Configuring Single Sign-On for Dropbox Business with WSO2 Identity Server

Dropbox Business is a platform that offers powerful storage, sharing, and collaboration tools, and it is used by many organizations worldwide. While a file management system is an important system in an organization, there can be a large number of other systems and applications that are used to cater to the requirements of the organization. Hence, having to manage separate sets of credentials for each such application can be very difficult. That is why organizations look for Single Sign-On (SSO) solutions that allow the users to access all the applications used by an organization by signing in to a central identity provider.

WSO2 Identity Server (WSO2 IS) is an open source identity and access management solution used by a large number of organizations to provide SSO to a huge variety of applications using standard SSO protocols such as SAML, OAuth2/OpenID Connect, WS-Federation, CAS etc. When you enable SSO for your applications, the users can use a single set of credentials managed by WSO2 IS to log in to all the applications which you have enabled SSO for. This saves the users from the nightmare of remembering a large number of different sets of credentials, and the administrators from the hassle of managing all those credentials.

If your organization uses Dropbox Business, you can enable single sign-on for Dropbox with WSO2 Identity Server using the SAML SSO protocol in a small number of steps. In this article, I will walk you through the steps to enable SSO for Dropbox using WSO2 IS 5.11.0. Note that even though I used WSO2 IS 5.11.0, which is the latest release of the product, you can do this same configuration in any of the WSO2 IS versions.

The following are the prerequisites that should be met before proceeding further.

  • You should be an admin of a Dropbox Business team on an Advanced or Enterprise plan. If you want to try out this Dropbox-WSO2 IS SSO configuration with a trial plan, you can get a 30-day trial to Dropbox Business from here.
  • You should have access to WSO2 Identity Server with admin privileges (You can download the latest WSO2 IS release from here).

Configuring WSO2 Identity Server for SSO

  1. Sign in to the Management Console of WSO2 IS.
  2. On the Main menu, go to Identity > Service Providers > Add to add a new service provider with a name that you prefer. Optionally, you can provide a brief description of the service provider too. Then click Register.

3. Expand the Inbound Authentication Configuration drop-down under the Service Provider configuration and click on Configure under SAML2 Web SSO Configuration.

4. Under Manual Configuration, configure the details as given below. Leave the other fields as they are. Refer to the WSO2 IS documentation on configuring SAML inbound authentication for more details about these configurations.

  • Issuer : Dropbox
  • Assertion Consumer URL : https://www.dropbox.com/saml_login (Click on ADD to add this value as the default assertion consumer URL)
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Untick Signature Validation in Authentication Requests and Logout Requests

5. After configuring the above details, scroll down the configuration form and click on the Download IDP Metadata button, which is available at the bottom of the page. This will download an XML file with the SAML IDP metadata. Store this file, as we will be using it in a later step of this configuration.

6. Click on Register to save the configuration.

7. Expand the Claim Configuration drop-down under the Service Provider configuration and set Subject Claim URI to http://wso2.org/claims/emailaddress by selecting that value from the drop-down. Click Update to save the configuration.

Now we have finished configuring WSO2 IS for single sign-on with Dropbox. It’s time to configure the Dropbox side.

Configuring Dropbox Business for SSO

  1. Sign in to Dropbox using the admin credentials, and go to the Admin Console from the left side panel.
  2. Click on Settings in the side panel. Under the Authentication section, you will see an option named Single sign-on. Click on that option.

3. From the drop-down under Single sign-on, select either Optional or Required based on your requirement.

  • If Optional is selected, the users can sign in to Dropbox using either the SSO credentials or Dropbox credentials.
  • If Required is selected, the users must sign in to Dropbox using the SSO password all the time. However, the admin users can still use the Dropbox credentials.

4. Click on the Add sign-in URL link under Identity provider sign-in URL. In the pop-up window that is displayed, enter the SAML SSO URL of WSO2 Identity Server in the format https://<IS_HOSTNAME>:<IS_PORT>/samlsso (ex: https://localhost:9443/samlsso) as the Identity provider sign-in URL. Click on Done.

5. Now we need to extract the X.509 certificate from the metadata file we saved in step 5 under the ‘Configuring WSO2 Identity Server for SSO’ section above. To do that, open the downloaded metadata.xml file and copy the content of the <X509Certificate> tag from that file. We need to create a separate file with the certificate in PEM format to be uploaded to the Dropbox configuration. Note that the PEM file should contain the `BEGIN CERTIFICATE` and `END CERTIFICATE` headers as well. You can use this tool to format the X.509 certificate. Click on Upload certificate and upload the X.509 certificate in the PEM format.

6. Click on Apply changes.
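The certificate extraction in step 5 can also be scripted locally, which avoids pasting the IdP certificate into a third-party formatter. The following is an added example, not part of the original article or of WSO2's tooling; the function names and the sample metadata (which carries placeholder bytes in place of a real certificate) are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_der(metadata_xml: str) -> bytes:
    """Return the DER bytes of the IdP signing certificate in SAML metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("unexpected DTD or entity declaration in metadata")
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element found")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # skip encryption-only keys
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            # Element text may be wrapped and indented; strip all whitespace.
            der = base64.b64decode("".join(node.text.split()), validate=True)
            if not der.startswith(b"\x30"):
                raise ValueError("decoded data is not a DER SEQUENCE")
            return der
    raise ValueError("no signing X509Certificate found")

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in BEGIN/END CERTIFICATE headers, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

# Constructed sample: placeholder bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x60" + bytes(range(96))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="localhost">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>
    {_b64[:70]}
    {_b64[70:]}
   </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(to_pem(signing_cert_der(SAMPLE_METADATA)), end="")
```

To use it on the real file, pass the text of the downloaded metadata.xml to `signing_cert_der` and write the result of `to_pem` to a `.pem` file for upload.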

Now we have successfully configured both WSO2 IS and Dropbox Business sides for single sign-on. Let’s test whether our configurations are working.

In order to do that, you need to have a user in your Dropbox Business team. There should be an account in WSO2 IS for that user with the email set to the Dropbox Business username. Now, we can try to log in to Dropbox Business by clicking on this link. There, provide the username (this value corresponds to the email of the user account created in WSO2 IS). If there exists a user with the given username in a Dropbox Business team where SSO is enabled, you will see a note saying ‘Single sign-on enabled’. Click on Continue.

Now you will be sent to the WSO2 IS login page. Provide the username and password of the WSO2 IS account and click Continue.

Upon successful authentication, you should be redirected to the Dropbox Business homepage.

Now you have successfully configured SSO for Dropbox Business with WSO2 IS. If you want to know more about how you can integrate many other applications that support SSO with standard protocols such as SAML, OAuth2/OIDC, WS-Federation, CAS etc. with WSO2 Identity Server for single sign-on, you can refer to the official WSO2 documentation.