Configure Procore for IdP-Initated Okta SSO
Note
If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your Okta SSO.
Objective
To configure IdP-initiated SSO for Okta (SAML 2.0).
Background
If your company wants to configure Single Sign-On with Okta, you can leverage one of Procore's supported SSO solutions:
- Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD or Okta) and then click an icon to log into and open the Procore web application. To configure this solution, see the Steps below.
OR - Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Okta, see Configure Procore-Initiated SSO for Okta.
Things to Consider
- Required Permissions:
- Administrator permissions to Okta
AND - 'Admin' level permissions to Procore's Company level Admin tool.
- Administrator permissions to Okta
- Supported Authentication Protocol:
- Security Assertion Markup Language (SAML 2.0)
- Limitations:
- Just In Time (JIT) provisioning is NOT supported.
Steps
Step 1: Add the Procore Application to Okta
Step 2: Configure the Okta Settings in Procore
-
Login into the Procore web application.
Note: You must log in using an account that has 'Admin' permission to the company's Admin tool. - Navigate to the company's Admin tool.
- Under Administrative Settings, click Single Sign On Configuration.
- Enter the following information:
- Single Sign On Issuer URL
Paste the 'Identity Provider Single Sign-On URL' that you copied from Okta into this field. - Single Sign On Target URL.
Leave this field blank. - Single Sign On x509
Paste the 'X509 Certificate' that you copied from Okta into this field.
Important: When copying the certificate information from Okta, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers.
- Single Sign On Issuer URL
- Click Save Changes.
- Next, reach out to your company's Procore point of contact or contact Procore Support to request that they enter the domains you want to target for authentication via SSO. Procore must enter these domains on your behalf.
- Once the domain(s) have been entered by Procore, take the final steps to enable SSO for your company:
- Mark the Enable Single Sign On box in Procore's SSO configuration settings.
- Select Allow Password Login to enable an IdP-initiated flow.
- Click Save.
Authentication via the configured SSO method will become active immediately after saving the final completed configuration.