1. I don't know if it is possible to get an OAuth2 token from a SAML assertion -- I'd think that it isn't -- but you can pretty easily configure a Box application to support your company's SSO. The first step of Box's OAuth2 authorization process is to redirect the user's browser to a URL similar to:
https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID
On this page the user can log into Box with whatever credentials they chose and authorize your application to touch their files. In order to take advantage of your company's SSO integration, you will instead redirect the user to:
https://sso.services.box.net/sp/startSSO.ping
?PartnerIdpId=<YOUR_IDP_URN>
&TargetResource=https%3A%2F%2Fwww.box.com%2Fapi%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DMY_CLIENT_ID
Where:
- The PartnerIdpId is the URN of your company's IdP.
- The TargetResource is the HTTP-encoded version of the default OAuth2 authorization URL that was described above.
This will tell Box to bounce the user over to your IdP for authorization instead of prompting the user to log in with Box credentials. The OAuth2 process will then carry on as normal.
2. I don't know that this is possible either, but with a valid OAuth2 token you can easily tap into the Box Search API.
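Added example, not part of the original answer: building the SSO redirect from point 1 in Python, with the whole authorization URL percent-encoded once as TargetResource, next to an unencoded variant that silently loses client_id. The IdP URN is a constructed placeholder, and the optional state parameter is an assumption (standard OAuth2, not mentioned in the answer).

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Both endpoints are the ones quoted in the answer above.
AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize"
SSO_START_URL = "https://sso.services.box.net/sp/startSSO.ping"


def build_authorize_url(client_id, state=None):
    """Default OAuth2 authorization URL (the first URL in the answer)."""
    params = {"response_type": "code", "client_id": client_id}
    if state is not None:
        # Assumption: standard OAuth2 'state' value for CSRF protection.
        params["state"] = state
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_sso_url(idp_urn, client_id, state=None):
    """SSO entry URL: the inner URL is encoded exactly once as TargetResource."""
    inner = build_authorize_url(client_id, state)
    query = urlencode({"PartnerIdpId": idp_urn, "TargetResource": inner})
    return SSO_START_URL + "?" + query


def build_sso_url_unencoded(idp_urn, client_id):
    """Broken variant for comparison: inner URL pasted in without encoding."""
    inner = build_authorize_url(client_id)
    return f"{SSO_START_URL}?PartnerIdpId={idp_urn}&TargetResource={inner}"


def target_resource_params(sso_url):
    """Parse the outer query as a server would; return the inner URL's params."""
    outer = parse_qs(urlsplit(sso_url).query)
    inner = outer["TargetResource"][0]
    return parse_qs(urlsplit(inner).query)


if __name__ == "__main__":
    idp = "urn:example:idp"  # constructed placeholder URN
    good = build_sso_url(idp, "MY_CLIENT_ID")
    bad = build_sso_url_unencoded(idp, "MY_CLIENT_ID")
    print(good)
    print("encoded   ->", target_resource_params(good))
    # Without encoding, '&client_id=...' binds to the outer URL and is lost.
    print("unencoded ->", target_resource_params(bad))
```

Round-tripping the URL through a parser before redirecting is a cheap check that client_id and state still belong to the inner authorization request.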