Skip to main content
Procore

Configure Procore for IdP-Initated Okta SSO

  1. Last updated
  2. Save as PDF
 Note

If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your Okta SSO.

Objective

 To configure IdP-initiated SSO for Okta (SAML 2.0).

Background

If your company wants to configure Single Sign-On with Okta, you can leverage one of Procore's supported SSO solutions:

  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD or Okta) and then click an icon to log into and open the Procore web application. To configure this solution, see the Steps below.
    OR
  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Okta, see Configure Procore-Initiated SSO for Okta.

Things to Consider

  • Required Permissions:
    • Administrator permissions to Okta
      AND
    • 'Admin' level permissions to Procore's Company level Admin tool.
  • Supported Authentication Protocol:
    • Security Assertion Markup Language (SAML 2.0) 
  • Limitations:
    • Just In Time (JIT) provisioning is NOT supported. 

Steps

Step 1: Add the Procore Application to Okta

  1. Log in to Okta as an Administrator. 
  2. Click Admin

    okta-click-admin.png
     
  3. Choose Applications > Applications.

    okta-apps-apps.png
     
  4. Click Add Application.

    okta-add-app.png

     
  5. In the Search for an Application box, search for Procore. When Procore's Okta-Verified SAML app appears, click Add.

    okta-search-for-procore.png
     
  6. Under General Settings, do the following:
    • Application Label. Type a name for the new application. For example, type: Procore
    • Application Visibility. Leave both of these checkboxes blank. This will allow the Procore icon to appear in Okta and on the Okta login page. If you place a checkmark in this box, the logo with NOT appear. 
    • Browser Plugin Auto-Submit. Ensure a checkmark appears in this box. 

      okta-applicaton-label.png
  7. Click Next

    okta-sign-on-options.png
     
  8. Click View Setup Instructions.
    This opens the Setup SSO page in a new web browser tab. Leave this page open in your browser. Later, you will need to copy information in this page when you configure the Okta SSO settings in the Procore web application.
    Important!  When copying the X.509 Certificate string, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. Only copy the text that resides between these markers. 
    okta-copy-certificate.png
  9. Return to your open browser tab with Okta's Sign On page, as shown below. Then ensure that Okta Username is selected in the Application Username Format list.

    okta-sign-on-options.png
     
  10. Click Next.
  11. Place a checkmark next to the name of your organization's Procore users in the People list. 

    okta-assign-procore-to-people.png
     
  12. Click Next.
  13. Verify that the attribute settings are correct for all of your Procore users. This Otka username is an email address. This is the address that you Procore users will use to log in to your Procore + Okta SSO Integration.

    okta-end-user-attributes.png
     
  14. Click Done.
  15. Continue with the next procedure.

Step 2: Configure the Okta Settings in Procore

  1. Login into the Procore web application.  
    Note: You must log in using an account that has 'Admin' permission to the company's Admin tool. 

  2. Navigate to the company's Admin tool.
  3. Under Administrative Settings, click Single Sign On Configuration.
  4. Enter the following information:
    • Enable Single Sign On
      Place a mark in this checkbox to enable SSO for your company. 
    • Allow Password Login
      Choose this option to enable IdP-initiated SSO.
    • Single Sign On Issuer URL
      Paste the 'Identity Provider Single Sign-On URL' that you copied from Okta into this field.
    • Single Sign On Target URL.
      Leave this field blank.
    • Single Sign On x509
      Paste the 'X509 Certificate' that you copied from Okta into this field. 
      Important: When copying the certificate information from Okta, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers. 

      okta-sso-idp-configuration-settings.png
       
  5. Click Save Changes.
    This saves the information in Procore. Next, notify your company's Procore point of contact. A final configuration step must be completed by Procore before you can test your SSO configuration. 
  6. After your Procore point of contact confirms that the final configuration step is complete, an end user should be able to log into your Okta SSO page (see Log in to Procore Using IdP-Initiated Okta SSO) and then launch the Procore application.  

See Also