Box SSO with PhenixID Authentication Services
Warning
Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators instead, apply the relevant modifications to the configuration examples in this article.
Summary
This document guides you through the steps to provide Single Sign-On to Box using SAML, with PhenixID Authentication Services acting as the SAML IdP.
System Requirements
- PhenixID Authentication Services 2.0 or higher
- Box.net corporate domain
Instruction
Setup PhenixID Authentication Services as a SAML IdP.
Download the SAML IdP Metadata as a file.
Distribute the SAML IdP Metadata file to Box. This is a manual process. Instructions will be provided by your Box contact.
Download the Box SP metadata file from https://cloud.box.com/shared/3isa8qvvqn
Upload the Box SP metadata to PAS (see SAML SP Metadata Upload).
Configure the authentication method(s) to be used for the Box federation (see Agnostic vs Legacy Authenticators).
Click on the Configuration tab
Click on Pipes
Modify the pipe(s) connected to the authenticators.
Fetch the mail, givenName and sn attributes from the user data source:
{
  "name": "LDAPSearchValve",
  "config": {
    "connection_ref": "MyAD",
    "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
    "scope": "SUB",
    "size_limit": "0",
    "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
    "attributes": "mail,givenName,sn"
  }
}
Copy the mail attribute into a new attribute named primary_email:
{
  "name": "PropertyCopyValve",
  "config": {
    "source": "mail",
    "dest": "primary_email"
  }
}
Configure the SAML assertion (mail is used as the NameID; primary_email, givenName and sn are sent as additional attributes, and the assertion is signed):
{
  "name": "AssertionProvider",
  "config": {
    "targetEntityID": "PhenixID_IdP_BOX",
    "nameIDAttribute": "mail",
    "misc": {
      "excludeSubjectNotBefore": "true",
      "signMessage": "false",
      "signAssertion": "true"
    },
    "sourceID": "box.net",
    "additionalAttributes": "primary_email,givenName,sn"
  }
}
Click “Stage changes” and then “Commit changes”.
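The pipe above only works if every attribute the AssertionProvider puts into the assertion was produced by an earlier valve. As an added example (not part of this article or of the PhenixID product), the Python check below walks the valves in order, tracks which attributes exist on the item, and reports any attribute that PropertyCopyValve or AssertionProvider references but nothing supplied, as well as an assertion that is not signed. The sample pipe is the article's own three valves re-typed as Python literals; the function names and the JSON-array input format are assumptions made for this example.

```python
import json

# The three valves from this article, constructed here as Python literals
# (in PAS they are the valve list of the pipe connected to the authenticator).
BOX_PIPE = [
    {"name": "LDAPSearchValve", "config": {
        "connection_ref": "MyAD",
        "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
        "scope": "SUB", "size_limit": "0",
        "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
        "attributes": "mail,givenName,sn"}},
    {"name": "PropertyCopyValve", "config": {"source": "mail", "dest": "primary_email"}},
    {"name": "AssertionProvider", "config": {
        "targetEntityID": "PhenixID_IdP_BOX", "nameIDAttribute": "mail",
        "misc": {"excludeSubjectNotBefore": "true", "signMessage": "false",
                 "signAssertion": "true"},
        "sourceID": "box.net", "additionalAttributes": "primary_email,givenName,sn"}},
]


def _split(csv):
    """Turn a comma-separated attribute string into a set of names."""
    return {a.strip() for a in csv.split(",") if a.strip()}


def check_pipe(valves):
    """Return a list of problems; an empty list means the pipe is consistent."""
    problems = []
    available = set()  # attributes present on the item as the valves run in order
    for valve in valves:
        name, cfg = valve["name"], valve["config"]
        if name == "LDAPSearchValve":
            available |= _split(cfg.get("attributes", ""))
        elif name == "PropertyCopyValve":
            if cfg["source"] not in available:
                problems.append(f"PropertyCopyValve copies '{cfg['source']}' but no earlier valve fetched it")
            available.add(cfg["dest"])
        elif name == "AssertionProvider":
            wanted = {cfg["nameIDAttribute"]} | _split(cfg.get("additionalAttributes", ""))
            for attr in sorted(wanted - available):
                problems.append(f"AssertionProvider uses '{attr}' but no earlier valve provides it")
            if cfg.get("misc", {}).get("signAssertion") != "true":
                problems.append('AssertionProvider does not sign the assertion (signAssertion != "true")')
    return problems


def check_pipe_json(text):
    """Same check for a pipe exported as a JSON array of valve objects (assumed format)."""
    return check_pipe(json.loads(text))
```

Dropping the PropertyCopyValve, for instance, is reported because primary_email is then listed in additionalAttributes without ever being created.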