Skip to main content
Many Box Enterprises use Single Sign On (SSO) to authenticate logging in to Box. The way an application built on Box Platform interact with an SSO provider depends on the type of application being built.

Platform Apps with Client-side Authentication

When users authenticate with a configured to use Box will detect if the enterprise is configured to use SSO. If it is, Box will redirect the user to their browser and display the enterprise’s configured SSO log-in screen.

SSO Enabled vs Required

Enterprises can configure their SSO in one of two ways: SSO Required or SSO Enabled. When SSO is enabled but not required, managed users will have the option to either:
  • log in with a Box username and password
  • log in with their SSO provider
When SSO is enabled and required, Box will force all managed users to log in with their enterprise’s configured SSO provider. In this case, any user that tries to log in must be configured on the SSO side, in addition to having a Box account matching the email address passed via SAML.
It is not possible to exempt a user from SSO in an enterprise with SSO set to required, even if it is only used for platform use cases.

Platform Apps with Server-side Authentication

For that use , SSO is not used to authenticate with Box. Platform Apps using server-side authentication only use server-to-server API calls to communicate with Box. In this scenario, the way in which an end user is authenticated is determined by the application and not by Box. In other words, end user authentication with the application is determined by the application, while application’s authorization to Box is a different matter completely. In these use cases the application authenticates not as a regular Managed User but as a Service Account or App User. These user types do not have access to any Managed User’s data by default. For these applications to have access to other Managed User’s data they will need explicit .