This guide provides the steps required to configure provisioning for Dropbox Business.
Invited User Administration is supported for the Dropbox Business application.
This enables Okta to:
Update user profiles for users who are in an invited state in Dropbox Business
Add invited users to groups while they are in invited state in Dropbox Business
Remove users from Dropbox Business while they are in invited state in Dropbox Business
The following provisioning features are supported:
Push New Users
New users created through Okta will also be created in Dropbox Business.
Push Profile Updates
Updates made to the user's profile through Okta will be pushed to Dropbox Business.
Push User Deactivation
Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in Dropbox Business.
Note: For this application, deactivating a user means removing all of that user's data and removing the user's account. Users can also be suspended, leaving the data intact but the user unable to sign in.
Import New Users
New users created in Dropbox Business will be downloaded and turned into new AppUser objects, for matching against existing Okta users.
Import Profile Updates
Updates made to a user's profile in Dropbox Business will be downloaded and applied to the profile fields stored locally in Okta.
Push Groups
Groups and their members can be pushed to remote systems. For more about using group push operations (including Group Push enhancements) see Using Group Push.
Reactivate Users
User accounts can be reactivated in the application.
Note: If the user account was suspended, it will be reactivated with access to their existing Dropbox file. If the user was deactivated, a new account will be created.
Off-boarding (file transfer upon user deactivation)
This feature gives you granular control over off-boarding actions. See the Migration section for details.
Silent Provisioning
Allows you to silently provision users to Dropbox Business, preventing Dropbox Business from sending welcome emails to new users provisioned via Okta. See the Migration section for details.
Before you configure provisioning for Dropbox Business, make sure you have configured the General Settings and any Sign-On Options for the Dropbox Business app.
Note: Under Sign-On Options you can select Silent Provisioning. If you select this, Dropbox Business does not send welcome emails to new users provisioned into Dropbox Business from Okta. This feature is mainly to be used with SAML authentication, as users will not receive an email with their Reset Password link.
In order to use the Silent Provisioning feature you must:
Set up SSO in the Dropbox Business admin console. SSO must be set to required in Dropbox.
Claim your corporate domain with Dropbox Business in the Dropbox Business admin console. Someone with authority to claim the domain, such as the IT admin, can manually verify the domain on Dropbox Business. Verification is done once for each domain.
Once the above steps are complete, the flow from the Okta side is:
The Okta admin provisions Dropbox Business users with Silent Provisioning enabled.
Dropbox Business captures existing personal Basic or Pro users on the corporate domain if it's enabled in the Domain Management tool in the Dropbox Business admin console. For more information, visit the Dropbox Help Articles for Invite Enforcement and Account Capture.
If the user does not already exist in Dropbox Business, they are directed to https://www.dropbox.com/sso to log in, where they need to get their accounts activated. As these users are not already on Dropbox Business, and Okta hasn't sent them invitations by email, they need to be notified of this URL by some other means, or they can click on the Dropbox Business application in Okta.
By default the Silent Provisioning option is disabled. That means new users will receive a welcome email. You may switch options at any time.
Note: This option works only if provisioning is enabled.
Click Next to take you back to the Provisioning tab.
Configure your Provisioning settings for Dropbox Business as follows:
Check the Enable provisioning features box.
API Authentication:
Click the Authenticate with Dropbox Business button:
You will be redirected to a Dropbox Business page, which prompts you to enter your credentials:
You are then redirected back to Okta to continue application configuration.
Scroll down and select the Provisioning Features you want to enable.
If you enable the Deactivate Users provisioning feature, you will see additional Dropbox Business off-boarding features. This off-boarding functionality gives you granular control over user off-boarding and allows you to manage a user's files from Okta.
Note: By default, Okta removes users from Dropbox Business, wipes their data from linked devices, and does not transfer the user's files.
Under Dropbox user deactivation type, you can select whether you want to suspend or remove users upon deactivation in Okta. It is highly recommended that you suspend users.
Check Wipe data from linked devices, if you want to remove files from a user's Dropbox Business linked devices upon deactivation.
If you chose to remove users from Dropbox Business upon deactivation, a File management upon user deletion option appears.
Select Manage file transfer directly in Dropbox Business if you do not want Okta to perform any action on the user's files and prefer to manage files directly in Dropbox Business.
Select Transfer files to destination team member account if you want to manage file transfer from Okta.
This process cannot be undone, so it is not generally recommended. The transfer can only happen once.
If you select this option, you also have to provide the following:
Destination team member account to transfer files to.
Admin notification account: A person to notify about transfer errors. This must be a team admin.
Note: Both fields are mandatory and must be active team members.
Click Next.
You can now assign people to the app (if needed) and finish the application setup.
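The Silent Provisioning prerequisites and off-boarding constraints described above, collected into a check you can run over a planned configuration before applying it. This is an added example, not Okta's or Dropbox's code; the setting keys, values and sample accounts are hypothetical and constructed for illustration.

```python
# Added example; every key and value name below is hypothetical.
DEFAULTS = {  # the defaults this guide describes: remove, wipe, no transfer
    "provisioning_enabled": True, "silent_provisioning": False,
    "deactivation_type": "remove", "wipe_linked_devices": True,
    "file_management": "manage_in_dropbox",
}

def review(cfg, team):
    """Return (severity, message) findings for a settings dict.

    team maps e-mail -> {"active": bool, "admin": bool} (constructed data).
    """
    cfg = {**DEFAULTS, **cfg}
    out = []
    if cfg["silent_provisioning"]:
        if not cfg["provisioning_enabled"]:
            out.append(("error", "Silent Provisioning needs provisioning enabled"))
        if cfg.get("sign_on_mode") != "SAML" or not cfg.get("sso_required"):
            out.append(("error", "Silent Provisioning needs SAML SSO set to required"))
        if not cfg.get("domain_claimed"):
            out.append(("error", "corporate domain is not claimed in Dropbox Business"))
    if not cfg["wipe_linked_devices"]:
        out.append(("warn", "files stay on the user's linked devices after deactivation"))
    if cfg["deactivation_type"] == "suspend":
        return out  # data is kept; the file-transfer options do not apply
    out.append(("warn", "deactivation removes the account and all its data; suspend is recommended"))
    if cfg["file_management"] != "transfer_to_member":
        return out
    out.append(("warn", "file transfer cannot be undone and happens only once"))
    for key, need_admin in (("transfer_destination", False), ("admin_notification", True)):
        member = team.get(cfg.get(key))
        if member is None or not member["active"]:
            out.append(("error", f"{key} must be an active team member"))
        elif need_admin and not member["admin"]:
            out.append(("error", f"{key} must be a team admin"))
    return out

# Constructed sample team and configurations.
TEAM = {
    "archive@example.com": {"active": True, "admin": False},
    "it-admin@example.com": {"active": True, "admin": True},
    "former@example.com": {"active": False, "admin": False},
}
SUSPEND = {"deactivation_type": "suspend"}
RISKY = {"file_management": "transfer_to_member",
         "transfer_destination": "former@example.com",
         "admin_notification": "archive@example.com"}

if __name__ == "__main__":
    for name, cfg in (("defaults", {}), ("suspend", SUSPEND), ("risky", RISKY)):
        print(name, review(cfg, TEAM))
```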
The Dropbox Business App supports Invited User Administration. This means that invited users (including those who have not accepted invitations) can be updated and added to groups via Okta. This functionality was not supported in the old Dropbox Business application.
What are the feature differences between the old Dropbox application and the new Dropbox Business application?
Feature | Dropbox | Dropbox Business |
---|---|---|
Import New Users | X | X |
Push Groups | X | |
Import Profile Updates | X | X |
Push New Users | X | X |
Push Profile Updates | X | X |
Push User Deactivation | X | X |
Reactivate Users | X | |
Off-boarding (file transfer upon user deactivation) | X | |
Silent Provisioning | X |
What attributes are supported by the old Dropbox application vs. those supported by the Dropbox Business application?
Attribute | Dropbox | Dropbox Business |
---|---|---|
username | X | X |
firstName | X | X |
lastName | X | X |
X | X | |
permissions | X |
Here's a quick glance at the additional features offered in the Dropbox Business integration:
Push Groups: Groups and their members can be pushed to remote systems. For more about using group push operations, see Using Group Push.
Silent provisioning: The Dropbox Business integration gives you the added ability to silently provision users to Dropbox Business. When this feature is selected, it prevents Dropbox Business from sending welcome emails to new users provisioned via Okta. This feature requires SAML SSO mode and provisioning to be enabled.
Off-boarding: Keep your corporate content secure when users leave your organization with new offboarding workflows. This functionality gives you granular control over off-boarding actions when a user is deactivated, suspended, or unassigned the application in Okta:
You can control whether to suspend or remove a user in Dropbox Business when a user is deactivated or unassigned the application in Okta.
Wipe user access on linked devices to prevent data leaks upon user deactivation.
Manage file transfer to a system account or another team member account from Okta upon deactivation.
Permissions: Dropbox Business integration supports the permissions attribute. You can select from the following options:
If you are migrating from the old Dropbox application to the Dropbox Business Application in Okta, follow the recommended migration steps below:
Disable provisioning for the old Dropbox app (at a minimum, turn off user deactivation under the Provisioning tab).
Configure the new Dropbox Business app instance and enable provisioning for the same Dropbox org.
Select Advanced: Configure Import Matching Rules, then in the EXACT IMPORT MATCH section, select Auto-confirm match.
Go to your new Dropbox Business app and perform an import of new users. All existing users will be auto-confirmed.
If Silent Provisioning is enabled, new users can go to https://www.dropbox.com/sso, or can click on the Dropbox Business application in Okta to get their accounts activated.
Users without a First Name and/or Last Name in their Dropbox Business profiles cannot be imported to Okta as new users.