NEED: SAML SSO for enterprises with multiple EIDs
Hi! In our enterprise, we have multiple Box instances/EIDs to support our development and testing processes - e.g. separate dev, test, uat, and prod instances of Box.
We would like to set up SAML SSO with all of these Box instances - so that security and sign-in convenience is the same across all environments. We have separate prod and non-prod IDPs and would like to tie all of our non-prod Box instances into our non-prod IDP. We do this with several other cloud apps by having each app instance use a different SP Entity ID. However, this is not supported in Box. Each Box instance uses the same SP Entity ID - "box.net". Our IDP (Azure AD), like most IDPs, requires SP entity IDs to be unique. And therefore we cannot set up separate app instances in the IDP for the dev, test, and uat Box instances.
Box Support indicated that they can handle multiple Box instances tied to a single IDP entity ID - and sign the user in to a Box instance that matches a custom attribute value provided in the SAML response sent to Box. I.e., this SAML attribute may contain the Box instance EID or environment names like "dev" that can be mapped by Box to a specific EID. Unfortunately, we would typically leverage such a capability by setting up multiple apps in the IDP and hard-coding what value is passed in that custom SAML attribute - and this leads us back to the original problem: the IDP will not let us set up multiple apps with the same SP Entity ID.
This is quite frustrating - and I'd like to see Box adopt the same approach used by numerous other cloud app providers, which is to permit setting custom SP entity ID values for each Box instance.
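As an added example (not code from this post or from Box), here is how a service provider could implement the routing Box Support described: the assertion carries a custom attribute naming the environment, and the SP maps it to an EID only after confirming the single shared Audience "box.net". The attribute name, the environment-to-EID mapping and the sample XML are constructed placeholders, and XML signature verification is assumed to have been done before this step.

```python
"""Added example: route a SAML assertion to one of several tenant instances
by a custom attribute, while still enforcing the one shared SP entity ID.
Attribute name, EIDs and the assertion XML are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "box.net"          # the single SP entity ID every instance shares
ENV_ATTR = "box_environment"      # hypothetical custom attribute name
# Hypothetical non-prod mapping: environment name -> enterprise ID (EID).
ENV_TO_EID = {"dev": "EID-DEV-PLACEHOLDER", "test": "EID-TEST-PLACEHOLDER",
              "uat": "EID-UAT-PLACEHOLDER"}

def select_instance(assertion_xml: str) -> str:
    """Return the EID the assertion should be routed to, or raise ValueError.
    Signature validation is assumed to have already succeeded (out of scope)."""
    root = ET.fromstring(assertion_xml)
    # 1. The AudienceRestriction must name this SP; refuse assertions for others.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"audience {audiences} does not include {SP_ENTITY_ID}")
    # 2. Exactly one routing value; a missing or ambiguous attribute never
    #    silently falls back to some default environment.
    values = [v.text or "" for v in root.findall(
        f".//saml:Attribute[@Name='{ENV_ATTR}']/saml:AttributeValue", NS)]
    if len(values) != 1:
        raise ValueError(f"expected one {ENV_ATTR} value, got {values}")
    env = values[0].strip().lower()
    # 3. Only allow-listed environments map to an instance.
    if env not in ENV_TO_EID:
        raise ValueError(f"unknown environment {env!r}")
    return ENV_TO_EID[env]

def sample_assertion(env_value: str, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned assertion used only to exercise select_instance."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ENV_ATTR}">
      <saml:AttributeValue>{env_value}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(select_instance(sample_assertion("uat")))  # EID-UAT-PLACEHOLDER
```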
-
The requirement for unique SP Entity IDs by Azure AD is indeed a common one among IDPs, and the inability to set up multiple apps with the same SP Entity ID can be challenging. However, there might be a workaround. Azure AD supports app multi-instancing, which allows you to configure multiple instances of a single cloud application for use in different environments, such as development, testing, and production. It's important to note that while this approach aligns with the capabilities of Azure AD and the guidance provided by Box Support, it would be best to consult with both Box and Azure AD support to ensure that this setup will work as expected and to get assistance with the configuration.
-
It sounds like you're facing a challenge with setting up SAML SSO for multiple Box instances tied to a single IDP entity ID, due to the limitation of each Box instance using the same SP Entity ID ("box.net"). While Box Support has indicated a potential solution involving custom attributes in the SAML response, this approach may not align with your preferred method of configuration using separate app instances in the IDP with unique SP Entity IDs.
Here are a few suggestions and considerations:
- Engage with Box Support: Continue working closely with Box Support to explore alternative solutions or workarounds that align with your requirements. They may be able to provide further guidance or offer additional options for configuring SAML SSO with multiple Box instances.
- Request Feature Enhancement: Consider reaching out to Box's product team or submitting a feature enhancement request to suggest adding support for custom SP Entity IDs for each Box instance. Providing feedback directly to Box can help influence their product roadmap and prioritize features that are important to customers.
- Evaluate Workarounds: While the current limitation may be frustrating, consider evaluating potential workarounds or alternative approaches to achieve your desired outcome. This could involve modifying your IDP configuration, leveraging custom attributes in the SAML response as suggested by Box Support, or exploring other integration options.
- Explore Third-Party Solutions: Investigate whether there are third-party identity management solutions or middleware platforms that can help bridge the gap between your IDP and Box instances, providing additional flexibility and customization options for SAML SSO configuration.
- Stay Informed: Keep an eye on updates and announcements from Box regarding new features, enhancements, and integrations. Box may address this limitation in future releases or provide alternative solutions that better meet your needs.
By actively engaging with Box Support, providing feedback to Box, and exploring alternative approaches, you can work towards finding a solution that enables seamless SAML SSO integration with multiple Box instances in your enterprise.