Box Provisioner

Known issues and limitations

  • Due to a limitation with PingFederate 8.1 and earlier versions, when configuring two SP connections with the same provisioner, the second connection built may be pre-populated with the channel from the first connection. To avoid conflicts, delete this pre-populated channel and create a unique channel for each connection.

  • User attributes cannot be cleared once set.

  • Versions 2.2 and later enable updating a user’s login. However, the user must have logged in previously for the update to succeed.

  • The provenance attribute is the only supported attribute for group provisioning.

  • The provenance attribute cannot be cleared once set for a group.

  • The Inactive Status Default user attribute will have no effect if the Box connector is configured to delete (hard delete) instead of disable (soft delete) for user deprovisioning. Additionally, deleting a user in LDAP will always set that user as inactive in Box.

  • When an LDAP user is deleted from a targeted group distinguished name (DN), the provisioning connector does not propagate the deletion until a new user is added to the group. This limitation is compounded when the User Create provisioning option is disabled. For solutions, see "SaaS provisioner does not remove the user" in the Knowledge Base.

  • A Box API limitation prevents the provisioner from updating a login when the new value differs from the existing one only in letter case. In that scenario, the login is omitted from the API operation. For example, USER@TEST.COM in Box cannot be updated to user@test.com. In an update operation, the login would be omitted, but any other attributes that may have changed would be provisioned and updated.

  • Due to Box API requirements, only primary, validated email addresses can be used to sync users.
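
Two of the limitations above (a deleted LDAP user is not propagated until a new user joins the group, and a login that differs only in letter case is never updated) can leave Box out of step with the directory. The following reconciliation check is an added example, not part of the connector or this documentation: it compares a list of logins from the targeted LDAP group with a list of Box users and reports accounts that are still active in Box without a matching LDAP member, plus logins that match only after case folding. The `BoxUser` record shape, the `reconcile` function and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BoxUser:
    login: str   # primary email address used as the Box login
    status: str  # "active" or "inactive" (hypothetical export field)


def reconcile(ldap_logins, box_users):
    """Compare LDAP group members with Box users.

    Returns (stale, case_mismatch):
      stale         - Box logins still active with no LDAP member at all,
                      i.e. deletions that may not have been propagated yet.
      case_mismatch - (box_login, ldap_login) pairs equal only when case is
                      ignored; the provisioner omits these login updates.
    """
    by_folded = {login.casefold(): login for login in ldap_logins}
    stale, case_mismatch = [], []
    for user in box_users:
        ldap_login = by_folded.get(user.login.casefold())
        if ldap_login is None:
            # Inactive accounts are already deprovisioned (soft delete).
            if user.status == "active":
                stale.append(user.login)
        elif ldap_login != user.login:
            case_mismatch.append((user.login, ldap_login))
    return sorted(stale), sorted(case_mismatch)


# Constructed sample data: carol and dave were deleted from the LDAP group.
LDAP_GROUP_LOGINS = ["alice@test.com", "user@test.com"]
BOX_USERS = [
    BoxUser("alice@test.com", "active"),
    BoxUser("USER@TEST.COM", "active"),    # differs from LDAP only in case
    BoxUser("carol@test.com", "active"),   # deletion not yet propagated
    BoxUser("dave@test.com", "inactive"),  # already disabled in Box
]

if __name__ == "__main__":
    stale, case_mismatch = reconcile(LDAP_GROUP_LOGINS, BOX_USERS)
    for login in stale:
        print(f"STALE   still active in Box, not in LDAP group: {login}")
    for box_login, ldap_login in case_mismatch:
        print(f"CASE    Box has {box_login}, LDAP has {ldap_login}")
```

Running a check like this on a schedule gives a bounded window for accounts that should have been deprovisioned, independent of when the next user is added to the group.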

Box token failover support limitations

  • Tokens entered during SP connection configuration will be invalidated and replaced with new tokens upon first use. Afterwards, they will be updated with new tokens once they expire.

  • If an SP connection is reconfigured to change the connection datasource from a database to a flat file, or vice versa, any pre-existing entries in the new datasource for the given client ID must be deleted before the SP connection is updated.

Performance limitations

  • Enabling personal folder functionality will diminish initial synchronization provisioning performance.