Skip to main content

Configure Single Sign-On in the Company Admin Tool


To configure Single Sign On (SSO) in the Company level Admin tool. 


Procore supports SP-initiated and IdP-initiated SSO with Okta, OneLogin, and Microsoft Azure AD. See What is the difference between SP- and IdP-Initiated SSO? Procore also supports SSO with other service providers that are SAML 2.0 and SHA 256 compliant.

To assist you with understanding the terms discussed below, here are some definitions:

  • Identity Provider (IdP). This is the service that verifies the identity of your end users (e.g., Okta, OneLogin, or Microsoft Azure AD).
  • Issuer URL (Entity ID). A unique string that identifies the provider issuing a SAML request. 
  • SAML. Short for Security Assertion Markup Language.
  • Service Provider (SP). Procore
  • Target URL. The IdP URL that will receive SAML requests from Procore.
  • X.509 Certificate. This is an encrypted digital certificate that contains the required values that allow the SSO service to verify the identities of your users.

Things to Consider

  • Required User Permissions:
    • 'Admin' level permissions on the Company level Admin tool. 
  • Additional Information:
    • Please contact your SSO service provider if you need assistance locating the Issuer URLTarget URL, and x509 Certificate.


  • Configure the Procore application in your identity provider's SSO software or solution.
  • Obtain the required SSO Settings from your identity provider's SSO software or solution.


  1. Navigate to the Company level Admin tool.
  2. Under 'Company Settings,' click Single Sign On Configuration
    Note: The data you enter on the page below is always obtained from the issuer (e.g., Okta, OneLogin, or Microsoft Azure AD).

    See the links below for more detailed instructions about configuring SSO with Okta, OneLogin, Azure Active Directory, and Google.

  3. Enter the Single Sign On Issuer URL. This is commonly referred to as the issuer and is a unique URL that identifies the provider issuing a SAML request.
  4. Enter the Single Sign On Target URL. This is the URL that will receive SAML requests from the provider.
  5. Enter the Single Sign On x509 Certificate. This is the encrypted digital certificate information.

    Multiple Entity ID Support: If you want to configure multiple Procore enterprise applications within your IdP tenant you may do so, but you are limited to one enterprise application per Procore company instance. To generate a unique Entity ID for an enterprise application, check the Enable Unique Entity ID box in the Procore Admin tool's SSO configuration page for the Procore company instance you want to specify on the enterprise application you're configuring. Checking this box will generate a unique Entity ID URL in the field below, which you will then copy and paste into the appropriate field in your IdP's configuration page.
    Note: You must save your configuration with the box checked to generate the Unique Entity ID.



  6. Click Save Changes.
  7. Reach out to Procore Support or your company's Procore point of contact to request to enable SSO. Include the email domain you'd like to target for SSO in your request.
  8. After you receive confirmation that the SSO configuration is ready, mark the Enable Single Sign On checkbox on the 'Single Sign On Configuration' page.
  9. Click Save Changes.