Step by Step – Box SSO with PhenixID Authentication Services


This document guides you through the steps to provide single sign-on (SSO) to Box using SAML, with PhenixID Authentication Services as the SAML IdP.

System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • corporate domain


  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  2. Download the SAML IdP Metadata as a file.
  3. Distribute the SAML IdP Metadata file to Box. This is a manual process. Instructions will be provided by your Box contact.
  4. Download the Box SP metadata file from
  5. Add the Box SP metadata file to the <PhenixID_Authentication_Services>/resources folder
  6. Restart PhenixID Authentication Services.
  7. Log on to PhenixID Authentication Services Configuration Manager
  8. Click on the Configuration tab
  9. Click “SAML Meta loading”
  10. Add Box SAML SP metadata by adding this configuration snippet:
            {
                "id": "",
                "resource": "boxmetadata.xml"
            }
  11. Click “Stage changes” and then “Commit changes”
  12. Configure the authentication method(s) to be used for the Box federation.
  13. Click on the Configuration tab
  14. Click on Pipes
  15. Modify the pipe(s) connected to the authenticators.
    1. Fetch email, givenName, sn from the user data source:
      {
          "name": "LDAPSearchValve",
          "config": {
              "connection_ref": "MyAD",
              "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
              "scope": "SUB",
              "size_limit": "0",
              "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
              "attributes": "mail,givenName,sn"
          }
      }
    2. Rename mail attribute
      {
          "name": "PropertyCopyValve",
          "config": {
              "source": "mail",
              "dest": "primary_email"
          }
      }
    3. Configure SAML assertion
      {
          "name": "AssertionProvider",
          "config": {
              "targetEntityID": "PhenixID_IdP_BOX",
              "nameIDAttribute": "mail",
              "misc": {
                  "excludeSubjectNotBefore": "true",
                  "signMessage": "false",
                  "signAssertion": "true"
              },
              "sourceID": "",
              "additionalAttributes": "primary_email,givenName,sn"
          }
      }
  16. Click “Stage changes” and then “Commit changes”
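
A pre-commit consistency check for the pipe in step 15, added here as an example and not part of PhenixID's documentation or tooling. It assumes the three valves are wrapped in one JSON array in pipe order and that PropertyCopyValve keeps the source attribute while adding the destination; lint_pipe and split_csv are hypothetical helper names.

```python
import json

# Constructed sample: the three valves from step 15, wrapped in one JSON array.
PIPE_JSON = r'''
[
  {"name": "LDAPSearchValve", "config": {
      "connection_ref": "MyAD",
      "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
      "scope": "SUB", "size_limit": "0",
      "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
      "attributes": "mail,givenName,sn"}},
  {"name": "PropertyCopyValve", "config": {"source": "mail", "dest": "primary_email"}},
  {"name": "AssertionProvider", "config": {
      "targetEntityID": "PhenixID_IdP_BOX",
      "nameIDAttribute": "mail",
      "misc": {"excludeSubjectNotBefore": "true", "signMessage": "false", "signAssertion": "true"},
      "sourceID": "",
      "additionalAttributes": "primary_email,givenName,sn"}}
]
'''

def split_csv(value):
    """Split a comma-separated attribute list, ignoring blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_pipe(valves):
    """Return a list of findings for a list of valve dicts, in pipe order."""
    findings, available = [], set()
    for valve in valves:
        name, cfg = valve["name"], valve.get("config", {})
        if name == "LDAPSearchValve":
            available.update(split_csv(cfg.get("attributes", "")))
        elif name == "PropertyCopyValve":
            # Assumption: the source attribute is kept and dest is added.
            if cfg.get("source") not in available:
                findings.append(f"PropertyCopyValve source '{cfg.get('source')}' was never fetched")
            else:
                available.add(cfg.get("dest"))
        elif name == "AssertionProvider":
            wanted = [cfg.get("nameIDAttribute")] + split_csv(cfg.get("additionalAttributes", ""))
            for attr in wanted:
                if attr not in available:
                    findings.append(f"AssertionProvider uses '{attr}' but no earlier valve provides it")
            misc = cfg.get("misc", {})
            if misc.get("signAssertion") != "true" and misc.get("signMessage") != "true":
                findings.append("neither the assertion nor the message is signed")
    return findings

if __name__ == "__main__":
    for finding in lint_pipe(json.loads(PIPE_JSON)) or ["pipe is consistent"]:
        print(finding)
```

An empty result means every attribute named in the assertion is produced by an earlier valve and at least one signature is enabled.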



  1. Browse to your box domain.
  2. Click Continue
  3. This should result in a redirect to PhenixID Authentication Services
  4. Select authentication method
  5. Authenticate
  6. You should now be logged in to Box.




Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
