Box

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for Box.

About Box

Box (formerly Box.net) is an online file sharing and content management service for businesses. It uses a freemium business model to provide cloud storage and file hosting for personal accounts and businesses.

After integrating Box with Oracle Identity Cloud Service:

  • Users can access Box using their Oracle Identity Cloud Service login credentials.
  • Users can launch Box using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the Box app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A Box account with authorization rights to configure federated authentication and user provisioning.
  • Identity Provider metadata. Download the metadata from https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata and save it in a text file. You upload this file when you create the support ticket with Box in the "Configuring SSO for Box" section.

Configuring SSO for Box

The SSO configuration for Box is done by the Box support team. To request SSO federation with Box, you must create a support ticket using the following steps.

  1. Log in to your Box account using the URL: https://accounts.box.com/login. The Box sign-in page appears.

  2. In the upper-right corner of the All Files page, click the user name icon, and then select Help from the drop-down list. The Box Community page appears.

  3. In the header, select the Support tab, and then locate and click Submit a case. The Submit a Case page appears.

  4. Select SSO Set-up Only (Use the Product Question/Issue Option for All Other Needs) from the Select Area drop-down list. The Submit a SSO Case page appears.

  5. Use the table to update the attributes, and then click Submit.

    Attribute | Value
    Subject | Enter a subject. For example: <yourcompanyname> SAML integration.
    Do you have a Box Consulting package? | Select an option from the drop-down list according to your package.
    Company Box Subdomain | Enter your company subdomain name. This is the company subdomain name used while initiating SSO from the service provider in the "Verifying Service Provider Initiated SSO from Box" section.
    Who is your Identity Provider? | Select Other with Metadata from the drop-down list.
    Metadata | Upload the identity provider metadata that you obtained earlier in the "What Do You Need?" section.
    SAML Attribute: User's email | Enter email.
    SAML Attribute: User's first name (optional) | Enter firstname.
    SAML Attribute: User's last name (optional) | Enter lastname.

    Note: Wait for the Box Support team to complete the configuration. The SSO connection may take up to three weeks if you do not have an active consulting package. For more information about active consulting packages, visit https://www.box.com/resources/services-and-support.

Obtaining Service Provider Signing Certificate in .pem Format

Use this section to obtain the service provider certificate from the service provider metadata.

  1. Access the service provider metadata using the URL: https://cloud.app.box.com/s/3isa8qvvqn.

  2. In the metadata file, locate the ds:X509Certificate tag.

  3. Copy the content between the ds:X509Certificate tags into a text file.

Image img1.png shows the metadata content with the opening and closing ds:X509Certificate tags highlighted.

  4. Add -----BEGIN CERTIFICATE----- at the beginning of the content.

  5. Add -----END CERTIFICATE----- at the end of the content.

  6. Save the text file in .pem format. This is the service provider signing certificate.

    Note: Use this service provider certificate later while registering and activating the Box app in Oracle Identity Cloud Service. See the "Registering and Activating the Box App" section.
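Steps 2 through 6 above as an added script (not Oracle's or Box's code): it pulls the ds:X509Certificate body out of SAML service provider metadata, strips the line breaks and indentation that a copy-paste carries along, checks that the result decodes as DER, and writes the PEM file. The metadata embedded here is a constructed stand-in whose certificate element holds a five-byte DER sequence rather than a real certificate; for real use, point metadata_to_pem_file at the metadata downloaded from the URL in step 1.

```python
"""Extract the SP signing certificate from SAML metadata and save it as PEM."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, not Box's real metadata: the certificate element holds a
# tiny DER SEQUENCE { INTEGER 1 } so the script runs offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="example-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SAMPLE_DER).decode("ascii")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_cert_b64(metadata_xml: str) -> str:
    """Return the base64 body of the signing certificate with all whitespace removed.

    Prefers a KeyDescriptor marked use="signing"; falls back to the first
    ds:X509Certificate when the metadata does not set the use attribute.
    """
    root = ET.fromstring(metadata_xml)
    signing = ".//md:KeyDescriptor[@use='signing']//ds:X509Certificate"
    nodes = root.findall(signing, NS) or root.findall(".//ds:X509Certificate", NS)
    if not nodes:
        raise ValueError("no ds:X509Certificate element found in metadata")
    return "".join((nodes[0].text or "").split())


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body in PEM armor with 64-character lines (RFC 7468)."""
    der = base64.b64decode(cert_b64, validate=True)  # rejects a corrupted paste
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE; wrong element copied?")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def metadata_to_pem_file(metadata_xml: str, path: str) -> str:
    """Write the signing certificate from metadata_xml to path and return the PEM text."""
    pem = to_pem(extract_signing_cert_b64(metadata_xml))
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    print(metadata_to_pem_file(SAMPLE_METADATA, "box_sp_signing.pem"), end="")
```

With a real certificate, `openssl x509 -in box_sp_signing.pem -noout -subject -enddate` confirms the file parses and shows the validity window to watch for rotation.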

Configuring Box in Oracle Identity Cloud Service

Use this section to register and activate Box, and to enable provisioning and synchronization for Box.

Registering and Activating the Box App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for Box, click Add and then click Next.

  4. In the SSO Configuration tab, under the General section, upload the service provider Signing Certificate that you obtained in the "Obtaining Service Provider Signing Certificate in .pem Format" section.

  5. Click Next. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for Box

Use this section to enable provisioning and synchronization for managing user accounts in Box through Oracle Identity Cloud Service.

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Under the Configure Connectivity section, click Authorize with Box. The Log in to grant access to Box window appears.

  3. Enter the Box admin credentials and click Authorize.

  4. Click Grant access to Box to configure the connectivity between the Box account and Oracle Identity Cloud Service. You are redirected to the Oracle Identity Cloud Service Provisioning page. A success message is displayed stating that the authorization is completed successfully.

  5. Click the Actions drop-down list and select Test to verify the connectivity. A success message is displayed stating that the connection is successful.

  6. To view predefined attribute mappings between the user account fields defined in Box and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and Box Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the Box Account column.

  7. Specify the provisioning operations that you want to enable for Box:

    Note: By default, the Create Account, Update Account, De-activate Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates a Box account when Box access is granted to the corresponding user in Oracle Identity Cloud Service.

    When the user account is created, the user receives an invitation through an email to verify the account. After the account is verified, the user is permitted to log in to Box.

    Update Account: Automatically updates a Box account when the corresponding user account is edited in Oracle Identity Cloud Service.

    De-activate Account: Automatically deactivates or activates a Box account when the Box access is deactivated or activated for the corresponding user in Oracle Identity Cloud Service.

    Delete Account: Automatically removes an account from Box when Box access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from Box with an existing record in Oracle Identity Cloud Service:

    Note: By default, the Primary Email Address option is selected from the drop-down list. It is recommended to leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  3. To match a Box account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option is selected that represents the login attribute of the Box account. It is recommended not to change this default option.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier.

    Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier. You need to manually confirm the linked accounts.

  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be revoked during the synchronization run.

    After enabling provisioning and synchronization for Box, you can synchronize the existing account details from Box and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage Box accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

  7. Click Finish, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO) and Box (SP initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the Box app. Oracle Identity Cloud Service displays a shortcut to Box under My Apps.

  3. Click Box. The Box home page appears.

  4. In the upper-right corner, click the user name icon, select View Profile from the drop-down list, and then confirm that the same user is logged in to both Box and Oracle Identity Cloud Service.

    This confirms that SSO initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Box

  1. Access Box using the URL: https://<Company_Box_Subdomain>.account.box.com/login. The login page appears.

    Note: This is the Company Box Subdomain name that you entered while performing the steps in the "Configuring SSO for Box" section.

  2. Enter the email address, click Next, and then click Sign In with SSO. You are redirected to the Oracle Identity Cloud Service login page.

  3. Log in using credentials for a user that is assigned to the Box app. The Box home page appears.

  4. In the upper-right corner, click the user name icon, select View Profile from the drop-down list, and then confirm that the same user is logged in to both Box and Oracle Identity Cloud Service.

    This confirms that SSO initiated from Box works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Box displays the message, "This account has been deactivated"

Cause: The user account assigned to Box is deactivated in Oracle Identity Cloud Service under the Box application's Users tab, and the user attempts to initiate single sign-on from Box.

Solution: Ensure that the user account is activated under the Users tab of the Box application in Oracle Identity Cloud Service. For more information on activating the user account for Box, see the "Enabling Provisioning" section.

Box displays the message, "Invalid login credentials"

Cause: When the user accounts are synchronized, the user account imported from Box is linked to an incorrect user account in Oracle Identity Cloud Service. This error also appears when auto provisioning is not enabled for the Box user account.

Solution: Contact either the Box CSM or the Box Product Support team to enable auto provisioning for the Box user account.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service Box app and Box is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select Box.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Box app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select Box.
  • In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.