Dropbox

The Dropbox Business integration enables biometric passwordless authentication via SAML 2.0 using the 1Kosmos mobile app.

Integration type: SSO

Overview

1Kosmos integrates with Dropbox Business as a SAML 2.0 identity provider, allowing team members to access Dropbox using biometric passwordless authentication via the 1Kosmos mobile app.

Dropbox accepts the IdP sign-in URL and X.509 signing certificate as the primary configuration inputs. The SP values for Dropbox are fixed: the Entity ID is the string Dropbox and the ACS URL is https://www.dropbox.com/saml_login. SSO can be set to Optional (users choose SSO or password) or Required (SSO only), with Optional being the recommended mode during initial testing.

SSO is available on Dropbox Business Advanced, Business Plus, and Enterprise plans. Two-step verification in Dropbox is automatically disabled when SSO Required is enabled to avoid conflicting authentication settings.


Prerequisites

  • Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.

  • Dropbox Business plan: Team administrator access on an Advanced, Business Plus, or Enterprise plan. SSO is not available on lower-tier Dropbox plans.

  • Matching user email addresses: Dropbox identifies SAML-authenticated users by their email address. All team members must have Dropbox accounts with email addresses that match their 1Kosmos directory records.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.


Configuration values

Values to collect from 1Kosmos AdminX (IdP) for Dropbox:

| Field | Where to find it |
|---|---|
| SSO Login URL (Identity provider sign-in URL) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| Signing Certificate (X.509 PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |

Fixed Dropbox SP values to enter in AdminX:

| Field | Value |
|---|---|
| SP Entity ID (Audience URI) | Dropbox |
| ACS URL | https://www.dropbox.com/saml_login |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |

Integration steps

Step 1: Add Dropbox as a SAML application in AdminX

  • Log in to the AdminX portal and navigate to Applications → Add Application.

  • Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.

  • Enter "Dropbox Business" as the Application Name, set Instance to Production, and enter https://www.dropbox.com as the Application Access URL. Click Next.

  • Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add a claim for email (Username). Click Next.

  • Enter Dropbox as the SP Entity ID and https://www.dropbox.com/saml_login as the ACS URL. Enable Assertion signing and click Save.

Step 2: Configure SSO in the Dropbox Admin Console

  • Log in to dropbox.com as an administrator and click Admin console in the left sidebar.

  • Navigate to Settings → Security (or Settings → Authentication, depending on your console version) and locate the Single sign-on (SSO) section.

  • Click Add sign-in URL and paste the 1Kosmos SSO Login URL into the Identity provider sign-in URL field.

  • Upload the 1Kosmos X.509 signing certificate (PEM format) using the certificate upload option.

  • Set the Single sign-on dropdown to Optional to enable testing without locking out all users. Click Save.

Step 3: Test the integration

  • Navigate to https://www.dropbox.com/login and enter a team member's email address. Dropbox automatically detects that SSO is enabled and redirects to 1Kosmos.

  • Authenticate biometrically using the 1Kosmos mobile app.

  • Confirm you are returned to Dropbox as an authenticated team member with access to team folders.

  • After successful testing, change the SSO setting to Required if you want to enforce SSO for all team members.


Attribute mappings

| Source (1Kosmos) | Target (Dropbox) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Must match the Dropbox account email |

Integration notes

The Dropbox SP Entity ID is the literal string Dropbox, not a URL. Entering a URL here will cause the SAML assertion to fail validation. When SSO Required is enabled, Dropbox disables two-step verification for all team members.

If your security policy requires both MFA and SSO, 1Kosmos biometric authentication satisfies the MFA requirement within the SSO flow, so separate two-step verification in Dropbox is not needed. The admin account used to configure SSO retains password-based access as a fallback even after Required mode is enabled.
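A pre-flight check for the Step 3 test and the Entity ID pitfall noted above, added here as an example (it is not 1Kosmos or Dropbox code). It inspects a base64 SAMLResponse captured from a test sign-in against the fixed SP values on this page; the function names, the sample user alice@example.com and the case-insensitive email comparison are assumptions, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
AUDIENCE = "Dropbox"  # fixed SP values stated on this page
ACS_URL = "https://www.dropbox.com/saml_login"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(b64_response, expected_email):
    """Return the configuration problems found in a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if audiences != [AUDIENCE]:
        problems.append(f"Audience {audiences!r} is not the literal 'Dropbox'")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != ACS_URL:
        problems.append(f"Recipient {recipient!r} is not {ACS_URL}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != NAMEID_FORMAT:
        problems.append(f"NameID Format is {fmt!r}")
    email = (name_id.text or "").strip() if name_id is not None else ""
    if email.lower() != expected_email.lower():  # case-insensitive: assumption
        problems.append(f"NameID {email!r} does not match the Dropbox email")
    # Presence check only; this does not verify the signature cryptographically.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned; enable Assertion signing")
    return problems

def build_sample(audience, signed=True):
    """Constructed sample response; the Signature element is an empty stub."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (
        f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{NS["saml"]}"><saml:Assertion>{sig}<saml:Subject>'
        f'<saml:NameID Format="{NAMEID_FORMAT}">alice@example.com</saml:NameID>'
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>'
        f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(build_sample("https://www.dropbox.com"), "alice@example.com"))
```

Run it on the SAMLResponse form field from your own test sign-in while SSO is still set to Optional; an empty list means the assertion carries the values this page specifies.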

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
