Enable SSO for Dropbox using Cloudflare Access

I’m setting up my first Access application and I’m unable to proceed on the Dropbox side of things because I am getting the following error. Still pretty new to configuring these things…

You must provide an X.509 certificate to enable single sign-on.

Here’s what I’ve done so far: Using the Zero Trust Dashboard, Access >> Applications > Add new Application

  • Application: Dropbox
  • Entity ID: (used the SSO sign-in URL from Dropbox, Settings > Single sign-on)
  • Assertion Consumer Service URL: (used the SSO sign-in URL from Dropbox, Settings > Single sign-on)
  • Name ID Format: email
  • Show application in the App Launcher: yes
  • Identity Providers: Google Workspace (only, removed PIN sign-in)
  • Instant Auth: yes (since I’m only offering one sign-in option)
  • (Moved on to the next page of settings)
  • Add Policies
  • New policy name: Sign-in every 24-hours
  • Rule action: Allow
  • Assign Group(s): (selected relevant groups)
  • Received the following credentials:
    • SSO endpoint: [snip]
    • Access Entity ID or Issuer: [snip]
    • Public key: [snip]

On the Dropbox portal, (Enterprise account): Admin Console >> Settings > Authentication > Single sign-on

  • Single sign-on: Required (this was enabled, off by default.)
  • Identity provider sign-in URL: (entered the Access Entity ID from above)

And then I get to the part I’m not 100% sure about. Cloudflare provided me a public key as part of the setup information for the application, but Dropbox wants an X.509 certificate to enable SSO. That key isn’t going to work.

My suspicion is that since Cloudflare is acting as a proxy for my identity provider (GWS) then I need to generate a certificate with Google and use that public key for Dropbox. Does that sound right or am I veering off-course on that?

Secondly, what is the Public key that Cloudflare Access provided me after configuring the new application used for? I mean that I used the Dropbox application type when adding the new application. I would have expected the fields to be relevant to Dropbox specifically.

Any help and insights are really appreciated. Many thanks!

The x.509 is the public key.


It /might/ change the default icon, beyond that there is nothing unique about choosing an application from the drop down list.

Thanks @cscharff! Much appreciate the help. I was thinking about that too but was not able to successfully use the public key provided by Cloudflare as the X.509 certificate. Since Dropbox wants an uploaded file and CF only provides the public key text, it left a bit up in the air for me to interpret. For example:

  • I tried saving the public key as a .pem file and uploading it to Dropbox. It threw the following error “There was an error processing the X.509 certificate. Double-check the certificate and try again.”
  • Next, I tried converting the public key to a .pem file using ssh-keygen -f cf_dropbox.pub -e -m pem > cf_dropbox.pem and that threw back Load key "cf_dropbox.pub": invalid format

Then I looked into what an X.509 is exactly and I realized there’s no way the public key provided by Cloudflare matches the X.509 spec. It’s supposed to include fields specifying the subject, issuing CA, and other required information such as the certificate’s version and validity period.

The documentation is kinda vague on this. Thanks again for your suggestions - If you have any other thoughts, happy to check those out. Thanks!

Noting that I was able to figure out the certificate issue. Thanks @cscharff - one of your answers on a different post said the same but you linked a documentation page for configuring AWS that had what I needed.

Link: https://developers.cloudflare.com/cloudflare-one/tutorials/aws-sso-saas
Related post: How do I get the X.509 file from Cloudflare Access?

The Public key must be transformed into a fingerprint. To do that:

  • Copy the Public Key Value.
  • Paste the Public Key into VIM or another code editor.
  • Wrap the value in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  • Set the file extension to .crt and save.

This resolved the issue.

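The wrapping step described in the reply above, as an added example that is not from the thread, Cloudflare or Dropbox. The value Cloudflare labels "Public key" is the base64 of a DER-encoded X.509 certificate, so the fix is purely presentational: fold it at 64 columns between PEM CERTIFICATE armour and save it as .crt. The script below does that and also explains the two failures earlier in the thread: it rejects input that is not a single DER SEQUENCE (which is why an OpenSSH key line fails), and it checks that the DER length matches the blob size (which catches a truncated copy-paste). The sample blobs are constructed stand-ins, not real Cloudflare output, and the check is a structural DER check only, not a full X.509 parse; use openssl x509 -in file.crt -noout -text for that once the file exists.

```python
import base64
import re
import textwrap

# Constructed sample: a tiny DER SEQUENCE (SEQUENCE { INTEGER 5 }) standing in
# for the base64 blob Cloudflare shows as "Public key". A real certificate is a
# few kilobytes, which is why the parser below handles long-form DER lengths.
SAMPLE_CF_PUBLIC_KEY = base64.b64encode(bytes.fromhex("3003020105")).decode()

# Constructed sample with a long-form length: SEQUENCE (131 bytes) containing an
# OCTET STRING of 128 zero bytes. Total encoded size is 134 bytes.
SAMPLE_LONG_FORM = base64.b64encode(
    b"\x30\x81\x83" + b"\x04\x81\x80" + b"\x00" * 128
).decode()

# What the poster tried to feed ssh-keygen: an OpenSSH-style key line, which is
# not DER at all. Constructed for the example.
SAMPLE_SSH_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC example@host"


def _der_outer_length(der: bytes) -> int:
    """Return the total encoded size of the first DER element in `der`.

    DER length octets: a single byte below 0x80 is the length itself; 0x80|n
    means the next n bytes hold the length big-endian.
    """
    if len(der) < 2:
        raise ValueError("too short to be DER")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    content_len = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content_len


def decode_certificate_blob(blob: str) -> bytes:
    """Strip whitespace and any existing PEM armour, return the DER bytes.

    Rejects anything that is not one top-level DER SEQUENCE (tag 0x30), which is
    what an X.509 Certificate is, so the wrong kind of key fails here rather
    than inside Dropbox's SSO upload.
    """
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", blob)
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; an X.509 certificate starts with tag 0x30")
    if _der_outer_length(der) != len(der):
        raise ValueError("DER length does not match blob size; truncated or extra data")
    return der


def is_certificate_blob(blob: str) -> bool:
    """True if `blob` passes the structural checks in decode_certificate_blob."""
    try:
        decode_certificate_blob(blob)
        return True
    except ValueError:
        return False


def to_pem_certificate(blob: str) -> str:
    """Build an RFC 7468 PEM CERTIFICATE block: header, base64 folded at 64
    columns, footer, trailing newline. This is the text to save as a .crt file."""
    der = decode_certificate_blob(blob)
    b64 = base64.b64encode(der).decode()
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(b64, 64))
        + "\n-----END CERTIFICATE-----\n"
    )


def write_crt(blob: str, path: str) -> None:
    """Write the PEM form of `blob` to `path` with Unix line endings."""
    with open(path, "w", newline="\n") as fh:
        fh.write(to_pem_certificate(blob))


if __name__ == "__main__":
    print(to_pem_certificate(SAMPLE_CF_PUBLIC_KEY), end="")
```

Paste the real value from the Access application's settings page into a file and pass its contents to write_crt; the function is safe to run on text that already carries the BEGIN/END lines, since the armour is stripped before re-wrapping.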
