To configure Procore-initiated Single Sign-On (SSO) for Microsoft Azure Active Directory (Azure AD).
If your company wants to configure Single Sign-On with Microsoft Azure AD, you can leverage one of Procore's supported SSO solutions:
- Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure IdP-Initiated SSO for Microsoft Azure AD
- Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Microsoft Azure AD, see the Steps below.
Things to Consider
- Required Permissions:
- Global Administrator rights to Azure AD.
- 'Admin' level permissions to Procore's Company level Admin tool.
- Global Administrator rights to Azure AD.
- Complete all the Preparation Phase steps outlined in Setup Guide: Microsoft Azure AD.
- Supported Azure AD Editions:
- Microsoft Azure Active Directory Premium P1
- Supported Authentication Protocol:
- Security Assertion Markup Language (SAML 2.0)
- Additional Information:
- Procore-initiated SSO supports both single domain and multiple domain sign in. After completing the steps below, you must provide your SSO domain(s) to your company's Procore point of contact. This information will added to Procore as a final configuration step before you test your SSO configuration.
Complete these steps in Azure Active Directory:
- Step 1: Add Procore-Initiated SSO as an Enterprise Application
- Step 2: Add a Logo for Your Login Page
- Step 3: Add an SSO User Group
- Step 4: Single Sign-On Configuration
- Step 5: Configure the App Registration
- Step 6: Configure the Reply URL
Complete these steps in Procore:
Step 1: Add Procore-Initiated SSO as an Enterprise Application
- Log into your Microsoft Azure portal.
Note: You must login with an account that has Global Administrator rights to Azure Active Directory.
This reveals the Microsoft Azure Dashboard.
- In the left pane, click Azure Active Directory.
- Click Enterprise Applications.
This reveals the Overview page for your domain's Enterprise Applications.
- Click Add.
This reveals the Add an Application page.
- Click Non-Gallery Application.
This reveals the Add Your Own Application pane on the right sidebar.
- In the Name box, type: Procore-Initiated SSO
Note: Make sure a GREEN checkmark appears to the right of the Name box.
- Scroll to the bottom of the right sidebar and click Add.
This opens the Quick Start page for the new Procore-Initiated SSO application.
- Continue with Step 2: Add a Logo for Your Login Page.
Step 2: Add a Logo for Your Login Page
- In the left pane of the Procore-Initiated SSO application, click Properties.
This opens the Properties sheet for the new application.
- Next to the Enabled for Users to Sign-In label, choose Yes.
- (Optional) If you want to change the name of your application, type over the value in the Name box.
- Click the folder icon next to the Logo label.
- Navigate to the logo that you want to include on your Procore-Initiated SSO Login page. Then click Open.
The system uploads the selected logo.
- Next to the User Assignment Required label, choose Yes.
- Click Save at the top of the page.
The system updates the new Procore-Initiated SSO application's properties.
- Continue with Step 3: Add an SSO User Group.
Step 3: Add an SSO User Group
- In the left pane of the Procore-Initiated SSO page, click Users and Groups.
- At the top of the page, click Add.
- Under Add Assignment, click Users and Groups.
- Search for your SSO group or select one or more users to assign to the application.
Note: A GREEN checkmark appears when items matching your entry is found.
- Place a checkmark next to the SSO group or selected users. Then scroll down to the bottom of the page and click Select.
- In the Add Assignment pane, click Assign.
The system assigns the SSO group or selected users to the Procore-Initiated SSO application.
- Continue with Step 4: Configure Single Sign-On.
Step 4: Configure Single Sign-On
- In the left pane of the Procore-Initiated SSO page, click Single Sign-On.
- In the Mode drop-down list, select SAML-Based Sign-On.
- In the Identifier drop-down list, type:
- In the Reply URL drop-down list, type:
Note: Make sure a GREEN checkmark appears next to the right of the Identifier and Reply URL.
- Scroll to the SAML Signing Certificate area and click Create New Certificate.
- In the Create New Certificate pane on the left, select an Expiry Date using the calendar control.
- Click Save.
The system creates the SAML certificate.
- Under SAML Signing Certificate, place a checkmark in the Make New Certificate Active box.
- At the top of the page, click Save.
- In the Rollover Certificate pop-up window, click OK.
The system saves your Single Sign-On configuration.
- Under SAML Signing Certificate, under Download, click Metadata XML.
The system downloads and saves the XML file to your computer in the location specified by your browser's settings.
- Open Windows Explorer or the Finder to view the file.
- Open the downloaded file in a text editor.
- Search the downloaded file for 'X509'.
Note: The required X509 certificate information resides between the <X509Certificate></509Certificate> markers shown below.
- Highlight and then copy the required X509 certificate information.
- Open a new blank document in Microsoft Word or another editor.
- Paste the required X509 certificate into your new document. Then save the document.
Note: You will need to be able to refer to the information in this document at a later time (i.e., when you configure the SSO settings in Procore). It is recommended that you save this document on your computer in a safe location.
- Continue with Step 5: Configure the App Registration.
Step 5: Configure the App Registration
Complete the app registration process to provide your new Procore-Initiated SSO application with the ability use the capabilities of Microsoft Azure AD.
- In the far left pane, click the Active Directory icon.
- Click App Registrations.
- In the App Registrations pane on the left, click Procore-Initiated SSO.
- In the middle pane, review the following information:
- Home Page. This should show a URL.
- Managed Application in Local Directory. This should show the name of the Procore-Initiated SSO app.
- In the Settings pane to the right, click Properties.
This opens the Properties sheet in a pane in the far right.
- In the Home Page URL box, select the Home Page URL (i.e., be sure to Select All). Then press DELETE to remove the existing value from that box.
- Use a cut-and-paste operation to paste the App ID URI (https://app.procore.com) into the Home Page URL box.
- It is very important that the value in Home Page URL box exactly matches the App ID URI box.
- Since the Procore-Initiated SSO app in Microsoft Azure AD is for Procore, you must enter enter https://app.procore.com in both the Home Page URL and App ID URI boxes.
- Make sure a GREEN checkmark appears to the right of the Home Page URL box.
- Leave all other values in the Properties sheet as is.
- At the top of the Properties sheet in the right pane, click Save.
The system updates the applications properties and reloads the Procore-Initiated SSO settings page. The reload process may take several seconds to complete. When reloaded, the Home Page value will read: https://app.procore.com
- In the Settings pane on the right, click Properties. Then verify the following:
- Confirm that the Home Page field displays: https://app.procore.com
- Configure that the Managed Application in Local Directory field displays: Procore-Initiated SSO
- Continue with Step 6: Configure the Reply URL.
Step 6: Configure the Reply URL
- In the Settings pane on the right, click Reply URLs.
This opens the Reply URLs pane on the right.
- Ensure that the top box contains: https://app.procore.com/saml/consume
- Click the ellipsis (…) and then choose Delete from the shortcut menu to remove the URL value from the second box.
- At the top of the Reply URLs pane, click Save.
The system updates the application URLs.
- Reload the application by clicking the Procore-Initiated SSO link in the Settings pane on the left.
- Continue with Step 7: Configure Procore-Inititaed SSO.
Step 7: Configure Procore for Single Sign-On
- In the left pane of the Procore-Initiated SSO application, click Single Sign-On.
- Scroll to the bottom of the Single Sign-On page.
- Under Procore-Initiated SSO Configuration, click Configure Procore Initiated SSO.
This opens the Configure Sign-On page in the left pane.
- Use a copy-and-paste operation to add the following URLs to the document that you saved (i.e., this is the document in which saved the required X509 certificate information in Step 4: Configure Single Sign On above):
- SAML Single Sign-On Service URL. Copy the full URL and paste it into your document.
- SAML Entity ID. Copy the full URL and paste it into your document.
- Open a new browser tab or window.
- Log into Procore using an account with Procore Administrator permissions. See Log in to Procore Web.
- Navigate to the company's Admin tool.
This reveals the Company Settings page.
- Copy the following Azure information from the document with the required X509 registration information that you saved to your computer. The paste it into Procore:
- Copy the SAML Single Sign-On Service URL and paste it into the Single Sign On Target URL box .
- Copy the SAML Entity ID and paste it into the Single Sign On Issuer URL box.
- Copy the XML for the SSO X509 Certificate and paste it into the Single Sign On x509 box.
- Click Save Changes.
This saves the information in Procore. Next, notify your company's Procore point of contact. A final configuration step must be completed by Procore before you can test your SSO configuration.
You can now have an end user log into the Procore login page. The system should now display your Windows Azure login page and then take you back to the Procore application.