I’m setting up my first Access application and I’m unable to proceed on the Dropbox side of things because I am getting the following error. Still pretty new to configuring these things…
You must provide an X.509 certificate to enable single sign-on.
Here’s what I’ve done so far: Using the Zero Trust Dashboard, Access >> Applications > Add new Application
Application: Dropbox
Entity ID: (used the SSO sign-in URL from Dropbox, Settings > Single sign-on)
Assertion Consumer Service URL: (used the SSO sign-in URL from Dropbox, Settings > Single sign-on)
Name ID Format: email
Show application in the App Launcher: yes
Identity Providers: Google Workspace (only, removed PIN sign-in)
Instant Auth: yes (since I’m only offering one sign-in option)
(Moved on to the next page of settings)
Add Policies
New policy name: Sign-in every 24-hours
Rule action: Allow
Assign Group(s): (selected relevant groups)
Received the following credentials:
SSO endpoint: [snip]
Access Entity ID or Issuer: [snip]
Public key: [snip]
On the Dropbox portal, (Enterprise account): Admin Console >> Settings > Authentication > Single sign-on
Single sign-on: Required (this was enabled, off by default.)
Identity provider sign-in URL: (entered the Access Entity ID from above)
And then I get to the part I’m not 100% sure about. Cloudflare provided me a public key as part of the setup information for the application, but Dropbox wants an X.509 certificate to enable SSO. That key isn’t going to work.
My suspicion is that since Cloudflare is acting as a proxy for my identity provider (GWS) then I need to generate a certificate with Google and use that public key for Dropbox. Does that sound right or am I veering off-course on that?
Secondly, what is the Public key that Cloudflare Access provided me after configuring the new application used for? I mean that I used the Dropbox application type when adding the new application. I would have expected the fields to be relevant to Dropbox specifically.
Any help and insights are really appreciated. Many thanks!
Thanks @cscharff! Much appreciate the help. I was thinking about that too but was not able to successfully use the public key provided by Cloudflare as the X.509 certificate. Since Dropbox wants an uploaded file and CF only provides the public key text, it left a bit up in the air for me to interpret. For example:
I tried saving the public key as a .pem file and uploading it to Dropbox. It threw the following error “There was an error processing the X.509 certificate. Double-check the certificate and try again.”
Next, I tried converting the public key to a .pem file using ssh-keygen -f cf_dropbox.pub -e -m pem > cf_dropbox.pem and that threw back Load key "cf_dropbox.pub": invalid format
Then I looked into what an X.509 is exactly and I realized there’s no way the public key provided by Cloudflare matches the X.509 spec. It’s supposed to include fields specifying the subject, issuing CA, and other required information such as the certificate’s version and validity period.
The documentation is kinda vague on this. Thanks again for your suggestions. If you have any other thoughts, happy to check those out. Thanks!
Noting that I was able to figure out the certificate issue. Thanks @cscharff - one of your answers on a different post said the same but you linked a documentation page for configuring AWS that had what I needed.
The Public key must be transformed into a fingerprint. To do that:
Copy the Public Key Value.
Paste the Public Key into VIM or another code editor.
Wrap the value in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Set the file extension to .crt and save.
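As an added example (not code from this thread, Cloudflare or Dropbox), the wrapping step above done programmatically: it strips any armor or whitespace from the pasted value, checks that it decodes to a DER SEQUENCE (every X.509 certificate does), emits the .crt content with 64-character lines, and prints the certificate fingerprint so you can compare it with what an admin UI shows. SAMPLE_PUBLIC_KEY_TEXT is a constructed stand-in for the real dashboard value, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample standing in for the "Public key" value shown in the Access
# dashboard. It is a DER SEQUENCE with a 100-byte body, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x64" + bytes(range(100))
SAMPLE_PUBLIC_KEY_TEXT = base64.b64encode(SAMPLE_DER).decode()

_ARMOR = re.compile(r"-----(BEGIN|END)[^-]*-----")


def decode_key_text(raw: str) -> bytes:
    """Strip existing PEM armor and whitespace, then base64-decode to DER bytes."""
    body = "".join(_ARMOR.sub("", raw).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("value is not clean base64; re-copy it from the dashboard") from exc
    # A certificate is an ASN.1 SEQUENCE (tag 0x30). Anything else means the value
    # was pasted incompletely or is not a certificate body at all.
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE; not a certificate body")
    return der


def wrap_as_certificate(raw: str) -> str:
    """Return the .crt file content: PEM CERTIFICATE armor with 64-char lines."""
    b64 = base64.b64encode(decode_key_text(raw)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(raw: str, algo: str = "sha256") -> str:
    """Colon-separated hex digest over the DER bytes, the form admin UIs display."""
    digest = hashlib.new(algo, decode_key_text(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    # Paste the real dashboard value in place of SAMPLE_PUBLIC_KEY_TEXT, then save
    # the printed block as cf_dropbox.crt and upload it to Dropbox.
    print(wrap_as_certificate(SAMPLE_PUBLIC_KEY_TEXT))
    print("SHA-256 fingerprint:", fingerprint(SAMPLE_PUBLIC_KEY_TEXT))
```

The SEQUENCE check only catches copy/paste damage; Dropbox's own parser still validates the full X.509 structure on upload.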