Dropbox: Deploying Forcepoint ONE SSE as a SAML IdP

This section guides you through configuring Forcepoint ONE SSE as a SAML identity provider (IdP) for Dropbox single sign-on (SSO) authentication. This gives the Forcepoint ONE SSE CASB visibility into, and access control over, Dropbox.

The Dropbox mobile app and desktop sync client cannot be proxied, so when access occurs via a client app, the only supported controls are Direct App Access or Deny.

Steps

  1. Navigate to the Protect > Policies page and select the Dropbox app. Under the app instance, make sure that SAML SSO cutoff is enabled for Web, Client apps. Back on the settings page, select Setup Web SSO to go to the Dropbox Single Sign-On page.




  2. Keep the Single Sign-On page open as you will need some of the information from this guide page for configuring your settings in Dropbox. Download the Assertion Signing Certificate and save it somewhere you can locate easily.


  3. Log in to Dropbox as an administrator, click the Admin Console link, and navigate to the Authentication section.
  4. Check the Enable single sign-on checkbox.
  5. Paste the Login URL copied from the Single Sign-On page (step 2 above) into the Sign In URL field.
  6. Upload your saved Assertion Signing Certificate as the X.509 certificate.


  7. Once you are done with the setup, navigate back to Forcepoint ONE SSE, go to the Protect > Policies page, and scroll down to the Dropbox application. Before setting up a policy line to send users through Secure App Access (reverse proxy), you will need to set up one policy line for Direct App Access and have an admin or a user log in directly once to validate the SAML SSO setup. Once done, you can then adjust your policies to start sending people through the Forcepoint ONE SSE proxy.
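
A pre-upload check for the Assertion Signing Certificate saved in step 2, to run before uploading it in step 6. This is an added example, not part of the Forcepoint or Dropbox documentation. It assumes the downloaded file is PEM-encoded and that openssl is installed; the function name, return codes and 30-day threshold are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a downloaded IdP signing certificate before
# uploading it to the service provider. File path is whatever you saved it as.
#
# check_signing_cert FILE [MIN_DAYS]
# Prints subject, expiry date and SHA-256 fingerprint on success.
# Return codes (defined by this example):
#   0 usable            1 file missing or empty
#   2 not a PEM X.509   3 file contains a private key
#   4 expires within MIN_DAYS (default 30)
check_signing_cert() {
  local file="$1"
  local min_days="${2:-30}"

  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }

  # Only the public certificate belongs on the service provider side.
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"; then
    echo "refusing: $file contains a private key" >&2
    return 3
  fi

  # Parse only; fails if the file is not a PEM-encoded X.509 certificate.
  if ! openssl x509 -in "$file" -noout 2>/dev/null; then
    echo "not a PEM X.509 certificate: $file" >&2
    return 2
  fi

  # -checkend N exits non-zero when the certificate expires within N seconds.
  # An expired signing certificate makes every SSO assertion fail validation.
  if ! openssl x509 -in "$file" -noout \
        -checkend $(( min_days * 86400 )) >/dev/null; then
    echo "certificate expires within ${min_days} days" >&2
    return 4
  fi

  # Record the fingerprint so a later certificate change can be detected.
  openssl x509 -in "$file" -noout -subject -enddate -fingerprint -sha256
}
```

Keep the printed SHA-256 fingerprint with your change records so you can confirm later that the certificate configured in Dropbox is still the one you downloaded.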