Configure SP-Initiated SSO for Procore in Azure AD

Objective

To configure SP-initiated Single Sign-On (SSO) for Procore in Microsoft Azure Active Directory (Azure AD). 

Background

To assist you with understanding the terms discussed below, here are some definitions:

  • Identity Provider (IdP). This is the service that verifies the identity of your end users (e.g., Okta, OneLogin, or Azure AD).
  • Issuer URL (Entity ID). A unique string that identifies the provider issuing a SAML request. 
  • SAML. Short for Security Assertion Markup Language.
  • Service Provider (SP). Procore
  • Target URL. The IdP URL that will receive SAML requests from Procore.
  • x509 Certificate. This is a digital certificate that carries the IdP's public key. It contains the required values that allow the SSO service to verify the identities of your users.

If your company wants to use Azure AD SSO to manage user logins to Procore, these configurations are supported:

  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option lets your end users start at the Procore Login page, which then sends an authorization request to the IdP. Once the IdP authenticates the user's identity, the user is logged into Procore. To configure this solution with Microsoft Azure AD, see the Steps below.
    OR
  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure IdP-Initiated SSO for Microsoft Azure AD.

Things to Consider

Steps

Step 1: Add Procore as a New Enterprise Application in Azure AD

  1. Sign into the Azure AD portal using an account that has been granted Global Administrator rights to Azure AD:

    https://portal.azure.com

    This opens the Dashboard page.
  2. Under Favorites, click Azure Active Directory.
  3. Under Manage, click Enterprise Applications.
  4. Click New Application.
  5. In the Add from Gallery box, type Procore. Then press ENTER.
  6. Click the Procore application in the search results. 
  7. In the right pane, type a title for your new application in the Name box. The system's default name is Procore. However, you can name the application anything that you want. 
    Note: In this example, we named the application: Procore SSO Demo
  8. Click Add.
    This creates a new Procore enterprise application in your Azure AD organization. 


Step 2: Obtain the Procore Enterprise Application's SSO Settings

In the enterprise application that you just added above, do the following:

  1. Under Manage, click Single Sign-On.
  2. In the Single Sign-on Mode drop-down list, select SAML based Sign-on from the list.
  3. Click Save at the top of the page. 
  4. Scroll to the bottom of the page and click Configure Procore SSO Demo.
  5. Under Configure <Your Application's Name> for Single Sign On, review the following information: 
    • SAML Single Sign-On Service URL
      You will need to add this URL to the Single Sign On Target URL box in Procore. 
    • SAML Entity ID
      You will need to add this URL to the SAML Entity ID box in Procore. 
    • SAML XML Metadata
      You will need to click this link to download an XML file with the SSO X509 data to the download location specified by your web browser's settings. Typically, this is your computer's Downloads folder. However, your configuration settings may be different. 

  6. Leave the Azure AD page open.
    You will need to copy some information from this page when performing the next configuration step in the Procore web application.

Step 3: Add the Azure AD Settings to Procore's Company Level Admin Tool

  1. Leave the Azure AD page open as described in the previous step. 
  2. Log into Procore using your Procore Administrator account.
  3. Navigate to the Company level Admin tool.
    This reveals the Company Settings page.
  4. Under Administrative Settings, click Single Sign On Configuration.
    This opens the Single Sign On Configuration page. Leave this window open.

  5. Use a copy-and-paste operation to add the Azure AD settings to the Single Sign On Configuration page in Procore's Company level Admin tool as follows:
                                                                                                                                      
    • SAML Entity ID
      Copy this information from Azure AD: Copy the URL in the SAML Entity ID field.
      Paste it into this field in Procore: Single Sign On Issuer URL. Paste the SAML Entity ID URL into the Single Sign On Issuer URL field.

    • SAML Single Sign-On Service URL
      Copy this information from Azure AD: Copy the URL in the SAML Single Sign-On Service URL field.
      Paste it into this field in Procore: Single Sign On Target URL. Paste the SAML Single Sign-On Service URL into the Single Sign On Target URL field.

    • SAML XML Metadata
      Copy this information from Azure AD: Download this file to your computer and open it in a text editor (e.g., Notepad or TextEdit). Locate the certificate data that appears between the XML start and end tags for the x509 certificate. Then copy the data. Do NOT copy the tags. This is depicted in the animated image above:

      Start Tag: <X509Data><X509Certificate>

      End Tag: </X509Certificate></X509Data>

      Paste it into this field in Procore: Single Sign On x509 Certificate. Paste the certificate data you copied into this field.

  6. In Procore, scroll to the bottom of the page and click Save Changes.
    This saves your SSO configuration.
  7. Contact your Procore point of contact. Before you can test your SSO configuration, a final configuration step must be performed by Procore.  
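
Example (added here; not part of Procore's or Microsoft's documentation): a Python sketch that reads the three values from Step 3 out of the downloaded SAML XML metadata instead of copying them by hand, and computes a SHA-256 fingerprint of the certificate so you can confirm the pasted value matches the one your IdP lists. The function name, the sample hosts, the placeholder certificate bytes, and the choice of the HTTP-Redirect binding are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # assumed binding

# Constructed sample: placeholder bytes stand in for the certificate; hosts are made up.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {SAMPLE_CERT_B64[:32]}
          {SAMPLE_CERT_B64[32:]}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.test/tenant-placeholder/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def procore_sso_fields(metadata_xml):
    """Return the Issuer URL, Target URL and certificate data for the Procore form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # Metadata can carry several certificates; take the IdP's signing key only.
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if cert is None or sso is None:
        raise ValueError("signing certificate or SSO endpoint missing")
    b64 = "".join((cert.text or "").split())    # drop line breaks and indentation
    der = base64.b64decode(b64, validate=True)  # fails if tag text was included
    return {
        "issuer_url": root.get("entityID"),     # Single Sign On Issuer URL
        "target_url": sso.get("Location"),      # Single Sign On Target URL
        "x509_certificate": b64,                # Single Sign On x509 Certificate
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }
```

Pass the text of the downloaded metadata file to procore_sso_fields() and paste the returned values into the matching Procore fields.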
