How to Configure SAML 2.0 for Box


Supported Features

The Okta/Box SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

For more configuration information, see Box's Setting Up Single Sign On (SSO) for your Enterprise.

  1. Log in to your Box account as a primary administrator.

  2. Click Admin Console, go to Enterprise Settings > User Settings > Configure Single Sign On (SSO) for All Users, then click Configure.

  3. Enter the following:

    • Identity Provider: Select Okta.

    • SSO Metadata File: Save the following file as metadata.xml, then locate it by clicking Choose File.

      Sign into the Okta Admin dashboard to generate this value.

    • Click Submit:

    Enter SAML config values

  4. Box will process your metadata file which can take up to 24 hours.

  5. Once you have been notified that your SSO connection was successfully created, you can enable SSO for your enterprise. Begin by enabling SSO Test Mode. In Test Mode, you can log in using SSO credentials or your Box credentials. Verify that you can log out and in again using SSO credentials before you continue.

    Enable SSO test mode and test SSO credentials

  6. (OPTIONAL): Once you have verified that you can sign in and out of Box successfully using SSO, you are ready to completely secure your account. Complete your SSO activation by making SSO required for all users. Users will not be able to log in with their Box credentials.

    Note: Be sure that you have tested the SSO login flow before enabling this setting. If you do not test that your SSO credentials are working correctly, there is a possibility that you will be locked out of your Box account.

  7. Done!
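Before uploading metadata.xml in step 3, it is worth confirming that the file actually contains what Box needs (an entityID, an IDPSSODescriptor, a signing certificate, and HTTPS single sign-on endpoints), since a malformed or SP-side metadata file is only reported back after the processing delay described in step 4. The following added example (not Okta's or Box's own code) performs those checks with the Python standard library. The metadata document embedded in it is constructed for illustration: the entityID, tenant host, app id and certificate are placeholders, and the list of checks reflects what a practitioner would verify, not a published Box requirement.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# CONSTRUCTED sample shaped like the IdP metadata Okta generates for a SAML app.
# The entityID, tenant host, app id and certificate are placeholders.
KEY_DESCRIPTOR = """<md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>"""

TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptor}
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/box/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.okta.com/app/box/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_METADATA = TEMPLATE.format(key_descriptor=KEY_DESCRIPTOR)
# Same document with the signing key removed, to show a failing check.
SAMPLE_METADATA_NO_SIGNING_KEY = TEMPLATE.format(key_descriptor="")


def inspect_idp_metadata(xml_text):
    """Return the fields Box consumes from an IdP metadata document, plus a
    list of problems that would make the upload fail or weaken the connection."""
    # The file is one you generated in your own Okta tenant, so it is treated
    # as trusted input here; use defusedxml for metadata from third parties.
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID (Box matches it against the Issuer of each assertion)")

    result = {"entity_id": entity_id, "signing_cert_count": 0, "sso_endpoints": {},
              "want_authn_requests_signed": None, "problems": problems}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: this is not IdP metadata (SP metadata uploaded by mistake?)")
        return result

    result["want_authn_requests_signed"] = idp.get("WantAuthnRequestsSigned")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing")
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           default="", namespaces=NS).strip()
        if use == "signing" and cert:
            result["signing_cert_count"] += 1
    if result["signing_cert_count"] == 0:
        problems.append("no signing certificate: Box could not verify assertion signatures")

    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        result["sso_endpoints"][binding] = location
        if not location.startswith("https://"):
            problems.append("SSO endpoint is not HTTPS: %s" % location)
    if HTTP_POST not in result["sso_endpoints"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint (Okta metadata normally lists one)")
    return result


if __name__ == "__main__":
    for label, doc in (("good", SAMPLE_METADATA), ("no-signing-key", SAMPLE_METADATA_NO_SIGNING_KEY)):
        report = inspect_idp_metadata(doc)
        print(label, "->", report["problems"] or "OK")
```

Run it against the metadata.xml you downloaded from the Okta Admin dashboard (read the file and pass its text to inspect_idp_metadata) before clicking Submit; an empty problems list means the document is at least structurally what Box expects, and the reported entityID and SSO locations are the values to compare against the connection Box reports back.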


SP-initiated SSO

  1. Go to https://[your-subdomain].box.com

  2. Click Continue.

SAML Group Push

  1. After the SSO Groups feature is enabled by your Box contact, the following settings will be available in the Admin Console > Enterprise Settings > User Settings. Below is a brief description of each setting:

    • Add new groups upon SSO user login: If a group is sent over with a user and there isn’t an exact name match to a group within Box, this group will be added as a new Box group. Permissions must be manually assigned to this group in the Admin Console. This setting can be used to bring the exact names of multiple groups under an admin account.

    • Add user to groups upon SSO user login: If a group is sent over in the login SAML assertion which matches the name of an existing Box group, the user will be added to that Box group. When this setting and the next setting ("Remove User") are enabled, your user store's group memberships will update the Box user's group memberships upon every login.

    • Remove user from groups upon SSO user login: If the user is currently in an existing Box group and the group is not sent over in the login SAML assertion, the user will be removed from that Box group. When this setting and the previous setting ("Add User") are enabled, your user store's group memberships will update the Box user's group memberships upon every login.

    Note: When all three SSO Groups options are enabled, your user store will be the system of truth for group creation and membership in Box.

    SSO groups feature options

  2. In Okta, select the Sign On tab for the Box app, then click Edit.

    • Push Groups via SAML?: Check this option.

    • Group Filter: Enter an expression that will be used to filter groups.

    • Click Save:

  3. The user's groups will now be sent to Box as part of the SAML assertion.
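The three SSO Groups settings in step 1 and the Group Filter in step 2 together decide which Box groups get created and which memberships change on each login. The following added example (not Okta's or Box's own code) makes that decision explicit: it pulls the group names out of a constructed SAML assertion, applies the Group Filter as a regular expression, and computes the create/add/remove actions for each combination of the three settings. The attribute name "groups" is an assumption (it is whatever the group attribute statement in the Okta app is named), the assertion is constructed and unsigned for illustration, and whether a group created during the same login also receives the user is not stated on this page and is assumed here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# CONSTRUCTED assertion fragment (no Signature element); the Issuer, NameID and
# group names are placeholders. "Everyone" stands in for Okta's built-in group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>box-finance</saml:AttributeValue>
      <saml:AttributeValue>box-engineering</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_from_assertion(xml_text, attribute_name="groups", group_filter=None):
    """Return the group names carried in the assertion's attribute statement.
    group_filter is applied the way the Okta Group Filter is assumed to work:
    as a regular expression that a group name must match to be pushed."""
    # Signature verification is Box's job on a real login; this only reads values.
    root = ET.fromstring(xml_text)
    names = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                names.append(val.text.strip())
    if group_filter:
        pattern = re.compile(group_filter)
        names = [n for n in names if pattern.match(n)]
    return names


def reconcile_groups(pushed, box_groups, user_groups, add_new, add_user, remove_user):
    """Compute what Box does at login for one user, given the three SSO Groups
    settings. Matching is by exact group name, as the settings describe."""
    pushed, box_groups, user_groups = set(pushed), set(box_groups), set(user_groups)
    to_create, to_add, to_remove = set(), set(), set()
    if add_new:
        # "Add new groups upon SSO user login": pushed names with no exact match
        to_create = pushed - box_groups
    if add_user:
        # "Add user to groups upon SSO user login". Assumption: a group created in
        # this same login also receives the user, so the user store is the system
        # of truth for membership as the page's note says.
        to_add = (pushed & (box_groups | to_create)) - user_groups
    if remove_user:
        # "Remove user from groups upon SSO user login": current groups not pushed
        to_remove = user_groups - pushed
    return {"create": sorted(to_create), "add": sorted(to_add), "remove": sorted(to_remove)}


if __name__ == "__main__":
    existing_box_groups = {"box-finance", "box-legacy"}   # constructed Box state
    current_user_groups = {"box-legacy"}                  # constructed membership
    unfiltered = groups_from_assertion(SAMPLE_ASSERTION)
    filtered = groups_from_assertion(SAMPLE_ASSERTION, group_filter="^box-")
    print("pushed without filter:", unfiltered)   # "Everyone" would become a Box group
    print("pushed with ^box- filter:", filtered)
    print(reconcile_groups(filtered, existing_box_groups, current_user_groups, True, True, True))
```

The unfiltered run shows why the Group Filter matters: without it every group the user belongs to in Okta, including the tenant-wide "Everyone" group, is pushed, and with "Add new groups" enabled each one becomes a Box group whose permissions you then have to manage. A filter such as ^box- limits the push to groups you created for Box, and the reconcile output is exactly the membership change that login will produce.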