This topic describes how to configure OneLogin to provide single sign-on (SSO) for your Dropbox users using SAML. (If you want to set up SSO for Dropbox with form-based authentication, see Adding a Form-Based Application.)
Log in to OneLogin and go to Apps > Add Apps.
Search for Dropbox and select it.
On the initial Configuration tab, select SAML2.0 - user provisioning.
Click Save to add the app to your Company Apps and display additional configuration tabs.
On the Parameters tab, map Dropbox user attributes to OneLogin attributes.
Some parameters are included in the SAML assertion during SSO; others are used when provisioning users to Dropbox using the API. For SSO using SAML, you should accept the defaults, unless otherwise noted:
Default OneLogin Value
SAML or Provisioning?
SAML and Provisioning
Leave Value set to Email. Most Dropbox implementations use email as the user ID.
Groups - No value - Provisioning - See Provisioning Users to Dropbox.
You can also go to Users > All Users to add the app to individual user accounts, and return to this app configuration page to complete SSO configuration.
On the SSO tab, copy the two SAML values that you'll need to provide in Dropbox: SAML2.0 Endpoint (HTTP) URL and X.509 Certificate.
To download the X.509 certificate, click View Details and select X.509 PEM from the drop-down below the X.509 Certificate field.
If you want to use a different certificate, go back to the SSO tab, click Change, select the new certificate, and follow the above instructions.
Alternatively, you can create an entirely new X.509 certificate for selection by going to Settings > Certificates and clicking New.
Go to Dropbox and sign in as an admin. In the left panel, click Admin Console.
Select the Enable single sign-on option.
Choose whether to make SSO optional or required:
Select Optional to allow users to log in with SAML or their Dropbox Username and Password.
Select Required to require authentication via OneLogin.
In the Sign in URL field, paste the SAML2.0 Endpoint (HTTP) value from OneLogin.
Under X.509 Certificate, click Choose Certificate and upload the X.509 PEM certificate you downloaded from OneLogin.
Test the SAML connection.
- Make sure you are logged out of Dropbox.
- Give yourself access to the Dropbox app in OneLogin.
- Log in to OneLogin.
- Click the Dropbox icon on your OneLogin dashboard. If you are able to access Dropbox, then SAML works.
If you're not using the same Email in Dropbox as in OneLogin, do the following:
- Go to Apps > Company Apps.
- Edit the Dropbox application.
- Navigate to the Logins tab.
- Locate and select your user.
- Type a different email in the Email field and click Save.
- Navigate to the portal and re-test by clicking the Dropbox icon.
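The certificate uploaded to Dropbox is what Dropbox trusts to validate sign-ins, so it is worth checking the downloaded X.509 PEM file before the upload step above. The following is an added example, not part of the OneLogin or Dropbox documentation; the function names and the 30-day expiry threshold are assumptions, and the sample certificate is a constructed self-signed stand-in for the real download.

```shell
#!/bin/sh
# Added example: pre-upload check of the IdP signing certificate.
# check_idp_cert FILE [MIN_DAYS] returns 0 if FILE is a usable X.509 PEM certificate.
check_idp_cert() {
    cert=$1
    min_days=${2:-30}   # assumed threshold; adjust to your rotation policy

    # The file handed to Dropbox must hold a certificate only, never key material.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        echo "FAIL: $cert contains a private key" >&2
        return 2
    fi

    # Must be PEM-armoured and parse as X.509 (catches wrong files and truncated pastes).
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
       ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM X.509 certificate" >&2
        return 3
    fi

    # Print the values to compare against the certificate details in the IdP.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2
        return 4
    fi
    return 0
}

# Constructed stand-in for the downloaded file: a throwaway self-signed certificate.
# Usage: make_sample_cert OUT_CERT OUT_KEY DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-idp-example" \
        -days "$3" -keyout "$2" -out "$1" 2>/dev/null
}
```

Run `check_idp_cert` on the file you downloaded and compare the printed subject, expiry date and SHA-256 fingerprint with the certificate details in OneLogin before uploading it.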