Box Single Sign-On Integration

The Box Single Sign-On (SSO) Integration creates a client application that uses Auth0 for authentication and provides SSO capabilities for Box. Your users log in to Box through Auth0 identity providers, which means the identity provider verifies the user's credentials.

Prerequisites

Before you begin:

  • Sign up for a Box Enterprise account.
  • Set up a connection, which is a source of users. Connections can be databases, social identity providers, or enterprise identity providers, and can be shared among different applications. You may set up more than one connection for use with SSO integrations.

  1. Navigate to Auth0 Dashboard > Applications > SSO Integrations, and click + Create SSO Integration.

  2. Select Box.

  3. Click Continue to grant the integration access to the listed permissions.

Configure Auth0 SSO Integration

Enter a name for your SSO Integration, and click Save.

Configure integration with Box

To configure the integration with Box, follow the instructions listed in the Tutorial view.

Box SSO integration

The following steps only work for Box Enterprise accounts.

Before you continue, make sure you have your SSO integration Client ID. You will use the Client ID to replace the SSO_CLIENT_ID placeholders.

Configuring SAML SSO with Box requires you to call their support team. They will ask for a few pieces of information:

  1. Your Auth0 signing certificate.

  2. The EntityID: urn:YOUR_DOMAIN.

  3. The identifier that maps to Box usernames. By default we use the emailaddress claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  4. The Redirect URL, which is the login endpoint in Auth0 (be sure to replace the SSO_CLIENT_ID placeholder with the Client ID of your SSO Integration): https://YOUR_DOMAIN/samlp/SSO_CLIENT_ID

  5. OPTIONAL: If you would like your Box user accounts to be created automatically, request that the Box support team enable automatic account provisioning for your account. To do so, you will need to provide the claims that we use for first name and last name. By default, we use givenname as the first name and surname as the last name.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
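
Before calling Box support, it helps to confirm that the values in the list above match what your tenant actually sends. The following Python sketch is an added example, not Auth0 or Box code: it builds the EntityID and Redirect URL from a domain and Client ID, then checks a decoded SAML assertion for the expected issuer and claims. The function names, the `example.auth0.com` domain, and the sample assertion are constructed for illustration, and it assumes the assertion's Issuer equals the EntityID.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ("emailaddress",)              # maps to the Box username
PROVISIONING = ("givenname", "surname")   # needed only for automatic provisioning

def box_sso_values(domain, client_id):
    """Build the EntityID and Redirect URL to give to Box support."""
    return {"entity_id": f"urn:{domain}",
            "redirect_url": f"https://{domain}/samlp/{client_id}"}

def check_assertion(xml_text, domain, provisioning=False):
    """Return a list of problems found in a decoded SAML assertion.
    Checks issuer and claims only; it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext(".//saml:Issuer", default="", namespaces=NS).strip()
    if issuer != f"urn:{domain}":
        problems.append(f"issuer {issuer!r} != 'urn:{domain}'")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        value = a.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[a.get("Name")] = value.strip()
    wanted = REQUIRED + (PROVISIONING if provisioning else ())
    for short in wanted:
        if not attrs.get(CLAIMS + short):
            problems.append(f"missing or empty claim: {short}")
    return problems

# Constructed sample assertion (surname deliberately absent).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>urn:example.auth0.com</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(box_sso_values("example.auth0.com", "SSO_CLIENT_ID"))
    print(check_assertion(SAMPLE, "example.auth0.com", provisioning=True))
```

Run it against an assertion captured from a test login to your own tenant; an empty list means the issuer and the claims Box needs are present.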

Enable connections

Choose the connections to use with your SSO integration. Users in enabled connections will be allowed to log in to Box. By default, all configured connections are enabled.

  1. Select the Connections view.

  2. Toggle the sliders next to connection names to enable or disable them.