Configuration Guides

Configuring SAML SSO with Box and PingOne for Enterprise

Learn how to configure SAML SSO with Box and PingOne for Enterprise.

About this task

The following table details the required and optional attributes to be configured in the assertion attribute contract.

Attribute Name Description Required / Optional

SAML_SUBJECT

Email

Required

givenName

First Name

Optional

sn

Last Name

Optional

memberOf

Groups

Optional

The following configuration is untested and is provided as an example. Additional steps might be required.

Create a PingOne for Enterprise application for Box

  1. Download the Box metadata from https://cloud.app.box.com/s/9y0zm1sqgvkxe8ha2qa3dfhwoivpoyy4.

  2. Sign on to PingOne for Enterprise and click Applications.

  3. On the SAML tab, click Add Application.

    Screen capture of the My Applications tab in PingOne for Enterprise with the drop down list from the Add Application button displaying the following options: Search Application Catalog, New SAML Application, and Request Ping Identity add a new application to the application catalog.

  4. Click Search Application Catalog and search for Box.

  5. Click the Box row.

    Screen capture of PingOne for Enterprise Application table. The Box row is expanded, detailing the icon, name, description, and category of the application with a Setup button in the bottom right corner.

  6. Click Setup.

  7. Select the appropriate signing certificate.

  8. Review the steps, and note the PingOne for Enterprise SaaS ID, IdP ID, Initiate Single Sign-on (SSO) URL, and Issuer values.

    Screen capture of PingOne for Enterprise SSO Instructions with the PingOne for Enterprise SaaS ID, IdP ID, Initiate Single Sign-on (SSO) URL, and Issuer values redacted.

    1. Click Continue to Next Step.

    2. In the Upload Metadata section, click Select File, and upload the Box metadata file that you downloaded.

    3. Ensure that ACS URL is set to https://sso.services.box.net/sp/ACS.saml2 and Entity ID is set to box.net.

    Screen capture of PingOne for Enterprise Connection Configuration section with a sample XML file uploaded in the Upload Metadata field and the ACS URL and Entity ID filled out in accordance with the above instructions.

  9. Click Continue to Next Step.

  10. In the Attribute Mapping section, in the Identity Bridge Attribute or Literal Valuecolumn of the SAML_SUBJECTrow, select the attribute SAML_SUBJECT.

  11. Complete the remaining attribute mappings for givenName, sn, memberOf, and title.

    Screen capture of PingOne for Enterprise Attribute Mapping section with the SAML_SUBJECT, givenName, sn, memberOf, and title fields input to the Application Attribute table.

  12. Click Continue to Next Step.

  13. Update the Name, Description, and Category fields as required.

    Screen capture of PingOne for Enterprise App Customization - Box section with the Name, Description, and Category fields filled out.

  14. Click Continue to Next Step.

  15. Add suitable user groups for the application.

    Screen capture of PingOne for Enterprise Group Access section with a search bar to search for applicable groups and add them to the table below it.

  16. Click Continue to Next Step.

  17. Review the settings.

    Screen capture of PingOne for Enterprise Review Setup section with all the previously populated Box application information displayed for reference and verification.
    Continuing from the previous screen capture, this screen capture of PingOne for Enterprise Review Setup page displays the Application Attribute table with columns for Description and Identity Bridge Attribute or Literal Value.

  18. Copy the Single Sign-On (SSO) URL value to a temporary location.

    This is the IdP-initiated SSO URL that you can use for testing.

  19. On the SAML Metadata row, click Download. You will use this for the Box configuration.

  20. Click Finish.

Configure the PingOne for Enterprise IdP connection for Box

  1. Sign on to the Box Admin Console as an administrator.

    Screen capture of Box Developer Plan homepage with the Settings icon on the left sidebar highlighted in red.

  2. Click Enterprise Settings.

  3. Click the User Settings tab.

  4. In the Configure Single sign-on (SSO) for All Users section, click Configure.

    Screen capture of Box User Settings and the Configure button under Configure Single Sgn On (SSO) for All Users both highlighted in red.

  5. Click I don’t see my provider, or don’t have a metadata file.

  6. Complete the Box SSO Setup Support Form:

    • Review the request form and the For faster service please read section.

    • Complete all the required fields.

      • For Who is your Identity Provider, select Other with Metadata.

      • For What is the attribute for the user’s email?, select SAML_SUBJECT.

      • For What is the attribute for groups?, select memberOf.

      • For What is the attribute for the user’s first name?, select givenName.

      • For What is the attribute for the user’s last name?, select Sn.

      • Attach the metadata that you downloaded from the PingOne for Enterprise configuration.

    • Click Submit.

      Screen capture of Box SSO Setup Support Form.

  7. After the Box support team completes the configuration, follow any provided instructions and test the integration.