Purpose
With Practice Protect as your identity service, you can choose single-sign-on (SSO) access to the Dropbox web application with IdP-initiated SAML SSO (for SSO access through the Idaptive User Portal) or SP-initiated SAML SSO (for SSO access directly through the Dropbox web application) or both. Providing both methods gives you and your users maximum flexibility.
It can be useful to open the web application and Admin Portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.
When you require SSO for Dropbox, two-step verification is automatically disabled to avoid overlapping settings.
Prerequisites
- Administrator Access in Practice Protect
- Administrator Access in Dropbox for Business
- Dropbox for Business Advanced Subscription (SSO is only enabled in this subscription)
- Dropbox login should have exact loginnames in
Practice Protect.
- If the user already has PPO login, ensure that the Dropbox login is exactly the same as the PPO loginname. Rename the dropbox login if necessary so it will be exactly the same as the PPO login
Instructions
1. Login to Practice Protect and switch to Admin portal.
2. Go to Roles > Add Role > Under Description, type name of the Role on the Name field i.e. “Dropbox SAML Users”. You can also create roles according to the group membership in Dropbox (Marketing, Administrator, Design, etc.)
3. Click on Members > Click Add > Add the dropbox users and Click Save. If you have multiple Groups you may create these groups accordingly and repeat steps 2-3.
**Please ensure that the loginname in PPO is exactly the same as their respective Dropbox login.
4. Go to Apps > Web Apps > Click on Add Web Apps > On the search field type “Dropbox” > Select Dropbox Web – SAML + Provisioning then click Add. Click Close.
5. Click on Trust > On Identity Provider Configuration select Manual Configuration > Click on Signing Certificate and click Download. This will download the certificate on your local PC which you will need on the succeeding instructions. Copy the Sign in URL and Single Logout URL on a notepad. You will also need this details on the succeding instructions. On Service Provider Configuration, select Manual Confguration then click Save.
6. Click on Permissions > Click Add > Select the role created on step 2 i.e. “Dropbox SAML Users”. Click Save.
7. The status of the application will change from Ready to Deploy into Deployed. This means that the newly added app will now appear on the user portal for all users that are members of the role (i.e. “Dropbox SAML Users”)
8. Login to Dropbox using the Administrator Account and go to Admin console.
9. Click on Settings > Under Authentication select Single sign-on.
10. On Single sign-on select Required. This will require all users to sign-in using their PPO login to access Dropbox. On Identity provider sign-in URL and Identity provider sign-out URL (optional), add the Sign-in URL and Single Logout URL respectively from step 5. On X.509 certificate, upload the certificate that was downloaded from Step 5. Click Save.
11. Once saved, this will update the details in the Single sign-on settings.
12. Single Sign-on is now enabled, the next step is to enable provisioning. This means that you can create users in PPO and will automatically provision users in Dropbox. Once auto provisioning is enabled you do not need to create the user in dropbox manually as it will just sync the users from PPO provided that you have enough license in dropbox.
13. Go back to PPO admin portal.
14. Apps > Web Apps > Click on Dropbox Web – SAML + Provisioning > Click on Provisioning > tick the box beside Enable provisioning for this application then click on Authorize.
15. This opens a new window where you need to login using an administrator account to authorize Idaptive to provision users.
16. Click Allow when prompted.
17. Wait for a few minutes to complete the Authorization.
18. Close the window and Click Save. You may need logout and relogin from the admin portal.
19. Apps > Web Apps > Click on Dropbox Web – SAML + Provisioning > Click on Provisioning > On Sync Options: Select Sync (overwrite) users to target application when existing users are found with the same principal name. Leave Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role ticked.
20. On Role Mappings, select Assign destination groups to each role user is a member of (role order has no effect). Click Add. Select the respective Role (i.e. Dropbox SAML Design users – this is the equivalent group in PPO), Destination Role (this is the role equivalent in Dropbox, selections are the ff: user, team admin, user management admin and support admin), Destination Group (this specifies the equivalent group in Dropbox) and Access type.
21. Click Save.
22. Go to Settings > Click Users > Click on Outbound Provisioning > Tick the box Run synchronization daily for all enabled applications > On Sync Start Time (UTC / local time), select the time to run the synchronization. The synchronization runs daily on the specified time.
23. Click Save.
24. This completed the setup of SAML for Dropbox with provisioning in Practice Protect.
25. You can run a manual synchronization. Go to Provisioning Enabled Application > Select Dropbox, then Click on Start Sync.
26. You can view the real time status of synchronization by clicking on View Syncrhonization Job Status and Reports. Once the Synchronization completes any changes in Practice Protect Online will reflect in the Dropbox Admin Console.
27. Test if it is working by logging into a User account at Dropbox Login,Once you type the user name the system will know that SSO (Single sign-on is enabled). Click Continue.
28. You will be redirected to the Practice Protect login page. Enter your Practice Protect credentials.
29. Once the authentication is successful, you should be able to access your Dropbox.
