This topic details the steps to configure Box and configure a reverse proxy with Okta as the IDP.
- You must have a Box Business or Enterprise account. A Box Developer account does NOT support SSO.
- Before you integrate Box with MVISION Cloud, check whether users log in to your Box instance using a vanity URL, such as account.box.com, and Okta.
- If you have any custom URLs provided by Box, and if users log in using those URLs, provide the domains to MVISION Cloud Support, as they must add these domains to the tenant configuration. You cannot integrate Box with MVISION Cloud until these domains are added.
- Make sure an IP is allocated to your tenant in order to integrate Box.
Add Box in MVISION Cloud
- In MVISION Cloud go to Settings > Service Management.
- If you haven't already added a Box instance, click Add Service Instance, select Box, give the instance a unique name, and click Done.
- If you've already added a Box instance, select it. To edit the instance name, click Actions > Edit Instance Name.
- On the Setup tab, under Proxy, click Get Started.
- Under Configure Proxy, click Configure. Or if your proxy is already configured, click Review.
- For Select Proxy Location, keep the default of MVISION Cloud, then click Next.
- For Set up Proxy Domain, enter the following:
  - Host Name. Enter box.com.
  - Proxy Domain. The Proxy Domain is set by default to MVISION Cloud Aliased Domain. Enter a custom domain name below.
  - Email. Not required.
- Click Done.
- When the proxy is set up correctly, the Proxy URL is shown in the details pane.
Access Box via the Proxied URL
Now make sure that you can access Box via the proxied URL. It should look like this:
If the domains have not been added to the tenant backend, you will see the following error:
Configure the SAML Proxy
Now you need to integrate the new URL with Okta, so that once users are authenticated, they are redirected to Box through MVISION Cloud.
To integrate, you'll need to create a custom app in Okta. The default Box app doesn’t provide options to configure Single Sign-On, Recipient URL, and Destination URL, which should be in the following format:
So, in this example, it will be: https://sso.services.box.net.box.boxtest.arun.myshn.net/sp/ACS.saml2?shnsaml
Export the Okta Certificate and Upload it to MVISION Cloud
Once you've created the custom app in Okta, you'll need to export the Okta certificate and then upload it to MVISION Cloud.
This can be done in two ways:
  - In Okta, on the Sign-On tab, click the link Identity Provider Metadata. Then copy the certificate from the pop-up tab and save it in a separate .cert file.
  - In the General tab, click SAML Settings. Then click Download Okta Certificate.
- In MVISION Cloud, go to Settings > Service Management.
- Select your Box instance.
- Under Set up SAML, click Configure.
- Click Upload.
Export the Box Certificate and Upload it to MVISION Cloud
- To download the Box certificate, refer to the Box documentation, What you need from Box to set up your connection.
- Either download the Public Certificate or copy the certificate from the Box Metadata File.
- Now upload it to MVISION Cloud.
- Export the metadata from Okta, and then replace the certificate inside the metadata with the certificate of the MVISION Cloud managed URL.
- To export the MVISION Cloud proxy certificate, click Download SAML certificate.
- Open the exported metadata in a text editor. You'll see the certificate between the <ds:X509Certificate> tags.
- Replace this certificate with the MVISION Cloud proxy certificate you downloaded.
- Rename the file MVISION-Okta-Box-Metadata.xml.
- Go to Box in Admin console > Enterprise Settings > User Settings.
- Scroll to Configure Single Sign On (SSO) for All Users and upload the file.
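The metadata edit in the steps above, done with a script instead of a text editor, as an added Python example (not code from the original page or from MVISION Cloud; the sample Okta metadata and both certificate values are constructed placeholders):

```python
"""Swap the signing certificate in Okta IdP metadata for the MVISION Cloud
proxy certificate. Added example; metadata and certificates are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():  # keep the md:/ds: prefixes on output
    ET.register_namespace(prefix, uri)


def pem_to_base64(pem: str) -> str:
    """Strip PEM armor and whitespace; metadata carries only the base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = "".join(body.split())
    base64.b64decode(body, validate=True)  # fail early on a mangled paste
    return body


def replace_signing_cert(metadata_xml: str, proxy_cert_pem: str) -> str:
    """Return the metadata with every <ds:X509Certificate> set to the proxy cert."""
    root = ET.fromstring(metadata_xml)
    certs = root.findall(".//ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no <ds:X509Certificate> element in metadata")
    new_b64 = pem_to_base64(proxy_cert_pem)
    for cert in certs:
        cert.text = new_b64
    return ET.tostring(root, encoding="unicode")


# Constructed sample: minimal Okta-style IdP metadata with a placeholder cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>T0xEX09LVEFfQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed placeholder standing in for the downloaded proxy certificate.
PROXY_CERT_PEM = "-----BEGIN CERTIFICATE-----\nUFJPWFlfQ0VSVA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    with open("MVISION-Okta-Box-Metadata.xml", "w") as f:
        f.write(replace_signing_cert(SAMPLE_METADATA, PROXY_CERT_PEM))
```

Run it with the real Okta metadata and the certificate from Download SAML certificate in place of the placeholders; the output file is the one to upload in the Box Admin console.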
For more information on Box, see Setting Up SSO on your own.
IMPORTANT: Do not renew the proxy certificate without engaging Box support, as the changes to Box SSO may take a while to propagate in Box.