Additional configuration options

When configuring the Okta integration with Box, you can add additional attributes to the Box profile. These attributes can be used to import and push attributes to users of Box. Other configuration options include pushing groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. created in Okta to Box, managing Box groups with push groups using SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated., and assign group membership as a user attribute.

Add additional attributes to the Box profile

Box supports Schema DiscoveryAbility to import additional attributes to Okta; therefore, you can customize attributes available to the Box application profile. These can be used to import and push attributes to users of Box.

To add additional attributes to the Box profile:

  1. Go to Directory > Profile Editor.
  2. Click FILTERS > Apps and then select the desired Box appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. instance.

  3. Click Profile for the desired Box app.

    The Box attributes are listed in the Profile Editor page. The following are the base Box attributes:

    • userName
    • firstName
    • lastName
    • role
  4. If you require Box attributes that are not part of the base ones, then specify custom Box attributes.

    1. Click Add Attribute.

    2. From the Add Attribute dialog, specify required information and then click Save or Save and Add Another.

With the desired attributes added to Box, you can now import these attributes from Box or push these attributes to Box.

Manage groups with Box

There are three ways to manage your groups when using Box. The method you choose depends on whether you have preexisting groups in Box, whether you want to manage groups in Okta or Box, and whether certain caveats with each method apply to your deployment.



If you choose not to import groups, then group functionality will not be available to you.

The following are the three group-management methods:

  • Group push — Push groups created in Okta are pushed to Box using the Box API. If a group is also assigned to the Box application, then this process also adds Okta members of pushed groups to Box.

  • Push groups using SAML — Use a SAML assertion of groups from Okta, including groups that were created in Okta and groups that were imported.
  • Assigning group membership as a user attribute — Add Okta users to groups that were imported using the Box API.

Before you configure group management in Box, you can integrate Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. (AD) as a source of both groups and users. AD integration requires that you install the AD AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. (see Install and configure the Okta Active Directory (AD) agent).

Manage box groups with group push

You can manage your Box groups by adding groups to your Box app in Okta and then configuring a group push.

When to use this method

Use group push if you want AD or Okta managing groups and group memberships in Box.

Box supports the latest version of group push — enhanced group push. This feature enables you to push groups in Okta to existing groups in Box, even if the Okta groups have the same name as those in Box.

So if you have a Box app that has existing groups configured, and you want either AD or Okta to manage these groups or group memberships, you would migrate the Box groups into Okta. Next, you would link the Okta groups with their counterparts in Box, which results in the Okta groups having mastery over the Box groups. In this scenario, you no longer use Box to manage groups or group membership.

If you do not want to perform this migration, you can push groups using SAML instead (see Use SAML-based push groups to manage Box groups).

Add your groups to Box

To add groups to Box:

  1. From the Administrator Dashboard, select Applications > Applications and then the desired Box app instance.
  2. From the Assignments tab, select Assign > Assign to Groups.

  3. From the Assign Box to Groups dialog, assign the desired groups to Box in order to grant users access to Box.

  4. Click the Push Groups tab.

  5. From the Push Groups drop-down, select Find groups by name or Find groups by rule.

    If you chose to use a rule to locate a group, you have to set up parameters for your rule. Okta will then push any group that matches the rule into Box.

  6. Enter the name of the Okta group you want to push to Box and then click Save.

    Okta creates counterpart groups in Box.

Add preexisting Box groups to Okta

For a Box group, you can import the group into Okta and then link it with an Okta group that has the same name, making the Box group Okta mastered. This enables Okta to handle all the group memberships automatically without you having to manually add and remove people from the group in Box.



In order to import a Box group into Okta, it's not necessary to create a new Okta group having the same name as a Box group and then link the two. However, if you should link an Okta group to a Box group, the Box group is mastered by the new Okta group and takes on the name of the Okta group.

If you want your Box group to retain its name, then making a new, counterpart Okta group with the same name is the better method. If you don't mind if a Box group name changes in the Box app, then link an existing Okta group with a unique name to the desired group in Box.

  1. Create an Okta group with the same name as the target group in Box.

    1. Choose Directory > Groups and then click Add Group.
    2. From the Add Group dialog, specify the group name and description and then click Add Group.
  2. Populate the new Okta group with all the users that should have access to Box and with the users already in the target group in Box.

    1. Click the new Okta group.
    2. Click Manage People.
    3. Select the desired users and then click Save.

  3. Import existing Box groups to Okta.

    1. Go to Applications > Applications and then click the desired Box app instance.
    2. Click the Import tab and then click Import Now.

      Okta imports user groups from Box and provides status in the Import Results page.

  4. There are now two groups in Okta with the same name. One designated with an "O" for Okta and the other with a "B" for Box.

  5. Click the Push Groups tab and then choose Push Groups > Find groups by name.

  6. Enter the name of the new Okta group.

  7. The new Okta group is returned in the search with a Match found status. In this example, "Box Users" is the new Okta group.

  8. Click Save.

    The new Okta group and the counterpart group in Box by the same name are automatically linked, with the Okta group having mastery.

    If the new Okta group has no counterpart in Box, you have one of the following options:

    • Create a group in Box with the same name as the new Okta group.

      Choose No Match found > Create Group and then specify the same name as the new Okta group.

    • Master an existing, imported Box group with the new Okta group.

      1. Choose No Match found > Link Group.
      2. From the Select a group drop-down, select the desired Box group that you imported into Okta.

        Because the name of the existing Box group does not match that of the new Okta group, a warning message displays.

      3. Click Save.

        Okta renames the group in Box to match that of the new Okta group. In this example, the "Box Senior Users" group is renamed to "Box Classic".

The new Okta group now has mastery over the preexisting Box group. Any changes to the new Okta group are pushed down to the counterpart group in Box.

Use SAML-based push groups to manage Box groups

You can manage your Box groups by configuring push groups using SAML.

When to use this method

Use this method when you have preexisting groups in Box and want to do the following:

  • Add users to your preexisting groups.
  • Create new groups in Box.
  • Manage group membership in Box.

Configure push groups using SAML

  1. From the Administrator Dashboard, select Applications > Applications and then the Box app.
  2. Select the Sign On tab and then click Edit.
  3. Configure SAML 2.0 for

    1. Ensure SAML 2.0 is selected and leave the Default Relay State field blank.
    2. Click View Setup Instructions and perform the customized procedure that opens.
  4. To configure push groups using SAML to remove group memberships from Box, see SAML assertions to remove users from groups in Box.

With push groups configured to use SAML, group memberships in Okta are updated in Box whenever an Okta user signs into Box using SAML. Box assigns new users to the appropriate groups or, when the group does not already exist, it creates a new group and assigns the user to it.

Assign group membership as a user attribute

You can assign group membership as a user attribute when you have preexisting groups in Box and you want to be able to add users to these groups.

Important Note


This method does not support the ability to create new groups in Box and is not recommended for most scenarios.

To assign group membership as a user attribute:

  1. Ensure provisioning is configured and enabled.

    See Enable Okta Provisioning.

  2. Import groups from Box.

    See Add preexisting Box groups to Okta.

  3. From the Edit User Assignment dialog, make the desired selections from the Group check boxes and then click Save.

    Group is a base attribute of Box.

    See Add preexisting Box groups to Okta.

  4. Click Save.

Add Okta users to box groups

With Box provisioning configured, Okta can import preexisting group information from Box. When you assign the Box app to an Okta user, you must select which preexisting groups you want provisioned to the Okta user in Box.