How can I configure SSO in a sandbox environment for testing before implementing SSO in my Procore company account?

Background

If your company has access to a Procore Monthly Sandbox, your IT department can test your Single Sign-On (SSO) configuration there before deploying it to your company's production account.

While Procore does not require this step, it may be helpful for clients building custom SSO integrations with Identity Providers (IdPs) that fall outside of Procore's standard documentation. See Which SSO identity providers are supported by Procore?

 Important: Monthly Sandbox Environment vs. Sandbox Test Project

A Sandbox Test Project resides within your company's active Procore production account and cannot be used for SSO testing. Instead, use your Monthly Sandbox Environment to isolate your SSO configuration when testing it.

Answer

To setup SSO in a Monthly Sandbox Environment, follow the standard SSO configuration using the environment-specific attributes below.

Procore Label

Standard SAML Attribute/Name

Sandbox Value

Target Sign-on URL*

Assertion Consumer Service (ACS) URL

https://login-sandbox-monthly.procore.com/saml/consume

Recipient URL*

Recipient

https://login-sandbox-monthly.procore.com/

Destination URL*

Destination

https://api-sandbox-monthly.procore.com/

Audience URI (SP Entity ID)*

Entity ID (SP Entry ID)

https://login-sandbox-monthly.procore.com/

* Your Identity Provider (IdP) may label these fields differently than Procore. For example, if you are using Azure AD, the Target Sign-on URL corresponds to the Reply URL. If you are using Okta, it is simply Single Sign On URL. If you need assistance correlating entries, consult your IdP's support documentation or contact them for assistance.

Important

Ensure you clear the Use this for Recipient URL and Destination URL check box to manually enter the unique URL

Finalizing Your Setup

Once your IdP is configured with the attributes above:

  1. Contact Procore. Reach out to your Procore point of contact or Procore Support.

  2. Register Domains. Provide Procore Support the specific domain(s) you wish to target for SSO.

    Note:

    Please note that if your company chooses to manage its own SSO solution, Procore Support does not have access to or control over your company’s IdP settings (e.g., Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity, One Login, JumpCloud, and others).

    • Procore's Responsibility: Populating the metadata URLs and registering your domains within the Procore application.

    • Your IT Department's Responsibility: Configuring the IdP, providing Procore with the metadata URLs, managing user permissions, and troubleshooting any internal authentication errors within your own identity platform.

  3. Enable SSO. Once Procore registers your domains, navigate to your Procore settings to select the Enable Single Sign-On checkbox. You can then choose between the IdP -Initiated or the SP-Initiated (i.e., Procore-Initiated SSO) options.

See Also

Loading related articles...