Skip to main content
Procore

Configure SP-Initiated SSO for Procore in Azure AD

 Note

If your organization is using the Portfolio Financials and Capital Planning products in Procore, you will need to reach out to your Procore point of contact or the Support team to set up your Azure AD SSO.

You will need to provide the following information when requesting the setup: Single Sign On Issuer URL, Single Sign On Target URL (Optional for IdP-Initiated SSO), and Single Sign On x509 Certificate.

Objective

To configure SP-initiated Single Sign-On (SSO) for Procore in Microsoft Azure Active Directory (Azure AD). 

Background

To assist you with understanding the terms discussed below, here are some definitions:

  • Identity Provider (IdP). This is the service that verifies the identity of your end users (e.g., Okta, OneLogin, or Microsoft Azure AD).
  • Issuer URL (Entity ID). A unique string that identifies the provider issuing a SAML request. 
  • SAML. Short for Security Assertion Markup Language.
  • Service Provider (SP). Procore
  • Target URL. The IdP URL that will receive SAML requests from Procore.
  • X.509 Certificate. This is an encrypted digital certificate that contains the required values that allow the SSO service to verify the identities of your users.

If your company wants to use Azure AD SSO to manage user logins to Procore, these configurations are supported:

  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Microsoft Azure AD, see the Steps below.
    OR
  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure IdP-Initiated SSO for Microsoft Azure AD.

Things to Consider

Steps

Step 1: Add Procore as a New Enterprise Application in Azure AD

  1. Log in to the Azure AD portal as a Global Administrator: http://portal.azure.com

    demo-azure-add-procore.gif
     
  2. Under Favorites, click Azure Active Directory.
  3. Under Manage, click Enterprise Applications.
  4. Click +New Application.
  5. Under Add from the Gallery, type the following in the Enter a Name box: Procore
  6. Click the matching application named Procore
    This reveals a new pane.
  7. In the Name box, type a name for your application. 
    Note: In the example above, we named our application: Procore (Demo)
  8. Click Add.
    A message appears to confirm that the application was added successfully. You should now be viewing your new Procore enterprise application's Overview page. 

Step 2: Configure the Procore Enterprise Application's SSO Settings

  1. In the Overview page for your new enterprise application, under Manage, click Single Sign-On.

    demo-basic-saml-config.gif
     
  2. In the Single Sign-on Mode page, click SAML.
    This opens the Set Up Single Sign-On with SAML - Preview page.
  3. Under Basic SAML Configuration, click Edit.
    This opens the Basic SAML Configuration window. 
  4. Under the Basic SAML Configuration page, do the following:
    • Identifier (Entity ID)
      Change the value from: https://app.procore.com to: https://login.procore.com
      Note: If you are using Portfolio Financials and Capital Planning, enter the following value instead:https://www.honestbuildings.com/pfcp/app/#!/login 
       
       Optional - Unique Entity ID

      When configuring SSO for a single Procore instance, you should NOT check this box.

      If your company licenses more than one Procore instance, and you want to configure unique Procore enterprise applications within your IdP tenant for each instance, you can by enabling Unique Entity ID. If enabled, you are still limited to one (1) enterprise application per Procore company instance.

      Important: SSO for Procore targets users by email domain. An email domain can only be targeted once in all of Procore, so if you're considering setting up SSO with Unique Entity IDs across multiple Procore instances, remember that you can only target an email domain once, in a single instance.

      To generate a Unique Entity ID for an enterprise application, check the Enable Unique Entity ID box in the Procore Admin tool's SSO configuration page for the Procore instance you want to specify on an enterprise application. Checking this box will generate a unique Entity ID URL in the field below, which you will then copy and paste into the appropriate Entity ID field in your IdP's configuration page.

      Notes: You must save your configuration with the box checked to generate the Unique Entity ID. Enabling this feature does not impact user membership or access to a given instance. Access to a company in Procore is determined by a user's presence in the Directory tool, and their configured permissions within Procore. Auto-provisioning with SSO is not supported at this time.

      sso-unique-entity-id.png

       

    • Sign On URL
      Leave this field blank. You do NOT need to enter a value in this field.
    • Reply URL (Assertion Consumer Service URL)
      Enter the following: https://login.procore.com/saml/consume
  5. Click Save.
    A message appears to confirm that your settings were saved successfully.
  6. Click the 'x' to close the Basic SAML Configuration page. 
  7. Under SAML Signing Certificate, click the Download link for the Certificate (Base64) file. 
    Notes:
    • This downloads a file named PublicCertificate.cer to your browser's specified download area. 
    • Open the file in a text editor and leave it open on your computer. Later, you will copy the code that appears between the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE-- tags into Procore.

      certificate-base64.png

Step 3: Add the Azure AD Settings to Procore's Company Level Admin Tool

  1. Leave the Azure AD page open as described in the previous step. 
  2. Log into Procore using your Procore Administrator account.
  3. Navigate to the Company level Admin tool.
  4. Under Company Settings, click Single Sign On Configuration
  5. Leave Procore's 'Single Sign On Configuration' page open.
  6. Go to the Azure AD page that you left open. 
  7. Under Set Up [Your Application Name], click View Step-by-Step Instructions.
    This opens the Configure Sign-On page.
                                                                                                                                      
    Copy this information from Azure AD… Paste it into this field in Procore…
    SAML Entity ID
    Copy the URL in this field from Azure AD.
    Single Sign On Issuer URL
    Paste the SAML Entity ID URL into the Single Sign On Issuer URL field.
    saml-entity-id.png issuer-url.png
    SAML Single Sign-On Service URL
    Copy the URL in this field from Azure AD.
    Single Sign On Target URL
    Paste the SAML Single Sign-On Service URL into the Single Sign On Target URL field. 
    saml-sso-service-url.png sso-target-url.png

    SAML XML Metadata
    Download this file to your computer and open it in a text editor (i.e., Notepad or Text/Edit). Locate the certificate data that appears between the HTML start and end tags for the x509 certificate. Then copy the data. Do NOT copy the tags. This is depicted in the animated image above:

    Start Tag: <X509Data><X509Certificate> 
    
    End Tag: </X509Data></X509Certificate>
    
    Single Sign On x509 Certificate
    Paste the certificate data you copied into this field.
    xml-certificate.png sso-x509.png

     
  8. On the 'Single Sign On Configuration' page in Procore, click Save Changes.
  9. Reach out to Procore Support or your company's Procore point of contact to request they configure the email domain(s) you'd like to target for SSO.
  10. After you receive confirmation that the SSO configuration is ready, mark the Enable Single Sign On checkbox on the 'Single Sign On Configuration' page.
  11. Select the Service Provider Forward option.
  12. Click Save Changes.

 

See Also