To configure a connection for outbound provisioning to Box, follow the instructions in this section.
Outbound provisioning details are managed within an SP connection. You can configure outbound provisioning with or without Browser SSO, WS-Trust STS, or both when you create a new SP connection. You can also add outbound provisioning to an existing SP connection.
-
On the Connection Template screen, select the Use
a template for this connection option and choose Box
Connector from the Connection Template
drop-down list. You will be asked to provide the boxmetadata.xml
file you obtained earlier in Download Box SAML 2.0 metadata file.
Tip: If this selection is not available, verify the connector installation and restart PingFederate. -
On the General Info screen, the default values are taken
from the metadata file you selected in step 2. We recommend using the metadata
default values.
-
On the Target screen, enter the values for each field as
required by the Box Connector.
Field Name Description Client ID The client ID for the application created in Box.
For more information on obtaining a client ID, see Obtain client ID and secret from Box.
Client Secret The client secret generated during application creation for Box.
For more information on obtaining a client secret, see Obtain client ID and secret from Box.
OAuth Access Token The OAuth access token generated by the OAuth Configuration Service.
For more information on obtaining authorized OAuth tokens, see Generate OAuth access and refresh tokens.
OAuth Refresh Token The OAuth refresh token generated by the OAuth Configuration Service. For more information on obtaining authorized OAuth tokens, see Generate OAuth access and refresh tokens.
Token Management Datastore Select where tokens will be stored:
Flatfile (default) – Tokens will be stored in a flatfile namedboxoauthtoken.conflocated at<pf_install>/server/default/data/adapter-config.Note: The flatfile option is only available when running in Standalone mode, since the flatfile cannot be accessed by multiple nodes. The flatfile option cannot be used in a clustered environment even if only one node is used for provisioning.Database – Tokens can also be stored in a database. If you have set up databases in PingFederate, they will appear in the dropdown as options. If you have a multi-node PingFederate configuration for clustered or failover use cases, tokens must be stored in a database.
The
saas_connection_fieldstable must be first created in the database using the appropriate supplied script. The same database used for PingFederate provisioning can be used to create thesaas_connection_fieldstable. This must be completed before configuring the Box Connector. During configuration, choose the database that contains thesaas_connection_fieldstable.Group Provenance (Optional) Optional and for group provisioning only. This allows you to keep track of which external source this group is coming from (for example, "Active Directory", "Google Groups", "Facebook Groups"). This field should be a human-readable identifier up to 255 characters long. Setting this will also prevent Box users from editing this group directly through Box. This is desirable for one-way syncing of groups. Group Name Source Possible values:
- Group Common Name (default) – When selected, groups will be provisioned in Box with the name equal to the common name of the group in Active Directory.
- Group Distinguished Name – When selected, groups will be provisioned in Box with the name equal to the distinguished name of the group in Active Directory.
Provisioning Options User Create True (default) – Users will be created in Box.
False – Users will not be created in Box.
Note: The provisioner.log will display a warning within the create user workflow that the user was not created in Box.User Update True (default) – Users will be updated in Box.
False – Users will not be updated in Box.Note: The provisioner.log will display a warning within the update user workflow that the user was not updated in Box.User Disable/Delete True (default) – Users will be disabled or deleted in Box .
Note: A disabled user can only be re-enabled if User Update is true.False – Users will not be disabled or deleted in Box.
Note: The provisioner.log will display a warning indicating that the user was not disabled or deleted in Box.Provision Disabled Users This option is only relevant if User Create is true.
True (default) – If a disabled user in the user store is targeted for provisioning, it will be created in a disabled state in Box.
False – Box users will not be created in a disabled state. This is desirable for scenarios where there are disabled users in the data store, not intended for creation in Box during initial synchronization.
Note: The provisioner.log will display a warning within the create user workflow indicating that the user was not created in BoxPersonal Folders Create Personal Folders False (default) – Personal folders will not be created.
True – On the creation of a new user, a personal Box folder will be created for the user. The new folder will be created in a parent folder you must specify on this page (see Parent Folder ID), and its name will be the value of the user’s Personal Folder Name attribute. See Attribute index for details.
Note: If an issue occurs during the creation of the personal folder, the server.log will display a warning indicating that the user’s personal folder was not created in Box. If you have applied Additional logging changes, this will be shown in the provisioner.log.Parent Folder ID This option is required if Create Personal Folders is true.
The ID of the parent folder in which new personal folders will be created. The administrator account used when obtaining the client ID and client secret must be the owner of this folder.
You can easily find the ID of a folder by navigating to the desired parent folder in the Box web portal and copying the string of numbers at the end of the url. For example, the ID of the folder located at:- https://myconnector.app.box.com/folder/12345678910
12345678910.Personal Folder Permission Levels This option is only relevant if Create Personal Folders is true.
Admin as Owner - User as Co-Owner (default) – When a new personal folder is created, the admin will be the owner of the folder, and the user will be a co-owner.
Admin as Owner - User as Editor – When a new personal folder is created, the admin will be the owner of the folder, and the user will be an editor.
User as Owner – When a new personal folder is created, the user will be the owner, and the admin will have no permissions on or visibility into that folder.
Deprovisioning Remove User Action Select a deprovision method (Suspend or Delete). Deprovisioning is triggered when previously provisioned users no longer meet the condition set in the Source Location screen, or when a user has been suspended or deleted from the data store. This option is only applicable if User Disable/Delete is set to true.
Suspend (default) – when selected, if you delete a user from Active Directory, the user will be suspended in Box (also known as a soft delete).
Delete – when selected, if you delete a user from Active Directory, the user will be deleted in Box (also known as a hard delete).
Box Account Email For Transferring Deleted User’s Content Optional and only relevant when User Disable/Delete is true and Remove User Action is Delete.
The email associated with a valid and active Box account. When this is specified, if a user is deleted, their content (for example, files) would be transferred to the specified Box account instead of being deleted with the user.
Force Delete Managed Content This option is only relevant if User Disable/Delete is true, Remove User Action is Delete, and the Box Account Email For Transferring Deleted User’s Content is valid.
False - Users with managed content will not be deleted (default) – Attempts to delete users who own files will fail unless the files can be transferred to another account. If a value has been provided for Box Account Email For Transferring Deleted User’s Content field then the user will be deleted after the data is transferred. The provisioner.log will show an error and retry on the next provisioning cycle.
True - CAUTION: Users and their managed content will be deleted – Attempts to delete users will proceed regardless of whether they own files. Any content owned by the user, including folders and files, will be permanently deleted from Box. If a value has been provided for the Box Account Email For Transferring Deleted User’s Content field, then the transfer of files will be attempted prior to the user and content being deleted. Only select this option if revoking user access to content is of a higher priority than preserving the content.
Important:Once PingFederate is restarted, these and subsequent authorized OAuth tokens are stored in either the flatfile or the database, depending on the Token Management Datastore choice.
If these values in your SP connection require updating at any time in the future, follow the steps in Updating Box OAuth tokens.