This article refers to the process for switching SSO providers when your organization has an existing connection. If you are looking to set up SSO for the first time, please see this article. If you are looking to submit an updated Signing Certificate, please use this form.
Changing your Identity Provider can be a good way to introduce new security or user management features for your identity team. Here are the steps to making that switch successful for your Box users.
Create the new connection
- Share the metadata file for the new Identity Provider with the Product Support team.
- Test the new connection with an SP initiated link, provided by Box Product Support.
- This link is NOT exposed to end users. Only users with this link can log in using the new Identity Provider; all other users will continue to log in as normal.
- Work with a user that has credentials for the new Identity Provider has been given access to Box within the Identity Provider. Have them log into Box by clicking the provided link.
- Report back to your Product Support contact about the success of this test.
Prepare for the switchover
- Determine if there are any major changes in functionality in the switch to the new Identity Provider. For example, ADFS -> Azure where SAML Groups is no longer supported or Okta -> Azure where the de-provisioning behavior is different.
- If necessary, implement a process to accommodate the upcoming changes in functionality.
- Schedule a time with your Product Support agent to perform the switchover. Box's recommendation is to do the switch at the end of the day or any other time when users are less likely to be logging in.
- Note: the switch will impact users that are attempting to log in going forward; it will not impact users that are already logged in.
- Communicate the upcoming changes to all the relevant users.
- Ensure all the relevant users have credentials for the new Identity Provider.
- Ensure all the relevant users have access to Box via the new Identity Provider.
- Upon switchover, test the new connection by having a user log into web application, Box Drive, and mobile.
- Test with each type of user that may be impacted by the change (users with different domains, for example).
- Report back to your Product Support contact about the success of the switchover.
- If there is an error, please identify the problem users and validate that how many other users may be impacted. Take a screenshot of the error and sent this information to your Product Support contact.
- If necessary, the Product Support team can revert the changes.