I have been using rclone with a box enterprise account that uses SSO via OKTA.
The trick is to first launch your browser and go through the SSO to get to box via box’s web interface. Then, once your browser already has a session established with Box and doesn’t need to visit your SSO provider for every new transaction, do the rclone config command and let it us rclone’s own client_id and client_secret. rclone will launch your browser, make sure you select the option to use SSO and provide the email address of the same box account to which you have already logged in, and it should take you to the “accept” page.