Dropbox Sign SAML SSO configuration

Updated Sep 26, 2025


Enabling SAML SSO on Dropbox Sign

Admins on a Premium plan can enable SAML SSO in their account settings or the admin console.

In order to complete setup, you’ll need the following information from your IDP:

  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer
  • X.509 Certificate

How to enable SAML SSO 

In your account settings:

  1. Log in to your account.
  2. Hover over your email address in the top-right corner.
  3. Select My Settings from the dropdown menu. 
  4. Click Team in the left sidebar and scroll to SAML SSO.
  5. Enter the information from your IDP and click Save.

In the admin console:

  1. Log in to your admin account.
  2. Hover over your email address in the top-right corner.
  3. Select Admin console from the dropdown menu.
  4. Click Security in the left sidebar and locate SSO.
  5. Enter the information from your IDP and click Save.

Notes: 

  • When setting up SAML for the first time, leave the Allow standard logins for admins option checked, so you can log in with a username and password if the setup is unsuccessful. If you don’t, you could be locked out of your account.
  • Dropbox Sign does not currently support SCIM.

Optional settings

Allow standard logins for admins (recommended while testing).

Even after SAML SSO is enabled, admins can continue to log in to Dropbox Sign with their username and password. This is recommended during testing. Once the SAML SSO connection is verified to function properly, you can disable this for optimal security.


IDP Side Setup

IDP setup flows and default values vary. See below for an example using Okta.

1. Create a new SAML 2.0 web application and name it “Dropbox Sign”.


2. Your IDP will require the following pieces of information exactly as typed below (capitalization matters).

  • Signon URL (ACS URL): https://app.hellosign.com/account/ssoLogIn
  • Audience URI (SP Entity ID): https://app.hellosign.com
  • Name ID Format: EmailAddress
  • Application username: Email
  • Attributes Statements:
    • FirstName --> user.firstName
    • LastName --> user.LastName
3. (Optional) Encrypt the SAML assertion and upload the PEM certificate file. The PEM certificate file is at the bottom of this article under Attachments. You can leave the standard defaults as displayed in the screenshot.

OneLogin

If OneLogin is your organization's SAML SSO provider, please note the following:

  1. ACS Consumer URL and Recipient fields
  2. The ACS(Consumer) URL Validator field
    • ^https:\/\/app\.hellosign\.com\/account\/ssoLogIn$

Microsoft Azure AD

Dropbox Sign Settings

  1. Identity Provider Single Sign-On URL: https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxx/saml2
    • Referred to as "Login URL" in AzureAD
  2. Identity Provider Issuer: https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxx-xxxxxx/
    • Referred to as "Azure AD Identifier" in AzureAD
  3. X.509 Certificate:
    • Use "Certificate (Base64)"
    • Paste it WITHOUT the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, as a single-line string (no line breaks)
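
The certificate step above, as an added example (not Dropbox Sign or Microsoft code): it turns a downloaded "Certificate (Base64)" file into the single-line value, refuses input that contains a private key or more than one block, and returns a SHA-256 fingerprint you can compare with one computed from the IDP's copy. The function names and the sample data are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_single_line(pem_text: str) -> tuple[str, str]:
    """Return (single-line base64, SHA-256 fingerprint) for one CERTIFICATE block."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("input contains a private key; export the certificate only")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    body = "".join(blocks[0][1].split())         # drop every line break and space
    der = base64.b64decode(body, validate=True)  # raises on non-base64 characters
    if not der_length_ok(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return body, fingerprint

def constructed_pem() -> str:
    # Constructed sample: DER-shaped filler bytes, NOT a real certificate.
    payload = bytes(range(200))
    der = b"\x30\x81" + bytes([len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    value, fp = pem_to_single_line(constructed_pem())
    print(value)
    print("SHA-256:", fp)
```

The structure check only confirms the outer DER envelope; it does not parse the certificate or check its validity dates.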

Azure AD Settings

  1. Identifier (Entity ID): https://app.hellosign.com
  2. Reply URL (Assertion Consumer Service URL): https://app.hellosign.com/account/ssoLogIn
  3. Sign on URL: [empty]
  4. Relay State: [empty]
  5. User Attributes & Claims:

Testing

Once both setups are complete, navigate to your IDP and assign the newly created Dropbox Sign application to the Dropbox Sign admin who initially set up SAML. Open the Dropbox Sign app in a new tab and ensure you are logged out. Then go back to the IDP and click on the SSO link for Dropbox Sign. You should be automatically logged into Dropbox Sign as that admin account.

You can repeat the process for other test "member" accounts. Once your testing has concluded and you are ready to switch over, you can uncheck the Allow standard logins for admins option and save your SSO settings.

Attachments

Important: This certificate is expiring on June 17, 2025. Please plan to rotate to the updated 2025 SAML encryption certificate prior to this date to avoid any service disruptions.
