Karim Elatov

RSA SecurID Access SAML DropBox Rich Client Setup

Blog Post created by Karim Elatov Employee on Oct 10, 2015

Dropbox Setup

Looking over the Dropbox documentation, it mentions that after setting Required mode for the SSO configuration, rich clients (such as desktop and mobile clients) should still work (from "What happens when I add a new user to the Business account?"):

If you've turned on SSO in required mode, you'll need to make sure that the new user's email address is registered with your identity provider. Otherwise, the user will not be able to sign in and access Dropbox. In optional mode, the user will be asked to create a Dropbox password and can sign in with it as usual.

To make sure we are only using SSO and not the standard Dropbox password, let's confirm that Dropbox is set to Required mode.

Confirm Required Mode is enabled

I logged into Dropbox as the administrator, navigated to Authentication, and confirmed that Required mode is enabled:

dropbox-required-enabled.png

Initial Registration

After an administrator invites you to Dropbox, you will receive an email:

dropbox-invite-email.png

Upon clicking the link, you can enter your email address and it will take you to the IdP:

dropbox-sso-sign-up.png

And then you will be forwarded back to Dropbox:

drop-box-logged-in.png

Desktop Client

Log in to Dropbox and click YOUR_NAME -> Install:

db-dropdown-install.png

And it will allow you to download the client:

db-download-desk-client.png

Download it and start the installer:

db-installer.png

After the installer finished, the application launched and I saw the following:

dropbox-rc-user-dialog.png

I just entered my email for the username, left the password blank, and clicked "Sign In". It figured out that I have SSO enabled and showed me the following:

db-rc-sso-enabled.png

Then, upon clicking "Get your link code", a web browser opened to the IdP:

db-forward-to-idp.png

We also had step-up enabled so I had to go through that:

db-idp-steup.png

After I was authenticated and authorized on the IdP side, it forwarded me to Dropbox, which showed me the link code:

db-link-code-wb.png

I then copied that and pasted it back into the Dropbox rich client, and it congratulated me on a successful setup:

db-rc-setup-done.png

Then I clicked "Open my Dropbox folder" and it showed me the contents:

db-rc-folder-synced.png

So it worked out quite well. Once the link is established we won't be prompted for step-up again, so it's a one-time setup and after that Dropbox doesn't have to re-login to the IdP. From the same page (What's the difference between optional mode and required mode?):

Users' existing desktop and mobile clients will remain linked to their accounts. This includes any desktop or mobile client that was connected to their account before they joined Dropbox for Business. All new desktop and mobile clients must use single sign-on.

Mobile Client

Now let's try the same thing on a mobile device. First, install the app:

db-install-app.png

After it's installed, launch the app and you will see the initial page:

db-app-sign-in.png

I then clicked Sign In, and on the sign-in page I entered only the email and no password:

db-app-sign-login.png

At this point it forwarded me to a browser, where I logged into my IdP:

db-app-forward-wb.png

After I logged in, it showed me the step-up page:

db-wb-step-up.png

After going through step-up successfully, it forwarded me back to Dropbox and asked me whether I wanted to complete the sign-in:

db-app-signed-in.png

After clicking Allow, the app was able to show the Dropbox content:

db-app-logged-in.png

And I saw my files:

db-app-files.png

Same thing with this app: after you log in and go through step-up, you won't do it again unless you unlink the device.

Linked Device Emails

Throughout my testing, I kept receiving emails about successfully linked devices:

db-comp-linked.png

and here is the Android phone one:

db-and-linked-em.png

Outcomes