Platform Apps with Client-side Authentication
When users authenticate with a Platform App configured to use OAuth 2.0, Box will detect whether the enterprise is configured to use SSO. If it is, Box will redirect the user to their browser and display the enterprise's configured SSO login screen.
SSO Enabled vs Required
Enterprises can configure their SSO in one of two ways: SSO Required or SSO Enabled. When SSO is enabled but not required, managed users will have the option to either:
- log in with a Box username and password
- log in with their SSO provider
Platform Apps with Server-side Authentication
For Platform Apps that use JWT or Client Credentials Grant, and Limited Access Apps that use App Token authentication, SSO is not used to authenticate with Box. Platform Apps using server-side authentication communicate with Box only through server-to-server API calls. In this scenario, the way in which an end user is authenticated is determined by the application and not by Box. In other words, end user authentication with the application is determined by the application, while the application's authorization to Box is a different matter completely. In these use cases the application authenticates not as a regular Managed User but as a Service Account or App User. These user types do not have access to any Managed User's data by default. For these applications to have access to other Managed Users' data, they will need explicit admin approval.
Custom Skills
Custom Skills are authenticated in a unique way: the application is provided with a unique set of access tokens for every Skill event. In this case, the application does not directly interact with the users and therefore SSO is not involved.
Even when using Skills, a user uploading a file to a folder that might trigger a Skill event would still need to log in to the web or mobile app. This login would require them to use SSO where needed.
