Page created: 30 Jun 2021 | Page updated: 14 Dec 2021
Learn how to configure SAML SSO with Box and PingFederate.
The following table details the required and optional attributes to be configured in the assertion attribute contract. The attributes are the ones mapped in the PingFederate steps further down this page.

| Attribute Name | Description | Required / Optional |
| --- | --- | --- |
| SAML_SUBJECT | The user's email address, sent as the Subject NameID in emailAddress format | Required |
| givenName | The user's first name | Optional |
| memberOf | The user's Box roles (groups) | Optional |
| Sn | The user's surname or family name | Optional |
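The following script is an added example and is not part of the original page or of Ping Identity's or Box's own tooling. It parses a SAML 2.0 assertion and checks it against the attribute contract described in the table: a Subject NameID in emailAddress format carrying the SAML_SUBJECT value, plus the optional givenName, Sn and memberOf attributes. The assertion embedded in it is constructed sample input (placeholder issuer, user and group names), and it deliberately does not cover signature validation, which a real deployment performs separately before trusting any attribute.

```python
"""Check a SAML assertion against the Box attribute contract described above.

Added example, not from the page or from Ping Identity / Box. The sample
assertion is constructed for illustration; the contract it is checked against
(SAML_SUBJECT as an email-format NameID, optional givenName, Sn, memberOf) is
the one the page describes. Signature validation is out of scope here.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names are case-sensitive in SAML; "Sn" is what the page uses.
OPTIONAL_ATTRIBUTES = {"givenName", "Sn", "memberOf"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (no Signature element; hypothetical issuer/user).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" IssueInstant="2021-06-30T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Box-Admins</saml:AttributeValue>
      <saml:AttributeValue>Box-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_contract(assertion_xml: str) -> dict:
    """Return the NameID format and value plus every attribute as a list of values."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "nameid_format": None if name_id is None else name_id.get("Format"),
        "nameid": None if name_id is None else (name_id.text or "").strip(),
        "attributes": attrs,
    }


def check_contract(assertion_xml: str) -> list:
    """Return a list of problems; an empty list means the assertion satisfies the contract."""
    problems = []
    c = extract_contract(assertion_xml)
    # SAML_SUBJECT is the one required attribute; it becomes the Subject NameID.
    if not c["nameid"]:
        problems.append("missing NameID (SAML_SUBJECT)")
    elif not EMAIL_RE.match(c["nameid"]):
        problems.append(f"NameID is not an email address: {c['nameid']!r}")
    if c["nameid_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {c['nameid_format']!r}, expected {EMAIL_FORMAT!r}")
    # Optional attributes may be absent. Anything outside the contract is flagged
    # because the SP does not need it and it only widens what is disclosed.
    for name, values in c["attributes"].items():
        if name not in OPTIONAL_ATTRIBUTES:
            problems.append(f"attribute {name!r} is not part of the contract")
        elif not any(v.strip() for v in values):
            problems.append(f"attribute {name!r} is present but empty")
    return problems


if __name__ == "__main__":
    for p in check_contract(SAMPLE_ASSERTION) or ["assertion satisfies the contract"]:
        print(p)
```

Run it against an assertion captured from a PingFederate test run (for example from the browser's SAML tracer, base64-decoded) to confirm the contract before opening the Box support request; the NameID format check catches the most common mismatch, an IdP still sending a persistent or unspecified NameID.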
The following configuration is untested and is provided as an example. Additional steps might be required.
Create a PingFederate SP connection for Box:
- Download the Box metadata from https://cloud.app.box.com/s/9y0zm1sqgvkxe8ha2qa3dfhwoivpoyy4.
- Sign on to the PingFederate administrative console.
- Using the metadata that you downloaded, create an SP connection in
- Configure using Browser SSO profile SAML 2.0.
- Enable the following SAML Profiles:
  - IdP-Initiated SSO
  - SP-Initiated SSO
  - IdP-Initiated SLO
  - SP-Initiated SLO
- In Assertion Creation: Attribute Contract, set the Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- Extend the contract with the following optional attributes: givenName, memberOf, and Sn.
- In the Assertion Creation: Attribute Contract, map the contract attributes to your user store:
  - Map the attribute SAML_SUBJECT to the attribute mail.
  - Map the optional attribute givenName to the attribute for the user's first name.
  - Map the optional attribute memberOf to the attribute for the user's Box roles.
  - Map the optional attribute Sn to the attribute for the user's surname or family name.
- In Protocol Settings:
  - In Assertion Consumer Service URL, delete Artifact and PAOS Bindings.
  - In SLO Service URLs, delete Artifact and SOAP bindings.
  - In Allowable SAML Bindings, enable Redirect and POST.
- Export the metadata for the newly created SP connection.
- Export the signing certificate public key.
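Before attaching the exported SP metadata to the Box support form, it is worth confirming that the Protocol Settings steps above actually took effect. The script below is an added example, not part of the original page or of PingFederate; it parses SAML 2.0 SP metadata and reports every AssertionConsumerService or SingleLogoutService endpoint that still uses a binding the steps say to delete (Artifact and PAOS on the ACS, Artifact and SOAP on SLO). The metadata it ships with is constructed sample input with a placeholder entityID and URLs, written to contain one leftover binding of each kind so the check has something to find; fix any finding in the PingFederate console and re-export rather than editing the file by hand.

```python
"""Report disallowed bindings in exported PingFederate SP metadata.

Added example, not from the page, Ping Identity or Box. The sample metadata is
constructed (placeholder entityID and URLs) and intentionally still contains an
Artifact ACS endpoint and a SOAP SLO endpoint, which the page's Protocol
Settings steps say to delete.
"""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Bindings the page says to remove, per endpoint type.
DISALLOWED = {
    "AssertionConsumerService": {B + "HTTP-Artifact", B + "PAOS"},
    "SingleLogoutService": {B + "HTTP-Artifact", B + "SOAP"},
}

# Constructed sample of what an SP metadata export looks like (hypothetical URLs).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/box">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.com/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.example.com/slo/soap"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.com/acs/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def find_disallowed_bindings(metadata_xml: str) -> list:
    """Return (service, short binding name, Location) for each endpoint that must be removed."""
    root = ET.fromstring(metadata_xml)
    findings = []
    # Walk every SPSSODescriptor (metadata may be an EntitiesDescriptor wrapping several).
    for sp in root.iter("{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor"):
        for service, disallowed in DISALLOWED.items():
            for ep in sp.findall(f"md:{service}", MD_NS):
                binding = ep.get("Binding", "")
                if binding in disallowed:
                    findings.append((service, binding.rsplit(":", 1)[-1], ep.get("Location", "")))
    return findings


def metadata_is_ready(metadata_xml: str) -> bool:
    """True when no disallowed binding remains and the email NameID format is advertised."""
    root = ET.fromstring(metadata_xml)
    formats = [e.text.strip() for e in root.iter("{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat") if e.text]
    return not find_disallowed_bindings(metadata_xml) and "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" in formats


if __name__ == "__main__":
    for service, binding, location in find_disallowed_bindings(SAMPLE_METADATA):
        print(f"remove {binding} binding on {service}: {location}")
    print("ready:", metadata_is_ready(SAMPLE_METADATA))
```

Point `find_disallowed_bindings` at the contents of the exported metadata file; an empty result, together with `metadata_is_ready` returning True, is what you want to see before submitting the form.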
Configure the PingFederate IdP connection for Box:
- Sign on to the Box Admin Console as an administrator.
- Click Enterprise Settings.
- Click the User Settings tab.
- In the Configure Single Sign On (SSO) for All Users section, click
- Click ‘I don’t see my provider, or don’t have a metadata file.’
Complete the Box SSO Setup Support Form:
- Review the request form and the ‘For faster service please read’ section.
- Complete all of the required fields.
- For Who is your Identity Provider, select Other with Metadata.
- For What is the attribute for the user's email?, select SAML_SUBJECT.
- For What is the attribute for groups?, select memberOf.
- For What is the attribute for the user's first name?, select givenName.
- For What is the attribute for the user's last name?, select Sn.
- Attach the metadata that you downloaded from the PingFederate configuration.
- After the Box support team completes the configuration, follow any provided instructions and test the integration.