Team Admin
Dropzone provides multiple login options to meet your security policy needs.
| Login option | Multi-factor authentication (MFA) | User management |
| --- | --- | --- |
| Username/Password | Yes, via TOTP, e.g. Google Authenticator | Invite and manage users via the Dropzone UI |
| Sign in with Google | Enforced at Google per your policies | Invite and manage users via the Dropzone UI |
| Sign in with Microsoft | Enforce at Microsoft per your policies | Invite and manage users via the Dropzone UI |
| Custom SAML provider | Enforce at your SAML provider per your policies | Manage users and roles via your Identity Provider (IDP) |
Each of the options above may be enabled or disabled independently. For example, you could decide to support only Google logins and not username/password.
Note that the "Sign in with Microsoft" option works with Microsoft 365 / Entra ID organizations. If you use on-prem Active Directory then you will need to use a custom SAML provider.
Dropzone AI users are assigned a role that determines what access they have to the Dropzone environment.
The following table describes the roles and permissions available to Dropzone AI users:
| Role | Permissions |
| --- | --- |
| Admin | Full write access; create and update integration configuration; create response automation; manage users |
| Member | Minimal write access; create context memory, add investigation feedback; ask questions of the AI |
| Restricted Read Only | Read-only access; view investigations and dashboards; no ad-hoc chat |
Dropzone AI users get their role from one of two places:
If logging in via a SAML/SSO provider, Dropzone uses the role provided by your IDP (Identity Provider).
If logging in via username/password or the federated Google or Microsoft buttons, Dropzone uses the role set in the Team Admin.
Most Dropzone customers who enable SAML/SSO will disable federated Google/Microsoft login and username/password authentication. This is the preferred configuration as it lets your IDP (Identity Provider) stay in charge of what access an individual has.
Role changes via the "Team Admin" are overridden by SAML settings when a user logs in.
The following details how to manage users via the Team Admin interface.
If you are using SAML/SSO, then see the instructions for setting up your specific SAML system, e.g. Google Workspace or Okta. When using SAML/SSO you do not need to do any local Team Admin.
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click your person icon on the far right and select Team Admin
From the Team Admin page you see the users who have accounts in this Dropzone environment
If you use SAML/SSO then this list may be incomplete - it will only show the users you've explicitly invited via Team Admin and those who have logged into Dropzone via SAML. It could be there are more users that your IDP will allow who have not logged in yet, and they will not appear here.
To add a user
From the Team Admin page, click the "Add User" button
Input the name and email address of the user you want to invite
Select the role from the dropdown
Click "Save" to invite the user
Once you've invited a user via the Team Admin page the user may log in.
Which authentication methods you've allowed determines how the user logs in:
If you allow password authentication then the user will receive an email with a one-time link to accept the invite and set up a password
If you do not allow password authentication then they will need to log in with a federated Google or Microsoft button
Users appear here in one of two possible states:
Active: Are able to log in. Click Deactivate to deactivate them and prevent login.
Deactivated: Are not able to log in. Click Reactivate to allow them to log in again.
Dropzone does not currently allow you to delete a user. Instead, you may deactivate the user.
Keeping the user in the system allows previous actions by the user to still be properly accounted for in audit logs, etc.
Dropzone AI supports most SAML Identity Providers (IDPs). When using SAML your Identity Provider enforces both "authn" and "authz". An individual clicks a SAML login button, is authenticated against your IDP, and then your IDP sends them back to Dropzone along with cryptographically-signed information indicating who they are and what role they should have.
When using SAML, we suggest not simultaneously allowing logins via username/password or the Google/Microsoft federation buttons, to ensure that user management and role management are consistent.
Your SAML provider must provide the following attributes:
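| Attribute | Description | Value | Example |
| --- | --- | --- | --- |
| first_name | First Name | any string | Wendell |
| last_name | Last Name | any string | Bagg |
| dropzone_role | Dropzone Role for access control | admin, member, or restricted-read-only | admin |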
Your IDP must send the user's email address as the "Name ID" field, in EMAIL format.
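To check an IDP's attribute mapping before rollout, the following added example (not Dropzone's code) parses a decoded SAML assertion and reports where it deviates from the requirements above. The function names, the constructed sample assertion, single-valued attributes, exact case-sensitive role matching, and reading "EMAIL format" as the standard emailAddress NameID format are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the page's "EMAIL format" means the standard emailAddress NameID format.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("first_name", "last_name", "dropzone_role")  # attribute names from the page
# Role values from the page; exact, case-sensitive matching is this example's assumption.
ALLOWED_ROLES = {"admin", "member", "restricted-read-only"}


def sample_assertion(role, name_format=EMAIL_FORMAT):
    """Build a constructed, unsigned assertion for testing (not real IDP output)."""
    fields = (("first_name", "Wendell"), ("last_name", "Bagg"), ("dropzone_role", role))
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in fields)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{name_format}">wendell@example.com</saml:NameID>'
            f'</saml:Subject><saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
            f'</saml:Assertion>')


def check_assertion(xml_text):
    """Return a list of problems (content only; the signature is not verified)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    for name in REQUIRED:
        values = attrs.get(name, [])
        # Assumption: each attribute is single-valued; several roles would be ambiguous.
        if len(values) != 1 or not values[0]:
            problems.append(f"{name}: expected one non-empty value, got {values}")
        elif name == "dropzone_role" and values[0] not in ALLOWED_ROLES:
            problems.append(f"dropzone_role: {values[0]!r} is not an allowed role")
    return problems


if __name__ == "__main__":
    print(check_assertion(sample_assertion("Admin")))
```

Run it against an assertion captured from a test login to catch mapping mistakes such as a capitalized role or an unspecified NameID format before users are affected.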
All SAML connections require that the IDP (your SAML provider) and the SP (the Dropzone environment) exchange some values to establish security.
| Provided by | Value | Example | Also known as |
| --- | --- | --- | --- |
| Dropzone | ACS URL | https://login.dropzone.ai/samlv2/acs | |
| Dropzone | Entity ID | https://login.dropzone.ai/samlv2/sp/11111111-1111-1111-1111-111111111111 | |
| Customer IDP | SSO URL | https://accounts.google.com/o/saml2/idp?idpid=C04ultrav | SAML Endpoint, Login URL |
| Customer IDP | Certificate in PEM form | -----BEGIN CERTIFICATE----- MIIDdDCCAlygAwIBAgIGAYYlaUolMA0G... | IDP Certificate, X.509 Certificate, Signing Certificate |
These can be exchanged via your support representative.
If you have any questions about which login options are right for you, engage your Dropzone AI support representative.