Multi attribute check during SSO login flow
We do not currently have a mail Exchange server (we use 3rd party for email). Therefore our ADFS mail address attribute is "informational only" and can be changed by local admins or end users. We cannot rely on this attribute for securely logging into Box via SSO.
We propose Box change the SSO login flow to have the ability to check for multiple claims, i.e. the existing mail attribute AND another (non-writable) AD attribute which we can trust.
We have one AD but delegate management of users to local teams and manage hundreds of sub-companies (around 600 email domains).
These companies tend to re-brand once every year or two and this becomes challenging in Box as they would need to update the users' email domains.
We suggest you use a fixed ID for login and then send mail attribute as a secondary claim for information only.
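The flow proposed in the post, modelled on the service-provider side as an added example (this is not Box's code and not part of the original post): a tenant user store keyed on an immutable directory identifier carried as the SAML NameID, with the mail claim accepted as information only. The claim URI, the `guid-*` identifiers and the addresses are constructed sample data; the assertions are unsigned and the example assumes signature, audience and validity-window checks have already passed before these functions run.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Assumed claim name for the informational mail attribute (the post does not name it).
MAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def make_assertion(name_id, mail):
    """Build a minimal unsigned assertion (constructed sample data).
    NameID carries the non-writable identifier (e.g. objectGUID, an assumption);
    the mail attribute rides along as a secondary claim."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">
  <saml:Subject>
    <saml:NameID>{escape(name_id)}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{MAIL_CLAIM}">
      <saml:AttributeValue>{escape(mail)}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


class UserStore:
    """Tenant directory keyed on the immutable identifier."""

    def __init__(self):
        self.users = {}  # immutable_id -> {"email": ...}

    def add(self, immutable_id, email):
        self.users[immutable_id] = {"email": email}

    def login_by_mail(self, assertion_xml):
        """Current (weak) flow: whoever presents a matching mail claim gets that
        account. A writable mail attribute lets a local admin or user pick the
        victim's address and log in as them."""
        _, attrs = parse_assertion(assertion_xml)
        mail = (attrs.get(MAIL_CLAIM) or [""])[0] or ""
        for uid, rec in self.users.items():
            if rec["email"].lower() == mail.lower():
                return uid
        raise LookupError("no user with that mail address")

    def login_by_immutable_id(self, assertion_xml):
        """Proposed flow: match the account on the non-writable NameID only.
        The mail claim is synced as information, so a re-brand changes the
        stored address but can never change which account is logged into."""
        name_id, attrs = parse_assertion(assertion_xml)
        if not name_id or name_id not in self.users:
            raise LookupError("unknown immutable id")
        mail = (attrs.get(MAIL_CLAIM) or [None])[0]
        if mail and mail.lower() != self.users[name_id]["email"].lower():
            self.users[name_id]["email"] = mail  # informational update only
        return name_id


def demo():
    """Spoofed-mail and re-brand scenarios against both flows."""
    store = UserStore()
    store.add("guid-alice", "alice@oldbrand.example")
    store.add("guid-mallory", "mallory@oldbrand.example")

    # Mallory's AD mail attribute has been set to Alice's address.
    spoofed = make_assertion("guid-mallory", "alice@oldbrand.example")
    weak = store.login_by_mail(spoofed)              # lands in Alice's account
    hardened = store.login_by_immutable_id(spoofed)  # stays Mallory's account

    # Re-brand: Alice's email domain changes, her immutable id does not.
    rebrand = make_assertion("guid-alice", "alice@newbrand.example")
    after = store.login_by_immutable_id(rebrand)
    return weak, hardened, after, store.users["guid-alice"]["email"]
```

Running `demo()` shows the mail-keyed flow returning Alice's account for Mallory's spoofed assertion, while the immutable-ID flow returns Mallory's own account and, for the re-brand, keeps Alice on the same account with her new address recorded.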