If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your Azure AD SSO.
You will need to provide the following information when requesting the setup: Single Sign On Issuer URL, Single Sign On Target URL (Optional for IdP-Initiated SSO), and Single Sign On x509 Certificate.
To configure Procore's IdP-Initiated Single Sign-On (SSO) solution for Microsoft Azure Active Directory (Azure AD).
If your company manages your users with Azure AD, you can leverage its SSO capabilities. This gives your end users the ability to authenticate their identify for the Procore application using their Azure AD account. With this SSO integration, you can:
- Leverage Azure, AD for SSO access to Procore.
- Simplify your entire organization's password management process.
- Avoid problematic user password management.
Things to Consider
- Authentication Protocol:
- You can integrate the Procore application with Azure AD using the Security Assertion Markup Language (SAML 2.0).
- Azure AD
- Required Permissions:
- Global Administrator rights to Azure AD.
- 'Admin' level permissions to Procore's Company level Admin tool.
- Step 1: Add Procore as a New Enterprise Application in Azure Active Directory
- Step 2: Configure the Procore Enterprise Application's SSO Settings
- Step 3: Assign Users and Groups to the Procore Enterprise Application
- Step 4: Add the Azure AD Settings to Procore
Step 1: Add Procore as a New Enterprise Application in Azure Active Directory
- Log in to the Azure AD portal as a Global Administrator: http://portal.azure.com
- Under Favorites, click Azure Active Directory.
- Under Manage, click Enterprise Applications.
- Click +New Application.
- Under Add from the Gallery, type the following in the Enter a Name box: Procore
- Click the matching application named Procore.
This reveals a new pane.
- In the Name box, type a name for your application.
Note: In the example above, we named our application: Procore (Demo)
- Click Add.
A message appears to confirm that the application was added successfully. You should now be viewing your new Procore enterprise application's Overview page.
Step 2: Configure the Procore Enterprise Application's SSO Settings
- In the Overview page for your new enterprise application, under Manage, click Single Sign-On.
- In the Single Sign-on Mode page, click SAML.
This opens the Set Up Single Sign-On with SAML - Preview page.
- Under Basic SAML Configuration, click Edit.
This opens the Basic SAML Configuration window.
- Under the Basic SAML Configuration page, do the following:
- Identifier (Entity ID)
Change the value from:
Note: If you are using Portfolio Financials and Capital Planning, enter the following value instead:
- Sign On URL
Leave this field blank. You do NOT need to enter a value in this field.
- Reply URL (Assertion Consumer Service URL)
Enter the following:
- Identifier (Entity ID)
- Click Save.
A message appears to confirm that your settings were saved successfully.
- Click the 'x' to close the Basic SAML Configuration page.
- Under SAML Signing Certificate, click the Download link for the Certificate (Base64) file.
- This downloads a file named PublicCertificate.cer to your browser's specified download area.
- Open the file in a text editor and leave it open on your computer. Later, you will copy the code that appears between the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE-- tags into Procore.
Step 3: Assign Users and Groups to the Procore Enterprise Application
Note: This step is only required if the 'User Assignment Required' setting is enabled in the Procore Enterprise Application under Manage > Properties. This setting is disabled by default in the Procore application.
- In the Overview page for your new enterprise application, under Manage, click Users and Groups.
- Click Add User.
- Select the users to whom you will grant access to Procore.
The users names appear under the Selected Members list.
- Click Select at the bottom right of the page.
Note: If you want to test the Azure Active Directory SSO integration before deploying it to your end users, add only your user account. Then, after completing the configuration steps and testing the integration, come back and assign the rest of your company's users to Procore.
The system displays a message to confirm that you want to grant access to these users.
- Click Yes to confirm that you want to grant the selected users access.
A Yes will appear for each user in the 'Access' column.
Step 4: Add the Azure AD Settings to Procore
- Log into the Procore application.
Important: You must log into Procore with an account that has been granted 'Admin' level permissions to the Company level Admin tool.
- Navigate to the company's Admin tool.
- Under Administrative Settings, click Single Sign On Configuration.
- Enter the following information:
- Enable Single Sign On
Place a mark in this checkbox to enable SSO for your company. You will need to enter all of the required information before you can place a mark in this box.
- Allow Password Login
Choose this option to enable IdP-initiated SSO.
- Single Sign On Issuer URL (Required)
Paste the 'Azure AD Identifier' that you obtained from Azure Active Directory in this field.
- Single Sign On Target URL (Optional for IdP-Initiated SSO)
Paste the 'SAML Single Sign-On Service URL' into this field.
Note: Although this is an optional field for IdP-Initiated SSO, Procore recommends completing the data entry in this field now to make any future transition from IdP- to SP-initiated SSO smoother.
- Single Sign On x509 Certificate (Required)
Paste the information from the certificate that you downloaded from Azure Active Directory.
Important! When copying the certificate information from , do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers.
- Enable Single Sign On
- Scroll to the bottom of the page, and click Save Changes.
You should now log into Procore using a new browser session or have an end user log in to verify the configuration settings were entered correctly.