Configure Box for UserLock Single-Sign On
Procedure
Enable Box in UserLock SSO
In the UserLock console, Navigate to Single Sign-On → Configuration.
- Select Add configuration, then select Box as the provider to be configured.
- When prompted with the Email Domain, enter the domain of the email you want to be used to allow users to log into.
NOTE: The SSO service needs to be restarted in order to use this profile
Submit a configuration request to Box
- Download the SAML metadata file available at: https:// <SSO.domain.com> /metadata
- To submit this request, follow the procedures listed in the link below : https://support.box.com/hc/en-us/articles/360043696514-Setting-Up-Single-Sign-On-SSO-for-Your-Enterprise
Configure Box for Single Sign-On
Once Box has set Single Sign-On for your account:
- Connect to Box using an Administrator account
-
Navigate to Admin Console → Enterprise Settings → User Settings
-
Under User Settings locate Configure Single Sign On (SSO) then select SSO Test Mode
- Once completed and SSO is ready and running, disconnect the session and try to connect via Single Sign-On. NOTE: It is still possible to be able to connect with your regular credentials as long as SSO Test mode is active.
<Important!> If SSO is unavailable
Since Box doesn't provide any backdoor/bypass to Single Sign-On, Two options are proposed to recover access during SSO downtime :
- Contact support requesting to temporarily redefine your SSO configuration in "Test mode", in order to gain access to the credential login.
- Ensure a second SSO provider is used as a backup
Known Issues
When logging into Box, you could be presented with the following situation:
This scenario often occurs when SSO provides the wrong email address to Box; for example, If users have multiple email addresses corresponding to the same email domain. ex : testuser@mydomain.com and myuser@mydomain.com
By default, SSO will provide the first email address listed by alphabetical order.
As a workaround, you can either change the Box user account email address to the one that SSO is trying to use, or remove the email from the user if it is not used by another application.