Symbol image for the new SSO and SCIM feature of Boxcryptor, the only cloud encryption solution with zero knowledge encryption that offers SSO.
Monday, July 4, 2022

Use Boxcryptor with SSO: The Setup at a Glance

Boxcryptor Enterprise offers your company all the features for secure and encrypted collaboration. Since 2017, our premium plan has also included user authentication via Single Sign-on (SSO). Thanks to “ready-to-start” setups, configuring it has now become even easier. In this article, read about the requirements for Boxcryptor SSO and how we continue to deliver on our zero-knowledge promise - despite centralized key management.


How Boxcryptor Works with SSO

How Boxcryptor with SSO works in detail, and which security issues we solved during development, is covered in our detailed blog post. A crucial difference from the SSO integration of many other software products is the use of an external Key Management System and the Crypto Server developed by Boxcryptor. These two components handle the key management, which is more complex than in conventional Boxcryptor setups. Thanks to the Crypto Server, we can keep our zero-knowledge promise even when using SSO: keys in plaintext never reach the Boxcryptor server.

Illustration of how Single Sign-On with zero knowledge guarantee works at Boxcryptor.

Components of the SSO Setup

To be able to set up Boxcryptor with Single Sign-on, we need three components in your company’s infrastructure. Our solution engineers will of course support you in the selection and setup process of the appropriate services:

  • Identity Provider (IdP) for authentication of the users
  • Key Management System (KMS) for generating and managing keys to which Boxcryptor has no access
  • Boxcryptor Crypto Server for communication with IdP, KMS and the local Boxcryptor clients

Running the Crypto Server within the corporate infrastructure makes it possible, among other things, to provide keys via the KMS without the Boxcryptor server—and therefore Boxcryptor itself—being able to access these keys, or needing to. Like the KMS, the Crypto Server can be cloud-based or on-premises. By introducing the Crypto Server, Boxcryptor meets the requirements to support as many different identity providers and key management systems as possible. This gives companies more flexibility and, if a certain IdP or KMS is already in use, lets them work with their existing infrastructure.
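To make the trust boundary in the three-component setup concrete, here is an added toy model (not Boxcryptor's code, and not its actual protocol, which the detailed blog post linked above describes). It assumes, as an illustration, that the Boxcryptor server stores only KMS-wrapped key material, that the Crypto Server is the only component that ever handles a plaintext key, and that it does so only after a valid IdP assertion. The HMAC-based wrapping and the HMAC-signed assertion are stand-ins for the KMS's real key wrapping and for SAML signatures, chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
import time


class IntegrityError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter keystream; a real KMS would use AES-GCM or
    # AES key wrap. Stand-in only, so the example needs no third-party library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _wrap(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("wrapped key tampered with, or wrong KMS key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManagementSystem:
    """Company-controlled KMS: the root key never leaves this object."""
    def __init__(self) -> None:
        self._root_key = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return _wrap(self._root_key, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return _unwrap(self._root_key, wrapped)


class IdentityProvider:
    """SAML IdP stand-in: issues an HMAC-signed, time-limited assertion.
    A real IdP signs XML assertions with a private key; the shared
    verification secret here is a simplification (assumption)."""
    def __init__(self, users: dict) -> None:
        self._users = users
        self.verification_secret = secrets.token_bytes(32)

    def authenticate(self, user: str, password: str):
        if self._users.get(user) != password:
            return None
        body = f"{user}|{int(time.time()) + 300}".encode()
        sig = hmac.new(self.verification_secret, body, hashlib.sha256).hexdigest()
        return body + b"." + sig.encode()

    def verify(self, assertion: bytes):
        body, sig = assertion.rsplit(b".", 1)
        expected = hmac.new(self.verification_secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected.encode()):
            return None
        user, expiry = body.decode().split("|")
        return user if int(expiry) >= time.time() else None


class BoxcryptorServer:
    """Holds only KMS-wrapped keys; it has no key that could unwrap them."""
    def __init__(self) -> None:
        self.wrapped_keys: dict = {}


class CryptoServer:
    """Runs in the company's infrastructure and brokers between IdP, KMS and
    the Boxcryptor server; releases a plaintext key only for a valid assertion."""
    def __init__(self, idp, kms, server) -> None:
        self._idp, self._kms, self._server = idp, kms, server

    def _user_for(self, assertion: bytes) -> str:
        user = self._idp.verify(assertion)
        if user is None:
            raise PermissionError("assertion rejected")
        return user

    def provision_user(self, assertion: bytes) -> bytes:
        user = self._user_for(assertion)
        dek = secrets.token_bytes(32)
        self._server.wrapped_keys[user] = self._kms.wrap(dek)  # wrapped only
        return dek

    def fetch_key(self, assertion: bytes) -> bytes:
        return self._kms.unwrap(self._server.wrapped_keys[self._user_for(assertion)])


def run_flow() -> dict:
    """Login, provisioning, retrieval, and two failure cases; returns checks."""
    idp = IdentityProvider({"alice": "correct horse"})  # constructed test user
    kms, server = KeyManagementSystem(), BoxcryptorServer()
    crypto = CryptoServer(idp, kms, server)
    assertion = idp.authenticate("alice", "correct horse")
    dek = crypto.provision_user(assertion)
    stored = server.wrapped_keys["alice"]
    try:
        crypto.fetch_key(b"alice|9999999999.deadbeef")  # forged signature
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    try:
        KeyManagementSystem().unwrap(stored)  # a different KMS root key
        other_kms_blocked = False
    except IntegrityError:
        other_kms_blocked = True
    return {
        "key_round_trips": crypto.fetch_key(assertion) == dek,
        "server_holds_plaintext": dek in stored,
        "forged_assertion_rejected": forged_rejected,
        "other_kms_cannot_unwrap": other_kms_blocked,
    }
```

The point the model makes is structural: whoever operates the Boxcryptor server only ever sees `wrapped_keys`, and without the KMS root key (and a valid IdP assertion to drive the Crypto Server) those blobs are useless, which is what "keys in plaintext never reach the Boxcryptor server" means in practice.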

NEW: Configurations for Quick Setup Available Now

The setup of Boxcryptor with SSO is guided by our experienced solution engineers. We enable many custom setups, ranging from cloud-based to hybrid to on-prem solutions.

To further simplify the SSO process, a faster, “ready-to-start” setup is also available for certain configurations now. The following combinations are available for this purpose:

Cloud-based

  • Azure AD + Azure Key Vault + Azure App Services
  • IdP + AWS Key Management System + AWS Elastic Container Service
  • IdP + OTC Key Management System + OTC Cloud Container Engine

On-Premises

  • IdP + pre-configured HashiCorp Vault (KMS) and Crypto Server deployed on a Docker host machine.

Other custom configurations are still possible but may require further effort and support from our Solution Engineers depending on the level of customization.

Good to know: Whatever setup is used, the password keys remain exclusively on the systems of the respective company and never reach the Boxcryptor server in clear text.

The following providers for the individual components can currently be used for Boxcryptor SSO:

Identity Provider

All IdPs supporting the SAML protocol can be used, including

  • Azure Active Directory (Azure AD)
  • Active Directory Federation Services (ADFS)
  • Google Workspace
  • Okta
  • JumpCloud

Key Management Systems/Crypto Server

  • Azure
  • AWS
  • Open Telekom Cloud
  • On-Premises

Maximum Cloud Security for Companies

More and more companies are recognizing the many benefits of cloud-based data storage and are moving away from servers in their own basements. Boxcryptor helps them achieve the best possible protection for their cloud data. Thanks to strong end-to-end encryption, documents and folders are not only available from anywhere and at any time, but also always protected from unauthorized access.

Boxcryptor allows you and your team to enjoy a secure and convenient cloud experience. Our encryption happens exclusively in the background and fits seamlessly into familiar workflows. With our plans for enterprises, you also benefit from many other features, including activity auditing, the company-wide Master Key, and our integration with Microsoft Teams - including message encryption.

Contact us

Make an appointment with our experts and discuss any questions concerning Boxcryptor.

We are looking forward to e-meeting you.
