Box

Box offers both IdP-initiated SAML SSO (for SSO access through the user portal or Idaptive mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Box web application). You can configure Box for either or both types of SSO.

Plan ahead so that Box has time to receive and process your support request. This process may take a few days.

Box requirements for SSO

Before you configure the Box web application for SSO, you need the following:

  • Your own domain registered and verified with Box.
  • A signed certificate. You can either download one from the Admin Portal or use your organization’s trusted certificate.

Configuring Box for SSO

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Idaptive Admin Portal, see Optional configuration settings.

Configuring this app in the Admin Portal for SSO requires contact with a representative from the service provider. The time it takes to configure this application varies depending on the service provider's response time.

To add and configure the Box application in the Admin Portal

  1. (Optional) Change the issuer field if you are using multiple Box deployments.

    The Idaptive Identity Service generates this field automatically for you. In most cases, leave this field as is. The only reason to change this URL is if you are using multiple Box deployments and you need each deployment to have a different Issuer.

    If you plan on deploying this application for use in a Samsung KNOX container, in order for users to launch the application using SSO, you must edit the application name to be “Box.” This way, the SSO Service inside the Samsung KNOX container recognizes the application.

  2. Click Download Identity Provider SAML Metadata and save the file to your computer.

    If you are using your own certificate, you must upload it before downloading the SAML metadata.

  3. Open a support request with Box and ask them to upload the Identity Provider SAML Metadata file that you downloaded from Admin Portal.
  4. Enable the Box DNS domain for Cross-Origin Resource Sharing (CORS) to ensure SSO works for native applications.

    For example, from the Admin Portal navigate to Settings > Authentication > Security Settings and add sso.services.box.net to the list of trusted DNS domains.

    For more information, refer to How to set authentication security options.

Box provisioning

The Admin Portal provisions users for Box by mapping an Admin Portal role (and all the users in it) to new or existing accounts in Box with the Box roles and groups that you specify.

When you change any role mappings, the Idaptive Identity Service automatically synchronizes any user account or role mapping changes. If the user accounts in the Idaptive Identity Service and the target application match for the fields that make a Box user unique, then the Idaptive Identity Service handles the user account updates according to the role mappings. In many applications, the user’s email address or Active Directory userPrincipalName is the primary field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the application’s provisioning script to see the fields that the Idaptive Identity Service uses to match user accounts.

Before configuring the Box application for provisioning, you must install, configure, and deploy the app.

To configure Box in the Admin Portal for automatic provisioning

  1. Specify how the Idaptive Identity Service handles a user who, as far as it can determine, already has an account in the target application.

    The Idaptive Identity Service determines there is a duplicate account if the user accounts in the Identity Service and the target application match for the fields that make a user unique. In many applications, the user’s email address or Active Directory userPrincipalName is the primary field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the application’s provisioning script to see the fields that the Idaptive Identity Service uses to match user accounts.

    • Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from the Idaptive Identity Services).
    • Do not sync (no overwrite): Keeps the target user account as it is; Idaptive Identity Services skips and does not update duplicate user accounts in the target application.
    • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
    • Sync groups from local directory to target application (this option overrides any destination group selection in Role Mappings): Provisions groups that have an email address, together with their members, from the local directory to the target application.

      Groups can be filtered in the provisioning script using the reject function. If you enable this option, any destination group specified under role mapping is ignored.

    • Deprovision (deactivate or delete) users in this application when they are disabled in the source directory: Deprovisions users in the target application according to your specified options (disable or delete).
  2. Configure the behavior for deprovisioning users.

    These options are only applicable if you are deprovisioning users based on either a role change or disabling the users in the source directory.

    • Disable user: disables the user in Box if the user is disabled in the source directory or if the user's role membership changes.

    • Delete user: deletes the user in Box if the user is disabled in the source directory or if the user's role membership changes.

      If you choose to delete deprovisioned Box users, you need to decide what to do with the user's files:

      • Delete Files: Permanently removes all files owned by the Box user.
      • Transfer files to a Box admin account: Transfers all files owned by the Box user to the specified Box admin or co-admin account.

        If the specified admin or co-admin account is not found when the deprovisioning job runs, the user will be disabled instead of deleted.

        If the deprovisioned user owns a large number of files, the request to move the files might time out. If the request times out, Idaptive leaves the user untouched and you will have to delete the user from Box manually.

      Check the sync report in the job history to see the results of the deprovisioning; see Reviewing the job history.

  3. Select whether you want to assign destination groups mapped to each role the user is a member of, or if you want to assign a single destination group based on role mapping order.

    For example:

    • Destination groups based on order: If a user is a member of two roles mapped to separate destination groups, the user is assigned the destination group or groups mapped to the role that is higher in the role mapping list.
    • Destination groups for all mapped roles: If a user is a member of two roles mapped to separate destination groups, the user is assigned to both destination groups.

      If you selected Sync groups from local directory to target application to provision Active Directory groups, destination group settings are ignored. Refer to Provisioning Active Directory Groups for Box for more information.

  4. In the Role Mappings section, click Add to add role mappings and specify which users get provisioned to this application.

    The Role Mapping dialog box opens.

  5. To map user accounts in Admin Portal to Box user accounts, select an Admin Portal role and a Destination Role (Box).

    For the Destination Role in Box, select either user or co-admin. The co-admin role has a limited set of administrative privileges.

    For best results, assign roles where users are only in one role.

  6. Continue adding role mappings, as desired.

    • To change a mapping, select the role mapping and click Modify.
    • To remove a mapping, select the role mapping and click Delete.
    • To change the order of the role mappings, select the role mapping that you want to move higher in the list and click Move Up.

    Provisioning assigns users access and assignments based on the top-most role mapping. The order in which the roles display in the Role Mappings section matters. The role at the top of the list has priority when provisioning users. For instance, if a user is in multiple roles that you’ve mapped for provisioning, the Idaptive Identity Service provisions the user based on the role nearer the top of the list.

    For best results, assign roles where users are only in one role. If users are in multiple roles, rearrange the order of role mappings as desired.

    For more details, see Setting up app-specific provisioning.

    The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code.

  7. When you’re done, click Save to save the provisioning details.

    Any time that you make changes to the provisioning role mapping, the Idaptive Identity Service automatically synchronizes the changes.
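The steps above describe several decisions the sync job makes for each user: whether an existing Box account is treated as a duplicate (matched on the email/userPrincipalName), whether a duplicate is overwritten or skipped, which role mapping wins when a user is in several roles, whether destination groups come from the top-most mapping or from all mapped roles, and how a deprovisioned user is handled when the file-transfer admin account is missing. The following is an added example that models those rules in plain JavaScript so the precedence is easy to trace. It is not Idaptive's provisioning script or API: the function names (provisionUser, runSync, destinationGroupsFor), the option names and the record shapes are assumptions for illustration, and all user, account and mapping data is constructed.

```javascript
// Added example: a model of the provisioning decisions described in the steps
// above. Not Idaptive's provisioning script or API; function names, option
// names and record shapes are assumptions chosen for illustration.

// Constructed Idaptive-side users; the userPrincipalName doubles as the email.
const SOURCE_USERS = [
  { upn: "alice@example.com", displayName: "Alice Liddell", phone: "555-0100",
    roles: ["BoxAdmins", "BoxUsers"], enabled: true },
  { upn: "bob@example.com", displayName: "Bob Stone", phone: null,
    roles: ["BoxUsers"], enabled: true },
  { upn: "carol@example.com", displayName: "Carol Danvers", phone: "555-0102",
    roles: ["BoxUsers"], enabled: false },
  { upn: "dave@example.com", displayName: "Dave Ng", phone: null,
    roles: ["Finance"], enabled: true },
];

// Constructed accounts that already exist in Box (login compared case-insensitively).
const TARGET_ACCOUNTS = [
  { login: "Alice@Example.com", name: "A. Liddell", phone: "555-9999" },
  { login: "carol@example.com", name: "Carol Danvers", phone: "555-0102" },
];

// Role mappings in list order: the mapping nearer the top has priority.
const ROLE_MAPPINGS = [
  { role: "BoxAdmins", destinationRole: "co-admin", destinationGroups: ["Admins"] },
  { role: "BoxUsers", destinationRole: "user", destinationGroups: ["Staff"] },
];

// Duplicate detection: same user when the unique field (email/UPN) matches.
function findExistingAccount(user, accounts) {
  const key = user.upn.toLowerCase();
  return accounts.find((a) => a.login.toLowerCase() === key) || null;
}

// Mappings whose role the user belongs to, preserving list order.
function matchingMappings(user, mappings) {
  return mappings.filter((m) => user.roles.includes(m.role));
}

// Destination groups: ignored entirely when AD groups are synced; otherwise
// the union over all mapped roles, or only the top-most mapping's groups.
function destinationGroupsFor(matched, options) {
  if (options.syncGroupsFromDirectory) return [];
  if (options.groupsForAllMappedRoles) {
    return [...new Set(matched.flatMap((m) => m.destinationGroups))];
  }
  return matched.length ? matched[0].destinationGroups : [];
}

// Decide what the sync job would do for one user.
function provisionUser(user, accounts, mappings, options) {
  const matched = matchingMappings(user, mappings);
  if (matched.length === 0) return { upn: user.upn, action: "out-of-scope" };

  const existing = findExistingAccount(user, accounts);
  const role = matched[0].destinationRole; // top-most mapping wins
  const groups = destinationGroupsFor(matched, options);

  // Deprovisioning: only when the source account is disabled and the option is on.
  if (!user.enabled) {
    if (!options.deprovisionOnDisable || !existing) return { upn: user.upn, action: "none" };
    if (options.deprovisionMode === "delete") {
      // A missing transfer account falls back to disabling instead of deleting.
      if (options.transferFilesTo && !options.adminAccounts.includes(options.transferFilesTo)) {
        return { upn: user.upn, action: "disable", reason: "transfer account not found" };
      }
      return { upn: user.upn, action: "delete",
               files: options.transferFilesTo ? `transfer to ${options.transferFilesTo}` : "delete" };
    }
    return { upn: user.upn, action: "disable" };
  }

  const attributes = { name: user.displayName, phone: user.phone };
  if (!existing) return { upn: user.upn, action: "create", role, groups, attributes };
  if (options.duplicateMode === "no-overwrite") return { upn: user.upn, action: "skip", role, groups };

  // Sync (overwrite): source values win; a null source attribute clears the Box value.
  return { upn: user.upn, action: "update", role, groups, attributes };
}

function runSync(users, accounts, mappings, options) {
  return users.map((u) => provisionUser(u, accounts, mappings, options));
}

const OPTIONS = {
  duplicateMode: "overwrite",      // or "no-overwrite"
  deprovisionOnDisable: true,
  deprovisionMode: "delete",       // or "disable"
  transferFilesTo: "boxadmin@example.com",
  adminAccounts: ["boxadmin@example.com"],
  groupsForAllMappedRoles: false,  // false = destination groups based on order
  syncGroupsFromDirectory: false,
};

for (const result of runSync(SOURCE_USERS, TARGET_ACCOUNTS, ROLE_MAPPINGS, OPTIONS)) {
  console.log(JSON.stringify(result));
}
```

Changing OPTIONS shows the trade-offs the page describes: with groupsForAllMappedRoles set, Alice lands in both Admins and Staff; with syncGroupsFromDirectory set, destination groups drop out entirely; with no-overwrite, her existing Box attributes survive untouched.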

Provisioning Active Directory Groups for Box

If you already organized your users into AD groups, it might be more efficient to provision AD groups to Box rather than creating the groups individually in the application. Provisioning an AD group and its members to Box consists of the following steps, which can be performed in any order.

  • Provision AD groups to Box using the Sync groups from local directory to target application option. If there are any AD groups you wish to exclude from provisioning, you can do so with the Provisioning Script. Any members of the group that have not already been provisioned through role mapping are listed in the dirsync report.
  • Provision members of the AD group to Box using Role Mapping. Refer to Box for more information.
  • If you have Sync groups from local directory to target application enabled, the Destination Group setting in Role Mappings is ignored and the users are provisioned into the synced AD groups.

Note the following about provisioning AD groups for Box:

  • An email address is required for the AD group.
  • Provisioning nested groups is not supported.
  • If an AD group has the same name as an existing Box group, the Idaptive Identity Service matches the existing group by name during provisioning and updates it with the AD group’s attributes.
  • If you use the option to provision AD groups to Box, the Idaptive Identity Services ignores the Destination Group setting in Role Mappings. Provisioning AD groups and provisioning users to existing Box groups using role mapping are mutually exclusive.
  • You cannot deprovision the groups by disabling or deleting them in Active Directory.

If you want to provision AD groups to Box, you need to deploy a new Box application in Admin Portal; the feature is not backwards compatible with previously deployed applications.

Creating personal home folders with the Provisioning Script Editor

The Box provisioning script includes a sample script to create personal home directories for your users. You can set the following attributes.

  • directory name
  • parent directory
  • directory permissions
  • whether the folders are synced to Box clients