Skip to main content
Procore

Configure IdP-Initiated SSO for Microsoft Azure AD (Entra ID)

Azure Active Directory is now Microsoft Entra ID
Microsoft has rebranded Azure Active Directory as Microsoft Entra ID. This instructions in this documentation are not impacted by the name change.
 Note

If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your Azure AD SSO.

You will need to provide the following information when requesting the setup: Single Sign On Issuer URL, Single Sign On Target URL (Optional for IdP-Initiated SSO), and Single Sign On x509 Certificate.

Objective

To configure Procore's IdP-Initiated Single Sign-On (SSO) solution for Microsoft Azure Active Directory (Azure AD).

Background

If your company manages your users with Azure AD, you can leverage its SSO capabilities. This gives your end users the ability to authenticate their identify for the Procore application using their Azure AD account. With this SSO integration, you can:

  • Leverage Azure, AD for SSO access to Procore.
  • Simplify your entire organization's password management process.
  • Avoid problematic user password management.

Things to Consider

  • Authentication Protocol:
    • You can integrate the Procore application with Azure AD using the Security Assertion Markup Language (SAML 2.0). 
  • Requirements:
    • Azure AD 
  • Required Permissions:
    • Global Administrator rights to Azure AD.
    • 'Admin' level permissions to Procore's Company level Admin tool.

Steps

Step 1: Add Procore as a New Enterprise Application in Azure Active Directory

  1. Log in to the Azure AD portal as a Global Administrator: http://portal.azure.com

    demo-azure-add-procore.gif
     
  2. Under Favorites, click Azure Active Directory.
  3. Under Manage, click Enterprise Applications.
  4. Click +New Application.
  5. Under Add from the Gallery, type the following in the Enter a Name box: Procore
  6. Click the matching application named Procore
    This reveals a new pane.
  7. In the Name box, type a name for your application. 
    Note: In the example above, we named our application: Procore (Demo)
  8. Click Add.
    A message appears to confirm that the application was added successfully. You should now be viewing your new Procore enterprise application's Overview page. 

Step 2: Configure the Procore Enterprise Application's SSO Settings

  1. In the Overview page for your new enterprise application, under Manage, click Single Sign-On.

    demo-basic-saml-config.gif
     
  2. In the Single Sign-on Mode page, click SAML.
    This opens the Set Up Single Sign-On with SAML - Preview page.
  3. Under Basic SAML Configuration, click Edit.
    This opens the Basic SAML Configuration window. 
  4. Under the Basic SAML Configuration page, do the following:
    • Identifier (Entity ID)
      Change the value from: https://app.procore.com to: https://login.procore.com
      Note: If you are using Portfolio Financials and Capital Planning, enter the following value instead:https://www.honestbuildings.com/pfcp/app/#!/login 
       
       Optional - Unique Entity ID

      When configuring SSO for a single Procore instance, you should NOT check this box.

      If your company licenses more than one Procore instance, and you want to configure unique Procore enterprise applications within your IdP tenant for each instance, you can by enabling Unique Entity ID. If enabled, you are still limited to one (1) enterprise application per Procore company instance.

      Important: SSO for Procore targets users by email domain. An email domain can only be targeted once in all of Procore, so if you're considering setting up SSO with Unique Entity IDs across multiple Procore instances, remember that you can only target an email domain once, in a single instance.

      To generate a Unique Entity ID for an enterprise application, check the Enable Unique Entity ID box in the Procore Admin tool's SSO configuration page for the Procore instance you want to specify on an enterprise application. Checking this box will generate a unique Entity ID URL in the field below, which you will then copy and paste into the appropriate Entity ID field in your IdP's configuration page.

      Notes: You must save your configuration with the box checked to generate the Unique Entity ID. Enabling this feature does not impact user membership or access to a given instance. Access to a company in Procore is determined by a user's presence in the Directory tool, and their configured permissions within Procore. Auto-provisioning with SSO is not supported at this time.

      sso-unique-entity-id.png

       

    • Sign On URL
      Leave this field blank. You do NOT need to enter a value in this field.
    • Reply URL (Assertion Consumer Service URL)
      Enter the following: https://login.procore.com/saml/consume
  5. Click Save.
    A message appears to confirm that your settings were saved successfully.
  6. Click the 'x' to close the Basic SAML Configuration page. 
  7. Under SAML Signing Certificate, click the Download link for the Certificate (Base64) file. 
    Notes:
    • This downloads a file named PublicCertificate.cer to your browser's specified download area. 
    • Open the file in a text editor and leave it open on your computer. Later, you will copy the code that appears between the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE-- tags into Procore.

      certificate-base64.png

Step 3: Assign Users and Groups to the Procore Enterprise Application

Note: This step is only required if the 'User Assignment Required' setting is enabled in the Procore Enterprise Application under Manage > Properties. This setting is disabled by default in the Procore application.

  1. In the Overview page for your new enterprise application, under Manage, click Users and Groups.
  2. Click Add User.
  3. Select the users to whom you will grant access to Procore.
    The users names appear under the Selected Members list. 
  4. Click Select at the bottom right of the page. 
    Note: If you want to test the Azure Active Directory SSO integration before deploying it to your end users, add only your user account. Then, after completing the configuration steps and testing the integration, come back and assign the rest of your company's users to Procore. 
    The system displays a message to confirm that you want to grant access to these users. 
  5. Click Yes to confirm that you want to grant the selected users access.
    Yes will appear for each user in the 'Access' column.

Step 4: Add the Azure AD Settings to Procore

  1. Log into the Procore application.
    Important: You must log into Procore with an account that has been granted 'Admin' level permissions to the Company level Admin tool.
  2. Navigate to the company's Admin tool. 
  3. Under Company Settings, click Single Sign On Configuration.
  4. Enter the following information:
    • Allow Password Login
      Choose this option to enable IdP-initiated SSO.
    • Single Sign On Issuer URL (Required)
      Paste the 'Azure AD Identifier' that you obtained from Azure Active Directory in this field. 
    • Single Sign On Target URL (Optional for IdP-Initiated SSO)
      Paste the 'SAML Single Sign-On Service URL' into this field. 
      Note: Although this is an optional field for IdP-Initiated SSO, Procore recommends completing the data entry in this field now to make any future transition from IdP- to SP-initiated SSO smoother.
    • Single Sign On x509 Certificate (Required)
      Paste the information from the certificate that you downloaded from Azure Active Directory.
      Important! When copying the certificate information from , do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers. 

      sso-azure-idp-settings.png
       
  5. Scroll to the bottom of the page, and click Save Changes.
  6. Next, reach out to your company's Procore point of contact or contact Procore Support to request that they enter the domain(s) you want to target for authentication via SSO. Procore must enter these domains on your behalf. 
  7. Once the domain(s) have been entered by Procore, take the final steps to enable SSO for your company:
    1. Mark the Enable Single Sign On box in Procore's SSO configuration settings.
    2. Select Allow Password Login to enable an IdP-initiated flow.
    3. Click Save.

 

Authentication via the configured SSO method will become active immediately after saving the final completed configuration.