SSO Users Are Prompted To Reset Their Passwords

Single Sign-On (SSO) allows Box users to access their Box accounts using their company credentials rather than a Box-specific password. In some cases, SSO users may still receive email notifications telling them that they are required to reset their Box passwords, which can cause confusion.


Why It Happens


Even if SSO is enabled for your account, the option to create a Box-specific password still exists. This allows users to log in to Box via third-party apps that do not support Single Sign-On, like FTP or WebDAV. As a result, Password Settings are still available in the Admin Console.


If a setting in the Box account requires a reset of the Box-specific password, users will receive a notification. This includes the option to “Require users to reset passwords every X days” and Global Password Resets.


What To Do Next


If SSO Is Enabled (but Not Required):

  • These settings will apply to all users because users can log in using company or Box credentials.
  • It is recommended to keep these settings enabled to ensure that best practices for password management are used.


If SSO Is Required:

  • Whether to keep these settings enabled should be determined by how Box is accessed:
    • If users require FTP and WebDAV access, admins may want to keep the settings enabled to ensure good password management.
    • If not, disable these settings, as users will not have a Box-specific password.

Last update: 07-25-2017 02:14 PM (revision 1 of 1)