Single Sign-On (SSO) is an authentication method that lets users access multiple applications with one set of credentials, which are stored securely in a centralized cloud directory. This reduces password fatigue, strengthens security, and simplifies login management across your organization. There are several standards for implementing SSO, including Security Assertion Markup Language (SAML), OpenID, and OAuth. Each has its own specification, and they are not interchangeable. Databox currently supports the SAML 2.0 standard.
To enable or disable SSO:
- Go to Account Management > Advanced security > Single sign-on.
- Switch the toggle at the top to Enabled (or back to Disabled if you want to turn SSO off).
To complete the setup, you'll need to exchange information between Databox and your Identity Provider (IdP). Databox supports the Service Provider (SP) initiated flow by default. The Identity Provider (IdP) initiated flow can be enabled on request, though it is less secure and discouraged unless necessary.
Service Provider (SP) initiated flow

Identity Provider (IdP) initiated flow

Use the table below to map Databox fields to the terms used by your IdP:
| Field name | Synonyms | Provider | Action |
|---|---|---|---|
| Callback URL | Assertion Consumer Service (ACS) URL | Databox | Copy from Databox and paste into your IdP. |
| Issuer | Entity ID, Audience URI, SP Entity ID | Databox | Copy from Databox and paste into your IdP. |
| Metadata URL | Federation Metadata URL, SAML Metadata | Databox | Copy from Databox and paste into your IdP (if required). |
| Single Sign-On URL | IdP Login URL, SAML Endpoint, Identity Provider SSO URL | Identity Provider | Copy from IdP and paste into Databox. |
| X.509 Certificate | IdP Certificate, Public Key, Signing Certificate | Identity Provider | Copy from IdP and paste into Databox. |
| Managed Domain(s) | Domain Restriction, Allowed Domains | You define | Enter domains (e.g., company.com). Only users with matching email domains can log in with SSO. |
Account administrators can enforce SSO authentication for every user in the account. In agency accounts, this setting applies only to agency account users—client users are not affected.
To require SSO for all users:
- Go to Account Management > Advanced security > Single sign-on.
- Switch the Require SSO for all users toggle to Enabled.
- Confirm in the pop-up by clicking Yes.
- Click Save changes.
FAQ
Can I connect multiple Identity Providers to Databox?
No. Only one Identity Provider can be configured per Databox account, whether it's an Agency Account or a standard account. If you need support for multiple Identity Providers, you can submit a request using our Roadmap Request form.
Does Databox support automatic user provisioning?
No. Service Provider (SP) provisioning is not supported. Users must first be created in Databox before they can authenticate via the IdP.
How are users identified for SSO in Databox?
Users are identified by their email address. The email address in Databox must match the email stored in the identity provider (IdP) character for character, including uppercase and lowercase letters.
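An added example (not Databox code) of a pre-flight check to run before enabling Require SSO for all users: it compares a Databox user list with an IdP user list using the exact, case-sensitive email match described above, the Managed Domain(s) restriction, and the lack of automatic provisioning. The function names, the sample lists, and the case-insensitive comparison of domain names are assumptions.

```python
# Added example: pre-flight check before requiring SSO. All sample data is constructed.

def sso_preflight(databox_emails, idp_emails, managed_domains):
    """Return (email, problem) pairs for Databox users who would fail SSO login."""
    idp_exact = set(idp_emails)
    # Case-folded index, used only to explain why an exact match failed.
    idp_folded = {e.casefold(): e for e in idp_emails}
    # Assumption: domain names are compared case-insensitively.
    domains = {d.casefold() for d in managed_domains}
    findings = []
    for email in databox_emails:
        local, sep, domain = email.rpartition("@")
        if not (local and sep and domain):
            findings.append((email, "malformed address"))
            continue
        if domain.casefold() not in domains:
            findings.append((email, "domain not in Managed Domain(s)"))
        if email in idp_exact:
            continue  # exact, case-sensitive match: this user can be identified
        near = idp_folded.get(email.casefold())
        if near is not None:
            findings.append((email, f"case differs from IdP value {near}"))
        else:
            findings.append((email, "no IdP user with this email"))
    return findings


def not_provisioned(databox_emails, idp_emails):
    """IdP users with no Databox user at all (Databox does not auto-provision)."""
    known = {e.casefold() for e in databox_emails}
    return [e for e in idp_emails if e.casefold() not in known]


# Constructed sample exports (hypothetical users, not real data).
DATABOX_USERS = ["ana@company.com", "Bob@company.com",
                 "carol@partner.org", "dave@company.com"]
IDP_USERS = ["ana@company.com", "bob@company.com",
             "carol@partner.org", "erin@company.com"]
MANAGED_DOMAINS = ["company.com"]

if __name__ == "__main__":
    for email, problem in sso_preflight(DATABOX_USERS, IDP_USERS, MANAGED_DOMAINS):
        print(f"{email}: {problem}")
    for email in not_provisioned(DATABOX_USERS, IDP_USERS):
        print(f"{email}: create in Databox before first SSO login")
```

Resolve every finding before switching on enforcement, since a user who cannot be matched has no other way to sign in once SSO is required.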
Which Identity Provider apps are available for Databox?
Databox has a verified application in the Okta Integration Network, making setup simple for Okta users. For other Identity Providers, such as Azure Active Directory, OneLogin, or Ping Identity, you can configure Databox manually using the SAML 2.0 standard.