SAML SSO for DropBox team based account

Dropbox allows team admins to configure SAML SSO without verifying domain ownership. Most other SaaS providers, like G Suite, Office 365, etc., require admins to verify ownership of their business domain (e.g. before they're allowed to configure SAML SSO. I can think of an attack scenario with Dropbox's current model:


  1. A non-IT admin creates a Dropbox team using her corporate email
  2. invites and to join her Dropbox team
  3. and accept the invite and become members of Dropbox team
  4., who is the team admin of Dropbox team, sets up SSO for their Dropbox team but configures it to connect to their own Identity Provider instead of’s Identity Provider. doesn’t have permissions to update settings at’s Identity Provider because isn’t an IT admin of but they have complete control over their personal Identity Provider they configured SSO with.
  5. creates dummy users and in their personal Identity Provider using passwords known to
  6. logs into Dropbox account of or using SSO password which is already known to her and can access personal content of or

Basically, a Dropbox team admin is able to invite other users from their company to their Dropbox team and log into their accounts by configuring SSO with their personal Identity Provider instead of the corporate Identity Provider.


Is this not a security / privacy issue with allowing SAML SSO to be configured without domain verification? If not, then why do some SaaS providers require domain verification to be performed before configuring SSO, while some (like Dropbox) don't? Or am I missing something?


Thanks in advance for your help! 
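The trust decision behind the scenario above can be shown in a few lines. The following is an added example written for this page, not code from the original post and not Dropbox's implementation: it models a service provider (SP) that accepts any assertion signed by whichever IdP the team admin registered, and shows how a domain-verification gate (a DNS TXT record, as the providers the post mentions require) changes the outcome. Real SAML is signed XML; here an assertion is a signed (issuer, subject) pair. The IdP entity IDs, the `example.com` team domain, the `TXTVerifier` helper and the verification token are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Assertion is a simplified stand-in for a SAML assertion: which IdP issued
// it and who that IdP says the user is (the NameID, here an e-mail address).
type Assertion struct {
	Issuer  string
	Subject string
	Sig     []byte
}

func (a Assertion) digest() []byte {
	h := sha256.Sum256([]byte(a.Issuer + "\x00" + a.Subject))
	return h[:]
}

// IdP holds a signing key. Whoever holds this key can assert any Subject,
// which is the whole point of the attack in the post.
type IdP struct {
	EntityID string
	Key      *rsa.PrivateKey
}

func NewIdP(id string) *IdP {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &IdP{EntityID: id, Key: k}
}

func (p *IdP) Issue(subject string) Assertion {
	a := Assertion{Issuer: p.EntityID, Subject: subject}
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, a.digest())
	if err != nil {
		panic(err)
	}
	a.Sig = sig
	return a
}

// Team is the SP-side record: the domain its members use and the IdP key
// the team admin configured for SSO.
type Team struct {
	Domain    string
	IdPID     string
	IdPPubKey *rsa.PublicKey
}

// DomainVerifier reports whether the admin has proven control of a domain.
type DomainVerifier func(domain string) bool

// TXTVerifier simulates the DNS TXT check: records is a constructed stand-in
// for the DNS zone, token is the value the provider asked the admin to publish.
func TXTVerifier(records map[string]string, token string) DomainVerifier {
	return func(domain string) bool { return records[domain] == token }
}

// ConfigureSSO registers an IdP for the team. With verify == nil (the model
// the post describes) any team admin can point the team at any IdP.
func ConfigureSSO(t *Team, p *IdP, verify DomainVerifier) error {
	if verify != nil && !verify(t.Domain) {
		return fmt.Errorf("domain %s not verified; refusing SSO configuration", t.Domain)
	}
	t.IdPID = p.EntityID
	t.IdPPubKey = &p.Key.PublicKey
	return nil
}

// Login is the SP's assertion consumer: it accepts any assertion signed by the
// configured IdP whose subject is in the team's domain.
func Login(t *Team, a Assertion) (string, error) {
	if t.IdPPubKey == nil {
		return "", errors.New("SSO not configured")
	}
	if a.Issuer != t.IdPID {
		return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if err := rsa.VerifyPKCS1v15(t.IdPPubKey, crypto.SHA256, a.digest(), a.Sig); err != nil {
		return "", errors.New("bad signature")
	}
	if !strings.HasSuffix(a.Subject, "@"+t.Domain) {
		return "", fmt.Errorf("subject %q outside team domain", a.Subject)
	}
	return a.Subject, nil
}

func main() {
	attacker := NewIdP("https://idp.attacker.invalid") // assumed, admin-controlled IdP
	team := &Team{Domain: "example.com"}                // assumed corporate domain
	_ = ConfigureSSO(team, attacker, nil)               // no domain check
	who, err := Login(team, attacker.Issue("bob@example.com"))
	fmt.Println("no verification:", who, err) // bob@example.com <nil>
	gate := TXTVerifier(map[string]string{}, "sp-verify=assumed-token")
	fmt.Println("with verification:", ConfigureSSO(&Team{Domain: "example.com"}, attacker, gate))
}
```

The signature check and the issuer check both pass for the attacker's assertion, because the SP's only root of trust is the key the admin registered. Domain verification does not strengthen the assertion check; it stops the registration step, since an admin who cannot publish a record under `example.com` never gets to register an IdP for a team whose members use that domain.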

2 Replies

Re: SAML SSO for DropBox team based account


Hi @testuser12345, thanks for posting today!


As this is a detailed set of steps to follow, I'm going to look into this matter further with my colleagues and get back to you on this matter.


Thanks for your patience!

Community Moderator @ Dropbox


Re: SAML SSO for DropBox team based account

Hi there,
With regards to the scenario outlined, Alice is already a Dropbox team admin. She'd be able to access the content for the work users Jane and Bob already. The use of SAML here doesn't provide any new avenue for attack.
You can review the "Dropbox Business Teams" heading at https:// Specifically:
Your team admin can manage team members' work Dropbox accounts. Your team admin can access your account using the "sign in as user" feature.
Hope this helps!