Box API & SSO

Box API & SSO

Many Box Enterprises use Single Sign On (SSO) to authenticate Managed Users logging in to Box. The way applications built on Box Platform interact with the SSO provider depends on the type of application being built.

Custom Apps with Client-side Authentication

When users authenticate with a Custom App configured to use client-side [OAuth 2.0] Box will detect if a user's enterprise is configured to use SSO. If so, Box will redirect the user's browser to their own enterprise's configured SSO log-in screen.

SSO Enabled vs Required

Enterprises on Box can be configured to use SSO in two ways: SSO Required or SSO Enabled.

In an enterprise that has set SSO only as enabled, users will have the option to either use a regular Box username and password or to be redirected to their SSO provider.

In an enterprise that has SSO set to be required, Box will force users to log in with their enterprise's configured SSO provider. In this case, any user that tries to log in must already have both a Box account and an account with their SSO provider. Without either of these the log in will fail as either Box won't know what SSO provider to send a user to, or the SSO provider won't recognize the user's login.

It is not possible to exempt a user from SSO in an enterprise with SSO set to be required, even if it is only used for platform use cases.

Custom Apps with Server-side Authentication

For Custom Apps that use JWT or Limited Access Apps that use App Token authentication, SSO is not used to authenticate with Box.

Custom apps using server-side authentication only use server-to-server API calls to communicate with Box. In this scenario, the way in which an end user is authenticated is determined by the application and not by Box.

In other words, end user authentication with the application is determined by the application, while application's authorization to Box is a different matter completely.

In these use cases the application authenticates not as a regular Managed User but as a Service Account or App User. These user types do not have access to any Managed User's data by default. For these applications to have access to other Managed User's data they will need explicit admin approval.

Custom Skills

Custom Skills are authenticated in a unique way where the application is provided with a unique set of access tokens for every skill event.

In this case, the application does not directly interact with the users and therefore SSO is not involved.

Even when using Skills, a user uploading a file to a folder that might trigger a Skill event would still need to log in to the web or mobile app. This log in would require them to use SSO where needed.