Okta SAML
This document details configuring Okta SAML for authentication with Dropzone. This is more advanced than using federated buttons such as "Log in with Google" and "Log in with Microsoft" but offers more customization, especially useful for customers with more than one Dropzone environment.
Enabling SAML with Okta involves the following steps:
Adding Dropzone Role Attribute to User Profile
Assigning Dropzone Role Attributes to users
Creating the SAML application in Okta
Assigning Users to the Dropzone Application
Providing your SAML IDP details to your Dropzone support representative
Updating your SAML application with details from your Dropzone support representative
Create the Dropzone Role on User Profile
Dropzone needs to know which role a user should receive when logging into your tenant. There are multiple ways you can configure this, but the most common is to add a field to the user profile or to the Okta application profile.
Here we show you how to add the field to the user Okta profile.
Go to Directory > Profile Editor
Select the "User (default)" profile
Click the "Add Attribute" button
Set the values as follows:
Data type: string
Display name: dropzone_role
Variable name: dropzone_role
Description: Dropzone AI Access Level
Select the Enum "Define enumerated list of values" checkbox
In the "Attribute Members" section, create the following new values (the display name and the value are identical for each entry):
Display name: admin, Value: admin
Display name: member, Value: member
Display name: restricted-read-only, Value: restricted-read-only

Click Save
Assign Dropzone Role Attributes to Users
Next, set the dropzone_role profile value for users who will have access to the Dropzone AI platform.
Go to Directory > People
Select a person
Select "Profile"
Click Edit

Scroll to the bottom of the screen, find dropzone_role, and select the access level for this user

Click Save
Repeat for all users who should have Dropzone access
Create the Okta Application
Go to Applications > Applications
Click Create App Integration
Select SAML 2.0
In General Settings, set
App name: Dropzone AI
App Logo: provide one of your own, or use one of these Dropzone icons:
Click "Do not display application icon to users"
Be sure you do not enable an Okta tile (application icon) for this Application. Dropzone AI does not support IDP-initiated login flows, so the tile will not function properly.
However, you can create an Okta "Bookmark Application" that enables single-click logins to your Dropzone tenant; see Direct Login Links for details.
Click Next
Enter values in the "SAML Settings" section of the "Create SAML Integration" page
Single sign-on URL:
If you have received a "Dropzone SAML ACS URL" from Dropzone, paste it here
If not, it is likely https://login.dropzone.ai/samlv2/acs
Audience URI:
If you have received a "Dropzone SAML Entity ID" from Dropzone, paste it here
If not, put a placeholder of https://login.dropzone.ai/samlv2/sp/00000000-0000-0000-0000-000000000000
Default RelayState: leave blank
Name ID format: EmailAddress
Application Username: Email
If you wish to use a different field, such as Okta Username, or if you have a custom value for this, select it instead
Leave all values in "advanced" as-is

Enter values in the "Attribute Statements" section of the "Create SAML Integration" page
You must create attributes for first_name, last_name, and dropzone_role
If you've applied the role to the user's profile, then the Name / Value pairs will be as follows:
first_name: user.firstName
last_name: user.lastName
full_name: user.fullName
dropzone_role: user.dropzone_role

Click Next
On the next page, click "This is an internal app we have created"
Click Finish
Assign Users to the Dropzone Application
Configure which users are allowed to log into Dropzone.
Go to the newly created application in Okta
Click on the "Assignments" tab at the top
Click "Assign" and then the "Assign to People" or "Assign to Groups" button as appropriate
Repeat until you've added all the people/groups who should have access
Gather Application Data for Dropzone
Dropzone needs two pieces of information from your Okta environment to enable the SAML trust.
Go to the newly created application in Okta
Click on the "Sign On" tab at the top
Click on the "View SAML setup instructions" on the right
Find the following two pieces of information:
Identity provider Single Sign-On URL
This is a url, typically on an .okta.com domain
X.509 Certificate
This is a multi-line string, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----

Provide these to your Dropzone support representative. (Typically this is done via the Dropzone SAML Request form.)
Update Your SAML Application
Dropzone will enable SAML and provide you two values to add to the "SAML Settings" in the "General" tab of your SAML app:
ACS URL - paste this into "Single Sign-On URL" field
Entity ID - paste this into the "Audience URI (SP Entity ID)" field
Update these values in your Okta Application and save.
Advanced Okta
Okta has powerful configuration capabilities, including Okta Expression Language, which can be used to simplify your Dropzone role provisioning as an alternative to manually setting the role on each user's profile directly.
This section is here as a reference, not a requirement. Use whatever method you're most comfortable with that balances your administration duties and meets your security standards.
Advanced Okta - Dropzone Role via Group Membership
Some customers use Okta Groups coupled with Okta Expression Language to populate the dropzone_role attribute automatically. As an example, say you had the following groups:
access-dropzone-admin
access-dropzone-member
access-dropzone-read-only
You could use the following expression as the value of the dropzone_role attribute (the first matching group wins):
user.isMemberOfGroupName("access-dropzone-admin") ? "admin" :
user.isMemberOfGroupName("access-dropzone-member") ? "member" :
user.isMemberOfGroupName("access-dropzone-read-only") ? "restricted-read-only" :
null
The values on the right side above (admin, member, restricted-read-only) must exactly match the values Dropzone expects; however, the group names can be anything that matches your internal naming standards.
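The following Python script is an added example, not Dropzone or Okta code. It mirrors two parts of this guide: the group-to-role mapping above (same precedence as the expression, so a user in several groups gets the first matching role, and a user in none gets no role) and the attribute contract from the "Attribute Statements" step (first_name, last_name and dropzone_role present, dropzone_role limited to the enum values, NameID format emailAddress). It builds a constructed, unsigned, minimal SAML assertion purely to exercise the checker; it assumes that a null expression result leaves the dropzone_role attribute out of the assertion, and all user data in it is made up. A defender can run the checker over a decoded assertion captured from a browser's SAML tracer to confirm the integration emits what Dropzone expects before involving support.

```python
"""Model the Dropzone SAML attribute contract and the group-to-role mapping.

Added example, not Dropzone or Okta code. Assumptions are marked in comments.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional
from xml.sax.saxutils import escape

# Standard OASIS SAML 2.0 namespace and the NameID format chosen in this guide.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Enum values defined on the Okta user profile in this guide.
ALLOWED_ROLES = {"admin", "member", "restricted-read-only"}
# Attribute statements the guide says must be created.
REQUIRED_ATTRIBUTES = ("first_name", "last_name", "dropzone_role")

# Same order as the Okta Expression Language chain above: first match wins.
GROUP_ROLE_ORDER = [
    ("access-dropzone-admin", "admin"),
    ("access-dropzone-member", "member"),
    ("access-dropzone-read-only", "restricted-read-only"),
]


def role_for_groups(groups: Iterable[str]) -> Optional[str]:
    """Mirror `user.isMemberOfGroupName(...) ? ... : null`; None means no role."""
    member_of = set(groups)
    for group, role in GROUP_ROLE_ORDER:
        if group in member_of:
            return role
    return None


def attribute_statements(first_name: str, last_name: str, groups: Iterable[str]) -> Dict[str, str]:
    """Attribute values an IdP would emit for this user.

    Assumption (not confirmed by the guide): a null mapping result leaves the
    dropzone_role attribute out of the assertion rather than sending an empty value.
    """
    attrs = {"first_name": first_name, "last_name": last_name}
    role = role_for_groups(groups)
    if role is not None:
        attrs["dropzone_role"] = role
    return attrs


def validate_assertion(assertion_xml: str) -> List[str]:
    """Return findings against the contract; an empty list means the assertion passes."""
    findings: List[str] = []
    root = ET.fromstring(assertion_xml)

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("missing NameID")
    elif name_id.get("Format") != NAMEID_EMAIL:
        findings.append(f"NameID format is {name_id.get('Format')!r}, expected emailAddress")

    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs or not any(v.strip() for v in attrs[name]):
            findings.append(f"missing or empty attribute {name}")

    for value in attrs.get("dropzone_role", []):
        if value and value not in ALLOWED_ROLES:
            findings.append(f"dropzone_role {value!r} is not one of {sorted(ALLOWED_ROLES)}")
    return findings


def build_assertion(email: str, attrs: Dict[str, str], name_id_format: str = NAMEID_EMAIL) -> str:
    """Constructed, unsigned, minimal assertion used only to exercise validate_assertion."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(n)}"><saml:AttributeValue>{escape(v)}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{escape(email)}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    # Constructed sample users; names, e-mail addresses and group names are made up.
    ok = build_assertion("ada@example.test", attribute_statements("Ada", "Lovelace", ["access-dropzone-member"]))
    print(validate_assertion(ok))
    no_group = build_assertion("bob@example.test", attribute_statements("Bob", "Example", ["engineering"]))
    print(validate_assertion(no_group))
```

The no-group case is the one worth testing in your own tenant: with the expression above, a user assigned to the application but missing from every mapped group ends up with no dropzone_role, and the checker reports exactly that rather than a generic login failure.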
Getting Help
If you have any errors or questions, engage your Dropzone AI support representative.