Hi all — looking for guidance and confirmation on a BC/DR pattern for Box SSO.

Current state (redacted):

  • Box Enterprise with SAML SSO enabled. Primary IdP = a third-party SAML provider (not Okta).

  • “SSO Required” is OFF so password logins remain possible.

  • Two Box admin accounts have SSO bypass enabled and strong passwords (tested at https://account.box.com/login).

  • A standby Okta SAML configuration is pre-staged in Enterprise Settings → Authentication (uploaded Okta IdP metadata & SHA-256 signing cert).

  • Okta app uses NameID = EmailAddress; app username = email; standard givenName/sn claims.

  • No change to the production IdP yet—we only want an emergency fallback.

  • SCIM provisioning from Okta is not enabled (SSO only).

What we want to do during an IdP outage:

  1. Admins enter via password (SSO bypass).

  2. Optionally flip SSO Provider in Box from the primary IdP → Okta to keep SSO for users.

  3. Keep SSO Required = OFF during the flip; validate with pilots; later flip back to the primary IdP.

Questions for the community:

  1. Is this pattern (two SSO-bypass admins + pre-staged alternate SAML provider kept on file but not enforced) a supported/best-practice approach for Box?

  2. When switching SSO Provider (Primary ↔ Okta), is the change immediate? What happens to active sessions—are users forced to re-authenticate?

  3. Any metadata caching/TTL or propagation delay that could affect a quick flip?

  4. Any limits or caveats to keeping multiple SSO certs/configs stored (primary + standby) while only one provider is active?

  5. For validation: recommendations on SSO Test Mode vs simply leaving SSO Required = OFF?

  6. Security/audit: best way to monitor password logins (SSO bypass) during incidents; which events should we watch in Box logs? Any way to limit password logins to specific admins/IPs beyond per-user bypass?

  7. Role requirements: which admin roles/permissions are needed to (a) enable SSO bypass for a user and (b) change the SSO Provider setting?

  8. Confirm that SCIM/API provisioning can be enabled later independently of SSO and does not alter the active IdP.

Appreciate any tips, gotchas, or a short runbook others have used for this scenario!
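Added example (not from the poster or from Box) for the monitoring part of question 6: a small Python check that runs over Box-style enterprise events and flags password-path logins by the SSO-bypass admins, rates them by source IP against an assumed corporate egress range, and counts failed-login bursts against those accounts (the only accounts with a password path while SSO Required is OFF). Assumptions to confirm against the Box Events API docs for your tenant: the field names `event_type`, `created_by.login`, `ip_address` and `created_at`, the event types `LOGIN` and `FAILED_LOGIN`, and that the event does not carry an explicit password-vs-SSO indicator (so the check correlates on the known bypass list instead). The sample events and IP ranges are constructed, not real data.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample shaped like Box enterprise events. Field names and event
# types are assumptions to verify against the Box Events API documentation.
SAMPLE_EVENTS = json.loads("""
{"entries": [
 {"type":"event","event_id":"e1","created_at":"2024-05-01T09:00:00-07:00","event_type":"LOGIN",
  "created_by":{"type":"user","id":"1","login":"bypass-admin1@example.com"},"ip_address":"203.0.113.10"},
 {"type":"event","event_id":"e2","created_at":"2024-05-01T09:05:00-07:00","event_type":"LOGIN",
  "created_by":{"type":"user","id":"1","login":"bypass-admin1@example.com"},"ip_address":"198.51.100.77"},
 {"type":"event","event_id":"e3","created_at":"2024-05-01T09:06:00-07:00","event_type":"FAILED_LOGIN",
  "created_by":{"type":"user","id":"2","login":"bypass-admin2@example.com"},"ip_address":"198.51.100.77"},
 {"type":"event","event_id":"e4","created_at":"2024-05-01T09:06:30-07:00","event_type":"FAILED_LOGIN",
  "created_by":{"type":"user","id":"2","login":"bypass-admin2@example.com"},"ip_address":"198.51.100.77"},
 {"type":"event","event_id":"e5","created_at":"2024-05-01T09:07:00-07:00","event_type":"FAILED_LOGIN",
  "created_by":{"type":"user","id":"2","login":"bypass-admin2@example.com"},"ip_address":"198.51.100.77"},
 {"type":"event","event_id":"e6","created_at":"2024-05-01T09:10:00-07:00","event_type":"LOGIN",
  "created_by":{"type":"user","id":"3","login":"regular-user@example.com"},"ip_address":"198.51.100.5"}
]}
""")

# The two admins that hold SSO bypass (hypothetical addresses).
BYPASS_ADMINS = {"bypass-admin1@example.com", "bypass-admin2@example.com"}
# Assumed corporate egress range from which admin password logins are expected.
ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Number of FAILED_LOGIN events on one bypass account that counts as a burst.
FAILED_THRESHOLD = 3


def ip_allowed(ip, nets):
    """True if ip parses and falls inside one of the allowed networks."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def review_events(entries, bypass_admins, admin_nets, failed_threshold=FAILED_THRESHOLD):
    """Return findings for bypass-admin logins and failed-login bursts on those accounts.

    Events are processed in created_at order so output is stable regardless of
    the order the API returned them.
    """
    findings = []
    failures = Counter()
    for e in sorted(entries, key=lambda ev: ev.get("created_at", "")):
        etype = e.get("event_type")
        login = (e.get("created_by") or {}).get("login", "")
        ip = e.get("ip_address")
        if login not in bypass_admins:
            continue  # only the bypass accounts have a password path we care about here
        if etype == "LOGIN":
            # Any login by a bypass admin is worth recording; one from outside the
            # expected egress range is escalated for immediate review.
            findings.append({
                "event_id": e.get("event_id"),
                "login": login,
                "ip_address": ip,
                "severity": "info" if ip_allowed(ip, admin_nets) else "high",
            })
        elif etype == "FAILED_LOGIN":
            failures[login] += 1
    bursts = {user: n for user, n in failures.items() if n >= failed_threshold}
    return {"findings": findings, "failed_login_bursts": bursts}


if __name__ == "__main__":
    result = review_events(SAMPLE_EVENTS["entries"], BYPASS_ADMINS, ADMIN_NETS)
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['login']} logged in from {f['ip_address']} ({f['event_id']})")
    for user, n in result["failed_login_bursts"].items():
        print(f"[burst] {n} failed logins against bypass account {user}")
```

On the constructed sample this reports the first bypass-admin login as info, the second (from outside the assumed egress range) as high, and a burst of three failed logins against the second bypass account. In practice the entries would come from a paged Events API read over the incident window, and the egress range and threshold would be your own.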