Single sign-on (SSO) for Dropbox

The ability to move files around in a secure way is something enterprises have come to depend on. Dropbox is a popular software-as-a-service (SaaS) app that makes this possible. Using its cloud storage, files can be shared from a central location, with controlled and audited access, integration with Microsoft applications, and support for larger file transfers.

Since many teams use Dropbox alongside other SaaS apps, most organizations choose to deploy it via single sign-on (SSO). This allows employees to authenticate themselves to Dropbox and other network services through the convenience of a single credential.

However, the deployment stage of SSO is not always seamless. It usually requires unexpected extra infrastructure and security systems.

Clearly, SSO has limitations. One is that, in on-premises setups, SSO often doesn’t remove the need for employees to have separate workstation, VPN, RDP, or IIS credentials. Employees may be able to SaaS credentials using SSO, but still face managing other credentials on their own. 

Secondly, SSO requires additional infrastructure, which is not always cheap or easy to put in place. If organizations aren’t careful, these services can add cost and complexity to a technology that was supposed to make life simpler.

What SSO does do well is tame SaaS sprawl, solving a major disadvantage of SaaS: each application has its own credentials. As teams use more apps, employees risk getting overwhelmed.

The outcome is bad security. To cope, users resort to reusing credentials or using weak passwords, creating invisible pathways behind an organization’s defenses that criminals can exploit.

With SSO, users only need one credential to access SaaS apps, instead of lots of different ones across services. This is obviously more convenient for users, but it helps security teams, too. There's only one credential to defend using stronger security policies and monitoring.

Many hold out on implementing SSO because of the inherent security risks. For one, it can create a single point of failure. If compromised, a single credential can give attackers access to data across multiple resources.

That’s why teams offering SSO always implement it with additional security layers, such as strong password policies and multi-factor authentication (MFA) to reduce the chance of a compromise.

Organizations running AD environments must choose which identity system will be used for SSO authentication. The most common answer is often to integrate with a cloud identity provider (IdP), but this requires organizations to hand over authentication to an external identity provider. For some organizations, relying on an external provider for such an important security function isn’t ideal. Importantly, it can also increase the cost of SSO implementation, not to mention the upcharges for essential security protections such as MFA.

In on-prem AD environments, SSO also doesn’t always remove the need to enter a separate password for other, non-SaaS resources, such as workstations or VPNs.

High per-seat IdP charges for SSO are only the first part of the implementation bill. The next is MFA, which is usually a separate cost.

Why does this happen? Largely because in the Windows platform, services such as SSO and MFA have always been seen as add-ons that are necessary only for high-risk users.

Today, most IT security experts view these security measures as essential across most or all accounts, but the old model persists. If you want the convenience of SSO or the security of MFA, you usually need to arrange (and pay for it) yourself.

UserLock SSO was designed for organizations that would prefer to implement SSO through their existing on-premises AD infrastructure.

After all, you already have an in-house authentication platform in the form of Windows Active Directory (AD), which makes it unnecessary to pay for or use an external IdP.

At the core of on-premises networks is Active Directory (AD), used to authenticate users when they log in. Implementing UserLock SSO allows organizations to continue using this directory service, hugely simplifying the time and cost of any integration with a third-party platform.

Admins can configure Active Directory SSO using UserLock SSO’s built-in configuration wizard, turning a potentially onerous setup into a manageable project. Importantly, teams don’t have to go elsewhere to add essential security layers such as granular MFA and user access control, which are included in UserLock out of the box.

With UserLock SSO, your end users no longer need to go through Dthe ropbox login. Instead, the permission to access Dropbox is granted via the employee’s network login. This strong, on-premises authentication gives them access to multiple SaaS resources using their one AD credential.

Here's how to enable UserLock SSO for Dropbox:

1. Enable Dropbox as a provider in the UserLock SSO console’s single sign-on configuration before restarting the service.

2. Navigate to Dropbox Admin Console → Settings → Single sign-on and add the values listed in the UserLock SSO configuration guide.