--- title: Configure PingFederate for SSO description: The following section describes the steps for configuring single sign-on (SSO) to Box. Configuring SAML SSO involves configuring both the PingFederate SP connection and Box. component: box page_id: box:setup:pf_box_connector_configure_pf_for_sso canonical_url: https://docs.pingidentity.com/integrations/box/setup/pf_box_connector_configure_pf_for_sso.html revdate: June 27, 2024 section_ids: about-this-task: About this task steps: Steps --- # Configure PingFederate for SSO ## About this task The following section describes the steps for configuring single sign-on (SSO) to Box. Configuring SAML SSO involves configuring both the PingFederate SP connection and Box. | | | | - | ------------------------------------------------------ | | | Configuring SSO is optional for outbound provisioning. | ## Steps 1. Create a new SP connection or select an existing SP connection from the **SP Configuration** menu. 2. On the **Connection Template** screen, select the **Use a template for this connection** option and choose **Box Connector** in the **Connection Template** list. You will be asked to provide the `boxmetadata.xml` file you obtained earlier in [Download Box SAML 2.0 metadata file](pf_box_connector_download_box_saml_20_metadata_file.html). ![An image of the Connection Template screen.](_images/igc1563995181315.png) 3. On the **Connection Type** screen, ensure that the **Browser SSO Profiles** check box is selected. 4. On the **General Info** screen, the default values are taken from the metadata file you selected in step 2. We recommend using the metadata default values. ![An image of the General Info screen.](_images/vev1563995186742.png) 5. Click **Next** to continue the Browser SSO configuration. Learn more in the following sections under [Identity provider SSO configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_ident_provid_sso_config.html): * [Managing IdP adapters](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_managing_idp_adapters.html) * [Configure IdP Browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html) * [Configuring credentials](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_credentialsstate.html) 6. On the authentication adapter's **Attribute Contract Fulfillment** screen, map SAML\_SUBJECT to email address. 7. On the **Protocol Settings > Allowable SAML Bindings** screen, ensure that both **POST** and **SOAP** are selected. 8. On the **Credentials** screen, click **Configure Credentials**. 9. On the **Back-Channel Authentication** screen, click **Configure**. 10. On the **Inbound Authentication Type** screen, select **Digital Signature (Browser SSO profile only)** and click **Done**. 11. On the **Credentials > Digital Signature Settings** screen, select the signing certificate. 12. On the **Signature Verification Settings** screen, click **Manage Signature Verification Settings**. 13. On the **Trust Model** screen, ensure **Unanchored** is selected and click **Next**. 14. On the **Signature Verification Certificate** screen, select the Box certificate as the primary certificate and click **Next**. ![An image of the Box Signature Verification Certificate.](_images/ogf1563995187462.png) 15. On the **Activation & Summary** screen, set **Connection Status** to Active, then click **Save**.