Use SAML Single Sign-On to obtain OAuth access tok

Published 2019-02-14 14:19

Question:

We have SAML-based single sign-on (SSO) enabled between our company's Intranet Portal and Box so that the users do not use username and passwords to login to Box.com. They just click on a button on Intranet Portal which posts a SAML assertion to Box.com to authenticate.

We would like to provide the ability to our users to search their Box documents directly from the Intranet Portal and the Box.com API looks like a perfect fit. However, it requires OAuth access token.

The question is:

  1. Is there any way to obtain the OAuth token from SAML assertion?

  2. The Box Embed allows embedding of folders view on to other sites. Is there any way to embed just the search results. In other words, I am looking for a way to do this <iframe src="https://www.box.com/....?search=keywords"></iframe> where it would just display the search results in iframe.

Answer 1:

1. I don't know if it is possible to get an OAuth2 token from a SAML assertion -- I'd think that it isn't -- but you can pretty easily configure a Box application to support your company's SSO. The first step of Box's OAuth2 authorization process is to redirect the user's browser to a URL similar to:

https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID

On this page the user can log into Box with whatever credentials they chose and authorize your application to touch their files. In order to take advantage of your company's SSO integration, you will instead redirect the user to:

https://sso.services.box.net/sp/startSSO.ping
     ?PartnerIdpId=<YOUR_IDP_URN>
     &TargetResource=https%3A%2F%2Fwww.box.com%2Fapi%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DMY_CLIENT_ID

Where:

  • The PartnerIdpId is the URN of your company's IdP.
  • The TargetResource is the HTTP-encoded version of the default OAuth2 authorization URL that was described above.

This will tell Box to bounce the user over to your IdP for authorization instead of prompting the user to log in with Box credentials. The OAuth2 process will then carry on as normal.

2. I don't know that this is possible either, but with a valid OAuth2 token you can easily tap into the Box Search API.
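The following is an added worked example (not code from the answer above or from Box) showing how a portal would build the startSSO.ping URL the answer describes, with the OAuth2 authorize URL percent-encoded into TargetResource, and how it would check the state parameter on the way back before exchanging the authorization code. The IdP URN, client id, redirect URI and state values are constructed placeholders; the query-parameter names PartnerIdpId and TargetResource, and the two Box endpoints, are the ones given in the answer.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints quoted in the answer above.
BOX_AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize"
BOX_SSO_START_URL = "https://sso.services.box.net/sp/startSSO.ping"


def new_state() -> str:
    """Random, unguessable state value; store it server-side in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """The plain OAuth2 authorization-code request, before any SSO wrapping."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # lets the callback be tied to the session that started it
    }
    return BOX_AUTHORIZE_URL + "?" + urlencode(params)


def build_sso_start_url(partner_idp_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Wrap the authorize URL in Box's SSO-initiation URL.

    urlencode percent-encodes the whole authorize URL (':' -> %3A, '/' -> %2F,
    '?' -> %3F, '=' -> %3D, '&' -> %26), so the inner query string survives as
    one TargetResource value instead of leaking into the outer query.
    """
    target = build_authorize_url(client_id, redirect_uri, state)
    params = {"PartnerIdpId": partner_idp_id, "TargetResource": target}
    return BOX_SSO_START_URL + "?" + urlencode(params)


def extract_target_resource(sso_url: str):
    """Decode the SSO URL back: returns (inner authorize URL, its parsed query)."""
    outer = parse_qs(urlsplit(sso_url).query)
    target = outer["TargetResource"][0]  # parse_qs already percent-decodes once
    inner = parse_qs(urlsplit(target).query)
    return target, inner


def check_callback_state(callback_url: str, expected_state: str):
    """Return the authorization code only if the state matches the session's.

    A mismatch means the callback did not originate from this session's
    redirect, so the code must not be exchanged for a token.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    received_state = qs.get("state", [""])[0]
    if not hmac.compare_digest(received_state, expected_state):
        return None
    return qs.get("code", [None])[0]


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    state = new_state()
    url = build_sso_start_url(
        "urn:example:intranet-idp", "MY_CLIENT_ID",
        "https://intranet.example.com/box/callback", state,
    )
    print(url)
    print(extract_target_resource(url)[1])
```

The portal keeps the state in the user's session when it issues the redirect, and the callback handler calls check_callback_state before talking to the token endpoint; everything after that point is the normal authorization-code exchange.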