account, another cloud service, hard drive, etc.) and join the team with the files you want to bring along.
  • Change the email address for your personal account and join the team as a new user.

Learn how to join a Dropbox team.

If I accept an invitation to join a team, will the content of my private account be visible to other users?

When you join a team, your files won't be visible to other users. Your files and folders remain accessible only to you unless you invite other users to a folder, share it, or place your files in a team-managed team folder. The same applies to files and folders on your computer. However, team admins can sign in as team members and can view the team's activity logs.

Learn more about which files your team members and admins have access to.

Can an account holder who has already joined another team be invited again?

An account can belong to only one team. If you're invited by a team other than the one you've already joined, you won't be able to join it unless you first leave your current team.
