How to enable single sign-on for your team

If you're the admin of a Dropbox Business team on an Advanced or Enterprise plan, you can enable single sign-on (SSO) for your team. Single sign-on allows team members to access Dropbox by signing in to a central identity provider. This means your team can access Dropbox without having to remember another password.

How to enable single sign-on

1. Go to your identity provider's site and follow the instructions to configure single sign-on.
   • Many large identity providers offer preconfigured settings for Dropbox. If your identity provider is not supported, you can configure your own identity provider solution for SSO.
2. Download a copy of the X.509 certificate and make a note of the sign-in URL—you’ll need this in step 8.
3. Sign in to Dropbox using your admin credentials.
4. Click Admin Console in the sidebar.
5. Click Settings in the sidebar.
6. Under Authentication, click Single sign-on.
7. Toggle the Single sign-on setting from Off to either Optional or Required.
   • If you choose Required, team members must sign in to Dropbox using SSO, and their Dropbox password will no longer work. However, admins can still use their Dropbox admin credentials to sign in.
   • If you choose Optional, your team can sign in to Dropbox using SSO or their Dropbox password.
8. Click Add sign-in URL and enter the URL you noted in step 2. 
   • Optional: you can click Add sign-out URL to add a sign-out URL.
9. Click Upload certificate to upload the X.509 certificate .pem file you downloaded earlier.
10. Click Apply changes.
11. Notify your team.
    • If you chose to require single-sign on, Dropbox will notify team members by email.
    • If you made single-sign on optional, you’ll need to notify the team yourself.

Once you turn on single sign-on, you can share these instructions for the rest of your team.

All devices that are linked to Dropbox accounts will continue to work. Admins won't be able to reset passwords through Dropbox or require two-step verification since passwords and sign in-related security are now controlled by your identity provider.

How to find your team’s custom SSO sign-in URL

If team members have already signed in to your identity provider, they can go directly to their Dropbox account using the custom link. To find your team’s custom SSO sign-in URL:

1. Sign in to Dropbox using your admin credentials.
2. Click Admin console.
3. Click Settings. 
4. Click Single sign-on.
5. In the SSO sign-in URL section, click Copy link. 

Seeing a SAML assertion error when you log in?

Learn how to resolve the error message: “Could not validate SAML assertion.”