--- title: Provisioning Box with PingOne description: Provision Box in PingOne. component: pingone page_id: pingone:integrations:p1_provisioning_connection_box canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_provisioning_connection_box.html revdate: April 10, 2026 section_ids: provisioning-capabilities: Provisioning capabilities before-you-begin: Before you begin steps: Steps result: Result: validation: Validation box-directory-attributes: Box directory attributes box-provisioning-known-limitations: Box provisioning known limitations --- # Provisioning Box with PingOne Box is a cloud-based content management and file-sharing service for organizations. By using the Box connection in PingOne, you can provision users, groups, and memberships between your Box account and PingOne, which ensures seamless access control and identity management. ## Provisioning capabilities The following table summarizes the inbound and outbound provisioning capabilities for each resource type: | Resource | Capability | Description | Inbound | Outbound | | ---------- | -------------- | ------------------------------------------------------------ | ------- | -------- | | User | Create | Generates a new user record in the destination. | Yes | Yes | | | Read | Retrieves or polls user attributes for synchronization. | Yes | Yes | | | Update | Modifies existing attributes, such as `job title`. | Yes | Yes | | | Delete | Deletes a user or temporarily suspends an account. | Yes | Yes | | Group | Create | Provisions a new group in the target application. | No | Yes | | | Rename | Updates the display name or identifier of an existing group. | No | Yes | | | Delete | Removes a group from the target application. | No | Yes | | Membership | Add and remove | Adds or removes users from groups. | No | Yes | ## Before you begin Make sure that you have: * A Box administrative account. Learn more about [Box admin basics](https://support.box.com/hc/en-us/articles/20663788432275-Getting-Started-Box-Admin-Basics) in the Box documentation. * The following from your Box account for OAuth authentication: * **Client ID** * **Client Secret** * **Box Subject Type** * **Box Subject ID** * **Token Endpoint** * Users assigned to a specific population or group in PingOne designated for Box provisioning. Learn more in [Adding a user](../directory/p1_adduser.html) and [Managing groups](../directory/p1_managing_groups.html). ## Steps 1. Create a Box connection: 1. In the PingOne admin console, go to **Integrations > Provisioning**. 2. Click **[icon: plus, set=fa]**and then click **New Connection**. 3. Click **Select** for **Identity Store**. 4. Click **Select** for the **Box** connection, and click **Next**. 5. Enter a **Name** and **Description** for this provisioning connection. 6. Click **Next**. 7. []()In the **Configure Authentication** section, enter the following configurations that apply to your Box account: * **Service URI**: Enter the base URL for the Box API endpoint, such as `https://api.box.com/2.0`. * **Authentication Method**: Select one of the following: * **OAUTH**: Enter the following: | Configuration | Example | | -------------------- | ---------------------------------- | | **Client ID** | `a44ka4f0ecdftw6pozqq7bydvaaj0dja` | | **Client Secret** | `2KWhUn2tbxMm5UfCIbJSmYwh3raFeSK0` | | **Token Endpoint** | `https://api.box.com/oauth2/token` | | **Grant Type** | `client_credentials` | | **Box Subject Type** | `enterprise` | | **Box Subject ID** | `870769` | * **TOKEN**: Enter the **Bearer Token**, such as `8lBWsMIimT8IojkQ4FT7ymvvQXqs5g4y`. 8. Click **Test Connection** to verify that PingOne can establish a connection to the Box resource. ### Result: If there are any issues with the connection, a **Test Connection Failed** modal opens. Click **Next** to resume the setup with an invalid connection. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can't use the connection for provisioning until you've established a valid connection to Box. If the connection fails, click **Cancel** in the **Test Connection Failed** modal, verify that you have entered the configuration details in [step g](#p1_configure_authenication_step) correctly, and try again. | 9. Click **Next**. 10. In the **User Actions** section, select the following as needed: | Field | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Enable users creation** | Creates a user in the target identity store when the user is created in the source identity store. | | **Enable users updation** | Updates user attributes in the target identity store when the user is updated in the source identity store.If **Enable users updation** is selected, you can choose to select **Enable users disable**, which disables a user in the target identity store when the user is disabled in the source identity store. | | **Enable users deprovision** | Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If **Enable users deprovision** is selected, the following options appear:- **Remove Action**: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**. Remove Action is only available if you select Enable users disable. - **Deprovision on rule deletion**: Deprovisions users if the associated provisioning rule is deleted. | 11. Click **Save**. 12. To enable the connection, click the toggle at the top of the details panel to the right (blue). | | | | - | ------------------------------------------------------------------------- | | | You can disable the connection by clicking the toggle to the left (gray). | 2. Create an [inbound](p1_create_provisioning_rule_inbound.html) or [outbound](p1_create_provisioning_rule_outbound.html) rule and select the existing Box connection as the target or source. You can optionally add [attribute mappings](#box-directory-attributes). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For Box inbound rules, enabling the **Sync Only Active Users** configuration in the **Onboarding Settings** panel triggers an immediate full resync. Any users currently in PingOne who were previously provisioned by this specific rule, but don't have an **Active** status, will be deleted from PingOne. | ## Validation Confirm users and groups are successfully provisioned to Box. View the [sync status](p1_view_sync_status.html) to review synchronization results and any errors. You can find examples in [Outbound provisioning sync summary examples](p1_outbound_group_provisioning_sync_summary_examples.html). ## Box directory attributes The following table lists common Box attributes that can be mapped for user provisioning: | Attribute | Description | | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `login` | The user's sign-on email address. Typically mapped to **Username**. | | `name` | The full name of the user. | | `status` | The account status such as active, or inactive. Requires an expression to convert into a Boolean conversion. Directly mapping the PingOne Enabled attribute Boolean to the Box status attribute String causes a schema error. To prevent this, PingOne provides a default, optional attribute mapping that uses a Spring Expression Language (SpEL) expression to convert the values, such as mapping true to active. | | `phone` | The primary telephone number for the user. | | `job_title` | The user's professional title. | | `address` | The user's physical mailing address. | ## Box provisioning known limitations The following limitations apply to Box provisioning: * Currently, user filtering isn't supported for inbound rules. All users from the source Box instance will be provisioned to PingOne. * For inbound provisioning, data updates once a day. The sync occurs daily at the time the initial full-sync completed. Manual syncs don't change this schedule. Changes in the source appear in PingOne after the daily update. * Using both inbound and outbound sync rules for the same application can cause issues, such as duplicate users, because the rules operate independently.