This article describes how to integrate RSA with Dropbox using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as Relying Party to Dropbox.
Procedure

1. Sign in to RSA Cloud Administration Console. 
2. On the Authentication Clients menu, click Relying Parties.                                                                                             
3. Click Add a Relying Party.      
4. On the Relying Party Catalog page, click Add corresponding to Service Provider SAML.                                                                 
5. On the Basic Information page, enter the name for the application in the Name field and click Next Step.                                            
6. On the Authentication page, choose SecurID manages all authentication.
7. Select a Primary Authentication Method and Access Policy as required and click Next Step.                                                            
8. Provide the Service Provider details in the following format: 
   1. ACS URL: < Dropbox ACS URL >
   2. Service Provider Entity ID: < Dropbox Entity ID >
      See the Notes section for the instructions on how to obtain ACS URL and Entity ID.                                                                  
9. In the SAML Response Protection section, choose IdP signs entire SAML response.
10. Download the certificate by clicking Download Certificate.                                                                                                                     
11. Click Show Advanced Configuration.
12.  Under the User Identity section, configure Identifier Type and Property. For example, Identifier Type: emailAddress and Property: mail.                                                                                                                                      
13. Click Save and Finish.
14. On the My Relying Parties page, click the Edit drop-down list and select Metadata option to download the metadata.                          

Notes

• The Dropbox post-back URL (also called the Assertion Consumer Service URL) is https://www.dropbox.com/saml_login.
• The Service Provider Entity ID (Dropbox Entity ID) is Dropbox.
• Dropbox requires that the NameID contain the user’s email address: Format="urn: oasis: names:tc: SAML:1.1: nameid-format: emailAddress".
• Dropbox requires the entire SAML response to be signed.

Configure Dropbox

1. Sign in to Dropbox using Advanced or Enterprise credentials - https://www.dropbox.com/login.
2. Click Admin console.                                                                                                                                                                                      
3. Navigate to Settings > Authentication > Single sign-on.                                                                                                                             
4. To enable Single sign-on, click the Single sign-on drop-down list and select the Optional or Required option.                                       
5. Add the Identity provider sign-on URL and X.509 certificate:
   1. Identity provider sign-on URL: This URL can be obtained from your Identity Provider.
   2. X.509 Certificate: Upload the certificate generated by the Identity Provider.                                                                                  
6. Click Save.