Installing SSO for Dropbox Okta
Okta による安全な SSO
In this video, we're going to install and configure single sign-on for Dropbox using Okta. You'll need to add the Dropbox integration by going to the application catalog within Okta. Click on "Browse app catalog" and search for Dropbox. Select it and add the integration into Okta. You'll also need access to the Dropbox admin console, so make sure you're doing this as a team admin.
Now, we can change this label. I'm going to make it the name of my name, and then the rest of the options here are completely optional. I'm going to leave them as default and click next.
Next, we have our single sign-on options. You want to change this to SAML 2.0, and then we have some information that we can put in here. The relay state information is copied from Dropbox, so we'll copy this link and paste it in here.
Now, we need to configure SAML 2.0. We have setup instructions here. If you click on this when you're logged into Okta, it will actually generate the codes that you need to copy over. So in this case, if I copy this, I'll be able to paste it in here and click done. Then I need to change the certificate.
To replace this certificate, I'm going to come back to my single sign-on configuration, and I can download the certificate from here. So you'll see I've done this for. I'm downloading this version of Okta certificates. I'll click certificate, and then I'm going to search for "okta dot cert." I'll replace the certificate and then click save.
Those settings are changed. I'm leaving this optional to give myself a backup in case the configuration doesn't work for some of my users.
Now that that has been configured, we can choose whether or not we want to use silent provisioning. This will prevent Dropbox from sending emails to newly created users. I'm going to do that so that my users don't get emails right away. Then I want to choose the user format for Dropbox. Dropbox always uses an email for the user logins. We need to switch from the Okta username. We want to be able to manage the user attributes in case the username changes in Okta, it will also change in Dropbox.
Okay. I'm going to click done. Now I can get into some more nuanced aspects of configuration, such as assigning to users, turning on provisioning, and reviewing single sign-on.
If I click on single sign-on, we can see the relay state here. I can see the settings that have been configured. I can see that I changed from SHA-1 to SHA-256. That's the Okta certificate. I can also add in any required sign-on policy. So if you have different policies that define who can access this application and under what conditions, they can be configured from here. For now, I'm going to leave this as default.
When we look at provisioning, we see that provisioning is not yet enabled. So I'm going to configure the API integration, and then I need to authenticate with Dropbox Business. This is why you need to be a team admin because you need to grant permissions to manage users, create, read, update, and delete them. This will now open a window for me to authenticate. I've already logged in, so my cookie may persist, and I can see now that that is configured. Okay? So I can save that. If you weren't already logged in, you would be asked to log in and provide your details.
Now we can see how provisioning can work. The settings to the application or to Okta. Okta supports two-way provisioning, so you can actually create Okta users and update them based on their existence inside of Dropbox. So, I click edit. We want to be able to create users, we want to be able to update the attributes, and we want to be able to deactivate users. What happens when a user gets deactivated in Okta or unassigned? Well, we can either choose to remove that user, which is essentially deleting them, or suspend them. If you choose to remove that user, then you can decide how their data is going to be transferred. Do you want to go into the Dropbox admin and choose a specific user, or do you want to set up a system account user so that all those deactivated users' data will be moved to? I'm going to leave it as suspend for now.
Okay. Under here, you have the attribute mappings. You want to leave this as standard. If you look at the profile editor, you can then see what those mappings are, and we really only care about the first name, last name, and the email address. Those are the only ones that are going to get mapped to Dropbox. So there's no point in configuring anything else. If you look at the mappings, and you look at the Dropbox to Okta mappings, we only care about those attributes.
So now we can, I'm going to go back to the application, and you'll see a dropdown here. Now, this hasn't been assigned to anyone yet, so we want to think about assigning it. There's a couple of different ways you can do this. You can go to the people here and you can assign to users or you can assign to groups. Assigning to a user is just assigning to a user one at a time, and you can also assign to groups. So you'll notice here from previous integrations, I've been able to actually sync users from Dropbox into Okta, and I could assign this to those users that are members of those groups if I'm allowed. In this case, I am going to provision to my Dropbox users. So I can assign to them, and then I can decide what permissions they should have. Currently, Okta supports member, team admin, user management admin, and support admin. I'll make them members.
Now, anyone who is a member of that group will be automatically provisioned to Dropbox if they're not already there, and they'll also be able to perform a single sign-on because they've been assigned to the app inside of Okta. You can also assign to users, and another way that you could do this is by going to the directory, going to a group, finding the group that you want, and then, for example, if I go to sub-admins, I think it's a group. So I'm only going to look for all my Okta groups, and here's an Okta Sub-admin group. I want to assign this group to this user, and I can assign it to the application. In this case, I'm assigning it to the Dropbox application, and in this case, I'm going to make them a user management admin.
Okay. Save and go back and done. So now you see two ways of assigning the app in Okta. You can assign it from the app choosing a user or a group, or you can go to a group and assign to an application. That's how you configure single sign-on using Okta with Dropbox. Thanks for watching.