Skip to main content

Configure SP-Initiated SSO for Procore in Okta


To configure Procore-initiated SSO for Okta. (SP-initiated SSO)


If your company wants to configure Single Sign-On with Okta, you can leverage one of Procore's supported SSO solutions:

  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD or Okta) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure Procore for IdP-Initiated Azure Active Directory SSO or Configure Procore for IdP-Initiated Okta SSO.
  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Okta, see the Steps below.

Things to Consider

  • Required Permissions:
    • Administrator permissions to Okta
    • 'Admin' level permissions to Procore's Company level Admin tool.
  • Prerequisites:
  • Supported Authentication Protocol:
    • Security Assertion Markup Language (SAML 2.0) 
  • Limitations:
    • Just In Time (JIT) provisioning is NOT supported. 
  • Additional Information:
    • Procore-initiated SSO supports both single domain and multiple domain sign in. After completing the steps below, you must provide your SSO domain(s) to your company's Procore point of contact. This information will added to Procore as a final configuration step before you test your SSO configuration. 


Step 1: Add the Procore App to Okta

  1. Log in to Okta as an Administrator. 
  2. Click Admin

    This reveals the Dashboard.
  3. Choose Applications > Applications.

    This reveals the Applications page. 
  4. Click Add Application.

  5. In the Search for an Application box, search for Procore. When Procore's Okta-Verified SAML app appears, click Add.

    This reveals the Add Procore page. 
  6. Under General Settings, do the following:
    • Application Label. Type a name for the new application. For example, type: Procore
    • Application Visibility. Leave both of these checkboxes blank. This will allow the Procore icon to appear in Okta and on the Okta login page. If you place a checkmark in this box, the logo with NOT appear. 
    • Browser Plugin Auto-Submit. Ensure a checkmark appears in this box. 

  7. Click Next
    This opens the Sign-On Options page. 

  8. Click View Setup Instructions.
    This opens the Setup SSO page in a new web browser tab. Leave this page open in your browser. Later, you will need to copy information in this page when you configure the Okta SSO settings in the Procore web application.
    Important!  When copying the X.509 Certificate string, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. Only copy the text that resides between these markers. 
  9. Return to your open browser tab with Okta's Sign On page, as shown below. Then ensure that Okta Username is selected in the Application Username Format list.

  10. Click Next.
    This reveals the Assign Procore to People page. This page lists all the users that exist in your Okta domain. 
  11. Place a checkmark next to the name of your organization's Procore users in the People list. 

  12. Click Next.
    This reveals the End User Attributes settings.
  13. Verify that the attribute settings are correct for all of your Procore users. This Otka username is an email address. This is the address that you Procore users will use to log in to your Procore + Okta SSO Integration.

  14. Click Done.
    The system assigns Procore to the people you selected. 
  15. Continue with the next procedure.

Step 2: Configure the Okta SSO Settings In Procore

  1. Login into the Procore web application.  
    Note: You must log in using an account that has 'Admin' permission to the company's Admin tool. 

  2. Navigate to the Company level Admin tool.
  3. Under "Administrative Settings," click Company Settings.
  4. Enter the following information:
    • Single Sign On Issuer URL
      Paste the 'Identity Provider Single Sign-On URL' that you from Okta into this field.
    • Single Sign On x509
      Paste the 'X509 Certificate' that you copied from Okta into this field. 
      Important: When copying the certificate information from Okta, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers. 
    • Single Sign On Target URL.
      Always leave this field blank.
  5. Click Save Changes.
    This saves the information in Procore. Next, notify your company's Procore point of contact. A final configuration step must be completed by Procore before you can test your SSO configuration. 

You can now have an end user log into the Procore login page. The system should now display your Okta login page and then take you back to the Procore application. 

See Also 

  • Was this article helpful?