Since this creation of this post, Duo has added Box to their Application Catalog and provided detailed setup directions.
How to Configure Duo SSO SAML 2.0 for Box
All docs on this site are unofficial
Prerequisites:
Outline
- What’s been tested
- SSO Configuration Steps
- Implementing SAML JIT Provisioning and Group Push
What’s been tested:
I have tested the following and confirmed they work:
- SP-initiated authentication
- IdP-initiated authentication
- Just In Time (JIT) Provisioning
- SAML Group Push
SSO Configuration Steps
For more information on configuring SAML for Box, see Box’s Setting up Single Sign On (SS) for your Enterprise
Create a Box application in Duo
- Login to your Duo Admin Panel
- Navigate to Protect an Application
- Search for Generic Service Provider and click Protect Note: be sure to select the one for Single Sign-On (hosted by Duo)
- Next to SAML Metadata click Download XML and see the file to your desktop
Configure SSO for Box
- Login to your Box account as a primary administrator
- Click Admin Console
- Navigate to Enterprise Settings - User Settings - Configure Single Sign On (SSO) for All Users, then click Configure
- Since Duo is not part of the Identity Providers dropdown, I selected ADFS instead. Note, you can choose to follow the I don’t see my provider… but that does mean some configuration options below will be different, specifically for JIT Provisioning and SAML Group Push.
- Click Choose File and select your Duo Generic Service Provider XML file and click Submit
- Box will process your metadata file which can take up to 24 hours. Luckily they will email you once everything is ready so you don’t have to continue checking in.
- Once you have been notified by Box that everything is ready, you will have the option to enable SSO. I recommend starting with enabling SSO Test Mode. This will allow you to test your configuration without requiring SSO authentication.
Configure the Box application in Duo
- Navigate back to your new Generic Service Provider application within the Duo Admin panel.
- Next to Service Provider Name input Box
- Next to Entity ID input box.net
- Next to Assertion Consumer Service input https://sso.services.box.net/sp/ACS.saml2
- Scroll down to the SAML Response section
- NameID format should stay as the default: urn.oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Next to NameID attribute input the attribute that maps to your email address. If possible, I always recommend choosing Duo’s preconfigured attributes, in this case
This will allow you to change Duo SSO Authentication Source in the future, if needed. For example, from AD to a SAML IdP. - Next to Signing options leave both Sign response and Sign assertion checked.
- Scroll down to the Policy section and choose the policy you wish to implement for this application.
- Scroll down to the Settings section and next to Name add Box. You may also want to configure other options under this section, depending on how you have Duo MFA configured for your users.
- Scroll to the bottom and click Save
You are now ready to test SSO authentication into Box!
Configure Just In Time (JIT) Provisioning
- Navigate to your Box application within the Duo Admin Panel
- Scroll down to the SAML Response section
- Next to Map Attributes add the following. Note: again I recommend using Duo’s preconfigured attributes, if possible:
- IdP Attribute: First Name
- SAML Response Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- IdP Attribute: Last Name
- SAML Response Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- IdP Attribute: Email Address
- SAML Response Attribute:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Contact your Box representative and let them know you would like for them to enable SSO Auto Provisioning. In your correspondence you will need to let them know the attributes created above.
Configure SAML Group Push
- Contact your Box representative and let them know you would like for them to enable SAML Group Push. Once enabled login into your Box account and navigate to Enterprise Settings - User Settings - User Groups Settings.
- Check the box next to the options you wish to enable. Note, I enabled all three options: Add new groups upon SSO user login, Add users to groups upon SSO user login and Remove user from groups upon SSO user login.
- Navigate to your Box application within the Duo Admin Panel
- Scroll down to the SAML Response section
- Next to Role Attributes add the following:
- Attribute Name: http://schemas.xmlsoap.org/claims/Group
- Service Provider’s Role: (the name of the group you want created in Box)
- Duo Groups: (the Duo group you want to have populated in the Box group)
- Contact your Box representative and let them know you have configured SAML Group Push as they need to update the Groups SAML attribute on their end.
- Test away!
Note: When mapping Box Groups to Duo Groups, they must be done in a 1:1 relationship. You may create more than one row within the Role Attributes section BUT the groups must remain 1:1