
Configure SP-Initiated SSO for Procore in Azure AD

Objective

To configure SP-initiated Single Sign-On (SSO) for Procore in Microsoft Azure Active Directory (Azure AD). 

Background

To assist you with understanding the terms discussed below, here are some definitions:

  • Identity Provider (IdP). This is the service that verifies the identity of your end users (e.g., Okta, OneLogin, or Microsoft Azure AD).
  • Issuer URL (Entity ID). A unique string that identifies the provider issuing a SAML request. 
  • SAML. Short for Security Assertion Markup Language.
  • Service Provider (SP). In this configuration, the service provider is Procore.
  • Target URL. The IdP URL that will receive SAML requests from Procore.
  • x509 Certificate. This is an encrypted digital certificate that contains the required values that allow the SSO service to verify the identities of your users.

If your company wants to use Azure AD SSO to manage user logins to Procore, these configurations are supported:

  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option lets your end users sign in from the Procore Login page, which then sends an authorization request to the IdP. Once the IdP authenticates the user's identity, the user is logged into Procore. To configure this solution with Microsoft Azure AD, see the Steps below.
    OR
  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure IdP-Initiated SSO for Microsoft Azure AD.

Things to Consider

Steps

Step 1: Add Procore as a New Enterprise Application in Azure AD

  1. Log in to the Azure AD portal as a Global Administrator: http://portal.azure.com

    demo-azure-add-procore.gif
     
  2. Under Favorites, click Azure Active Directory.
  3. Under Manage, click Enterprise Applications.
  4. Click +New Application.
  5. Under Add from the Gallery, type the following in the Enter a Name box: Procore
  6. Click the matching application named Procore
    This reveals a new pane.
  7. In the Name box, type a name for your application. 
    Note: In the example above, we named our application: Procore (Demo)
  8. Click Add.
    A message appears to confirm that the application was added successfully. You should now be viewing your new Procore enterprise application's Overview page. 

Step 2: Configure the Procore Enterprise Application's SSO Settings

  1. In the Overview page for your new enterprise application, under Manage, click Single Sign-On.

    demo-basic-saml-config.gif
     
  2. In the Single Sign-on Mode page, click SAML.
    This opens the Set Up Single Sign-On with SAML - Preview page.
  3. Under Basic SAML Configuration, click Edit.
    This opens the Basic SAML Configuration window. 
  4. Under the Basic SAML Configuration page, do the following:
  5. Click Save.
    A message appears to confirm that your settings were saved successfully.
  6. Click the 'x' to close the Basic SAML Configuration page. 
  7. Under SAML Signing Certificate, click the Download link for the Certificate (Base64) file. 
    Notes:
    • This downloads a file named PublicCertificate.cer to your browser's specified download area. 
    • Open the file in a text editor and leave it open on your computer. Later, you will copy the code that appears between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags into Procore.

      certificate-base64.png

Step 3: Add the Azure AD Settings to Procore's Company Level Admin Tool

  1. Leave the Azure AD page open as described in the previous step. 
  2. Log into Procore using your Procore Administrator account.
  3. Navigate to the Company level Admin tool.
    This reveals the Company Settings page.
  4. Under Administrative Settings, click Single Sign On Configuration
    This opens the Single Sign On Configuration page. Leave this window open. 

    demo-azure-configure-procore.gif
     
  5. Go to the Azure AD page that you left open. 
  6. Under Set Up <Your Application Name>, click View Step-by-Step Instructions.
    This opens the Configure Sign-On page.
                                                                                                                                      
    Copy the following information from Azure AD and paste it into the matching field in Procore:

    • In Azure AD: SAML Entity ID. Copy the URL in this field from Azure AD.
      In Procore: Single Sign On Issuer URL. Paste the SAML Entity ID URL into the Single Sign On Issuer URL field.
    • In Azure AD: SAML Single Sign-On Service URL. Copy the URL in this field from Azure AD.
      In Procore: Single Sign On Target URL. Paste the SAML Single Sign-On Service URL into the Single Sign On Target URL field.
    • In Azure AD: SAML XML Metadata. Download this file to your computer and open it in a text editor (e.g., Notepad or TextEdit). Locate the certificate data that appears between the XML start and end tags for the x509 certificate. Then copy the data. Do NOT copy the tags. This is depicted in the animated image above:
        Start Tag: <X509Data><X509Certificate>
        End Tag: </X509Certificate></X509Data>
      In Procore: Single Sign On x509 Certificate. Paste the certificate data you copied into this field.

     
  7. In Procore, scroll to the bottom of the page and click Save Changes
    This saves your SSO configuration.
  8. Contact your Procore point of contact. Before you can test your SSO configuration, a final configuration step must be performed by Procore.  
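
The values copied in Step 2 (the Certificate (Base64) download) and Step 3 (the SAML XML Metadata file) can be cross-checked before they are pasted into Procore. The following Python is an added example, not part of the original article or of Procore's or Microsoft's tooling; the sample metadata, the tenant placeholder and the stand-in certificate bytes are constructed, and using the HTTP-Redirect binding for the Target URL is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
# Constructed stand-in bytes, NOT a real certificate (a real one is DER-encoded X.509).
FAKE_DER = b"constructed-sample-not-a-real-x509-certificate"
B64 = base64.b64encode(FAKE_DER).decode()
# Constructed metadata and .cer text; the tenant ID in the URLs is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        {B64[:20]}
        {B64[20:]}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""
SAMPLE_CER = f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n"

def procore_fields(metadata_xml):
    """Map metadata values to the three Procore SSO fields named in Step 3."""
    root = ET.fromstring(metadata_xml)  # only parse metadata from your own tenant
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    return {
        "Single Sign On Issuer URL": root.get("entityID"),
        "Single Sign On Target URL": sso.get("Location"),
        # Metadata may wrap the base64 across lines; strip all whitespace.
        "Single Sign On x509 Certificate": "".join(idp.find(CERT_PATH, NS).text.split()),
    }

def pem_body(cer_text):
    """Base64 between the BEGIN/END CERTIFICATE lines of the Step 2 download."""
    lines = (line.strip() for line in cer_text.splitlines())
    return "".join(s for s in lines if s and not s.startswith("-----"))

def sha256_fingerprint(cert_b64):
    """Hash the decoded bytes; validate=True rejects pasted tags or markers."""
    return hashlib.sha256(base64.b64decode(cert_b64, validate=True)).hexdigest()

def same_certificate(metadata_xml, cer_text):
    cert = procore_fields(metadata_xml)["Single Sign On x509 Certificate"]
    return sha256_fingerprint(cert) == sha256_fingerprint(pem_body(cer_text))
```

Matching fingerprints confirm that the certificate data taken from the metadata file is the same certificate as the Base64 download; a decode error from sha256_fingerprint indicates that tags or BEGIN/END markers were copied along with the data.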
