Skip to main content
Procore

Configure IdP-Initiated SSO for OneLogin

 Note

If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your OneLogin SSO.

Objective

To configure Procore-initiated SSO for OneLogin. 

Background

If your company wants to configure Single Sign-On with OneLogin, you can leverage one of Procore's supported SSO solutions:

  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (e.g., OneLogin) and then click an icon to log into and open the Procore web application. To configure this solution, see the Steps below. 
    OR
  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution, see Configure Procore-Initiated SSO

Things to Consider

  • Required Permissions:
    • Administrator permission to OneLogin.
      AND
    • 'Admin' level permissions to Procore's Company level Admin tool.
  • Prerequisites:
  • Supported Authentication Protocol:
    • Security Assertion Markup Language (SAML 2.0) 
 Optional - Unique Entity ID

When configuring SSO for a single Procore instance, you should NOT check this box.

If your company licenses more than one Procore instance, and you want to configure unique Procore enterprise applications within your IdP tenant for each instance, you can by enabling Unique Entity ID. If enabled, you are still limited to one (1) enterprise application per Procore company instance.

Important: SSO for Procore targets users by email domain. An email domain can only be targeted once in all of Procore, so if you're considering setting up SSO with Unique Entity IDs across multiple Procore instances, remember that you can only target an email domain once, in a single instance.

To generate a Unique Entity ID for an enterprise application, check the Enable Unique Entity ID box in the Procore Admin tool's SSO configuration page for the Procore instance you want to specify on an enterprise application. Checking this box will generate a unique Entity ID URL in the field below, which you will then copy and paste into the appropriate Entity ID field in your IdP's configuration page.

Notes: You must save your configuration with the box checked to generate the Unique Entity ID. Enabling this feature does not impact user membership or access to a given instance. Access to a company in Procore is determined by a user's presence in the Directory tool, and their configured permissions within Procore. Auto-provisioning with SSO is not supported at this time.

sso-unique-entity-id.png

Steps

Complete these steps:

Step 1: Add the Procore App to OneLogin

  1. Log in to your organization's OneLogin portal using an account that has been granted Administrator permission.

    onelogin-admin-login.png
     
  2. Click Administration.

    onelogin-administration.png
     
  3. Choose Apps > Add Apps

    apps-addapps.png

    This reveals the Find Applications page. 
  4. At the Find Applications page, type: Procore
    The Procore app will appear.

    find-procore.png
     
  5. Click the Procore app. 
    This reveals the Configuration page. 

    save-app-config.png
     
  6. Verify the following:
    • Display Name. Verify that the entry reads "Procore". 
    • Visible in Portal. A GREEN checkmark should appear. 
    • Rectangular Icon. The Procore logo should appear. 
    • Square Icon. The Procore icon should appear. 
  7. Click Save.
    A green banner appears to confirm that the app was successfully added. A row of tabs appears in your apps new page.

Step 2: Configure Procore with the SSO Settings from OneLogin

  1. In the new app's page, click the SSO tab.
    This tab provides you with access to all of OneLogin's SSO Settings. Later, you will add the settings that you copy on this page to Procore's Company Admin tool. 
  2. In the X.509 Certificate box, click View Details.

    onelogin-view-details.png

    This opens a page showing all the certificate details. 
  3. In the top-right corner of the X.509 Certificate box, click Copy to Clipboard.
    This copies the X.509 certificate to your web browser's clipboard.
    Important! When using the OneLogin website, you might want to paste the items you copy into a Notepad document, to ensure that the Copy to Clipboard command worked as expected. When the copy command is successful, the browser will display a 'Copied' tooltip like the one illustrated below. If the copy command does NOT work in your browser version, simply place your mouse cursor in the text field the copy all the text (e.g., press CTRL+C in Windows or CMD+C on a Mac). 

    onelogin-copy-to-clipboard.png
     
    1. Format the Certificate
      1. Open a new browser tab. Then visit this link:
        https://www.samltool.com/format_x509cert.php
        This opens the Format an X509 Certificate page, which is owned by OneLogin. 
      2. Paste the X.509 certificate that you copied into the X.509 Cert field, as shown below. 

        paste-x509-cert.png
      3. Click Format X.509 Certificate
        The OneLogin tool automatically formats the certificate in two ways -- with the header or with the string.  
      4. Scroll to X.509 Cert in String Format box at the bottom of the page.
      5. Click the Copy to Clipboard icon in the top-right corner of the X.509 Cert In String Format box. 

        x509-cert-in-string-format.png
    2. Configure Your Company's Procore Web Application with the OneLogin SSO Settings
      1. Log in to the Procore web application. See Log in to Procore Web.
        Note: You must login with a user account that has been assigned Procore Administrator permissions.
      2. Navigate to the company's Admin tool.
      3. Under Administrative Settings, click Single Sign On Configuration.
      4. Paste the information from OneLogin into Procore as follows:
                                                                                                                                          
        Copy this information from OneLogin… Paste it into this field in Procore…
        Issuer URL
        Copy the Issuer URL from the SSO tab for the Procore app in OneLogin.

        Single Sign On Issuer URL

        Paste the Issuer URL into this field.

        issuer-url-copy.png admin-sso-issuer.png
        SAML 2.0 Endpoint (HTTP)
        Copy the SAML 2.0 Endpoint (HTTP) from the SSO tab for the Procore app.

        Single Sign On Target Url
        Paste the SAML 2.0 Endpoint (HTTP) into this field.

        saml-endpoint-copy.png admin-sso-target.png
        X.509 Cert in String Format
        This should still be in your clipboard memory. 
        Single Sign On x509 Certificate
        Paste the certificate in the string format into this field.
        x509-cert-in-string-format.png admin-sso-cert.png
      5. In Procore, scroll to the bottom of the page and click Save Changes
      6. Next, reach out to your company's Procore point of contact or contact Procore Support to request that they enter the domains you want to target for authentication via SSO. Procore must enter these domains on your behalf. 
      7. Once the domain(s) have been entered by Procore, take the final steps to enable SSO for your company:
        1. Mark the Enable Single Sign On box in Procore's SSO configuration settings.
        2. Select Allow Password Login to enable an IdP-initiated flow.
        3. Click Save.

Authentication via the configured SSO method will become active immediately after saving the final completed configuration. 

See Also