1-866-477-6267 (toll-free)
Support Home > Integrations > Procore-Initiated SSO > Tutorials > Configure Procore-Initiated SSO for Okta

Configure Procore-Initiated SSO for Okta

Objective

To configure Procore-initiated SSO for Okta. (SP-initiated SSO)

Background

If your company wants to configure Single Sign-On with Okta, you can leverage one of Procore's supported SSO solutions:

  • Identity Provider Initiated (IdP-initiated) SSO. With this option, your end users must log into your Identity Provider's SSO page (for example, Azure AD or Okta) and then click an icon to log into and open the Procore web application. To configure this solution, see Configure Procore for IdP-Initiated Azure Active Directory SSO or Configure Procore for IdP-Initiated Okta SSO.
    OR
  • Service Provider Initiated (SP-initiated) SSO. Referred to as Procore-initiated SSO, this option gives your end users the ability to sign into the Procore Login page and then sends an authorization request to the IdP. Once the IdP authenticates the user's identify, the user is logged into Procore. To configure this solution with Okta, see the Steps below.

Things to Consider

  • Required Permissions:
    • Administrator permissions to Okta
      AND
    • 'Admin' level permissions to Procore's Company level Admin tool.
  • Prerequisites:
  • Supported Authentication Protocol:
    • Security Assertion Markup Language (SAML 2.0) 
  • Limitations:
    • Just In Time (JIT) provisioning is NOT supported. 

Demo

Coming Soon!

Steps

Step 1: Add the Procore App to Okta

  1. Log in to Okta as an Administrator. 
  2. Click Admin



    This reveals the Dashboard.
  3. Choose Applications > Applications.



    This reveals the Applications page. 
  4. Click Add Application.



     
  5. In the Search for an Application box, search for Procore. When Procore's Okta-Verified SAML app appears, click Add.



    This reveals the Add Procore page. 
  6. Under General Settings, do the following:
    • Application Label. Type a name for the new application. For example, type: Procore
    • Application Visibility. Leave both of these checkboxes blank. This will allow the Procore icon to appear in Okta and on the Okta login page. If you place a checkmark in this box, the logo with NOT appear. 
    • Browser Plugin Auto-Submit. Ensure a checkmark appears in this box. 

  7. Click Next
    This opens the Sign-On Options page. 

     
  8. Click View Setup Instructions.
    This opens the Setup SSO page in a new web browser tab. Leave this page open in your browser. Later, you will need to copy information in this page when you configure the Okta SSO settings in the Procore web application.
    Important!  When copying the X.509 Certificate string, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. Only copy the text that resides between these markers. 
  9. Return to your open browser tab with Okta's Sign On page, as shown below. Then ensure that Okta Username is selected in the Application Username Format list.


     
  10. Click Next.
    This reveals the Assign Procore to People page. This page lists all the users that exist in your Okta domain. 
  11. Place a checkmark next to the name of your organization's Procore users in the People list. 


     
  12. Click Next.
    This reveals the End User Attributes settings.
  13. Verify that the attribute settings are correct for all of your Procore users. This Otka username is an email address. This is the address that you Procore users will use to log in to your Procore + Okta SSO Integration.


     
  14. Click Done.
    The system assigns Procore to the people you selected. 
  15. Continue with the next procedure.

Step 2: Configure the Okta SSO Settings In Procore

  1. Login into the Procore web application.  
    Note: You must log in using an account that has 'Admin' permission to the company's Admin tool. 

  2. Navigate to the Company level Admin tool.
  3. On the 'Company Settings' page, do the following:
    • Single Sign On Issuer URL
      Paste the 'Identity Provider Single Sign-On URL' that you from Okta into this field.
    • Single Sign On x509
      Paste the 'X509 Certificate' that you copied from Okta into this field. 
      Important: When copying the certificate information from Okta, do NOT copy the "------------BEGIN CERTIFICATE------------" and "------------END CERTIFICATE------------" markers. You only want to copy the text that resides between these markers. 
    • Single Sign On Target URL.
      Paste the 'Identity Provider Issuer' URL from Okta into this field. 


       
  4. Click Save Changes.
    This saves the information in Procore. Next, notify your company's Procore point of contact. A final configuration step must be completed by Procore before you can test your SSO configuration. 

You can now have an end user log into the Procore login page. The system should now display your Okta login page and then take you back to the Procore application. 

You must to post a comment.
Last modified
14:01, 20 Apr 2017

Tags

Classifications

This page has no classifications.