Enabling SAML SSO on Dropbox Sign
Admins on a Premium plan can enable SAML SSO in their account settings or the admin console.
In order to complete setup, you’ll need the following information from your IDP:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
How to enable SAML SSO
In your account settings:
- Sign in to your account.
- Hover over your email address in the upper-right corner.
- Select My Settings from the dropdown menu.
- Click Team in the left sidebar and scroll to SAML SSO.
- Enter the information from your IDP and click Save.
In the admin console:
- Sign in to your admin account.
- Hover over your email address in the upper-right corner.
- Select Admin Console from the dropdown menu.
- Click Security in the left sidebar and locate SSO.
- Enter the information from your IDP and click Save.
Notes:
- When setting up SAML for the first time, leave the Allow standard logins for admins option checked so that you can still log in with a username and password if the setup fails. Otherwise, a misconfigured IDP could lock you out of your account.
- Dropbox Sign does not currently support SCIM.
Optional settings
Allow standard logins for admins (recommended while testing).
Even after SAML SSO is enabled, admins can continue to log in to Dropbox Sign with their username and password. This is recommended during testing. Once the SAML SSO connection is verified to work, you can disable this option for optimal security. Note that after it is disabled, every admin login depends on the IDP: if your IDP rotates its signing certificate, update the X.509 Certificate in these settings before the old one expires, or SSO logins will stop working.
IDP Side Setup
IDP setup flows and default values vary. See below for an example using Okta.
1. Create a new SAML 2.0 web application and name it “Dropbox Sign”.
2. Your IDP will require the following pieces of information, entered exactly as typed below (capitalization matters):
- Signon URL (ACS URL): https://app.hellosign.com/account/ssoLogIn
- Audience URI (SP Entity ID): https://app.hellosign.com
- Name ID Format: EmailAddress
- Application username: Email
- Attributes Statements:
- - FirstName --> user.firstName
- - LastName --> user.lastName
3. (Optional) Encrypt the SAML assertion and upload the PEM certificate file. The PEM certificate file is at the bottom of this article under Attachments. Leave the remaining fields at their defaults.
OneLogin
If OneLogin is your organization's SAML SSO provider, please note the following:
- Set both the ACS (Consumer) URL and Recipient fields to https://app.hellosign.com/account/ssoLogIn
- Set the ACS (Consumer) URL Validator field to the following regular expression, which matches that URL exactly and nothing else:
- ^https:\/\/app\.hellosign\.com\/account\/ssoLogIn$
Microsoft Azure AD
Dropbox Sign Settings
- Identity Provider Single Sign-On URL: https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxx/saml2
- - Referred to as "Login URL" in AzureAD
- Identity Provider Issuer: https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxx-xxxxxx/
- - Referred to as "Azure AD Identifier" in AzureAD
- X.509 Certificate: use "Certificate (Base64)"
- - Paste it WITHOUT the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, as a single-line string (no line breaks)
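The following is an added example, not code from the original article or from Dropbox Sign. It turns an IDP certificate download (Azure AD's "Certificate (Base64)", or any PEM file) into the single-line, header-free form the X.509 Certificate field expects, and refuses input that is not actually a certificate: a private key pasted by mistake, or a base64 body that was truncated while copying. The DER check only confirms the outer ASN.1 SEQUENCE and its length; it does not parse the certificate. The sample PEM is constructed (a five-byte DER SEQUENCE, not a real certificate) so the script runs offline.

```python
import base64
import re

# Constructed stand-in for a downloaded certificate file: the body decodes to the
# DER bytes 30 03 02 01 05 (a SEQUENCE holding INTEGER 5), not a real X.509 cert.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

BASE64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def check_der_sequence(der: bytes) -> int:
    """Confirm `der` is one complete DER SEQUENCE and return its content length.

    Every X.509 certificate starts with a SEQUENCE (tag 0x30); a body that was
    cut short while copying fails the length comparison here.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE (not a certificate)")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match the data (truncated or extra bytes)")
    return length


def pem_to_single_line(pem_text: str) -> str:
    """Return the certificate's base64 body as one line with no PEM armor.

    Accepts a full PEM file (LF or CRLF line endings, surrounding whitespace)
    or an already header-free body. Rejects PEM blocks that are not a
    CERTIFICATE, so a private key can never end up in the SSO settings.
    """
    lines = [ln.strip() for ln in pem_text.splitlines()]
    for armor in (ln for ln in lines if ln.startswith("-----")):
        if "CERTIFICATE" not in armor:
            raise ValueError(f"unexpected PEM block {armor!r}; paste only the IDP certificate")
    single = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    if not BASE64_BODY.fullmatch(single):
        raise ValueError("certificate body is not valid base64")
    check_der_sequence(base64.b64decode(single, validate=True))
    return single


def rejects(pem_text: str) -> bool:
    """True if `pem_text` is refused; handy for testing bad input."""
    try:
        pem_to_single_line(pem_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(pem_to_single_line(SAMPLE_PEM))
```

Run it as `python3 pem_single_line.py < certificate.cer` after swapping `SAMPLE_PEM` for `sys.stdin.read()`; the printed line is what goes into the X.509 Certificate field.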
Azure AD Settings
- Identifier (Entity ID):
- https://app.hellosign.com
- Reply URL (Assertion Consumer Service URL):
- https://app.hellosign.com/account/ssoLogIn
- Sign on URL: [empty]
- Relay State: [empty]
- User Attributes & Claims:
Testing
Once both setups are complete, navigate to your IDP and assign the newly created Dropbox Sign application to the Dropbox Sign admin who initially set up SAML. Open the Dropbox Sign app in a new tab and ensure you are logged out. Then go back to the IDP and click the SSO link for Dropbox Sign. You should be automatically logged in to Dropbox Sign as that admin account.
You can repeat the process for other test "member" accounts. Once your testing has concluded and you are ready to switch over, you can uncheck the Allow standard logins for admins option and save your SSO settings.
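When the test login fails, the quickest diagnosis is to capture the SAMLResponse the browser posts to the ACS URL (a SAML tracer browser extension shows it decoded) and compare it against the values configured in the Okta and Azure AD steps above. The script below is an added example, not part of the original article or of Dropbox Sign: it checks that the assertion's Issuer matches the configured Identity Provider Issuer, that the Recipient satisfies the same validator pattern shown in the OneLogin section, that the Audience is the SP Entity ID, that the NameID format is EmailAddress, that the FirstName and LastName attributes are present, and that the assertion is inside its validity window. It deliberately does not verify the XML signature (that is Dropbox Sign's job, using the X.509 Certificate you entered), so it is a troubleshooting aid, not a replacement for the SP's own validation. The sample response is constructed and unsigned; the tenant ID in its issuer is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What Dropbox Sign expects, taken from the IDP setup steps in this article.
SP_ENTITY_ID = "https://app.hellosign.com"
# Same pattern as the OneLogin ACS (Consumer) URL Validator; fullmatch() supplies
# the ^...$ anchors, so lookalike hosts and extra path segments are rejected.
ACS_URL_VALIDATOR = re.compile(r"https://app\.hellosign\.com/account/ssoLogIn")
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("FirstName", "LastName")

# Constructed sample (placeholder tenant ID, no signature); a real capture would be
# the base64-decoded SAMLResponse form field.
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://app.hellosign.com/account/ssoLogIn">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID_FORMAT}">admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.hellosign.com/account/ssoLogIn"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed negative case: Recipient pointing at a lookalike host.
TAMPERED_RECIPIENT = SAMPLE_RESPONSE.replace(
    'Recipient="https://app.hellosign.com/account/ssoLogIn"',
    'Recipient="https://app.hellosign.com.attacker.example/account/ssoLogIn"')


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, expected_issuer: str, now: str) -> list:
    """Return the mismatches between the assertion and the Dropbox Sign SP settings.

    An empty list means every checked field is as configured. `now` is the
    time to evaluate the validity window against (ISO 8601, UTC).
    """
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext saml:Assertion (an encrypted assertion must be decrypted first)"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match the configured Identity Provider Issuer")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID Format is not EmailAddress")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if not ACS_URL_VALIDATOR.fullmatch(recipient):
        problems.append(f"Recipient {recipient!r} is not the Dropbox Sign ACS URL")

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != SP_ENTITY_ID:
        problems.append(f"Audience {audience!r} is not the SP Entity ID {SP_ENTITY_ID}")

    conditions = assertion.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_before and not_after and not (_ts(not_before) <= _ts(now) < _ts(not_after)):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window (check clock skew)")

    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in REQUIRED_ATTRIBUTES:
        if required not in names:
            problems.append(f"missing attribute {required} (check the Attribute Statements mapping)")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SAMPLE_ISSUER, "2024-05-01T12:01:00Z") or "assertion matches SP settings")
```

To use it on a real capture, replace `SAMPLE_RESPONSE` with the decoded SAMLResponse and `SAMPLE_ISSUER` with the Identity Provider Issuer from your Dropbox Sign settings, and pass the capture time as `now`; the assertion name casing matters, so `user.LastName` instead of `user.lastName` in Okta shows up here as a missing attribute.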