admin 11/22/2021
With the recent announcements of the availability of SSO for Dropbox, I wanted to see if it was possible to configure this against our ADFS 2.0 installation. Read on to see how I did it.


At Blue Rooster, our designers primarily use Macs, and Dropbox is a heavily used utility for sharing and collaborating on large design files. We have a business account, and have been utilizing Dropbox native accounts with our company email addresses as our account names. Managing these accounts has all of the traditional problems with external systems – different passwords, removing people when they leave the company, etc.

With the recent announcements of Dropbox Single Sign On capabilities, I wanted to see if it was possible to further leverage our ADFS infrastructure to provide SSO integration with Dropbox. While they don’t list ADFS as a turn-key supported provider (vendors like Ping, OneLogin, etc. are supported), it is all just SAML 2.0 after all and should work. Turns out it was pretty easy, here are the steps I took.

Step 1 – Export your Token Signing Certificate

The Dropbox SSO help page has the following paragraph about certificates and signing:

    Your identity provider may ask if you want to sign the SAML assertion, the SAML response, or both. Dropbox requires the SAML response to be signed. You can choose signed or unsigned for the SAML assertion.
    (Dropbox SSO help page)

I scratched my head for a bit trying to grok this, but really all this means is that ADFS already signs its tokens (response), so you just need to export your token signing certificate from ADFS and provide that to Dropbox.


To export your certificate, follow the steps below (for Windows Server 2012):

  1. Open the ADFS management console and navigate to Services > Certificates.
  2. Click your Token Signing Certificate, and then click View Certificate.
  3. Click on the Details tab and click Copy to File.
  4. For the format, choose DER Encoded Binary. If prompted to export the private key, opt to not do that.
  5. Choose a file name and save it somewhere.
  6. Dropbox requires the cert in PEM format. You can easily convert the cert online. Go to https://www.sslshopper.com/ssl-converter.html. Provide your cert, choose DER/Binary for the source format, and Standard PEM for the target format, and then click Convert Certificate. It’ll ask you to download the file (with a .CRT extension).
  7. Change the file extension to .pem.
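The same DER-to-PEM conversion can be done on the ADFS server itself instead of handing the certificate to a third-party web converter. The PowerShell below is an added example, not from the original post; it assumes the ADFS PowerShell module (on ADFS 2.0 the equivalent cmdlets come from the Microsoft.Adfs.PowerShell snap-in) and a hypothetical output path. Note the NotAfter date it prints: ADFS rolls its token-signing certificate automatically by default, and the PEM uploaded to Dropbox has to be replaced when that happens or SSO stops working.

```powershell
# Added example (not from the original post): export the primary ADFS token-signing
# certificate straight to PEM on the ADFS server. Only the public certificate is
# written; the private key never leaves the ADFS certificate store.
Import-Module ADFS   # ADFS 2.0 on Server 2008 R2: Add-PSSnapin Microsoft.Adfs.PowerShell

$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $tokenSigning.Certificate   # X509Certificate2, public part only

# PEM is the DER bytes Base64-encoded, wrapped at 64 columns, between header/footer.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')

$outPath = 'C:\temp\adfs-token-signing.pem'   # hypothetical path, change to taste
Set-Content -Path $outPath -Value $pem -Encoding Ascii

# Sanity checks before uploading to Dropbox:
# 1. the file reloads as a certificate with the same thumbprint the console shows
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outPath
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'PEM does not match the token-signing cert' }

# 2. no private key material slipped into the file (should print nothing)
Select-String -Path $outPath -Pattern 'PRIVATE KEY'

# 3. record the expiry: Dropbox needs a new PEM when ADFS rolls this certificate
"Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"
```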

Step 2 – Enable SSO in Dropbox

The next step is to turn on SSO within Dropbox. Go to the Dropbox Admin console, and click on the Authentication link. Choose Enable SSO, and tick the Optional radio button. This is fantastic, because users can log in totally normally while you test the SSO implementation.

You’ll see a text box for the Sign In Url. Dropbox SSO is a bit unintelligent, so you have to force Dropbox to tell ADFS who the request is coming from by specifying its identity in the url. Your url should look something like the following: https://adfs.contoso.com/adfs/ls/IdpInitiatedSignOn.aspx?logIntoRP=https://www.dropbox.com/saml_login.

For the certificate, upload your PEM file you created from Step 1 above.

Step 3 – Create the Relying Party in ADFS

The last step is to tell ADFS about Dropbox. Follow the steps below to create the RP:

  1. Open the ADFS Management Console. Click on Trust Relationships > Relying Party Trusts > Add Relying Party Trust.
  2. Choose to Enter the data about the relying party manually.
  3. For the name, type Dropbox or something similar. Click Next.
  4. Choose the ADFS profile with SAML 2.0 support.
  5. Skip configuring a certificate; you don’t need one.
  6. On the Configure URL screen, check the box for Enable support for the SAML 2.0 WebSSO protocol. In the url box, enter the following url: https://www.dropbox.com/saml_login.
  7. For the relying party trust identifier, enter the following url: https://www.dropbox.com/saml_login.
  8. Choose to permit all users to use this relying party.
  9. Next and Finish!

Finally, you need to add a claim rule/mapping to provide Dropbox with your user’s email address as the Name ID.

  1. Click on your newly created Relying Party Trust, and click Edit Claim Rules…
  2. Under the Issuance Transform Rules tab, click the Add Rule button.
  3. On the first page of the wizard, choose the Send LDAP Attributes as Claims option.
  4. On the next page, give your rule a name, something like Get Attributes.
  5. Choose Active Directory as the attribute store.
  6. On the left side, choose Email-Addresses. On the right side, choose Name ID. Should look like the screen shot below:
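The relying party trust and the claim rule from Step 3 can also be created from PowerShell, which is handy for repeating the setup on a second ADFS farm or for reviewing exactly what the wizard produced. This is an added example, not from the original post; it assumes the ADFS PowerShell module, and the claim rule text is the claim-rule-language equivalent of the "Send LDAP Attributes as Claims" template with Email-Addresses mapped to Name ID.

```powershell
# Added example (not from the original post): create the Dropbox relying party trust
# and the email -> Name ID claim rule, equivalent to the wizard steps in Step 3.
Import-Module ADFS

# From the post: Dropbox uses the same url as trust identifier and SAML endpoint.
$dropboxUrl = 'https://www.dropbox.com/saml_login'

# Dropbox consumes the signed SAML response at saml_login via HTTP-POST.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $dropboxUrl

# "Send LDAP Attributes as Claims": look up the authenticated account in Active
# Directory and issue its 'mail' attribute (Email-Addresses) as the SAML Name ID.
$emailAsNameId = @'
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to use this relying party".
$permitAll = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Dropbox' `
    -Identifier $dropboxUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $emailAsNameId `
    -IssuanceAuthorizationRules $permitAll

# Review the result before trying the sign-in in Step 4. Users whose AD account has
# no 'mail' value will get no Name ID and Dropbox will reject the response, so check
# that attribute is populated for everyone who should use SSO.
Get-AdfsRelyingPartyTrust -Name 'Dropbox' |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```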

Step 4 – Try it out

Now that everything is set up, go to www.dropbox.com to try it out. When in optional SSO mode, you can use SSO if you enter your company email address and leave the password box blank. This tells Dropbox that you want to use SSO, and it will redirect you to your ADFS servers for authentication. After being prompted for authentication, you’ll get taken back to Dropbox, where, if everything went well, you’ll see the lovely screen below: