If you're a Box primary admin, the SSO certificate settings in the Box Admin Console enable you to manage up to two signing certificates for your Box Enterprise's SSO connection.
The ability to upload a secondary certificate provides seamless rotation between a current, expiring certificate and the new secondary certificate, because Box uses both to validate user login. After the connection migrates to the new certificate on the IDP side, you'll need to use the certificate settings in the admin console to remove the old certificate that is no longer in use. This ensures you're ready for your next certificate rotation.
Adding a certificate
To upload the certificate from your computer:
- In your admin console's left sidebar, click Enterprise Settings.
- At the top of the window, click User Settings.
- Scroll to the Configure Single Sign On (SSO) for All Users section.
- Click Select File.
- If the certificate is valid, you'll see the certificate details in a prompt with the options to Cancel or to Add and Activate the certificate.
- If the certificate is invalid, Box displays an error and does not add the certificate for the connection.
- If the certificate is valid, click Add and Activate.
Note:
- Accepted certificate file types are .pem, .cer, .crt, and .der.
- You can configure a maximum of two certificates per SSO connection per Box Enterprise.
Removing a certificate
To remove a certificate:
- In your admin console's left sidebar, click Enterprise Settings.
- At the top of the window, click User Settings.
- Scroll to the Configure Single Sign On (SSO) for All Users section.
- On the certificate you want to remove, click Remove. Box displays the Remove SSO Certificate prompt.
- In the Remove SSO Certificate prompt, click Remove.
IMPORTANT:
You must have at least one SSO certificate configured. Any attempt to remove a certificate without a second configured certificate causes an error.
Expired certificates
Certificate settings indicate when a certificate is expired. You'll need to remove expired certificates from the console as soon as possible.
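The console validates the file when you upload it and flags expiry afterwards, but it helps to check a certificate's validity window yourself before uploading it, and to scan stored copies for the expiry the settings page reports. The Python script below is an added example, not Box's own code and not the validation the Admin Console performs. It accepts the file types listed under Adding a certificate (PEM text in .pem, .cer or .crt, or raw DER in .der or .cer), walks the DER structure only as far as the notBefore/notAfter fields, and classifies the certificate as ok, expiring-soon, expired or not-yet-valid. The two sample certificates are constructed inline as unsigned skeletons with no real key, used only to exercise the parser; the 30-day warning threshold and the function names are assumptions of this example.

```python
import base64
import re
from datetime import datetime, timezone

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def _parse_time(tag, val):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as UTC."""
    text = val.decode("ascii")
    if tag == 0x17:
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag 0x%02x" % tag)

def to_der(data):
    """Accept PEM or DER certificate bytes (.pem/.cer/.crt/.der) and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                          data, re.S)
        if not match:
            raise ValueError("no CERTIFICATE block found in PEM input")
        return base64.b64decode(b"".join(match.group(1).split()))
    return data  # already DER

def validity(data):
    """Return (not_before, not_after) from the certificate's validity field."""
    tag, cert, _ = _read_tlv(to_der(data), 0)
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE (not a certificate)")
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = list(_children(fields[3][1]))
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)

def check(data, now_iso=None, warn_days=30):
    """Classify the certificate: ok, expiring-soon, expired or not-yet-valid."""
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:  # fixed clock, e.g. "2025-06-01T00:00:00Z", for repeatable checks
        now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    not_before, not_after = validity(data)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    if (not_after - now).days < warn_days:
        return "expiring-soon"
    return "ok"

# --- Constructed sample input (hypothetical, unsigned, for this example only) ---
def _tlv(tag, content):
    """Minimal short-form DER encoder used only to build the sample certificates."""
    assert len(content) < 0x80, "sample encoder supports short-form lengths only"
    return bytes([tag, len(content)]) + content

def sample_cert_der(not_before, not_after):
    """Build a skeletal certificate with the given UTCTime strings (YYMMDDHHMMSS)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),           # version v3
        _tlv(0x02, b"\x01"),                        # serialNumber
        alg,                                        # signature algorithm
        _tlv(0x30, b""),                            # issuer (empty Name)
        _tlv(0x30, _tlv(0x17, (not_before + "Z").encode())
                 + _tlv(0x17, (not_after + "Z").encode())),  # validity
        _tlv(0x30, b""),                            # subject (empty Name)
        _tlv(0x30, b""),                            # subjectPublicKeyInfo placeholder
    ]))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))  # empty signature BIT STRING

def sample_cert_pem(not_before, not_after):
    body = base64.encodebytes(sample_cert_der(not_before, not_after)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

EXPIRED_PEM = sample_cert_pem("200101000000", "210101000000").encode()  # 2020 to 2021
CURRENT_DER = sample_cert_der("240101000000", "300101000000")           # 2024 to 2030

if __name__ == "__main__":
    for label, blob in (("expired.pem", EXPIRED_PEM), ("current.der", CURRENT_DER)):
        nb, na = validity(blob)
        print(f"{label}: valid {nb.date()} to {na.date()} -> {check(blob)}")
```

For a real file, pass `open(path, "rb").read()` to `check`. The script reads only the validity window; it does not verify the signature or chain, which is the IDP's and Box's job, so a certificate reported as ok here can still be rejected by the console for other reasons.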
Enterprise locked out due to expired certificate
If your SSO signing certificate expired before being updated and SSO is enabled, but not required, for your Box enterprise, the Box admin can log into the admin console through the domain account.box.com instead of <your_box_subdomain>.box.com.
- This login bypasses the SSO login flow for your enterprise and allows you to log in using box.com credentials.
- This requires the admin to log in with Box credentials instead of going through the configured SSO provider.
- Use the reset password button if you do not know your box.com password.
If the enterprise is locked out of Box due to an expired signing certificate and SSO is required for login, please contact Box Support to assist with updating your certificate.
Limitations
Customers who have configured multiple connections to a single Box Enterprise are not able to use the certificate settings. If your enterprise has this type of configuration, contact Box Support to assist with updating your certificate.