Configuring SAML for Box
Article: KB0010327 Published: 11/10/2022 Last modified: 11/09/2022

This topic describes how to configure OneLogin to provide SSO for Box using SAML. (If you want to set up SSO for Box with form-based authentication, see Adding a Form-Based Application.)

  1. Log in to OneLogin and go to Apps > Add Apps.
  2. Search for Box and select it.
  3. On the initial Configuration tab, select SAML2.0 - user provisioning.

  4. Click Save to add the app to your Company Apps and display additional configuration tabs.

  5. On the Parameters tab, map Box user attributes to OneLogin attributes.

    Some parameters are included in the SAML assertion during SSO; others are used when provisioning users to Box through the API. For SSO using SAML, accept the defaults unless otherwise noted:

    | Box Field | Default OneLogin Value | SAML or Provisioning? | Notes |
    | --- | --- | --- | --- |
    | First Name | First Name | SAML and Provisioning | --- |
    | Folder | - No default - | Provisioning | See Provisioning Users to Box. |
    | Group | MemberOf | SAML | See the notes on the Group parameter below. |
    | Groups | - No value - | Provisioning | See Provisioning Users to Box. |
    | Last Name | Last Name | SAML and Provisioning | --- |
    | Role | - No value - | Provisioning | See Provisioning Users to Box. |
    | User ID | Email | SAML and Provisioning | Leave Value set to Email. Most Box implementations use email as the user ID. |

    Notes on the Group parameter:

    Box allows just-in-time user provisioning through SAML, enabling you to create users in Box using the attributes included in the SAML assertion. Using the Group parameter, you can provision a user as a member of a Box group.

    For example, if you want to provision users to groups based on their membership in Active Directory security groups, leave Value set to MemberOf.

    Alternatively, you can set this to any other available user attribute that makes sense for your organization. For example, setting Value to Department will provision each user to a group with the same name as their OneLogin Department.

    In Box, you'll need to manually create groups based on the user attribute you set in the Value field. For example, if you set Value to MemberOf, you'd create groups based on MemberOf values in OneLogin.

    For provisioning of group membership using the Box API, use the Groups parameter instead. See Provisioning Users to Box.

  6. On the Access tab, assign the OneLogin roles that should have access to Box and provide any app security policy that you want to apply to Box.

    You can also go to Users > All Users to add the app to individual user accounts, and return to this app configuration page to complete SSO configuration.

  7. Click Save.
  8. On the SSO tab, copy the SAML settings that you will provide to the Box support team.

    Copy the Issuer URL and the SAML2.0 Endpoint (HTTP) URL and download the X.509 PEM Certificate, then go to More Actions on the top-right and download your SAML Metadata.

    To download the X.509 PEM certificate, click View Details and select X.509 PEM from the drop-down below the X.509 Certificate field.

    If you want a different certificate, click Change, select the new certificate, and follow the above instructions. You can create new X.509 certificates for selection by going to Settings > Certificates and clicking New.

  9. Contact your Box support team and provide them with the SAML2.0 Endpoint (HTTP) URL, the Issuer URL, and the X.509 PEM certificate.
  10. Test the SAML connection.

    1. Make sure you are logged out of Box.
    2. Give yourself access to the Box app in OneLogin.
    3. Log in to OneLogin.
    4. Click the Box icon on your OneLogin dashboard.

      If you are able to access Box, then SAML works.
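
    To see what the mapping from step 5 actually produces at this test step, the following added example (not OneLogin's or Box's code) parses a constructed SAML assertion, extracts the Box user ID and Group values, and flags any Group value for which no group has been created in Box; the SAML attribute names and the issuer URL are assumptions.

```python
# Added example (not OneLogin's or Box's code): inspect a SAML 2.0 assertion
# against the Box mapping from step 5 and flag Group values that have no
# matching group in Box (Box does not create groups; they must exist already).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. The attribute names and the issuer URL are
# ASSUMPTIONS; read the real names from the app's Parameters and SSO tabs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2022-11-10T12:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer, NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return issuer, name_id, attrs


def check_box_mapping(xml_text, box_groups, expected_issuer):
    """List what would stop Box from provisioning this user as intended."""
    issuer, name_id, attrs = parse_assertion(xml_text)
    problems = []
    if issuer != expected_issuer:
        problems.append("Issuer %r does not match the Issuer URL given to Box" % issuer)
    if not name_id or "@" not in name_id:  # User ID is mapped to Email (step 5)
        problems.append("NameID %r is not an email address" % name_id)
    for required in ("First Name", "Last Name"):
        if not attrs.get(required):
            problems.append("missing attribute: " + required)
    for group in sorted(set(attrs.get("Group", [])) - set(box_groups)):
        problems.append("no Box group named %r; create it in Box first" % group)
    return {"user_id": name_id, "groups": attrs.get("Group", []), "problems": problems}
```

    Run it against a real assertion captured from the browser's SAML response (base64-decoded) with the set of groups that exist in the Box admin console; an empty problems list means the attribute mapping matches what Box expects.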

Next steps:

Provisioning Users to Box
