Anyone Integrate with Box.com Before?

[David P]

https://www.box.com/platform/integrate/ 

Odds are we'll be integrating with this cloud storage company soon, so I'm trying to get a jump on their SAML integration. I've only used it with PHP for Gmail connectivity so far. Would the connection set up be essentially the same? We'd be IdP and Box.com would be SP.

[Ian Webb]

Yes. I am integrated with them now. It's very straightforward; just write the config entry yourself instead of trying to use the conversion tool from the metadata they give you. Here is my config from saml20-sp-remote.php, it should work for you without modification. The ACS/SLO URLs are the same for all customers, and Box does NOT support IdP-initiated login. You need to use SP-initiated; shouldn't be a problem, but I'm pointing it out just in case.

$metadata['box.net'] = array(

        'AssertionConsumerService' => 'https://sso.services.box.net/sp/ACS.saml2',

        'SingleLogoutService' => 'https://sso.services.box.net/sp/SLO.saml2',

        'name' => 'Box',

);

You will need to provide Box with your metadata URL so they can load your metadata into their system, and additionally the attribute mapping manually, since SSP doesn't put the attributes in the metadata by default the way, say, Microsoft ADFS2 does. Overall it is a very clean integration; they are one of the easier third-party SAML integrations I've done with our SSP setup.

Cheers,
Ian

On Mon, Jul 23, 2012 at 12:19 PM, David P <david.p...@gmail.com> wrote:

https://www.box.com/platform/integrate/ 

Odds are we'll be integrating with this cloud storage company soon, so I'm trying to get a jump on their SAML integration. I've only used it with PHP for Gmail connectivity so far. Would the connection set up be essentially the same? We'd be IdP and Box.com would be SP.

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/tGcZ1lmzbv0J.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

[David P]

Thank you for the snippets. I'll be looking into your comments more as the project approaches.

To unsubscribe from this group, send email to simplesamlphp+unsubscribe@googlegroups.com.

[Scotty Logan]

On Fri, Aug 3, 2012 at 11:02 AM, John Rodkey <rod...@westmont.edu> wrote:
> I am also in the starting stages of this. At this point I am stumped on how
> to transmit group information.

The group attribute ID is "http://schemas.xmlsoap.org/claims/Group".
There are couple of settings you'll need to enable in the enterprise
settings. Also, Box currently only accepts up to 100 groups via SSO
(whichever 100 appear first in the assertion).

Scotty

[Nate Klingenstein]

John,

You may find the following set of documents helpful:

https://www.box.com/s/0at0b0ny425o81i14plf

Thanks,
Nate.

[David P]

Now that this project is starting I can finally start putting this info to use. I am using SSP 1.9.2.

1. If Box.com only works with SP, where does authentication occur? By this logic, I am the IdP (I may just be reading your sentence wrong).
2. If #1 is 'true', then In config.php, I am setting enable.saml20-idp = true? If not, then which?
3. Do we have to use Groups for this application? Or is it entirely based on our setup?

On Monday, July 23, 2012 12:31:29 PM UTC-4, Ian wrote:

[John Rodkey]

1.  Authentication is on your IdP:  we use simplesaml to send the user to our CAS SSO login screen.

2.  yes.

3.  You are not required to pass Groups if  you do not wish to.  It took a little fiddling to get CAS to provide group info.  We are using group information.

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/2E8cV_DSYWsJ.

[David P]

In saml20-sp-remote.php, do you have the following for box.com handshaking (same as originally posted to on this thread)?

$metadata['box.net'] = array(

        'AssertionConsumerService' => 'https://sso.services.box.net/sp/ACS.saml2',

        'SingleLogoutService' => 'https://sso.services.box.net/sp/SLO.saml2',

        'name' => 'Box',

);

Do you not need 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email' as an index at all?

[John Rodkey]

Here's what I have in the metadata/saml20-sp-remote.php:

$metadata['box.net'] = array (

  'entityid' => 'box.net',

  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

  'simplesaml.nameidattribute' => 'mail', 

  'simplesaml.attributes'      => true,

  'attributes' => array('givenName','sn','mail','groupMembership'), 

  'contacts' => 

  array (

    0 => 

    array (

      'contactType' => 'administrative',

      'company' => 'Box.net',

      'givenName' => 'Box',

      'surName' => 'Support',

      'emailAddress' => 

      array (

        0 => 'business...@box.com',

      ),

    ),

  ),

  'metadata-set' => 'saml20-sp-remote',

  'expire' => 2347675879,

  'AssertionConsumerService' => 

  array (

    0 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

      'Location' => 'https://sso.services.box.net/sp/ACS.saml2',

      'index' => 0,

      'isDefault' => true,

    ),

    1 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',

      'Location' => 'https://sso.services.box.net/sp/ACS.saml2',

      'index' => 1,

    ),

    2 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',

      'Location' => 'https://sso.services.box.net/sp/ACS.saml2',

      'index' => 2,

    ),

  ),

  'SingleLogoutService' => 

  array (

    0 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

      'Location' => 'https://sso.services.box.net/sp/SLO.saml2',

    ),

    1 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

      'Location' => 'https://sso.services.box.net/sp/SLO.saml2',

    ),

    2 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',

      'Location' => 'https://sso.services.box.net/sp/SLO.saml2',

    ),

    3 => 

    array (

      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',

      'Location' => 'https://sso.services.box.net/sp/SLO.ssaml2',

    ),

  ),

  'name' => 

  array (

    'en' => 'AttributeContract',

  ),

  'description' => 

  array (

  ),

  'keys' => 

  array (

    0 => 

    array (

      'encryption' => false,

      'signing' => true,

      'type' => 'X509Certificate',

      'X509Certificate' => 'MIICHTCCAYagAwIBAgIGATc5d2+BMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJTG9zIEFsdG9zMRAwDgYDVQQKEwdCb3gubmV0MRAwDgYDVQQDEwdib3gubmV0MB4XDTEyMDUxMTAxMTU1N1oXDTE0MDUxMTAxMTU1N1owUjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlMb3MgQWx0b3MxEDAOBgNVBAoTB0JveC5uZXQxEDAOBgNVBAMTB2JveC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIf8XpSWiVUWmHgPBCJKE48DhAVpRYnlomeBzHrkhMFyr0i7EKo1qMC9ewQbvp3nguz1bd5r9g75+l/xdfQ/+OOpqw0WicqsNEUpkOeqI/w35q9n6LZL85w0s21PtoGrpI7dV3NDw4qMxI760+oYYRBoj2qxnXLlHfoAWLUJjzEPAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAEimuP4fO2Exrv3QQvkRUpgtWLpLVjOAEwDzD5hdLej0/wICHzT7lgB+wMrEVsZ/76Bxh5C0T5JBtgosqKs9/F/WySV9FSFnRnjh7DUptfJCv4UFhkZdY6l4fja673cX1eITlrMBEgtDrqETmJsqlp2RXv5GSPmhQXFA2tLENHVY=',

    ),

  ),

);

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/5EThJbzEIDQJ.

[David P]

Damn, that's a custom job! Thanks for the info.

Also, where do I find the Metadata XML and/or SAML issuer URL that must be plugged in on their end? 

[John Rodkey]

I got most of that info from 

https://www.box.com/shared/3isa8qvvqn

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/DxfPC4P92E4J.

[David P]

Perfect! I was not aware of this file. Thanks for your input.

[David P]

Ok, after looking at this metadata example, then at the sp-remote file you posted up, I'm confused.  Is the box metadata file they supplied us an example for what we are supposed to supply for them? Or is it an example for how we are supposed to configure our sp-remote file? I'm missing some niggling detail here that's not connecting.

Perhaps asking a different way, what format was the metadata did you send box.com?

[John Rodkey]

I believe I pasted the metadata from that file into an administrative tool which translated it into recognizable information.  I then used that information to create the sp-remote file that I provided.

Was it admin/metadata-converter.php  ?

It's been a while.

John

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/2illrvfSz_EJ.

[David P]

I had no clue about this converter's existence! I am clearly lacking in how much this application has in terms of tools. One bit of knowledge acquired.

Did you modify the x509 certificate code to match one you created on your machine? I would presume so since everyone would have this.

Lastly, what was the format of metadata that you sent to Box.com, or the URL that points to said metadata?

Thanks for your patience in helping me get familiar with this.

[John Rodkey]

I created a box.crt and box.pem according to instructions somewhere...  nothing special, as I recall.

I generated our IdP metadata by doing

cd www/saml2/idp

php metadata.php

John

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/mS7pEh343WkJ.

[David P]

THANK YOU. Life is good now, and I have all the tools I need to get this platform going.

[John Rodkey]

Glad to hear it!!

John

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/ByE2Lm41itwJ.

[David P]

When you initiate the security token by redirecting to https://sso.services.box.net/sp/ACS.saml2, are you passing any POST or GET variables with it?

Based on my work with Gmail, we need to pass some form of unique identifier, but their Powerpoint file just lists the URL and nothing more.

[Ian Webb]

Their system recognizes you based on the RelayState parameter that was provided by Box's system during the first phase of SP-initiated login. That's automatically included in the response.

Cheers,

Ian

To view this discussion on the web visit https://groups.google.com/d/msg/simplesamlphp/-/1Cso3huT1yEJ.

[David P]

What you're saying is that nothing on my end has to change. I'm getting "an unexpected system error" from them when redirecting to their URL, so this is an issue on their end with metadata handshaking?

[Ian Webb]

The "unexpected system error" is on the SP side, so yes, it would be
up to the SP's sysadmins to provide further details. A working config
for using SimpleSamlPHP with Box's service was recently posted in
another thread here; if you are using that config then it's definitely
not on your end.

Cheers,
Ian

> https://groups.google.com/d/msg/simplesamlphp/-/qc7UoODJKmEJ.

[David P]

Just to clear my conscience, the public certificate that they provide for us to sign has to be used in creating the private key and certificate files that we upload and list under saml20-idp-hosted, correct?

Or is creating one from scratch yourself using openssl sufficient?