Configure Box

The configuration of the Okta integration with Box can optionally include setting up SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones., configuring personal Box folders, and configuring Box offboarding.

SAML 2.0 and Box

Box supports SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0 for federated single sign-on (SSO). Box SAML supports both service provider (SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.) initiated and identity provider (IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.) initiated SAML negotiations, such as initiated by Okta.

For SP-initiated SAML, a user clicks a deep link that is tied to their tenant. The link does not enable Box to determine to which IDP the user belongs. Box displays a sign-in page and if SAML is enabled, the user is only required to enter a username.

For IDP-initiated SAML, an assertion is sent from Okta when a user tries to access Box by clicking the appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. icon on the Okta home page.

Enable SSO

Security Assertion Markup Language (SAML) is a standard for logging into applications. This single sign-on (SSO) login standard is more secure and convenient than using a username and password.

To enable SSO for Box:

  1. From Okta, choose Applications > Applications, select, and then click the Sign On tab.
  2. Select SAML 2.0 and then click View Setup Instructions.

Enable Okta Provisioning

To enable Okta ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. for Box:

  1. From Okta, choose Applications > Applications > Active and then select Box.

  2. Click the Provisioning tab and then Configure API Integration.

  3. Select the Enable API Integration check box and then click Authenticate with Box.

    The API integration between Okta and Box utilizes Oauth. This integration makes use of the Box adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. credentials in order to perform actions on behalf of Okta.

  4. From the Box window, enter your Box admin credentials and then click Authorize.

  5. Click Grant access to Box to complete the authorization process.

  6. From the Provisioning tab, click Save.

  7. Select To App in the Settings panel and then click Edit.

  8. Enable desired provisioning features and then click Save.

    To learn more about the Create Users option, see Configure personal Box folders.

    To learn more about the Deactivate Users option, see Configure Box offboarding.

Configure personal Box folders

When you provision new-user accounts in Box, Okta enables you to automatically create a personal shared folder for your users.

To configure personal Box folders:

  1. From the Provisioning tab, ensure that Create Users is enabled.

  2. Select the Create personal Box folder when new user account is provisioned check box.

  3. From the Owner of the Box Personal Folder drop-down, choose the desired owner.

    • Admin as Owner (default) — For this option, the owner of the Box personal folder is the Box admin who authenticated Okta to the Box API. This admin is assigned to the newly provisioned user account having a permission level either as editor or co-owner. For this option, you also need to specify in the Full path to parent folder where you want the folder to be created in your Box tenant (example: All Files/Parent Folder).

    • User as Owner — For this option, the owner of the folder is the user provisioned to Box. You do not to need to specify a folder path as the folder is created in the user's root directory. This option prevents the Box admin from being the owner of a large number of folders, thus preventing any errors caused by the admin being the owner of too many folders.

  4. Specify the personal folder name format.

    Both the Admin as Owner and the User as Owner folder-creation methods enable you to create a personal folder with a name based on the personal folder name format setting. By default, this setting is set to use the Okta Username Prefix, but you can create custom expressions with the help of the Okta Expression Language.

    1. From the Personal folder name format drop-down, select Custom and then click custom expression.

    2. From the Custom Field Mapping Expressions dialog, specify the desired personal folder name format.

Configure Box offboarding

Okta deactivates a user's Box account when the user is deactivated in Okta. In Box, you can delete an account. To do this, sign into Box as an administrator which allows content associated with the user to be transferred to another user. Okta does not delete the user. Okta sets the user to an inactive state, allowing administrators to clean things up before deciding on whether a deletion is necessary. When you set users to a deactivated state, they cannot access their Box accounts.

To configure Box offboarding:

  1. From the Provisioning tab, ensure that Deactivate Users is enabled.

  2. From the Box user status on deactivation drop-down, select Deleted.

  3. From the File management upon user deletion drop-down, choose the desired option.

    • Transfer user’s files to account user — For a deleted user, this file-management option transfers the user files to an account user. Next, you need to enter a valid, active Box account in the Box email address of service account user field to which the user files will be transferred when they are deactivated.

    • Do not delete users with files, create manual de-provisioning task — If this option is selected, users marked for deactivation will only be deleted from Box if they have no files stored in their Box account. Users marked for deactivation that do have files stored in their Box accounts will instead be left active and in tact, and an Okta dashboard task will be generated (Dashboard > Tasks) to alert the Okta administrator that manual action is needed to de-provision the user.

    • Delete all files - are you sure? — When a user account is deactivated, this file-management option permanently deletes the user account, including all the account files.