
InCommon, and configuring Dropbox SSO for InCommon support

Dropbox is a sponsored partner of InCommon, and supports the InCommon standard. This article details what InCommon is and how to enable InCommon-supported SSO for your Dropbox Business account.

What is InCommon?

InCommon Federation, commonly shortened to InCommon, is a framework for trustworthy shared management of access to online resources. With Dropbox, this means that our version of single sign-on (SSO) abides by the InCommon framework.

InCommon is often mistaken for an identity provider (IdP). In reality, InCommon is a protocol that your IdP may support to provide specific security enhancements that abide by the InCommon Standard.

How do I enable InCommon-supported SSO?

First, contact your Dropbox account team so they can turn on a required InCommon attribute setting. Once you've contacted your Dropbox account team, follow the steps under each of the three subsections below to complete the setup process.

Note: The following instructions won't work unless your account team has enabled this setting.


Configuring Shibboleth IdP to comply with InCommon

  1. Contact your Dropbox account team so they can turn on a required InCommon attribute setting.
  2. Retrieve InCommon metadata.

  3. Set up the attribute filter.

    • Dropbox accepts the InCommon recommended essential attribute bundle.

      • Dropbox uses the email part of this bundle to identify users.
      • Dropbox also requires that the transient ID is released.
    • Learn how to configure the essential attribute bundle.

      • In the attribute-filter.xml (/opt/shibboleth-idp/conf/attribute-filter.xml) file, make sure the attribute requester string value is https://dropbox.com/sp.
      
      <afp:AttributeFilterPolicy id="DROPBOX_INCOMMON">
          <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
              value="https://dropbox.com/sp"/>
          <!-- AttributeRule entries releasing the essential bundle (email, transient ID) go here -->
      </afp:AttributeFilterPolicy>
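A way to check the filter policy before restarting the IdP, as an added example that is not part of the original article or of the Shibboleth project: the script parses an attribute-filter.xml, finds every policy keyed on the requester https://dropbox.com/sp, and reports which attributes those policies release. The sample file is constructed for the example, and the attribute IDs `email` and `transientId` are assumed to be the ones your attribute-resolver.xml defines (they are the Shibboleth IdP v2 defaults; adjust them if your resolver uses different IDs).

```python
"""Check that a Shibboleth IdP v2 attribute-filter.xml releases the attributes
Dropbox needs (email and a transient ID) to the Dropbox SP."""
import sys
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
DROPBOX_SP = "https://dropbox.com/sp"
# Assumed attribute IDs (Shibboleth IdP v2 resolver defaults); change to match
# the IDs your attribute-resolver.xml actually defines.
REQUIRED_ATTRIBUTES = {"email", "transientId"}

# Constructed sample attribute-filter.xml (not Dropbox's or Shibboleth's own
# file): one policy for Dropbox and one unrelated policy for another SP.
SAMPLE_FILTER = """<?xml version="1.0" encoding="UTF-8"?>
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <afp:AttributeFilterPolicy id="DROPBOX_INCOMMON">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://dropbox.com/sp"/>
    <afp:AttributeRule attributeID="email">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="transientId">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <afp:AttributeFilterPolicy id="OTHER_SP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def released_to_requester(filter_xml: str, requester: str) -> set:
    """Return the attribute IDs released by policies keyed on `requester`."""
    root = ET.fromstring(filter_xml)
    released = set()
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if rule is None:
            continue
        # Only AttributeRequesterString rules matching this exact entityID count;
        # the xsi:type value carries a namespace prefix, so compare its local part.
        if not rule.get(f"{{{XSI}}}type", "").endswith("AttributeRequesterString"):
            continue
        if rule.get("value") != requester:
            continue
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            permit = attr_rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is not None and permit.get(f"{{{XSI}}}type", "").endswith("ANY"):
                released.add(attr_rule.get("attributeID"))
    return released


def missing_for_dropbox(filter_xml: str) -> set:
    """Attributes Dropbox needs that no Dropbox-keyed policy releases."""
    return REQUIRED_ATTRIBUTES - released_to_requester(filter_xml, DROPBOX_SP)


if __name__ == "__main__":
    # Usage: python check_filter.py /opt/shibboleth-idp/conf/attribute-filter.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILTER
    missing = missing_for_dropbox(text)
    if missing:
        print("Not released to", DROPBOX_SP + ":", sorted(missing))
    else:
        print("OK:", DROPBOX_SP, "receives", sorted(REQUIRED_ATTRIBUTES))
```

Run it against the real file path after editing; a non-empty "Not released" list means the sign-in will fail at Dropbox even though the IdP itself accepts the configuration.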

Prepare needed information

To configure SSO in the Dropbox admin console, you'll need two pieces of information: the sign-in URL and the X.509 certificate.

The sign-in URL can be found in the InCommon metadata under your organization's IdPSSODescriptor, and looks similar to this example:

   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
       Location="https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO"/>

In this case the URL Dropbox needs is the Location value below; it is also the URL that leads users to the authentication portal.

https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO

The X.509 certificate is located in the credentials folder and is usually called idp.crt. A typical file path to this certificate is /opt/shibboleth-idp/credentials/idp.crt.
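The lookup described in this section, as an added example that is not part of the original article: given InCommon-style SAML metadata and your IdP's entityID, the script pulls the HTTP-Redirect SingleSignOnService Location (the sign-in URL), extracts the signing certificate from the IdP's KeyDescriptor, re-wraps it as PEM, and checks that it matches the idp.crt on disk. The metadata aggregate, the entityID https://shibidp.university.edu/idp/shibboleth and the certificate bytes are all constructed for the example; with real metadata, point `same_certificate` at /opt/shibboleth-idp/credentials/idp.crt.

```python
"""Extract the Dropbox sign-in URL and signing certificate from SAML metadata
and confirm the metadata certificate matches the deployed idp.crt."""
import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the base64 DER certificate so the example runs offline.
FAKE_CERT_B64 = base64.b64encode(b"constructed-idp-certificate-bytes").decode()

# Constructed metadata aggregate (not real InCommon metadata): two IdPs, of
# which only the hypothetical university IdP is the one being configured.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.other.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp.other.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://shibidp.university.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {FAKE_CERT_B64}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://shibidp.university.edu/idp/profile/SAML2/POST/SSO"/>
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://shibidp.university.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed contents of /opt/shibboleth-idp/credentials/idp.crt for this IdP,
# wrapped at 64 columns the way OpenSSL writes PEM.
SAMPLE_IDP_CRT = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    FAKE_CERT_B64[i:i + 64] for i in range(0, len(FAKE_CERT_B64), 64)
) + "\n-----END CERTIFICATE-----\n"


def find_idp(metadata_xml: str, entity_id: str):
    """Return the IDPSSODescriptor element for entity_id, or raise."""
    root = ET.fromstring(metadata_xml)
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            idp = ent.find(f"{{{MD}}}IDPSSODescriptor")
            if idp is None:
                raise ValueError(f"{entity_id} has no IDPSSODescriptor")
            return idp
    raise ValueError(f"entityID {entity_id} not found in metadata")


def signin_url(metadata_xml: str, entity_id: str) -> str:
    """The HTTP-Redirect SSO endpoint: the value pasted as Dropbox's sign-in URL."""
    for sso in find_idp(metadata_xml, entity_id).findall(f"{{{MD}}}SingleSignOnService"):
        if sso.get("Binding") == REDIRECT:
            return sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")


def signing_cert_pem(metadata_xml: str, entity_id: str) -> str:
    """The IdP's signing certificate from metadata, re-wrapped as PEM for upload."""
    for kd in find_idp(metadata_xml, entity_id).findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(f".//{{{DS}}}X509Certificate")
        if cert is not None and cert.text:
            body = re.sub(r"\s+", "", cert.text)
            lines = [body[i:i + 64] for i in range(0, len(body), 64)]
            return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    raise ValueError("no signing certificate in metadata")


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """Compare two PEM certificates by their DER bytes, ignoring line wrapping."""
    def der(pem: str) -> bytes:
        return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", pem), validate=True)
    return der(pem_a) == der(pem_b)


if __name__ == "__main__":
    entity = "https://shibidp.university.edu/idp/shibboleth"
    print("Sign-in URL:", signin_url(SAMPLE_METADATA, entity))
    pem = signing_cert_pem(SAMPLE_METADATA, entity)
    print("Metadata certificate matches idp.crt:", same_certificate(pem, SAMPLE_IDP_CRT))
```

The certificate comparison is the check worth keeping: if the federation metadata still carries an older signing certificate than the one in the credentials folder (for example after a key rollover), Dropbox will reject assertions signed with the new key until the metadata and the uploaded certificate agree.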

Dropbox admin console configuration

  1. Sign in to dropbox.com with your Dropbox Business admin account.
  2. Open the Admin Console.
  3. Click Settings.
  4. Under Authentication, select Single sign-on.
  5. Enable SSO in Optional or Required mode. (Optional mode is for testing and Required mode is for production.)
  6. Paste the sign-in URL (collected earlier in this article).
  7. Upload the X.509 certificate (collected earlier in this article).
  8. Under SAML NameID Format, select Transient ID + Email Assertion.