Enable Single Sign-On to Box with UserLock

Centralize Box authentication with UserLock SSO to streamline user access and maintain control over corporate accounts.

Published September 30, 2025

Introduction

This guide explains how to integrate Box with UserLock Single Sign-On (SSO) using the SAML 2.0 protocol.

Once enabled, Box logins are authenticated by UserLock. This provides users with a consistent sign-in process and gives administrators the ability to enforce UserLock access policies (MFA, time, machine, or location restrictions) on SSO sessions.

🚩️ Before starting:

Step 1. Enable Box in UserLock SSO

  1. In the UserLock console, go to ⚙️ Server settings ▸ Single Sign-On.

  2. Click on the Box row.

  3. Enter the Email domain to be used for user logins.

  4. Save the profile.

Step 2. Submit the configuration request to Box

  1. In the UserLock console, go to ⚙️ Server settings ▸ Single Sign-On.

  2. Click on Download ▸ Metadata file.

  3. Submit an SSO configuration request to Box following the official procedure:
    👉️ Box Help: Setting Up SSO for Your Enterprise

  4. When asked to upload metadata, use the downloaded file.

Step 3. Configure Box for Single Sign-On

Once Box has enabled SSO for your account:

  1. Connect to Box with an Administrator account.

  2. Go to Admin Console ▸ Enterprise Settings ▸ User Settings.

  3. Under User Settings, locate Configure Single Sign On (SSO) and select SSO Test Mode.

  4. When SSO is ready, disconnect the session and try logging in via Single Sign-On.

Note

While in SSO Test Mode, users can still log in with their regular credentials.

Troubleshooting

For common issues, see Troubleshooting SSO.
If the problem persists, please contact IS Decisions Support.

Handling SSO unavailability

Box does not provide a built-in fallback if SSO is unavailable. To prevent lockout, you can:

  • Contact Box support and request to temporarily switch your SSO configuration back to Test Mode.

  • Ensure that a second SSO provider is configured as a backup.

Box authentication error

When logging in, Box may receive the wrong email address from SSO if users have multiple accounts under the same email domain (e.g. testuser@mydomain.com and myuser@mydomain.com).

By default, SSO provides the first address in alphabetical order.

Workarounds

  • Change the Box user account email to match the one sent by SSO.

  • Remove unused duplicate email addresses from the user if not required by other apps.
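To find affected users before switching out of SSO Test Mode, the check below predicts which address SSO will send for each user and compares it with the Box login. It is an added example, not UserLock or Box code. The record format, the sample users, and the case-insensitive reading of "alphabetical order" are assumptions.

```python
# Added example: constructed data, hypothetical export format.
# Assumption: "alphabetical order" is applied case-insensitively to the
# full address, restricted to the Email domain set in the Box SSO profile.

def sso_address(addresses, domain):
    """Address SSO is expected to send: first alphabetically within `domain`."""
    suffix = "@" + domain.lower()
    in_domain = {a.strip().lower() for a in addresses}
    in_domain = sorted(a for a in in_domain if a.endswith(suffix))
    return in_domain[0] if in_domain else None


def audit(users, domain):
    """Return one finding per user whose Box login will not match SSO."""
    findings = []
    for user in users:
        sent = sso_address(user["addresses"], domain)
        box_login = user["box_login"].strip().lower()
        if sent is None:
            findings.append({"user": user["name"], "issue": "no address in SSO domain",
                             "sso_sends": None, "box_login": box_login})
        elif sent != box_login:
            findings.append({"user": user["name"], "issue": "mismatch",
                             "sso_sends": sent, "box_login": box_login})
    return findings


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"name": "alice", "box_login": "testuser@mydomain.com",
     "addresses": ["testuser@mydomain.com", "myuser@mydomain.com"]},
    {"name": "bob", "box_login": "bob@mydomain.com",
     "addresses": ["Bob@MyDomain.com"]},
    {"name": "carol", "box_login": "carol@mydomain.com",
     "addresses": ["carol@other.example"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_USERS, "mydomain.com"):
        print(f"{f['user']}: {f['issue']} "
              f"(SSO sends {f['sso_sends']}, Box expects {f['box_login']})")
```

Each "mismatch" finding is a candidate for one of the two workarounds above; a "no address in SSO domain" finding means the user has nothing to send for the configured Email domain.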

Next steps

You can extend the security of SSO sessions by applying UserLock access policies in addition to authentication.