How to enable eduGAIN or InCommon-supported SSO for Dropbox

Updated Nov 17, 2023

Dropbox is a sponsored partner of eduGAIN and InCommon, and supports these standards. This article details how to enable eduGAIN or InCommon-supported single sign-on (SSO) for your Dropbox team account.

What are InCommon and eduGAIN?

eduGAIN

eduGAIN is an interfederation service that enables the secure exchange of identity, authentication and authorization info between participating federations.

InCommon

InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. It is specific to the US market.

InCommon is often confused as an identity provider (IdP). In reality, InCommon is a protocol that your IdP may support to provide specific security enhancements to abide by the InCommon Standard.
 

How do I enable supported SSO with eduGAIN or InCommon?

Step 1: Configuring Shibboleth IdP to comply with eduGAIN or InCommon

  1. If you're a Dropbox Education admin, contact your account team and request that they turn on the required eduGAIN or InCommon attribute setting. 
  2. Retrieve eduGAIN or InCommon metadata.
  3. Set up the attribute filter. 
afp:AttributeFilterPolicy id="DROPBOX_INCOMMON"
       afp:PolicyRequirementRule 
xsi:type="basic:AttributeRequesterString"
          value="https://dropbox.com/sp"/

Step 2: Prepare needed information

To configure SSO in the Dropbox admin console, you'll need two pieces of information: the sign-in URL and the X.509 certificate.

The sign-in URL can be found in the eduGAIN or InCommon metadata under your organization's IdPSSODescriptor, and looks similar to this example:

SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO"/

In this case the URL needed for Dropbox is below, which is also the URL that leads to the authentication portal.

https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO
 

The X.509 certificate is located in the credentials folder and is usually called idp.crt. A typical file path to this certificate is /opt/shibboleth-idp/credentials/idp.crt.

Step 3: Configure Dropbox admin console

  1. Log in to dropbox.com with your Dropbox admin credentials.
  2. Open the Admin console.
  3. Click Settings.
  4. Under Authentication, select Single sign-on.
  5. Enable SSO in Optional or Required mode. (Optional mode is for testing and Required mode is for production.)
  6. Paste the sign-in URL (collected earlier in this article).
  7. Upload the X.509 certificate (collected earlier in this article).
  8. Under SAML NameID Format, select Transient ID + Email Assertion.
Was this article helpful?

Let us know how why it didn't help:

Thanks for letting us know!

Thanks for your feedback!

Community answers

Related Articles

How to configure your team’s desktop with GPO

Admins

Admins of Dropbox teams can configure their team members’ Dropbox desktop app preferences using Group Policy Object (GPO). Learn how.

View article

FAQs about macOS 12.3 and Apple silicon for admins

Admins

If you're a Dropbox admin, macOS 12.3 (Monterey) and Apple silicon may impact your team and online-only files. Learn more with our FAQs.

View article

Firewall configuration

If your Dropbox captcha is blocked, you can adjust your firewall, security, ESET, and software permissions on your desktop to allow Dropbox. Learn how.

View article

How to connect the Dropbox desktop app to a proxy server

You can connect the Dropbox desktop application to a proxy server, if there’s one available, in your desktop app preferences. Learn how.

View article

Other ways to get help

Icon depicting two people
Community
Twitter Icon
X
Icon depicting a speech bubble
Contact support