The Box integration enables biometric passwordless authentication via SAML 2.0 for Box Business and Enterprise accounts using the 1Kosmos mobile app, with Box acting as the SAML service provider.
Integration type: SSO
Overview
1Kosmos integrates with Box as a SAML 2.0 identity provider, allowing users to access Box Business and Enterprise accounts using biometric passwordless authentication via the 1Kosmos mobile app. When a user navigates to Box, they are redirected to 1Kosmos for biometric verification and returned to their Box session after successful authentication. Box acts as the SAML service provider in this flow.
Box SSO configuration is performed in the Box Admin Console under Enterprise Settings → User Settings. Box accepts an IdP metadata XML file during setup, which simplifies configuration by auto-populating the SSO URL and certificate. For identity providers not in Box's built-in list, the configuration is submitted via Box's SSO Setup Support Form, and Box processes the metadata within a few business days.
SSO is available on Box Business and Enterprise plans. Both SP-initiated and IdP-initiated SSO flows are supported.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Box Business or Enterprise account: Primary administrator access to the Box Admin Console, including Enterprise Settings.
Verified domain in Box: The email domain used by your users must be registered and verified with Box before SSO can be enforced.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Box:
| Field | Where to find it |
|---|---|
| SAML Metadata XML file | AdminX → Settings → IdP Configuration → Metadata URL (download or request from 1Kosmos representative) |
| SSO Login URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Fixed Box SP values to enter in AdminX:
| Field | Value |
|---|---|
| Entity ID (Audience URI) | box.net |
| ACS URL | https://sso.services.box.net/sp/ACS.saml2 |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Integration steps
Step 1: Add Box as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "Box" as the Application Name, set Instance to Production, and enter your Box URL (https://[subdomain].box.com) as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email.
Add claims mappings for email (Username), firstname (first_name), and lastname (last_name). Click Next.
Enter box.net as the Entity ID and https://sso.services.box.net/sp/ACS.saml2 as the ACS URL. Set Method to POST and enable Assertion signing. Click Save.
Download the 1Kosmos SAML metadata XML file from AdminX → Settings → IdP Configuration → Metadata URL for use in the Box setup step.
Step 2: Configure SSO in the Box Admin Console
Log in to Box as the primary administrator and navigate to Admin Console → Enterprise Settings → User Settings.
In the Configure Single Sign-On (SSO) for All Users section, click Configure.
Select your identity provider from the list. If 1Kosmos does not appear, select the option for an unlisted provider or follow the self-service flow.
Upload the 1Kosmos SAML metadata XML file when prompted. Box will process the metadata to establish the SSO connection.
If Box requires a support form submission for non-listed providers, navigate to the Box SSO Setup Support Form. Complete the form with the following details: Identity Provider as "Other with Metadata," the SAML attribute for user email as "email," and attach the 1Kosmos metadata file. Submit the form. Box typically processes these requests within a few business days.
Step 3: Enable SSO Test Mode
Once Box confirms the SSO connection is active, return to Enterprise Settings → User Settings.
Enable SSO Test Mode. In test mode, users can sign in with either SSO or their Box credentials. This allows validation before enforcing SSO for all users.
Open an incognito browser window and navigate to your Box URL.
Sign in using the SSO option. You will be redirected to the 1Kosmos login screen.
Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are logged into Box as the authenticated user.
Step 4: Enforce SSO for all users
After successful testing, return to Enterprise Settings → User Settings.
In the Configure Single Sign-On (SSO) for All Users section, enable the SSO Required toggle to enforce SSO for all users in the Box enterprise.
Attribute mappings
| Source (1Kosmos) | Target (Box) | Description |
|---|---|---|
| user.email | email (NameID) | Primary identifier; must match the user's Box account email |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |
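While SSO Test Mode is on, a SAML Response captured from a test login (base64-decoded) can be compared against the fixed Box SP values and the mappings above before SSO is enforced. The following is an added example, not 1Kosmos or Box code: the function name and sample response are constructed, and it assumes the attribute names in the assertion follow the Target (Box) column. It checks structure only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Fixed Box SP values from this page.
BOX_ENTITY_ID = "box.net"
BOX_ACS_URL = "https://sso.services.box.net/sp/ACS.saml2"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumption: attribute names follow the Target (Box) column of the mapping table.
EXPECTED_ATTRS = ("email", "first_name", "last_name")

def check_box_response(xml_text):
    """List mismatches between a decoded SAML Response and the Box SP settings.
    Structural check only: the signature is not verified cryptographically."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion found"]
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != BOX_ACS_URL:
        problems.append("Recipient is not the Box ACS URL")
    audiences = [e.text for e in assertion.iterfind(".//a:Audience", NS)]
    if BOX_ENTITY_ID not in audiences:
        problems.append("Audience is not box.net")
    attrs = {a.get("Name") for a in
             assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in EXPECTED_ATTRS if n not in attrs]
    return problems

# Constructed sample (not a real capture): the audience was set to the Box
# subdomain URL instead of box.net, and last_name is not mapped.
SAMPLE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"><a:Assertion><ds:Signature/>
 <a:Subject><a:NameID Format="{EMAIL_FORMAT}">alice@example.com</a:NameID>
 <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{BOX_ACS_URL}"/>
 </a:SubjectConfirmation></a:Subject>
 <a:Conditions><a:AudienceRestriction><a:Audience>https://example.box.com</a:Audience>
 </a:AudienceRestriction></a:Conditions><a:AttributeStatement>
 <a:Attribute Name="email"><a:AttributeValue>alice@example.com</a:AttributeValue></a:Attribute>
 <a:Attribute Name="first_name"><a:AttributeValue>Alice</a:AttributeValue></a:Attribute>
 </a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(check_box_response(SAMPLE))
```

An empty list means the response matches the values configured in Step 1; any entry names the AdminX setting to revisit before turning on SSO Required.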
Integration notes
Box processes SSO metadata on their side, which means the connection is not instantaneous after metadata submission. Allow up to a few business days for the Box support team to complete the setup if the self-service SSO flow is not available for your account.
The Entity ID for Box is always the fixed string box.net regardless of your Box subdomain. Do not enable SSO Required until test mode has been fully validated, since once enforced, all users must authenticate through 1Kosmos to access Box.

