How to configure Dropbox MFA using ADSelfService Plus

In this article

• Objective
• Prerequisites
• Dropbox (service provider) configuration steps
• ADSelfService Plus (identity provider) configuration steps
• Dropbox MFA configuration steps
• Validation and confirmation
• Related topics and articles
• How to reach support

Objective

This article provides step-by-step instructions on configuring Dropbox multi-factor authentication (MFA) using ADSelfService Plus. By the end of this guide, administrators will be able to enable and enforce MFA, also commonly referred to as Dropbox 2FA or Dropbox two-factor authentication, to strengthen Dropbox security and protect user access.

Prerequisites

Before configuring Dropbox MFA, ensure that single sign-on (SSO) is set up for Dropbox in ADSelfService Plus:

1. Log in to ADSelfService Plus as an administrator.
2. Navigate to Configuration > Self-Service > Password Sync/Single Sign On > Add Application and select Dropbox from the applications displayed.

   Note: You can also find the application that you need from the search bar located on the left pane or the alphabet-wise navigation option on the right pane.

3. Click IdP Details in the top-right corner of the screen.
4. In the pop-up that appears (Fig. 1), copy the Login URL and Logout URL and download the SSO certificate by clicking the Download X.509 Certificate link.

   

   Figure 1. Accessing the IdP details to copy the Login URL and Logout URL and download the X.509 certificate.

Dropbox (service provider) configuration steps

1. Log in to Dropbox, the service provider (SP), with administrator credentials.
2. Click Admin console on the left pane.
3. In the tab that opens (Fig. 2), click Settings on the left pane and select Single sign-on.

   

   Figure 2. Navigating to the SSO settings in the Dropbox admin console.

4. From the drop-down next to Single sign-on, select either Optional or Required based on your requirements. Selecting Optional will allow users to log in to Dropbox with SSO or their Dropbox password. Selecting Required will only allow users to log in through SSO.
5. Click the Add sign-in URL button in the Identity provider sign-in URL field and provide the Login URL copied in step 4 of the prerequisites.
6. Optionally, click the Add sign-out URL button in the Identity provider sign-out URL (optional) field and provide the Logout URL copied in step 4 of the prerequisites.
7. Click Upload certificate in the X.509 certificate field (Fig. 3) and upload the X.509 certificate downloaded in step 4 of the prerequisites.

   

   Figure 3. Providing the IdP sign-in and sign-out URLs and uploading the certificate in Dropbox for SSO configuration.

8. Copy the SSO sign-in URL (Fig. 4). This will be required in the following steps.
9. Click Save.

   

   Figure 4. Copying the SSO sign-in URL in Dropbox to complete the configuration.

ADSelfService Plus (identity provider) configuration steps

1. Now, switch to the Dropbox configuration page (Fig. 5) in ADSelfService Plus, the identity provider (IdP).

   

   Figure 5. Accessing the Dropbox configuration page in ADSelfService Plus to continue the SSO setup.

2. Enter the Application Name and Description.
3. In the Assign Policies field, select the policies for which SSO needs to be enabled.

   Note: ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, navigate to Configuration > Self-Service > Policy Configuration > Add New Policy.

4. Select Enable Single Sign-On.
5. Enter the Domain Name of your Dropbox account. For example, if you use johndoe@thinktodaytech.com to log in to Dropbox, then thinktodaytech.com is the domain name.
6. Enter the SSO sign-in URL copied in step 8 of the SP configuration in the SP Login Initiate URL field.
7. In the Assertion Consumer Service URL field, enter https://www.dropbox.com/saml_login.
8. In the Name ID Format field, choose the format for the user login attribute value as required by Dropbox.

   Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value.

9. Click Add Application.

Your users should now be able to sign in to Dropbox through ADSelfService Plus.

Note: For Dropbox, both SP- and IdP-initiated flows are supported.

Dropbox MFA configuration steps

To enhance Dropbox security using MFA, follow the steps below:

1. Navigate to Configuration > Self-Service > Multi-factor Authentication.
2. Select a policy from the Choose the Policy drop-down and configure the required authentication methods for that policy.
3. Navigate to MFA for Endpoints.
4. In the MFA for Enterprise Applications section, select Enable __ authentication factor(s) for application logins (Fig. 6).

   

   Figure 6. Configuring Dropbox MFA in ADSelfService Plus.

5. Enter the number of authentication methods to be enforced.
6. Select the desired authentication methods from the drop-down.
7. Click the asterisk (*) symbol next to an authentication method to set it as mandatory.
8. You can also reorder the authenticators by dragging them into the preferred sequence.
9. Click Save Settings.

Validation and confirmation

To validate the Dropbox MFA setup, attempt to access the Dropbox application. When the SSO process is initiated, ADSelfService Plus will prompt the user to complete the configured MFA methods before access is granted. After successfully completing the required authentication methods, the user will be seamlessly redirected to their Dropbox account, confirming that MFA enforcement is functioning as expected.

Related topics and articles

• Configuring MFA for web applications
• Configuring SSO and MFA for Cisco Adaptive Security Appliance
• Configuring SSO for SAML-enabled custom enterprise applications

How to reach support

For further assistance, contact our support team here.

Last updated on: Dec. 11, 2025