Configure SAML group push for Box

Use SAML group push when you want to add users to existing Box groups, create new groups in Box, or manage group membership in Box.

If a user is a member of only one group in Okta or Active Directory (AD) and they are removed from the group, the group membership removal does not occur in Box.

If a user is not assigned to any Okta or AD groups, the <groups> element is omitted from the Okta SAML assertion. Without a <groups> element to inspect, Box does nothing to its groups and the user's last group membership remains until you manually remove it.

1. If you have an existing Box instance you want to configure, go to step 2. To configure SAML group push for a new Box app:

   1. In the Admin Console, go to ApplicationsApplications.

   2. Click Add Application.
   3. Enter Box in the search field.
   4. Select Box and click Add.
   5. Complete the fields on the General Settings page and click Next.
   6. In the Sign On Methods section of the Sign-On Options page, select SAML 2.0.
   7. Leave the Default Relay State field blank, click View Setup Instructions and follow the instructions.
   8. Click Done.
2. To configure SAML group push for an existing Box app:

   1. In the Admin Console, go to ApplicationsApplications.

   2. Select Box in the list of applications.
   3. Click the Sign On tab and click Edit.
   4. In the Sign On Methods section of the Sign-On Options page, select SAML 2.0.
   5. Leave the Default Relay State field blank, click View Setup Instructions and follow the instructions.
   6. Click Done.
3. Optional. To remove group memberships from Box:
   1. Open your Box instance and go to Admin ConsoleEnterprise Settings.
   2. Click the Users Settings tab.
   3. Clear the Remove user from groups upon SSO user login check box.
   4. Click Save.