To integrate Skyhigh CASB and Box, you must configure a reverse proxy with Okta as the IdP.
- You must have a Box Business or Enterprise account. A Box Developer account does NOT support SSO.
- Before you integrate Box with Skyhigh CASB, check to see if users log in to your Box instance using a vanity URL such as account.box.com and Okta.
- If you have any custom URLs provided by Box, and if users log in using those URLs, provide the domains to Skyhigh CASB Support, as they must add these domains to the tenant configuration. You can't integrate Box with Skyhigh CASB until these domains are added.
- Make sure an IP is allocated to your tenant to integrate Box.
Add Box in Skyhigh CASB
- In Skyhigh CASB go to Settings > Service Management.
- If you haven't already added a Box instance, click Add Service Instance, select Box, give the instance a unique name, and click Done.
- If you have already added a Box instance, select it. To edit the instance name, click Actions > Edit Instance Name.
- On the Setup tab, under Proxy, click Get Started.
- Under Configure Proxy, click Configure. Or if your proxy is already configured, click Review.
- For Select Proxy Location, keep the default of Skyhigh CASB, then click Next.
- For Set up Proxy Domain, enter the following:
- Host Name. Enter box.com.
- Proxy Domain. The Proxy Domain is set by default to Skyhigh CASB Aliased Domain. Enter a custom domain name below.
- Email. Not required.
- Click Done.
- When the proxy is set up correctly, the Proxy URL is shown in the details pane.
Access Box via the Proxied URL
Now make sure that you can access Box via the proxied URL. It looks like this:
If the domains have not been added to the tenant back-end, you see the following error:
Configure the SAML Proxy
Now you need to integrate the new URL with Okta, so that once users are authenticated, they are redirected to Box through Skyhigh CASB.
To integrate, create a custom app in Okta. The default Box app doesn’t provide options to configure Single Sign-On, Recipient URL, and Destination URL, which uses the following format:
So, in this example, it is: https://sso.services.box.net.box.boxtest.arun.myshn.net/sp/ACS.saml2?shnsaml
Export the Okta Certificate and Upload it to Skyhigh CASB
Once you have created the custom app in Okta, export the Okta certificate and then upload it to Skyhigh CASB.
This can be done in two ways:
- In Okta, on the Sign-On tab, click the link Identity Provider Metadata. Then copy the certificate from the pop-up tab and save it in a separate certificate file.
- In the General tab, click SAML Settings. Then click Download Okta Certificate.
- In Skyhigh CASB, go to Settings > Service Management.
- Select your Box instance.
- Under Set up SAML, click Configure.
- Click Upload.
Export the Box Certificate and Upload it to Skyhigh CASB
- To download the Box certification, see Box documentation, What you need from Box to set up your connection.
- Either download the Public Certificate or copy the certificate from the Box Metadata File.
- Now upload it to Skyhigh CASB.
- Export the metadata from Okta, and then replace the certificate inside the metadata with the certificate of the Skyhigh CASB managed URL.
- To export the Skyhigh CASB proxy certificate, click Download SAML certificate.
- Open the exported metadata in a text editor. You see the certificate between the tag: <ds:X509Certificate> .
- Replace this certificate with the one downloaded from the Skyhigh CASB proxy certificate.
- Rename the file SkyhighCASB-Okta-Box-Metadata.xml.
- Go to Box in Admin console > Enterprise Settings > User Settings.
- Scroll to Configure Single Sign On (SSO) for All Users and upload the file.
For more information about Box, see Setting Up SSO on your own.
IMPORTANT: Do not renew the proxy certificate without engaging Box support, as the changes to Box SSO can take a while to propagate in Box.