Installing SSO for Dropbox MS Azure
Secure single sign-on (SSO) with Microsoft Azure
We often get asked in Dropbox if it's possible to assign more than one Dropbox team to a single Microsoft Azure instance. Yes, this is entirely possible.
I'm gonna click on my enterprise applications, and you'll see here I have more than one Dropbox Business app. These are associated with different teams. The first one I installed has everything set as default. Now, in order to install a second app for a second Dropbox team without them interfering with each other, you'll need to change one parameter in the single sign-on configuration.
Click into the single sign-on configuration, where you want to edit the basic SAML configuration, and update the identifier ID. This should be a unique string. The default is Dropbox or Dropbox.com. This string needs to be communicated to Dropbox team members on the backend, so that they can update the team variable with this external ID. Reach out to TSS, your channel partner manager, or Dropbox support to get a value added for the team you want to configure for single sign-on.
Once that's configured and saved, those users, when signing in, will be redirected to the correct app within your Azure instance.
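As an added example (not part of the original video or any Dropbox or Microsoft tooling), the sketch below audits a constructed inventory of Dropbox enterprise apps for shared identifiers and models why a shared identifier prevents sign-ins from reaching the right app. The app names, identifier strings, team labels and the assumption that the sign-in request's SAML Issuer carries the configured identifier are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed inventory: app names, identifiers and team labels are placeholders.
APPS = [
    {"app": "Dropbox Business", "identifier": "Dropbox", "team": "team-a"},
    {"app": "Dropbox Business (2)", "identifier": "Dropbox", "team": "team-b"},
    {"app": "Dropbox Business (3)", "identifier": "dropbox-team-c-example", "team": "team-c"},
]

def audit_identifiers(apps):
    """Return {identifier: [app names]} for identifiers that are empty or shared."""
    seen = defaultdict(list)
    for a in apps:
        seen[a["identifier"].strip()].append(a["app"])
    return {i: names for i, names in seen.items() if not i or len(names) > 1}

def issuer_of(authn_request_xml):
    """Extract the <saml:Issuer> value from a SAML AuthnRequest."""
    # Input here is constructed; use a hardened XML parser for untrusted requests.
    node = ET.fromstring(authn_request_xml).find("saml:Issuer", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return node.text.strip()

def route(authn_request_xml, apps):
    """Simplified model of routing: exactly one app must own the request's Issuer."""
    issuer = issuer_of(authn_request_xml)
    matches = [a for a in apps if a["identifier"].strip() == issuer]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} apps match identifier {issuer!r}")
    return matches[0]["team"]

def sample_request(issuer):
    # Constructed minimal AuthnRequest carrying only the fields used here.
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )

if __name__ == "__main__":
    print(audit_identifiers(APPS))  # apps still sharing the default identifier
    print(route(sample_request("dropbox-team-c-example"), APPS))
```

Running the audit before handing identifiers to Dropbox catches a second app that was left on the default value.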
There is one other thing to think about when you are working with multiple teams in Azure, and that is user provisioning. If you are not assigning users manually and you are instead doing it by group membership or some other attribute, then with provisioning you need to authorize the app to manage those users.
When you choose to authorize the app to do so, you normally click "authorize," and you'll fill in a username and a password associated with the team admin of that Dropbox team. If you are already logged into Dropbox, you may have a session cookie that might already be used, and you'll not see the login window. So there is a chance that if you've logged in previously with a different Dropbox team, and then you come to authorize, you'll just use that token.
The recommendation is always to make sure you are logged out. Click on authorize, and you'll see this window open. If you already have single sign-on set up, but your team admin has not been associated with the app, you may need to use your credentials in this instance. So I'm gonna use those credentials, log in, and then I should see an authorization successful message, allowing me to provision users to the correct team.
So those are the two things you need to be aware of when you're configuring multiple Dropbox teams to the same Azure instance. Thanks for watching.