Team Admin

Dropzone provides multiple login options to meet your security policy needs.

Method

MFA

User Management

Username/Password

Yes, via TOTP, e.g. Google Authenticator

Invite and manage users via the Dropzone UI

Enforced at Google per your policies

Invite and manage users via the Dropzone UI

Enforce at Microsoft per your polices

Invite and manage users via the Dropzone UI

Custom SAML provider

Enforce at your SAML provider per your polices

Manage users and roles via your Identity Provider (IDP)

Each of the options above may be enabled or disabled independently. For example you could decide to support only Google logins and not username/password.

Note that the "Sign in with Microsoft" option works with Microsoft 365 / Entra ID organizations. If you use on-prem Active Directory then you will need to use a custom SAML provider.

Dropzone AI users are assigned a role that determines what access they have to the Dropzone environment.

The following table describes the roles and permissions available to Dropzone AI users:

Role Name

Permissions

Admin

Full write access; create and update integration configuration; create response automation; manage users; create and update custom strategies

Member

Minimal write access; create context memory, add investigation feedback; ask questions of the AI

Restricted Read Only

Read-only access; view investigations and dashboards; view custom strategies; no ad-hoc chat

Role Source

Dropzone AI users get their role from one of two places

If logging in via a SAML/SSO provider, Dropzone uses the role provided by your IDP (Identity Provider)
If logging in via username/password, federated Google, or Microsoft buttons Dropzone uses the role set in the Team Admin

Most Dropzone customers who enable SAML/SSO will disable federated Google/Microsoft login and username/password authentication. This is the preferred configuration as it lets your IDP (Identity Provider) stay in charge of what access an individual has.

Role changes via the "Team Admin" are overridden by SAML settings when a user logs in.

Managing Users via Team Admin

The following details how to manage users via the Team Admin interface.

If you are using SAML/SSO, then see the instructions for setting up your specific SAML system, e.g. Google Workspace or Okta. When using SAML/SSO you do not need to do any local Team Admin.

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
Click your person icon on the far right and select Team Admin

From the Team Admin page you see the users who have accounts on into this Dropzone environment

If you use SAML/SSO then this list may be incomplete - it will only show the users you've explicitly invited via Team Admin and those who have logged into Dropzone via SAML. It could be there are more users that your IDP will allow who have not logged in yet, and they will not appear here.

Adding a user

To add a user

From the Team Admin page, click the "Add User" button
Input the name and email address of the user you want to invite
Select the role from the dropdown
Click "Save" to invite the user

Once you've invited a user via the Team Admin page the user may log in.

Which authentication methods you've allowed determines how the user logs in:

If you allow password authentication then the user will receive an email with a one-time link to accept the invite and set up a password
If you no not allow password authentication then they will need to log in with a federated Google or Microsoft button

Activating / Deactivating users

Users appear here in one of two possible states

Active
- Are able to log in
- Click Deactivate to deactivate them and prevent login
Deactivated
- Are not able to log in
- Click Reactivate to allow them to log in again

Deleting users

Dropzone does not allow you to delete a user currently. Instead you may Deactivate it.

Keeping the user in the system allows previous actions by the user to still be properly accounted for in audit logs, etc.

Managing Users With SAML/SSO

Dropzone AI supports most SAML Identity Providers (IDPs). When using SAML your Identity Provider enforces both "authn" and "authz". An individual clicks a SAML login button, is authenticated against your IDP, and then your IDP sends them back to Dropzone along with cryptographically-signed information indicating who they are and what role they should have.

When using SAML, we suggest not simultaneously allowing logins via username/password or the Google/Microsoft federation buttons to assure user management and role management is consistent.

SAML Attributes

Your SAML provider must provide the following attributes:

Attribute

Purpose

Possible Values

Example

first_name

First Name

any string

Wendell

last_name

Last Name

any string

Bagg

dropzone_role

Dropzone Role for access control

admin, member, or restricted-read-only

admin

Your IDP must send the user's email address as the "Name ID" field, in EMAIL format.

SAML Configuration

All SAML connections require that the IDP (your SAML provider) and the SP (the Dropzone environment) exchange some values to establish security.

Provided by

Value

Example

Also known as

Dropzone

ACS URL

https://login.dropzone.ai/samlv2/acs

Dropzone

Entity ID

https://login.dropzone.ai/samlv2/sp/11111111-1111-1111-1111-111111111111

Customer IDP

SSO URL

https://accounts.google.com/o/saml2/idp?idpid=C04ultrav

SAML Endpoint, Login URL

Customer IDP

Certificate in PEM form

-----BEGIN CERTIFICATE----- MIIDdDCCAlygAwIBAgIGAYYlaUolMA0G...

IDP Certificate, X.509 Certificate, Signing Certificate

These can be exchanged via your support representative.

Getting Help

If you have any questions about which login options are right for you, engage your Dropzone AI support representative.

PreviousDropzone Administraton NextGoogle Workspace SAML

Last updated 3 days ago

Was this helpful?

Login Options