Skip to main content
Procore (en-CA)

Configure Single Sign On in the Company Admin Tool

Objective

To configure Single Sign On (SSO) in the Company level Admin tool. 

Background

Procore supports both SP- and IdP-initiated SSO:

To assist you with understanding the terms discussed below, here are some definitions:

  • Identity Provider (IdP). This is the service that verifies the identity of your end users (e.g. Okta, OneLogin or Microsoft Azure AD).
  • Issuer URL (Entity ID). A unique string that identifies the provider issuing a SAML request. 
  • SAML. Short for Security Assertion Markup Language.
  • Service Provider (SP). Procore
  • Target URL. The IdP URL that will receive SAML requests from Procore.
  • x509 Certificate. This is an encrypted digital certificate that contains the required values that allow the SSO service to verify the identities of your users.

Things to Consider

Steps

  1. Navigate to the Company level Admin tool.
  2. Under 'Company Settings,' click Single Sign On Configuration
    Note: The data you enter on the page below is always obtained from the issuer (e.g. Okta, OneLogin or Microsoft Azure AD).

    admin-sso-configuration.png
     
    Enter the Single Sign On Issuer URL.
    • Azure
      • For SP-Initiated SSO, enter the SAML Entity ID from Azure AD here.
      • For IdP-Initiated SSO, Enter the Remove Login URL from Azure AD here.
    • Okta
      • For SP-Initiated SSO, enter the Identity Provider Issuer URL from Okta here. 
      • For IdP-Initiated SSO, enter Enter the Identity Provider Issuer URL from Okta here. 
    • OneLogin
      • For SP-Initiated SSO, enter the Issuer URL from OneLogin here. 
      • For IdP-Initiated SSO, Enter the Issuer URL from OneLogin here. 
  3. This is commonly referred to as the issuer and is a unique URL that identifies the provider issuing a SAML request.
  4. Enter the Single Sign On Target URL.
    This is the URL that will receive SAML requests from the provider. 
    • Azure AD
      • For SP-Initiated SSO, enter the SAML Entity ID here.
      • For IdP-Initiated SSO, enter the Remove Login URL here.
    • Okta
      • For SP-Initiated SSO, enter the Identify Provider Single Sign-On URL from Okta here. 
      • For IdP-Initiated SSO, leave this field blank.
    • OneLogin
      • For SP-Initiated SSO, enter the SAML 2.0 Endpoint (HTTP) URL from the SSO tab in Okta here. 
      • For IdP-Initiated SSO, leave this field blank.
  5. Enter the Single Sign On x509 Certificate.
    This is the encrypted digital certificate information.
    • Azure AD
      • For SP-Initiated SSO, enter the certificate data from the SAML XML Metadata file that you downloaded from Azure AD here. 
      • For IdP-Initiated SSO, enter the certificate data from the SAML XML Metadata file that you downloaded from Azure AD here. 
    • Okta
      • For SP-Initiated SSO, enter the X.509 Certificate from Okta here.
      • For IdP-Initiated SSO, enter the X.509 Certificate from Okta here.
    • OneLogin
      • For SP-Initiated SSO, enter the x.509 Cert from OneLogin here. 
      • For IdP-Initiated SSO, enter the x.509 Cert from OneLogin here. 
  6. Click Save Changes.
  7. Reach out to Procore Support or your company's Procore point of contact to request to enable SSO. Include the email domain you'd like to target for SSO in your request.
  8. After you receive confirmation that the SSO configuration is ready, mark the Enable Single Sign On checkbox on the 'Single Sign On Configuration' page.
  9. Click Save Changes.

See Also