Configure Single Sign On in the Company Admin Tool

Objective

To configure Single Sign On (SSO) in the Company level Admin tool.

Background

Procore supports both SP- and IdP-initiated SSO:

Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (e.g. Okta, OneLogin or Microsoft Azure AD) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure IdP-Initiated SSO for Microsoft Azure AD, Configure Procore for IdP-Initated Okta SSO, or Configure IdP-Initiated SSO for OneLogin.
OR
Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the Identify Provider (e.g. Okta, OneLogin or Microsoft Azure AD). Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution, see Configure Procore-Initiated SSO for Microsoft Azure Active Directory, Configure Procore-Initiated SSO for Okta, or Configure Procore-Initiated SSO for OneLogin.

To assist you with understanding the terms discussed below, here are some definitions:

Identity Provider (IdP). This is the service that verifies the identity of your end users (e.g. Okta, OneLogin or Microsoft Azure AD).
Issuer URL (Entity ID). A unique string that identifies the provider issuing a SAML request.
SAML. Short for Security Assertion Markup Language.
Service Provider (SP). Procore
Target URL. The IdP URL that will receive SAML requests from Procore.
x509 Certificate. This is an encrypted digital certificate that contains the required values that allow the SSO service to verify the identities of your users.

Things to Consider

Required User Permission:
- 'Admin' level permission on the Company level Admin tool.
Prerequisites:
- Configure the Procore application in your identity provider's SSO software or service (e.g. Okta, OneLogin or Microsoft Azure AD):
- Obtain the required SSO Settings from your specific identity provider's SSO software or solution ((e.g. Okta, OneLogin or Microsoft Azure AD).
Additional Information:

Steps

Navigate to the Company level Admin tool.
Under 'Company Settings,' click Single Sign On Configuration.
Note: The data you enter on the page below is always obtained from the issuer (e.g. Okta, OneLogin or Microsoft Azure AD).
Enter the Single Sign On Issuer URL.
- Azure
  - For SP-Initiated SSO, enter the SAML Entity ID from Azure AD here.
  - For IdP-Initiated SSO, Enter the Remove Login URL from Azure AD here.
- Okta
  - For SP-Initiated SSO, enter the Identity Provider Issuer URL from Okta here.
  - For IdP-Initiated SSO, enter Enter the Identity Provider Issuer URL from Okta here.
- OneLogin
  - For SP-Initiated SSO, enter the Issuer URL from OneLogin here.
  - For IdP-Initiated SSO, Enter the Issuer URL from OneLogin here.
This is commonly referred to as the issuer and is a unique URL that identifies the provider issuing a SAML request.
Enter the Single Sign On Target URL.
This is the URL that will receive SAML requests from the provider.
- Azure AD
  - For SP-Initiated SSO, enter the SAML Entity ID here.
  - For IdP-Initiated SSO, enter the Remove Login URL here.
- Okta
  - For SP-Initiated SSO, enter the Identify Provider Single Sign-On URL from Okta here.
  - For IdP-Initiated SSO, leave this field blank.
- OneLogin
  - For SP-Initiated SSO, enter the SAML 2.0 Endpoint (HTTP) URL from the SSO tab in Okta here.
  - For IdP-Initiated SSO, leave this field blank.
Enter the Single Sign On x509 Certificate.
This is the encrypted digital certificate information.
- Azure AD
  - For SP-Initiated SSO, enter the certificate data from the SAML XML Metadata file that you downloaded from Azure AD here.
  - For IdP-Initiated SSO, enter the certificate data from the SAML XML Metadata file that you downloaded from Azure AD here.
- Okta
  - For SP-Initiated SSO, enter the X.509 Certificate from Okta here.
  - For IdP-Initiated SSO, enter the X.509 Certificate from Okta here.
- OneLogin
  - For SP-Initiated SSO, enter the x.509 Cert from OneLogin here.
  - For IdP-Initiated SSO, enter the x.509 Cert from OneLogin here.
Click Save Changes.
Reach out to Procore Support or your company's Procore point of contact to request to enable SSO. Include the email domain you'd like to target for SSO in your request.
After you receive confirmation that the SSO configuration is ready, mark the Enable Single Sign On checkbox on the 'Single Sign On Configuration' page.
Click Save Changes.

Objective

Background

Things to Consider

Steps

See Also