McAfee Enterprise MVISION Cloud

Configure SSO for Box with Okta through Reverse Proxy

To integrate MVISION Cloud and Box, you must configure a reverse proxy with Okta as the IdP.

Prerequisites

  • You must have a Box Business or Enterprise account. A Box Developer account does NOT support SSO.
  • Before you integrate Box with MVISION Cloud, check to see if users log in to your Box instance using a vanity URL such as account.box.com and Okta.
  • If you have any custom URLs provided by Box, and if users log in using those URLs, provide the domains to MVISION Cloud Support, as they must add these domains to the tenant configuration. You can't integrate Box with MVISION Cloud until these domains are added. 
  • Make sure an IP is allocated to your tenant to integrate Box.

Add Box in MVISION Cloud

  1. In MVISION Cloud go to Settings > Service Management
  2. If you haven't already added a Box instance, click Add Service Instance, select Box, give the instance a unique name, and click Done
  3. If you have already added a Box instance, select it. To edit the instance name, click Actions > Edit Instance Name
  4. On the Setup tab, under Proxy, click Get Started
  5. Under Configure Proxy, click Configure. Or if your proxy is already configured, click Review
  6. For Select Proxy Location, keep the default of MVISION Cloud, then click Next 
  7. For Set up Proxy Domain, enter the following:
    • Host Name. Enter box.com
    • Proxy Domain. The Proxy Domain is set by default to MVISION Cloud Aliased Domain. Enter a custom domain name below. 
    • Email. Not required. 
  8. Click Done
  9. When the proxy is set up correctly, the Proxy URL is shown in the details pane. 

Access Box via the Proxied URL

Now make sure that you can access Box via the proxied URL. It looks like this:

[Screenshot: box_proxied.png]

If the domains have not been added to the tenant back-end, you see the following error:

[Screenshot: box_proxied_error.png]

Configure the SAML Proxy

Now you need to integrate the new URL with Okta, so that once users are authenticated, they are redirected to Box through MVISION Cloud. 

To integrate, create a custom app in Okta. The default Box app doesn’t provide options to configure the Single Sign-On, Recipient, and Destination URLs, which use the following format:

Format: https://sso.services.box.net.<proxied-URL>/sp/ACS.saml2?shnsaml 

So, in this example, it is: https://sso.services.box.net.box.boxtest.arun.myshn.net/sp/ACS.saml2?shnsaml

Export the Okta Certificate and Upload it to MVISION Cloud

Once you have created the custom app in Okta, export the Okta certificate and then upload it to MVISION Cloud. 

Export the certificate in one of two ways:

  • In Okta, on the Sign-On tab, click the link Identity Provider Metadata. Then copy the certificate from the pop-up tab and save it in a separate certificate file.
  • In the General tab, click SAML Settings. Then click Download Okta Certificate.

Then upload the certificate to MVISION Cloud:

  1. In MVISION Cloud, go to Settings > Service Management
  2. Select your Box instance.
  3. Under Set up SAML, click Configure
  4. Click Upload

Export the Box Certificate and Upload it to MVISION Cloud

  1. To download the Box certificate, see Box documentation, What you need from Box to set up your connection.
  2. Either download the Public Certificate or copy the certificate from the Box Metadata File.
  3. Now upload it to MVISION Cloud. 
  4. Export the metadata from Okta, and then replace the certificate inside the metadata with the certificate of the MVISION Cloud managed URL. 
  5. To export the MVISION Cloud proxy certificate, click Download SAML certificate. 
  6. Open the exported metadata in a text editor. The certificate is the content of the <ds:X509Certificate> tag.
  7. Replace this certificate with the one downloaded from the MVISION Cloud proxy certificate.
  8. Rename the file MVISION-Okta-Box-Metadata.xml
  9. In Box, go to Admin Console > Enterprise Settings > User Settings.
  10. Scroll to Configure Single Sign On (SSO) for All Users and upload the file.
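
Steps 6 and 7 above can be scripted instead of done in a text editor. The following is an added example, not McAfee, Okta or Box code: it swaps the certificate inside <ds:X509Certificate> and returns a SHA-256 fingerprint you can compare against the downloaded proxy certificate before uploading to Box. It assumes the exported metadata holds exactly one <ds:X509Certificate> element and that the proxy certificate is PEM-encoded; the sample inputs are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
CERT_TAG = f"{{{DS}}}X509Certificate"

def pem_to_b64(pem: str) -> str:
    """Return the single-line base64 body of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # ValueError if not PEM
    return base64.b64encode(der).decode("ascii")

def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, for comparison with the proxy cert."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()

def swap_certificate(metadata_xml: str, proxy_pem: str) -> str:
    """Replace the certificate in IdP metadata with the proxy certificate."""
    ET.register_namespace("md", MD)  # keep the md:/ds: prefixes on output
    ET.register_namespace("ds", DS)
    root = ET.fromstring(metadata_xml)
    certs = list(root.iter(CERT_TAG))
    if len(certs) != 1:  # assumption: one certificate, as the steps describe
        raise ValueError(f"expected 1 <ds:X509Certificate>, found {len(certs)}")
    certs[0].text = pem_to_b64(proxy_pem)
    return ET.tostring(root, encoding="unicode")

# Constructed sample inputs: placeholder bytes, not real certificates.
OKTA_B64 = base64.b64encode(b"constructed-okta-cert").decode()
PROXY_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"constructed-proxy-cert").decode()
             + "\n-----END CERTIFICATE-----\n")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://idp.example/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>{OKTA_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    out = swap_certificate(SAMPLE_METADATA, PROXY_PEM)
    with open("MVISION-Okta-Box-Metadata.xml", "w", encoding="utf-8") as fh:
        fh.write(out)
    print("proxy cert SHA-256:", fingerprint(pem_to_b64(PROXY_PEM)))
```

To use it on real files, read the exported Okta metadata and the downloaded proxy certificate from disk and pass their contents to swap_certificate in place of the constructed samples.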

For more information about Box, see Setting Up SSO on your own.  

IMPORTANT: Do not renew the proxy certificate without engaging Box support, as the changes to Box SSO can take a while to propagate in Box.
