Availability
Admins
All accounts
Feature exclusive to select subscription plans and add-ons
Single Sign-On (SSO) is an authentication method that lets users access multiple applications with one set of credentials, which are stored securely in a centralized cloud directory. This reduces password fatigue, strengthens security, and simplifies login management across your organization. There are several standards for implementing SSO, including Security Assertion Markup Language (SAML), OpenID, and OAuth. Each has its own specifications and is not interchangeable. Databox currently supports the SAML 2.0 standard.
Set up Single Sign-On
Enable or disable SSO
- Go to Account Management > Advanced security > Single sign-on
- Switch the toggle at the top to Enabled (or back to Disabled if you want to turn SSO off).
Exchange configuration details
To complete the setup, you’ll need to exchange information between Databox and your Identity Provider (IdP). Databox supports the Service Provider (SP) initiated flow by default. The Identity Provider (IdP) initiated flow can be enabled on request, though it is less secure and discouraged unless necessary.
Note: To enable the IdP-initiated flow, contact Databox Support via live chat or at help@databox.com.
Use the table below to map Databox fields to the terms used by your IdP:
| Databox field | Also called in other tools | Where it comes from | What to do |
|---|---|---|---|
| Callback URL | Assertion Consumer Service (ACS) URL | Databox | Copy from Databox and paste into your IdP. |
| Issuer | Entity ID, Audience URI, SP Entity ID | Databox | Copy from Databox and paste into your IdP. |
| Metadata URL | Federation Metadata URL, SAML Metadata | Databox | Copy from Databox and paste into your IdP (if required). |
| Single Sign-On URL | IdP Login URL, SAML Endpoint, Identity Provider SSO URL | Identity Provider | Copy from IdP and paste into Databox. |
| X.509 Certificate | IdP Certificate, Public Key, Signing Certificate | Identity Provider | Copy from IdP and paste into Databox. |
| Managed Domain(s) | Domain Restriction, Allowed Domains | You define | Enter domains (e.g., company.com). Only users with matching email domains can log in with SSO. |
Require Single Sign-On for all users
Account administrators can enforce SSO authentication for every user in the account. In agency accounts, this setting applies only to agency account users—client users are not affected.
To require SSO for all users:
- Go to Account Management > Advanced security > Single sign-on
- Switch the Require SSO for all users toggle to Enabled.
- Confirm in the pop-up by clicking Yes.
- Click Save changes.
Warning: Enforcing SSO deletes all stored passwords. If SSO is later disabled, users must reset their passwords to log in again.
Frequently Asked Questions
Can I connect multiple Identity Providers to Databox?
No. Only one Identity Provider can be configured per Databox account, whether it’s an Agency Account or a standard account. If you need support for multiple Identity Providers, you can request this feature on the Roadmap.
Does Databox support automatic user provisioning?
No. Service Provider (SP) provisioning is not supported. Users must first be created in Databox before they can authenticate via the IdP.
How are users identified for SSO in Databox?
Users are identified by their email address. The email in Databox must exactly match the email stored in the IdP.
Which Identity Provider apps are available for Databox?
Databox has a verified application in the Okta Integration Network, making setup simple for Okta users. For other Identity Providers, such as Azure Active Directory, OneLogin, or Ping Identity, you can configure Databox manually using the SAML 2.0 standard.
Still need help?
Visit our community, send us an email, or start a chat in Databox.