SAML SSO for DropBox team based account

New member | Level 2

Hello,


Dropbox allows team admins to configure SAML SSO without verifying domain ownership. Most other SaaS providers like G Suite, Office 365 etc. require admins to verify ownership of their business domain (e.g. mycompany.com) before they're allowed to configure SAML SSO. I can think of an attack scenario with Dropbox's current model:


  1. A non-IT admin creates a Dropbox team using her corporate email alice@mycompany.com
  2. alice@mycompany.com invites jane@mycompany.com and bob@mycompany.com to join her Dropbox team
  3. jane@mycompany.com and bob@mycompany.com accept the invite and become members of the Dropbox team
  4. alice@mycompany.com, who is the team admin of the Dropbox team, sets up SSO for their Dropbox team but configures it to connect to their own Identity Provider instead of mycompany.com's Identity Provider. alice@mycompany.com doesn't have permissions to update settings at mycompany.com's Identity Provider because alice@mycompany.com isn't an IT admin of mycompany.com, but they have complete control over the personal Identity Provider they configured SSO with.
  5. alice@mycompany.com creates dummy users jane@mycompany.com and bob@mycompany.com in their personal Identity Provider using passwords known to alice@mycompany.com.
  6. alice@mycompany.com logs into the Dropbox account of jane@mycompany.com or bob@mycompany.com using the SSO password which is already known to her and can access personal content of jane@mycompany.com or bob@mycompany.com

Basically, a Dropbox team admin is able to invite other users from their company to their Dropbox team and log into their accounts by configuring SSO with their personal Identity Provider instead of the corporate Identity Provider.


Is this not a security / privacy issue with allowing SAML SSO to be configured without domain verification? If not, then why do some SaaS providers require domain verification to be performed before configuring SSO while some (like Dropbox) don't? Or am I missing something?


Thanks in advance for your help! 

2 Replies

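As an added illustration (not code from the original post or from Dropbox), the following Python models the SaaS-side control the poster contrasts Dropbox with: SSO can only be switched on for a team once ownership of every member's email domain has been proven, so an admin who does not control the corporate DNS zone cannot route corporate addresses through an Identity Provider of their own. `Team`, `DNS_TXT`, the token strings and the IdP entity IDs are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Team:
    admin: str
    members: set = field(default_factory=set)
    verified_domains: set = field(default_factory=set)
    idp_entity_id: str | None = None   # set only once SSO has been enabled

def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()

# Constructed stand-in for a DNS TXT ownership check: maps a domain to the
# verification tokens published in its zone by whoever controls that DNS.
DNS_TXT = {"mycompany.com": {"saas-verify=tok-from-it-admin"}}

def verify_domain(team: Team, domain: str, token: str) -> bool:
    """Mark a domain as owned by the team only if the token is in its DNS."""
    if token in DNS_TXT.get(domain.lower(), set()):
        team.verified_domains.add(domain.lower())
        return True
    return False

def enable_sso(team: Team, idp_entity_id: str) -> bool:
    """Refuse to enable SSO while any member's domain is unverified."""
    everyone = team.members | {team.admin}
    unverified = {domain_of(m) for m in everyone} - team.verified_domains
    if unverified:
        return False            # caller must verify those domains first
    team.idp_entity_id = idp_entity_id
    return True

def sso_login(team: Team, asserted_email: str, issuer: str) -> bool:
    """Accept an assertion only from the configured IdP, for a verified member."""
    return (team.idp_entity_id is not None
            and issuer == team.idp_entity_id
            and asserted_email in team.members | {team.admin}
            and domain_of(asserted_email) in team.verified_domains)
```

With this gate in place, the scenario's step 4 fails at `enable_sso` until someone who controls mycompany.com's DNS publishes the verification token.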
Re: SAML SSO for DropBox team based account

Dropboxer

Hi @testuser12345, thanks for posting today!


As this is a detailed set of steps to follow, I'm going to look into this matter further with my colleagues and get back to you on this matter.


Thanks for your patience!


Jay
Community Moderator @ Dropbox
https://dropbox.com/support


Re: SAML SSO for DropBox team based account

Dropboxer
Hi there,
With regards to the scenario outlined, Alice is already a Dropbox team admin. She'd be able to access the content for the work users Jane and Bob already. The use of SAML here doesn't provide any new avenue for attack.
You can review the "Dropbox Business Teams" heading at https://help.dropbox.com/teams-admins/team-member/admin-control. Specifically:
Your team admin can manage team members' work Dropbox accounts. Your team admin can access your account using the "sign in as user" feature.
Hope this helps!