Managing Users with SAML/SSO

Dropzone AI supports most SAML Identity Providers (IDPs). When using SAML, your Identity Provider enforces both authentication ("authn") and authorization ("authz"). An individual clicks a SAML login button, is authenticated against your IDP, and your IDP then sends them back to Dropzone along with cryptographically signed information stating who they are and what role they should have.

When using SAML, we suggest not simultaneously allowing logins via username/password or the Google/Microsoft federation buttons, to ensure that user management and role management stay consistent.

SAML Attributes

Your SAML provider must provide the following attributes:

Example SAML Settings

Your IDP must send the user's email address as the "Name ID" field, in EMAIL format.

SAML Configuration

All SAML connections require that the IDP (your SAML provider) and the SP (the Dropzone environment) exchange some values to establish security.

Example SAML Config

These can be exchanged via your support representative.

SAML troubleshooting

Debugging SAML logins is tricky because so much of what happens is inside large XML-encoded blobs carried in HTTP. We suggest using the SAML Chrome Panel extension to help debug.

  • Install the Chrome extension

  • Open the Chrome developer tools panel

  • Go to your tenant, e.g. https://mycompany.dropzone.app/

  • The "SAML" panel should appear in the developer tools - click it

  • Click your SSO login button

  • Look in the SAML panel to see what data your IDP is sending to Dropzone:
    • It must have your email address in the saml2:Subject section
    • It must include all the attributes listed in the table above (first_name, dropzone_role, etc.)

Here we have a user Wendell Bagg with email address [email protected] logging in. He will receive the admin role on Dropzone AI. (You may need to click the images to see more details.)

SAML Chrome Panel showing the subject being sent to Dropzone

You may find when working on SAML that it is easiest to start testing with hard-coded attributes on a single user's profile before moving to group-based rules that select the attributes.

SAML Chrome Panel showing the Attributes being sent to Dropzone

SAML settings always override any locally applied settings in Team Admin. This means that if your IDP is not correctly sending dropzone_admin, then when a user logs in with SSO their role is removed, which is equivalent to being denied access.

We suggest testing SSO with just one user and getting it working before rolling it out to others.
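The checks described above (email in saml2:Subject, required attributes present, the consequence of a missing role attribute) can be run over the decoded SAML Response XML copied out of the SAML Chrome Panel. This is an added example, not Dropzone AI's own code; the attribute names first_name and dropzone_role come from this page, and the sample response below is constructed.

```python
# Added example (not Dropzone AI's code): structural pre-flight check of a decoded
# SAML Response. It does NOT verify the XML signature; the SP does that on login.
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("first_name", "dropzone_role")  # from this page; extend as needed

def check_saml_response(xml_text):
    """Return a list of problems found; an empty list means the response looks right."""
    problems = []
    assertion = ET.fromstring(xml_text).find(".//saml2:Assertion", NS)
    if assertion is None:
        return ["no saml2:Assertion in response"]
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("saml2:Subject has no NameID")
    else:
        fmt = name_id.get("Format", "")
        if fmt != EMAIL_FORMAT:
            problems.append(f"NameID Format is {fmt!r}, expected emailAddress")
        if "@" not in name_id.text:
            problems.append(f"NameID {name_id.text!r} is not an email address")
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS) if v.text]
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing attribute {name}")
    if not attrs.get("dropzone_role"):
        problems.append("SSO login would remove this user's role (no dropzone_role sent)")
    return problems

# Constructed sample: email NameID is correct, but dropzone_role was never mapped.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Assertion>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">wendell.bagg@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="first_name"><saml2:AttributeValue>Wendell</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    for p in check_saml_response(SAMPLE):
        print("PROBLEM:", p)
```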

Getting Help

If you have any questions about which login options are right for you, engage your Dropzone AI support representative at [email protected]
