Provisioning Users to Dropbox
Article: KB0010380 Published: 05/07/2020 Last modified: 05/07/2020

This article describes how to use OneLogin to provision users with Dropbox using the Dropbox API.

Note: User provisioning via the Dropbox API requires a subscription to the OneLogin Unlimited plan. Contact OneLogin Sales for more details.

Alternatively, you can perform just-in-time user provisioning via SAML SSO. This method allows provisioning of a limited number of user attributes. See Configuring SAML SSO for Dropbox.

Prerequisites

Configure SAML SSO for Dropbox

Enabling Provisioning

  1. Go to Apps > Company Apps and select the Dropbox app to which you want to provision users.

  2. Go to the Configuration tab to connect to the Dropbox API.

  3. Click Authenticate.

  4. At the prompt, click the link to go to Dropbox.

  5. Enter and submit your Dropbox credentials.

  6. Grant access to Dropbox.

    OneLogin returns you to the Dropbox app configuration page.

    You can also confirm that the authorization was successful by going to the Configuration tab and confirming that the Clear Token button appears.

    You can click the Clear Token button if you ever need to reauthenticate with the Dropbox API.

  7. (Optional) Select the Silent Provisioning option if you want to prevent Dropbox from sending invitation emails to new users when they are provisioned to Dropbox from OneLogin.

    Note: Regardless of what you set here, an invitation email is required to activate a user in Dropbox. If you select this option, you still need to send an invitation, either using the Dropbox admin portal or the API.

  8. Go to the Provisioning tab.

  9. Select Enable provisioning for Dropbox. Once you enable this option and give users access to the app, the provisioning process will begin.

    Note: You must select this option now to enable options required to complete subsequent steps. To ensure that you do not inadvertently provision users to Dropbox before you are ready, enable the action controls described in the next step.

  10. Choose the provisioning actions for which you want to require administrator approval. For example, if you select Create user, Delete user, and Update user, any time a user is created, deleted, or updated, a OneLogin administrator will need to go to Users > Provisioning to manually approve or ignore each of these actions.

    Enabling these action options is especially useful before you intend to start provisioning, because with the Enable provisioning for Dropbox option selected, you may trigger provisioning during setup and testing. With this safeguard enabled, a OneLogin administrator can choose to ignore any inadvertent provisioning actions.

    Once you are done configuring and testing provisioning, you can update the settings to leave one or more action options clear if you want OneLogin to make the provisioning change in Dropbox without requiring administrative approval.

  11. Select what happens to a user in Dropbox when that user is deleted from OneLogin. Select Delete or Do Nothing.

  12. Under Entitlements, click Refresh.

    Refreshing entitlements populates Dropbox Groups values accessible from the Parameters tab and updates the values available when you configure Rules.

  13. Click Save.

Mapping Dropbox Attributes to OneLogin Attributes

In this task, you'll map Dropbox user attributes to OneLogin user attributes. These mappings tell OneLogin how to populate user attribute values to Dropbox when provisioning users from OneLogin. If you have a OneLogin attribute value that you want to send over to populate a Dropbox field, you'll define it in this task.

  1. Go to Applications > Applications and select the Dropbox app to which you want to provision users.

  2. Go to the Parameters tab.

  3. Select Configured by admin.

  4. For Email, leave Value set to Email. While you can use a macro or another value here, Dropbox does an excellent job of parsing email values into usernames so we recommend that you set Value to Email.

  5. Use the Groups parameter to provision users to Dropbox groups using the Dropbox API. Groups provisioning is performed using safe entitlements.

    Note: If a user has not accepted her Dropbox invitation at the time of provisioning, per Dropbox functionality, OneLogin will create the user in Dropbox, but will be unable to assign the user to any Dropbox groups.

  • If you want to provision all of your users to one or more existing Dropbox groups, configure provisioning using the Groups parameter alone. To do this, click the Groups parameter row and move the Dropbox groups to which you want to provision users from the Available values column to the Selected values column. This configuration will provision all of your users to each of the selected groups.

    Note: To have your Dropbox groups display as available values when configuring provisioning, you must first refresh entitlements. To do this, in your Dropbox app, go to the Provisioning tab and click Refresh.

    Scroll down to select the Include in user provisioning option and click Save.

  • If you want to provision subsets of your users to one or more existing or new Dropbox user groups, configure provisioning using the Groups parameter, as described above, as well as rules. See Using Rules to Provision Users to Dropbox Groups.

  • If you do not want to provision to groups, be sure to leave the Include in User Provisioning option shown above clear.

  • Click Save.

Using Rules to Provision Users to Dropbox Groups

You can define rules to provision subsets of your OneLogin users into Dropbox groups. For example, you can define a subset of users by filtering on a specific OneLogin user attribute value and then define an action that provisions the subset of users to a specific Dropbox group.

Note: If a user has not accepted her Dropbox invitation at the time of provisioning, per Dropbox functionality, OneLogin will create the user in Dropbox, but will be unable to assign the user to any Dropbox groups.

  1. Go to Applications > Applications. Search for and select your Dropbox app.

  2. Go to the Rules tab.

  3. Click New rule to open the New Mapping dialog, where you can set the conditions and actions that determine which users will be provisioned from OneLogin to specific Dropbox groups.

    Note: To have your Dropbox groups display as available values when configuring provisioning, you must first refresh entitlements. To do this, in your Dropbox app, go to the Provisioning tab and click Refresh.

  4. Give your rule a name.

  5. In the Conditions area, click + to add a condition. Use the fields to define a condition that defines a subset of users to be acted upon by the rule. Conditions are based on OneLogin user attribute values.

    For examples, see Rule Mapping Examples below.

  6. In the Actions area, click + to add an action. Use the fields to define the action that will be performed on users by the rule. Available actions include:

    • Create a new Dropbox group and provision users to it

    • Provision users to an existing Dropbox group

    For examples, see Rule Mapping Examples below.

  7. Click Save.

  8. To add another provisioning rule, click New rule.

  9. The order in which rules are applied matters and can impact provisioning results. Drag and drop the rule rows to put them in the order that produces correct results. To test results, see the next step, as well as Testing Provisioning.

  10. Click Show Affected Users to see which users will be affected by the provisioning rule as configured. Review the list to ensure that only intended users are listed.

  11. Click Save.

  12. Go to the More Actions menu and click Reapply Provisioning Mappings to apply the new rule.

    Important! You must reapply mappings any time you create or update rules!

Rule Mapping Examples

Here are some rule configuration examples that address common implementation scenarios.

Provision Members of an AD/LDAP Security Group to New Dropbox Groups

To do this, define a rule mapping like this one:

 

CONDITIONS

For use cases like this one in which you are provisioning users to new Dropbox groups, no conditions need to be set. All settings are configured in the Actions area.

ACTIONS

  1. In the first drop-down, select Set Groups in Dropbox App Name to provision OneLogin users to groups in Dropbox.

  2. Select the Map from OneLogin option to provision users to new Dropbox groups created based on information in OneLogin.

  3. Select For each value of member_of to provision users to Dropbox based on their member_of user attribute value.

    The OneLogin member_of user attribute value is populated by Active Directory (AD) and reflects the user's membership in an AD/LDAP security group.

  4. To identify the AD/LDAP security groups that will be used to create groups in Dropbox and provision users to them, provide a regular expression (regex) in the adjacent field.

    Provisioning will parse through AD/LDAP security group data and apply the regex. For each matching value, a group will be created in Dropbox. Any users who are members of a matching AD/LDAP security group in OneLogin will be provisioned to the newly created group in Dropbox.

    For key regex guidance and examples, see Using Regex to Provision Members of AD/LDAP Groups to New App Groups.
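
An offline way to preview step 4 before reapplying mappings, as an added example that is not OneLogin's code or matching engine: it runs a candidate regex over constructed member_of values and lists the Dropbox groups that would be created and who would land in them. It assumes member_of is a semicolon-separated list of AD distinguished names and that the first capture group becomes the group name; the users, DNs and the Dropbox- prefix are constructed.

```python
import re

# Constructed sample data: OneLogin users and their member_of values.
# Assumption: member_of holds semicolon-separated AD distinguished names.
USERS = {
    "alice@example.com": "CN=Dropbox-Finance,OU=Groups,DC=example,DC=com;"
                         "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "bob@example.com": "CN=Dropbox-Engineering,OU=Groups,DC=example,DC=com;"
                       "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "carol@example.com": "CN=VPN-Users,OU=Groups,DC=example,DC=com",
}


def preview_groups(pattern, users=USERS):
    """Return {group name: sorted members} that a regex would yield.

    Assumption: the first capture group (or the whole match when the
    pattern has none) becomes the group name.
    """
    rx = re.compile(pattern)
    groups = {}
    for email, member_of in users.items():
        for dn in filter(None, (d.strip() for d in member_of.split(";"))):
            m = rx.search(dn)
            if not m:
                continue
            name = m.group(1) if rx.groups else m.group(0)
            groups.setdefault(name, set()).add(email)
    return {g: sorted(members) for g, members in sorted(groups.items())}


def unexpected_groups(pattern, allowed_prefix="Dropbox-", users=USERS):
    """List groups the regex would create that fall outside the intended prefix."""
    return [g for g in preview_groups(pattern, users)
            if not g.startswith(allowed_prefix)]


if __name__ == "__main__":
    # A broad pattern versus one anchored to the intended naming convention.
    for pattern in (r"CN=([^,]+)", r"^CN=(Dropbox-[^,]+),OU=Groups,"):
        print(pattern, preview_groups(pattern), unexpected_groups(pattern))
```

The broad pattern turns every security group a user belongs to into a Dropbox group, while the anchored pattern yields only the two intended ones; compare the preview against Show Affected Users before approving anything.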

Using Rules to Provision Users to Existing Dropbox Groups

To do this, define a rule mapping like this one:

CONDITIONS

  1. In the first drop-down, select MemberOf to provision users based on their member_of user attribute value. The OneLogin member_of attribute value is populated by AD and reflects the user's membership in an AD/LDAP security group.

  2. Use the two adjacent fields to write a condition to select the AD/LDAP security groups that contain the users that you want to provision to Dropbox.

ACTIONS

  1. In the first drop-down, select Set Groups in Dropbox to provision users in the selected AD/LDAP security groups.

  2. Select the From Existing option to provision users to an existing Dropbox group.

  3. Select the existing Dropbox group to which you want to provision the users who are members of the selected AD/LDAP security group.

    If you selected a subset of Dropbox groups on the Parameters tab as discussed in Mapping Dropbox Attributes to OneLogin Attributes, only that subset of groups will be selectable here.

Testing Provisioning

Test your provisioning setup to confirm that provisioning from OneLogin to Dropbox is working.

  1. Go to Applications > Applications. Search for and select your Dropbox app.

  2. Go to the Provisioning tab. Ensure that the following options are selected for reasons described in Enabling Provisioning.

    • Enable provisioning for Dropbox

    • Create user

    • Delete user

    • Update user

  3. Click Save.

  4. Navigate away from the application to your OneLogin Roles. In the top left of the Administration page, go to Users > Roles.

  5. Create a test role and add your Dropbox app to it.

  6. Click Save.

  7. Access the test role you just created.

  8. Go to the Users tab.

  9. Under Add Users to Role Manually, add your test user(s).

  10. Click Save. This will trigger provisioning of the test user to your Dropbox app.

  11. Per the settings in step 2, you must approve the provisioning action before it can proceed. To do this, go to Users > Provisioning. Use search and filters to locate your provisioning task, which will be in Pending status.

  12. Click the row. Click Ignore or Approve, depending on your test case.

  13. If the provisioning row shows up as Failed on the Provisioning page, click the row to view a reason for the failure. Click Retry to try again.

  14. When the user has been successfully provisioned according to OneLogin, go to Dropbox and confirm that the new user has been added.

  15. Continue to test for user updates and user deletions.

