Objective
To configure IdP-initiated SSO for Okta (SAML 2.0).
Background
If your company wants to configure Single Sign-On with Okta, you can leverage one of Procore's supported SSO solutions:
- Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD or Okta) and then click an icon to log into and open the Procore web application. To configure this solution, see the Steps below.
OR - Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Okta, see Configure Procore-Initiated SSO for Okta.
Steps
Step 1: Add the Procore Application to Okta
- Log in to Okta as an Administrator.
- Click Admin.
This reveals the Dashboard. - Choose Applications > Applications.
This reveals the Applications page. - Click Add Application.
- In the Search for an Application box, search for Procore. When Procore's Okta-Verified SAML app appears, click Add.
This reveals the Add Procore page. - Under General Settings, do the following:
- Application Label. Type a name for the new application. For example, type: Procore
- Application Visibility. Leave both of these checkboxes blank. This will allow the Procore icon to appear in Okta and on the Okta login page. If you place a checkmark in this box, the logo with NOT appear.
- Browser Plugin Auto-Submit. Ensure a checkmark appears in this box.
- Click Next.
This opens the Sign-On Options page.
- Click View Setup Instructions.
This opens the Setup SSO page in a new web browser tab. Leave this page open in your browser. Later, you will need to copy information in this page when you configure the Okta SSO settings in the Procore web application.
Important! When copying the X.509 Certificate string, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. Only copy the text that resides between these markers.
- Return to your open browser tab with Okta's Sign On page, as shown below. Then ensure that Okta Username is selected in the Application Username Format list.
- Click Next.
This reveals the Assign Procore to People page. This page lists all the users that exist in your Okta domain. - Place a checkmark next to the name of your organization's Procore users in the People list.
- Click Next.
This reveals the End User Attributes settings. - Verify that the attribute settings are correct for all of your Procore users. This Otka username is an email address. This is the address that you Procore users will use to log in to your Procore + Okta SSO Integration.
- Click Done.
The system assigns Procore to the people you selected. - Continue with the next procedure.
Step 2: Configure the Okta Settings in Procore
Login into Procore using an account that has 'Admin' permission to the company's Admin tool.
-
Login into the Procore web application.
Note: You must log in using an account that has 'Admin' permission to the company's Admin tool.
- Navigate to the Company level Admin tool.
- On the 'Company Settings' page, do the following:
- Single Sign On Issuer URL
Paste the 'Identity Provider Single Sign-On URL' that you from Okta into this field. - Single Sign On x509
Paste the 'X509 Certificate' that you copied from Okta into this field.
Important: When copying the certificate information from Okta, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers. - Single Sign On Target URL.
Leave this field blank.
- Click Save Changes.
This saves the information in Procore. You can now have an end user log into your Okta SSO page and then launch the Procore application. See Log in to Procore Using IdP-Initiated Okta SSO.
