Hi! In our enterprise, we have multiple Box instances/EIDs to support our development and testing processes - e.g. separate dev, test, uat, and prod instances of Box.
We would like to set up SAML SSO with all of these Box instances - so that security and sign in convenience is the same across all environments. We have separate prod and non-prod IDPs and would like to tie all of our non-prod Box instances into our non-prod IDP. We do this with several other cloud apps by having each app instance use a different SP Entity ID. However, this is not supported in Box. Each Box instance uses the same SP Entity ID - "box.net". Our IDP (Azure AD), like most IDPs, requires SP entity IDs to be unique. And therefore we cannot set up separate app instances in the IDP for the dev, test, and uat Box instances.
Box Support indicated that they can handle multiple Box instances tied to a single IDP entity ID - and sign the user in to a Box instance that matches a custom attribute value provided in the SAML response sent to Box. I.e., this SAML attribute may contain the Box instance EID or environment names like "dev" that can be mapped by Box to a specific EID. Unfortunately, we would typically leverage such a capability by setting up multiple apps in the IDP and hard coding what value is passed in that custom SAML attribute - and this leads us back to the original problem: the IDP will not let us set up multiple apps with the same SP Entity ID.
This is quite frustrating - and I'd like to see Box adopt the same approach used by numerous other cloud app providers, which is to permit setting custom SP entity ID values for each Box instance.
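To make the mechanism in the post concrete, here is an added illustration (not code from the poster, Box, or Box Support) of what the service-provider side of "one SP Entity ID, route by custom attribute" has to do: check that the assertion's AudienceRestriction names the shared entity ID "box.net", then read a custom attribute and map it to an EID. The attribute name "BoxEnvironment", the environment-to-EID table and the SAML Response are all constructed for the example; the real attribute name and EIDs are whatever Box Support configures.

```python
"""Route a SAML login to a Box instance by a custom attribute.

Added illustration for the thread above; not Box's code and not Box
Support's documented implementation. The attribute name "BoxEnvironment"
and the EID values are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The single SP Entity ID the post says every Box instance shares.
BOX_SP_ENTITY_ID = "box.net"

# Hypothetical routing attribute and environment -> EID table (constructed).
ROUTING_ATTRIBUTE = "BoxEnvironment"
ENV_TO_EID = {"dev": "1111111", "test": "2222222", "uat": "3333333"}

# Constructed sample SAML Response, trimmed to the elements this code reads.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>box.net</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="BoxEnvironment">
        <saml:AttributeValue>uat</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (audience, name_id, attributes) from a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    audience = aud.text.strip() if aud is not None and aud.text else None
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values
    return audience, name_id, attributes


def audience_matches(xml_text, expected_audience=BOX_SP_ENTITY_ID):
    """True only if the assertion was issued for this SP Entity ID.

    This is the check that keeps an assertion minted for some other
    relying party from being accepted by Box. Signature verification,
    validity window and replay checks also belong in a real SP but are
    out of scope for this illustration.
    """
    audience, _, _ = parse_response(xml_text)
    return audience == expected_audience


def select_instance(xml_text, expected_audience=BOX_SP_ENTITY_ID):
    """Validate the audience, then map the routing attribute to an EID."""
    if not audience_matches(xml_text, expected_audience):
        raise ValueError("assertion audience does not match the SP Entity ID")
    _, name_id, attributes = parse_response(xml_text)
    values = attributes.get(ROUTING_ATTRIBUTE, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {ROUTING_ATTRIBUTE} value, got {values}")
    value = values[0]
    # Accept either an environment label or a literal EID from the table.
    if value in ENV_TO_EID:
        return name_id, ENV_TO_EID[value]
    if value in ENV_TO_EID.values():
        return name_id, value
    raise ValueError(f"unrecognised {ROUTING_ATTRIBUTE} value {value!r}")


if __name__ == "__main__":
    print(select_instance(SAMPLE_RESPONSE))
```

The point of the example is the asymmetry the post runs into: on the SP side a single audience value is easy to accept, but the IdP keys its relying-party configuration on that same value, so it has no natural place to hang a second, differently hard-coded attribute value. Note also that the routing attribute must be treated as trusted only because it arrives inside a signed assertion; it never replaces the audience check.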