Configure Procore for IdP-Initiated Okta SSO
Note
If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your Okta SSO.
Objective
To configure IdP-initiated SSO for Okta (SAML 2.0).
Background
If your company wants to configure Single Sign-On with Okta, you can leverage one of Procore's supported SSO solutions:
- Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD or Okta) and then click an icon to log into and open the Procore web application. To configure this solution, see the Steps below.
OR
- Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option lets your end users sign in from the Procore Login page, which then sends an authorization request to the IdP. Once the IdP authenticates the user's identity, the user is logged into Procore. To configure this solution with Okta, see Configure Procore-Initiated SSO for Okta.
Things to Consider
- Required Permissions:
  - Administrator permissions to Okta
    AND
  - 'Admin' level permissions to Procore's Company level Admin tool.
- Supported Authentication Protocol:
  - Security Assertion Markup Language (SAML 2.0)
- Limitations:
  - Just In Time (JIT) provisioning is NOT supported.
Steps
Step 1: Add the Procore Application to Okta
Step 2: Configure the Okta Settings in Procore
- Log in to the Procore web application.
  Note: You must log in using an account that has 'Admin' permission to the company's Admin tool.
- Navigate to the company's Admin tool.
- Under Administrative Settings, click Single Sign On Configuration.
- Enter the following information:
  - Enable Single Sign On
    Place a mark in this checkbox to enable SSO for your company.
  - Allow Password Login
    Choose this option to enable IdP-initiated SSO.
  - Single Sign On Issuer URL
    Paste the 'Identity Provider Single Sign-On URL' that you copied from Okta into this field.
  - Single Sign On Target URL
    Leave this field blank.
  - Single Sign On x509
    Paste the 'X509 Certificate' that you copied from Okta into this field.
    Important: When copying the certificate information from Okta, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers.
- Click Save Changes.
  This saves the information in Procore. Next, notify your company's Procore point of contact. A final configuration step must be completed by Procore before you can test your SSO configuration.
- After your Procore point of contact confirms that the final configuration step is complete, an end user should be able to log into your Okta SSO page (see Log in to Procore Using IdP-Initiated Okta SSO) and then launch the Procore application.
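
One way to prepare the value for the 'Single Sign On x509' field described in the Important note above, as an added example that is not Procore's or Okta's code: it strips the markers, rejects a private key or a truncated copy, and returns a SHA-256 fingerprint to compare with the certificate held in Okta. The function names and the sample input are assumptions made for illustration; the sample is a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# Matches any PEM block; tolerant of the number of dashes in the markers.
PEM_BLOCK = re.compile(r"-+BEGIN ([A-Z0-9 ]+)-+\s*(.*?)\s*-+END \1-+", re.DOTALL)

def der_is_complete(der):
    """True if der is exactly one ASN.1 SEQUENCE with no missing or extra bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def certificate_body(text):
    """Return (marker-free body, SHA-256 fingerprint); raise ValueError if unusable."""
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("input contains a private key; do not paste it anywhere")
    if len(blocks) > 1 or (blocks and blocks[0][0] != "CERTIFICATE"):
        raise ValueError("expected exactly one CERTIFICATE block")
    body = blocks[0][1] if blocks else text.strip()   # markers may already be gone
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not clean base64 (stray marker text?): %s" % exc)
    if not der_is_complete(der):
        raise ValueError("decoded data is not one complete DER structure (truncated copy?)")
    digest = hashlib.sha256(der).hexdigest().upper()
    return body, ":".join(digest[i:i + 2] for i in range(0, 64, 2))

# Constructed sample: a placeholder DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    body, fingerprint = certificate_body(SAMPLE_PEM)
    print(body)
    print("SHA-256 fingerprint:", fingerprint)
```

The check only confirms that the pasted text is one complete, marker-free DER structure; it does not parse the certificate's fields or validity dates.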