How do I connect Dropbox to AD FS 2.0 for single sign-on (SSO)?

This article provides detailed instructions on how to connect Dropbox to Active Directory Federation Services (AD FS) 2.0 for single sign-on (SSO).

Read more instructions on connecting Dropbox to Active Directory Federation Services (AD FS) 3.0.

Important: These instructions apply to SSO only; you'll still need to manually provision and de-provision accounts in the Dropbox Business admin console. This is especially important when users leave the organization because the Dropbox desktop and mobile apps keep users logged in indefinitely after their initial SSO authentication.

Some Dropbox customers choose to build custom applications with the Dropbox Business API to automatically provision and de-provision users in response to changes in AD. Please contact your Account Manager if you're interested in API access.

Please also note that these instructions are still in beta. We welcome any feedback or questions as you follow the steps.

Prerequisites

  • An AD FS 2.0 instance that has Rollup 3 or later installed
  • An AD FS SAML endpoint that is exposed to the devices that will need to authenticate

You can learn more about installing AD FS Update Rollup 3 on Microsoft's support site.

Connect Dropbox to AD FS for SSO

  1. In the AD FS 2.0 Console, under Actions, select Add Relying Party Trust....
  2. This will take you to the Add Relying Party Trust Wizard. Click Start.
  3. In the Select Data Source section, select Enter data about the relying party manually and click Next.
  4. In the Specify Display Name section, enter Dropbox Business under Display name and click Next.
  5. In the Choose Profile section, choose AD FS 2.0 profile and click Next.
  6. In the Configure Certificate section, do not specify a token encryption certificate—just click Next.
  7. In the Configure URL section, check the option Enable support for the SAML 2.0 Web SSO protocol. Add the following URL for Relying party SAML 2.0 SSO service URL:
    https://www.dropbox.com/saml_login
    Click Next.
  8. In the Configure Identifiers section, add Dropbox as a trust identifier, then click Next.
  9. In the Choose Issuance Authorization Rules section, select Permit all users to access this relying party and click Next.
  10. In the Ready to Add Trust section, just click Next.
  11. In the Finish section, check the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.
  12. Next you'll be taken to the Edit Claim Rules for Dropbox Business panel. From the Issuance Transform Rules tab, click Add Rule…
  13. From the Choose Rule Type section, set the Claim rule template drop-down menu to Send LDAP Attributes as Claims, then click Next.
  14. From the Configure Claim Rule section, under Claim rule name, type Email LDAP query.
    Underneath Attribute store, select Active Directory.
    Under Mapping of LDAP attributes to outgoing claim types, map LDAP Attribute E-Mail Addresses to Outgoing Claim Type E-Mail Address.
    Click Finish.
  15. Add another rule from the Edit Claim Rules for Dropbox Business panel. From the Choose Rule Type section, set the Claim rule template drop-down menu to Transform an Incoming Claim, then click Next.
  16. From the Configure Claim Rule section, type the following Claim rule name:
    Transform email address as NameID
    For Incoming claim type, select E-Mail Address.
    For Outgoing claim type, select Name ID.
    For Outgoing name ID format, select Email.
    Select Pass through all claim values.
    Click Finish.
  17. At this point, you should be back at the Edit Claim Rules for Dropbox Business window. Click Apply, then OK.
  18. In the AD FS 2.0 Console, under Service > Certificates > Token-signing, right-click the CN=ADFS certificate and click View Certificate…
  19. From the Details tab, ensure Show is set to All. Click Copy to File…
  20. You'll then be taken to the Certificate Export Wizard. Click Next.
  21. From Export File Format, under Select the format you want to use, select Base-64 encoded X.509 (.CER) and click Next.
  22. Browse to an accessible location such as the Desktop. You'll be using this certificate to complete SSO setup in the Dropbox admin console. Click Next.
  23. Click Finish.
  24. The final steps required to configure SSO are completed in the Dropbox admin console. You'll upload the certificate you exported in step 23 as your X.509 certificate. Your sign-in URL will be your AD FS SAML endpoint.
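The same relying party trust, claim rules and certificate export can be scripted instead of clicked through. The following PowerShell is an added example written for this article; it is not Dropbox's or Microsoft's own script. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) is available on the federation server, that the session is elevated, and that the output file name adfs-token-signing.cer is acceptable. The claim rule language, claim type URIs and cmdlet parameters are the standard AD FS 2.0 ones; the rule text is what the wizard generates for the two templates used in steps 14 and 16.

```powershell
# Added example (not from the Dropbox article): build the "Dropbox Business" relying party
# trust from steps 1-17 with the AD FS 2.0 snap-in, then export the token-signing
# certificate from steps 18-23 as a Base-64 .CER file.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Step 14 ("Email LDAP query"): issue the AD mail attribute as the E-Mail Address claim.
# Step 16 ("Transform email address as NameID"): pass it through as Name ID, format Email.
# Step 6 is honoured by simply not passing -EncryptionCertificate below.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email LDAP query"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform email address as NameID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Step 9: "Permit all users to access this relying party".
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Steps 7-8: Dropbox's SAML 2.0 assertion consumer endpoint and the trust identifier "Dropbox".
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri 'https://www.dropbox.com/saml_login'

Add-ADFSRelyingPartyTrust -Name 'Dropbox Business' `
    -Identifier 'Dropbox' `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Steps 18-23: export the primary token-signing certificate as Base-64 encoded X.509 (.CER).
# This is the public certificate only; the private key never leaves the AD FS store.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$b64 = [Convert]::ToBase64String($signing.Certificate.RawData,
                                 [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'adfs-token-signing.cer'   # assumed file name
Set-Content -Path $outFile -Value $pem -Encoding Ascii

"Relying party trust created; token-signing certificate written to $outFile"
"Thumbprint to compare against the console: $($signing.Thumbprint)"
```

Two things worth checking after running it: `Get-ADFSRelyingPartyTrust -Name 'Dropbox Business'` should show the two transform rules and the POST endpoint exactly as the wizard would have created them, and the thumbprint printed at the end should match the CN=ADFS token-signing certificate shown in the console. Because AD FS can roll the token-signing certificate over automatically, and Dropbox only knows the certificate you upload by hand, plan to repeat the export and upload whenever the primary token-signing certificate changes, or SSO logins will fail with signature errors.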

Troubleshooting tips

  • We recommend that you first configure SSO in Optional mode for testing purposes. Try an SSO login at www.dropbox.com/sso while you're already signed in. This way you can get detailed error messaging in the team activity log. Once you've confirmed that SSO is working properly and have prepared your users for the switch, you can change SSO to Required mode.
  • This setup relies on the email address in the Email field of users in Active Directory. You'll need to make sure this field is populated in Active Directory and matches the email addresses of the Current members listed in your Dropbox Business admin console.
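Before switching SSO from Optional to Required, it is worth verifying the dependency described in the last bullet in bulk rather than user by user. The following PowerShell is an added example written for this article, not Dropbox's or Microsoft's code. It assumes the ActiveDirectory RSAT module is installed on the machine running it, and the member list is a constructed sample standing in for the Current members list copied from the Dropbox Business admin console.

```powershell
# Added example (not from the Dropbox article): check the AD mail attribute that the
# SSO claim rules depend on, and reconcile it against the Dropbox team member list.
Import-Module ActiveDirectory   # assumed available (RSAT AD PowerShell module)

# Constructed sample; replace with the real "Current members" export from the admin console.
$dropboxMembers = @('alice@example.com', 'bob@example.com', 'carol@example.com') |
    ForEach-Object { $_.ToLowerInvariant() }

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail

# Users with no mail attribute: the LDAP claim rule yields no E-Mail Address claim,
# so no Name ID is issued and AD FS cannot produce a usable assertion for them.
$noMail = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# Dropbox members whose address matches no AD user's mail attribute: once SSO is
# Required, these accounts can no longer sign in. Comparison is case-insensitive
# because the admin console list and AD may differ in capitalisation.
$adMails = @($users | Where-Object { $_.mail } | ForEach-Object { $_.mail.ToLowerInvariant() })
$orphanMembers = @($dropboxMembers | Where-Object { $adMails -notcontains $_ })

# Several AD users sharing one mail value would all map to the same Dropbox account.
$duplicateMails = @($adMails | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

"Enabled AD users without a mail attribute: {0}" -f $noMail.Count
$noMail | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
"Dropbox members with no matching AD user:  {0}" -f $orphanMembers.Count
$orphanMembers
"Mail values shared by more than one AD user: {0}" -f $duplicateMails.Count
$duplicateMails
```

Run it before and after populating the Email field; the goal is zero rows in all three lists for the users who are expected to use SSO. The `@(...)` wrappers keep `.Count` correct on PowerShell 2.0, where a single result is not an array.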