Box

Setting up MIRACL Trust SSO SAML as an Identity Provider within Box.com

These instructions are up-to-date at the time of writing, but you should refer back to the Box documentation on SAML IdP access to check for any changes. We cannot guarantee the accuracy of our SP-specific guidance.

To have SSO enabled on your box.com account, you need a Business or an Enterprise Account. After upgrading your account, you need to arrange for box.com support to activate SSO authentication. Below is an example form to request this:

box_sso_form

As you can see from the form above, mail is the attribute used for authentication. The other attributes (first name, last name and group) are not needed.

Configuring your Box.com Service Provider profile with MIRACL Trust SSO SAML

  1. Edit /etc/miracl-sso/service_providers/box.yaml;
profile:
  attribute:
    box: >-
      <AttributeStatement>
        <Attribute Name="primary_email">
          <AttributeValue>{{.SessionUserEmail}}</AttributeValue>
        </Attribute>
      </AttributeStatement>
sp:
  box:
    description: box
    name: Box
    login_url: https://example.account.box.com/login
    logout_url: https://example.app.box.com/logout
    relay_state: ""
    metadata: >-
      <!-- insert downloaded SP metatadata here -->
    sign_response: false
    sign_assertion: true
    encrypt_assertion: false
    authorize:
    - - email: ^[^@]+@example.com$
    profile:
      attribute: box
  1. Note that the name under which the SP is registered in the sp section is used to create your IdP-initiated login url, i.e. https://<yourssoip>/login/box.

  2. Update the SP login_url and logout_url entries with the correct information retrieved from Box.

  3. Box should supply you with your SP metadata which can be pasted into the above metadata field.

Note that, if you are using JSON format for your config file, the downloaded metadata should be saved as an xml file and converted to a single line with the " characters escaped with \ to meet json structure requirements. This can be achieved by running the following command on the downloaded metadata.xml file:

echo -e "\n"$(cat metadata.xml | tr -d '\n' | sed -E 's/"/\\"/g')"\n"

The contents then are output in the terminal in a format that can be pasted into the metadata field of a JSON file.

  1. In the authorize subsection, you can control what users are allowed to attempt login by following one or both of the below steps:
  • Call up an LDAP setup from an ldap.yaml file stored in /etc/miracl-sso/integrations.

  • Configure a regex list of email addresses/domains. The above config shows an example of how you would use email: ^[^@]+@example.com$ to only allow users from a certain email domain to login.

    Note that if this is not set correctly, you receive ‘unauthorized user’ messages.

    For more detailed info on using LDAP, API and regex to control authorized users, please see the authorization menu section.

  1. Save and close the file.

  2. In your /etc/miracl-sso/config.yaml file make sure you add box.yaml to the list of ‘includes’:

includes:
  - core.yaml

# service providers
  - service_providers/box.yaml
  1. As always after config changes, restart the server.

  2. Now your service is configured, you can visit https://<yourssoip>/login/box or https://<yourssoip>/services to login to the service using IdP-initiated login, or visit the Box login page and SP-initiated login are triggered automatically.

  3. You are able to login using the in-browser PIN pad or with the MIRACL Trust app. When logging in to your SSO service for the first time you are asked to register an email address so as to confirm your identity and register you as a user.