Setting up MIRACL Trust SSO as an Identity Provider within Dropbox
These instructions are up-to-date at the time of writing, but you should refer back to the Dropbox page on SAML IdP access to check for any changes. We cannot guarantee the accuracy of our SP-specific guidance.
Log in to your Dropbox for Business account.
Click on Admin Console.
The ‘Dropbox Admin Console’ is launched in a new browser tab.
Click on Settings.
The Settings page is displayed.
Click on Single sign-on
Set the Sign in URL to the SSO endpoint on your IdP server, i.e. https://<myssoip>/ssoendpoint. If you are running a local test it will be
Upload your X.509 certificate. You can simply upload the public certificate generated earlier (idp.crt, produced by the command given above). The file is PEM-encoded: it begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Dropbox also accepts the same content with a .pem extension.
Dropbox uses this certificate to verify the signature on the SAML responses your IdP sends, so upload only the public certificate, never the private key, and make sure it is the certificate that belongs to the key actually signing your responses.
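Before uploading, it is worth checking that the file really is a single public certificate and not, for example, the key file from the same directory. The following POSIX shell snippet is an added example (not MIRACL's or Dropbox's tooling); the file names are assumptions and the certificate body it writes is a constructed placeholder, not a real certificate.

```shell
# check_idp_cert: refuse anything that is not exactly one PEM public
# certificate, and in particular anything containing private-key material.
check_idp_cert() {
  f="$1"
  if grep -q 'PRIVATE KEY' "$f"; then
    echo "refusing $f: it contains a private key; upload the certificate only" >&2
    return 2
  fi
  if [ "$(head -n 1 "$f")" != '-----BEGIN CERTIFICATE-----' ]; then
    echo "$f does not start with -----BEGIN CERTIFICATE-----" >&2
    return 1
  fi
  if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -ne 1 ]; then
    echo "$f should contain exactly one certificate, not a bundle" >&2
    return 1
  fi
  grep -q -- '-----END CERTIFICATE-----' "$f" || {
    echo "$f is missing the END CERTIFICATE line" >&2
    return 1
  }
  return 0
}

# show_idp_cert: when openssl is installed, print subject, validity window
# and SHA-256 fingerprint. Note the notAfter date: Dropbox will stop
# accepting your signed responses once the certificate has expired.
show_idp_cert() {
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
  fi
}

# Constructed sample files (assumed names; bodies are placeholders, not real keys).
CERT_DIR=$(mktemp -d)
GOOD="$CERT_DIR/idp.crt"
KEY="$CERT_DIR/idp.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAV2gAwIBAgIUAAAA' \
  '-----END CERTIFICATE-----' > "$GOOD"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw' \
  '-----END PRIVATE KEY-----' > "$KEY"

check_idp_cert "$GOOD" && echo "idp.crt looks like a public certificate"
check_idp_cert "$KEY" || echo "idp.key rejected, as it should be"
```

Run `check_idp_cert idp.crt && show_idp_cert idp.crt` against the real file; the placeholder above would not parse with openssl, which is why the sample only exercises the format check.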
Configuring a Dropbox Service Provider profile with MIRACL Trust SSO
sp:
  dropbox:
    description: Dropbox is a cloud storage provider
    relay_state: ""
    login_url: https://www.dropbox.com/login
    logout_url: https://www.dropbox.com/logout
    metadata: >-
      <?xml version="1.0" encoding="UTF-8"?>
      <!-- dropbox doesn't provide a link to download its sp metadata, so this is hand-crafted -->
      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Dropbox">
        <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
          <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.dropbox.com/saml_login" index="0"/>
        </md:SPSSODescriptor>
      </md:EntityDescriptor>
    sign_response: true
    sign_assertion: false
    encrypt_assertion: false
    authorize:
      - - email: ^[^@]+@example.com$
    profile:
      nameid: email
Note that the sp name (dropbox) is used to create your IdP-initiated login URL, i.e.
login_url and logout_url are the standard SP URLs which Dropbox makes available for SAML IdPs to use.
Do not make any changes to the SP metadata. It is handcrafted for Dropbox: it declares the emailAddress NameID format and a single HTTP-POST AssertionConsumerService at https://www.dropbox.com/saml_login, which is where your IdP will post the signed response.
Note that if you are using JSON format for your config file, the handcrafted metadata should be saved as an XML file and converted to a single line, with each " character escaped as \" to meet JSON string requirements. You can do this by running the following command on the handcrafted metadata.xml file:
echo -e "\n"$(cat metadata.xml | tr -d '\n' | sed -E 's/"/\\"/g')"\n"
The contents are then printed in the terminal in a form that can be pasted into the metadata field of the JSON file.
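The one-liner above only escapes double quotes and leaves its $(...) expansion unquoted, so a backslash in the XML would produce invalid JSON and runs of spaces would be collapsed. The following POSIX shell functions are an added example (not part of the MIRACL documentation) that do the same job with backslashes escaped first, carriage returns and tabs removed, and the expansion quoted. The sample metadata they write is a constructed, cut-down file; paths and function names are assumptions.

```shell
# xml_to_json_value: print the contents of an XML file as the body of a JSON
# string (no surrounding quotes). Backslashes are escaped before quotes so the
# backslashes added for quotes are not doubled; CR/LF are dropped (joining the
# lines, as the page's one-liner does) and tabs become a space, because raw
# control characters are not allowed inside a JSON string.
xml_to_json_value() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" | tr -d '\r\n' | tr '\t' ' '
}

# json_metadata_field: emit a complete "metadata" member ready to paste into
# the sp.dropbox object of a JSON config file.
json_metadata_field() {
  printf '"metadata": "%s"\n' "$(xml_to_json_value "$1")"
}

# Constructed sample (assumed location): the shape of the Dropbox metadata,
# trimmed to three lines so the expected output is easy to read.
WORK=$(mktemp -d)
SAMPLE="$WORK/metadata.xml"
cat > "$SAMPLE" <<'EOF'
<md:EntityDescriptor entityID="Dropbox">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
</md:EntityDescriptor>
EOF

json_metadata_field "$SAMPLE"

# Optional sanity check when python3 is present: the member must parse as JSON.
if command -v python3 >/dev/null 2>&1; then
  printf '{%s}' "$(json_metadata_field "$SAMPLE")" | python3 -m json.tool >/dev/null \
    && echo "metadata field is valid JSON"
fi
```

Run `json_metadata_field metadata.xml` on the real hand-crafted file and paste the output into the sp.dropbox object; the same escaping rule applies to any regex you put in the authorize list, where a YAML `\.` must become `\\.` in JSON.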
- In the authorize subsection, you control which users are allowed to attempt login, using one or both of the following:
  - an LDAP setup, loaded from an ldap.yaml file stored in
  - a regex list of email addresses/domains. The config above shows email: ^[^@]+@example.com$, which only allows users from that email domain to log in.
Note that if this is not set correctly, users will receive ‘unauthorized user’ messages.
For more detailed information on using LDAP and regex to control authorized users, please see the LDAP and authorization menu section.
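It is cheap to exercise an authorize regex before restarting the server. The following POSIX shell snippet is an added example, not MIRACL's code, and it assumes the server matches each candidate email against the whole string, case-sensitively, and admits the user on the first pattern that matches; confirm those semantics against the server's own regex engine before relying on them. It shows the page's pattern next to one with the dot escaped, since an unescaped `.` also matches any other single character, and the sample addresses are constructed.

```shell
PAGE_RE='^[^@]+@example.com$'      # as written in the config above: unescaped dot
STRICT_RE='^[^@]+@example\.com$'   # dot escaped, so only the literal domain matches

# email_authorized EMAIL REGEX...: exit 0 if any regex matches the full address.
email_authorized() {
  email="$1"; shift
  for re in "$@"; do
    if printf '%s\n' "$email" | grep -Eq -- "$re"; then
      return 0
    fi
  done
  return 1
}

# Verdict for each constructed address under both patterns.
for addr in alice@example.com Alice@Example.com alice@evil.example.com \
            'a@b@example.com' alice@examplexcom; do
  for re in "$PAGE_RE" "$STRICT_RE"; do
    if email_authorized "$addr" "$re"; then v=allow; else v=deny; fi
    printf '%-26s %-24s %s\n' "$addr" "$re" "$v"
  done
done
```

The anchors and `[^@]+` already reject subdomains and addresses with a second `@`; the escaped dot closes the remaining gap, and the mixed-case address shows that users must register with the same case the pattern expects. In a YAML config `\.` can be written as-is; in JSON it must be `\\.`.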
Save and close the file.
In the /etc/miracl-sso/config.yaml file, make sure you add dropbox.yaml to the list of ‘includes’:
includes:
  - core.yaml
  # service providers
  - service_providers/dropbox.yaml
As always after config changes, restart the server with
sudo service miracl-sso restart
Now that your service is configured, you can visit https://<yourssoip>/services to log in to the service using IdP-initiated login, or visit the Dropbox login page, where SP-initiated login is triggered automatically.
You will be able to log in using the in-browser PIN pad or the MIRACL Trust app. When logging in to your SSO service for the first time you will be asked to register an email address, so as to confirm your identity and register you as a user.