This page describes how to configure Procore's IdP-Initiated Single Sign-On (SSO) solution for Microsoft Azure Active Directory (Azure AD).
If your company manages your users with Azure AD, you can leverage its SSO capabilities. This gives your end users the ability to authenticate their identity for the Procore application using their Azure AD account. With this SSO integration, you can:
- Leverage Azure AD for SSO access to Procore.
- Simplify your entire organization's password management process.
- Avoid problematic user password management.
Things to Consider
- Authentication Protocol:
- You can integrate the Procore application with Azure AD using the Security Assertion Markup Language (SAML 2.0).
- Azure AD
- Required Permissions:
- Global Administrator rights to Azure AD.
- 'Admin' level permissions to Procore's Company level Admin tool.
Azure Active Directory Steps
Add Procore to Azure Active Directory
- Log into your Azure management portal.
Note: You must log in with an account that has Global Administrator rights to Azure Active Directory.
- Navigate to the Active Directory > [YourCompany] > Applications section.
- Click Add.
- Click Add an Application from the Gallery.
- In the left pane, click Custom or click the Add an Unlisted Application My Organization is Using link.
- In the Name box, enter a name for the Procore application.
In this example, we typed: Procore SSO
- Click the checkmark in the bottom right corner.
- Continue with Enable Single Sign-On in Azure Active Directory below.
Enable Single Sign-On in Azure Active Directory
- Complete the steps in Add Procore to Azure Active Directory above.
- Next to '1 | Enable Single Sign-On with Windows Azure AD', click the Configure Single Sign-On button.
- At the 'How would you like users to sign on to Procore SSO' page, choose the Windows Azure AD Single Sign-On option. Then click the right arrow at the bottom right of the page.
- At the Configure App Settings page, enter this information for the Procore application:
- Click the right arrow at the bottom of the page.
- At the 'Configure Single sign-on at Procore SSO' page, save the following information for later use:
Note: Keep this certificate in a safe place. You will need it when you complete the steps in Add the Azure Active Directory SSO Certificate to Procore below.
- Click the Download Certificate link and save the certificate to your computer.
- Copy the Issuer URL for later use.
- Configure the Procore application for Azure Active Directory SSO. For instructions, see Add the Azure Active Directory SSO Certificate and Issuer URL to Procore. After saving the changes in Procore, continue with the next step.
- Mark the Confirm that you have configured single-sign on… checkbox.
- Click the right arrow at the bottom of the page to continue.
The system confirms that you have enabled SSO.
- Click Next and then click Complete.
- Continue with the next step, Assign Users and Groups to Procore below.
Assign Users and Groups to Procore
- In the Procore application's page, click the Assign Users button.
- Select the users to whom you will grant access to Procore. Then click Assign at the bottom right of the page.
Note: If you want to test the Azure Active Directory SSO integration before deploying it to your end users, add only your user account. Then, after completing the configuration steps and testing the integration, come back and assign the rest of your company's users to Procore.
The system displays a message to confirm that you want to grant access to these users.
- Click Yes to confirm that you want to grant the selected users access.
A Yes will appear for each user in the 'Access' column.
- Continue with Add the Azure Active Directory SSO Certificate and Issuer URL to Procore below.
Add the Azure Active Directory SSO Certificate and Issuer URL to Procore
- Log into the Procore application.
Important: You must log into Procore with an account that has been granted 'Admin' level permissions to the Company level Admin tool.
- Navigate to the company's Admin tool.
- Under "Administrative Settings," click Company Settings.
- Enter the following information:
- Single Sign On Issuer URL. Paste the 'Remote Login URL' that you obtained from Azure Active Directory in this field.
- Single Sign On Target URL. Always leave this field blank to avoid redirecting users to an unsupported login page. A target URL is NOT supported by the Azure Active Directory SSO solution.
- Single Sign On x509 Certificate field. Paste the information from the certificate that you downloaded from Azure Active Directory.
Important! When copying the certificate information from , do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers.
- Scroll to the bottom of the page, and click Save Changes.
You should now log into Azure Active Directory or have an end user log in to verify the configuration settings were entered correctly.
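The certificate step above is where a copy-and-paste slip most often breaks SAML signature validation. The following added example (not Procore or Microsoft code) takes the bytes of the downloaded certificate file, strips the BEGIN/END markers, checks that the result is a complete DER structure, and returns the body to paste along with a SHA-256 fingerprint to keep on record. The function names, the 64-column wrapping and the sample bytes are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import re

# Tolerates any number of dashes around the marker text.
PEM_RE = re.compile(rb"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE-+", re.S)

# Constructed placeholder bytes shaped like DER; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
              + b"-----END CERTIFICATE-----\r\n")


def check_der(der: bytes) -> bytes:
    """Confirm the outer ASN.1 SEQUENCE length covers the whole blob."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("missing ASN.1 SEQUENCE header")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or padded certificate")
    return der


def to_der(raw: bytes) -> bytes:
    """Accept a PEM file, a bare base64 body, or binary DER."""
    match = PEM_RE.search(raw)
    if match is None and raw[:1] == b"\x30":
        return check_der(raw)              # already binary DER
    text = match.group(1) if match else raw
    try:
        der = base64.b64decode(b"".join(text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("not a PEM, base64 or DER certificate") from exc
    return check_der(der)


def pasteable_body(raw: bytes) -> str:
    """Base64 body only, wrapped at 64 columns, with no markers."""
    b64 = base64.b64encode(to_der(raw)).decode("ascii")
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def sha256_fingerprint(raw: bytes) -> str:
    """Colon-separated SHA-256 of the DER bytes, for later comparison."""
    digest = hashlib.sha256(to_der(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
```

To use it on the real file, pass the file's bytes (read in binary mode) to `pasteable_body` and `sha256_fingerprint`; a `ValueError` means the file or the copied text is incomplete.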