To configure Procore's IdP-Initiated Single Sign-On (SSO) solution for Microsoft Azure Active Directory (Azure AD).
If your company manages your users with Azure AD, you can leverage its SSO capabilities. This gives your end users the ability to authenticate their identity for the Procore application using their Azure AD account. With this SSO integration, you can:
- Leverage Azure AD for SSO access to Procore.
- Simplify your entire organization's password management process.
- Avoid problematic user password management.
Things to Consider
- Authentication Protocol:
- You can integrate the Procore application with Azure AD using the Security Assertion Markup Language (SAML 2.0).
- Azure AD
- Required Permissions:
- Global Administrator rights to Azure AD.
- 'Admin' level permissions to Procore's Company level Admin tool.
- Step 1: Add Procore as a New Enterprise Application in Azure Active Directory
- Step 2: Configure the Procore Enterprise Application's SSO Settings
- Step 3: Assign Users and Groups to the Procore Enterprise Application
- Step 4: Add the Azure AD Settings to Procore
Step 1: Add Procore as a New Enterprise Application in Azure Active Directory
- Log in to the Azure AD portal as a Global Administrator: http://portal.azure.com
- Under Favorites, click Azure Active Directory.
- Under Manage, click Enterprise Applications.
- Click +New Application.
- Under Add from the Gallery, type the following in the Enter a Name box: Procore
- Click the matching application named Procore.
This reveals a new pane.
- In the Name box, type a name for your application.
Note: In the example above, we named our application: Procore (Demo)
- Click Add.
A message appears to confirm that the application was added successfully. You should now be viewing your new Procore enterprise application's Overview page.
Step 2: Configure the Procore Enterprise Application's SSO Settings
- In the Overview page for your new enterprise application, under Manage, click Single Sign-On.
- In the Single Sign-on Mode page, click SAML.
This opens the Set Up Single Sign-On with SAML - Preview page.
- Under Basic SAML Configuration, click Edit.
This opens the Basic SAML Configuration window.
- Under the Basic SAML Configuration page, do the following:
- Identifier (Entity ID)
Change the value from:
- Sign On URL
Leave this field blank. You do NOT need to enter a value in this field.
- Reply URL (Assertion Consumer Service URL)
Enter the following:
Note: Later, you will need to add this URL to the Single Sign On Target URL box in the Project level Admin tool.
- Identifier (Entity ID)
- Click Save.
A message appears to confirm that your settings were saved successfully.
- Click the 'x' to close the Basic SAML Configuration page.
- Under SAML Signing Certificate, click the Download link for the Certificate (Base64) file.
- This downloads a file named PublicCertificate.cer to your browser's specified download area.
- Open the file in a text editor and leave it open on your computer. Later, you will copy the text that appears between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers into Procore.
Step 3: Assign Users and Groups to the Procore Enterprise Application
- In the Overview page for your new enterprise application, under Manage, click Users and Groups.
- Click Add User.
- Select the users to whom you will grant access to Procore.
The users' names appear under the Selected Members list.
- Click Select at the bottom right of the page.
Note: If you want to test the Azure Active Directory SSO integration before deploying it to your end users, add only your user account. Then, after completing the configuration steps and testing the integration, come back and assign the rest of your company's users to Procore.
The system displays a message to confirm that you want to grant access to these users.
- Click Yes to confirm that you want to grant the selected users access.
A Yes will appear for each user in the 'Access' column.
Step 4: Add the Azure AD Settings to Procore
- Log into the Procore application.
Important: You must log into Procore with an account that has been granted 'Admin' level permissions to the Company level Admin tool.
- Navigate to the company's Admin tool.
- Under "Administrative Settings," click Company Settings.
- Enter the following information:
- Single Sign On Issuer URL. Paste the 'Remove Login URL' that you obtained from Azure Active Directory in this field.
- Single Sign On Target URL. Always leave this field blank to avoid redirecting users to an unsupported login page. A target URL is NOT supported by the Azure Active Directory SSO solution.
- Single Sign On x509 Certificate field. Paste the information from the certificate that you downloaded from Azure Active Directory.
Important! When copying the certificate information, do NOT copy the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers. You only want to copy the text that resides between these markers.
- Scroll to the bottom of the page, and click Save Changes.
You should now log into Azure Active Directory or have an end user log in to verify the configuration settings were entered correctly.
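The certificate handling in Steps 2 and 4, as an added example (not Procore's or Microsoft's code): it extracts the text between the markers of the downloaded Base64 file and computes thumbprints of the decoded certificate, so the value pasted into Procore can be compared with the thumbprint the IdP reports for its signing certificate. The function name `certificate_body` and the sample data are constructed for illustration, and the file is assumed to be the Base64 (PEM) export described above.

```python
import base64
import binascii
import hashlib
import re

# Standard PEM framing: exactly five dashes on each side of the label.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def certificate_body(pem_text):
    """Return (body, sha1_hex, sha256_hex) for a Base64 (PEM) certificate file.

    body is the text between the markers, ready to paste; the digests are
    computed over the decoded DER bytes.
    """
    # Windows editors may leave a byte-order mark and CRLF line endings.
    text = pem_text.lstrip("\ufeff").replace("\r\n", "\n")
    if "PRIVATE KEY" in text:
        raise ValueError("file contains a private key; paste only the public certificate")
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    body = blocks[0].strip()
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"text between the markers is not valid Base64: {exc}") from None
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not look like a DER certificate")
    return body, hashlib.sha1(der).hexdigest().upper(), hashlib.sha256(der).hexdigest().upper()


# Constructed stand-in for PublicCertificate.cer: the framing and Base64 are
# real, but the payload is filler bytes, not a usable certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed"
SAMPLE_PEM = ("\ufeff-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
              + "-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    body, sha1, sha256 = certificate_body(SAMPLE_PEM)
    print(body)
    print("SHA-1  :", sha1)
    print("SHA-256:", sha256)
```

Read the real file with `open(path, encoding="utf-8-sig").read()` and pass the text to `certificate_body`; a file that raises an error is usually a binary (DER) export or a copy with damaged markers.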