I’m setting up my first Access application and I’m unable to proceed on the Dropbox side of things because I am getting the following error. Still pretty new to configuring these things…
You must provide an X.509 certificate to enable single sign-on.
Here’s what I’ve done so far: Using the Zero Trust Dashboard, Access >> Applications > Add new Application
- Entity ID: (used the SSO sign-in URL from Dropbox, Settings > Single sign-on)
- Assertion Consumer Service URL: (used the SSO sign-in URL from Dropbox, Settings > Single sign-on)
- Name ID Format:
- Show application in the App Launcher:
- Identity Providers: Google Workspace (only, removed PIN sign-in)
- Instant Auth: yes (since I’m only offering one sign-in option)
- (Moved on to the next page of settings)
- Add Policies
- New policy name: Sign-in every 24-hours
- Rule action:
- Assign Group(s): (selected relevant groups)
- Received the following credentials:
- SSO endpoint: [snip]
- Access Entity ID or Issuer: [snip]
- Public key: [snip]
On the Dropbox portal (Enterprise account): Admin Console >> Settings > Authentication > Single sign-on
- Single sign-on: Required (this was enabled, off by default.)
- Identity provider sign-in URL: (entered the Access Entity ID from above)
And then I get to the part I’m not 100% sure about. Cloudflare provided me a public key as part of the setup information for the application, but Dropbox wants an X.509 certificate to enable SSO. That key isn’t going to work.
My suspicion is that since Cloudflare is acting as a proxy for my identity provider (GWS) then I need to generate a certificate with Google and use that public key for Dropbox. Does that sound right or am I veering off-course on that?
Secondly, what is the Public key that Cloudflare Access provided me after configuring the new application used for? I mean that I used the Dropbox application type when adding the new application. I would have expected the fields to be relevant to Dropbox specifically.
Any help and insights are really appreciated. Many thanks!