*** title: Embedded AI Assistant SSO Configuration - Okta OIDC position: 7 excerpt: '' deprecated: false hidden: false metadata: title: '' description: '' robots: index next: description: '' --------------- # Installing Embedded AI Assistant with a Code Snippet and Okta OIDC This method of installation allows you to embed Embedded AI Assistant on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. This will create an Okta application that will allow you to copy a code snippet of the AI Assistant and paste it onto any page governed by Okta , and Embedded AI Assistant will just work, automatic authentication and all. ### Prerequisite Questions * Does the site/page you want to include Embedded AI Assistant on allow for HTML/JavaScript editing? * If you want it to be everywhere on the site, does it support site templates, master pages, headers, footers, or other similar global page elements that support HTML/JavaScript editing? * Is the site/page governed by Okta SSO? * Ensure there is a tool owner with **Super Admin** access in your Okta instance ## Installation Participants On the day of installation, we need these individuals from your team on the call: * Okta **super admin** * Must be able to add a new application and make tenant-level configuration changes. * Target host admin(s) * Must be able to paste an HTML/JavaScript code snippet onto the target page or site. ## Installation Overview Moveworks can walk you through the Okta application installation on a call in about 15 minutes. Setting up the Okta application is a one-time activity and from then on you are free to paste the code snippet onto any other site governed by your Okta OIDC at your convenience. ## Moveworks will Provide the Following: * Unique Customer AI Assistant ID ## Okta App Setup Instructions Go to the screen that lets you create Applications. Click on Create App Integration ![](https://files.readme.io/0eff6b5-small-image-20210715-094919_2.png) Select OIDC - OpenID Connect in the next screen. ![](https://files.readme.io/8026e11-small-Screen_Shot_2022-06-01_at_5.19.51_PM_1.png) 1. Fill out the Settings page 1. Specify a name for the application. We recommend using your bot’s name. 2. Use as the **Sign-in redirect URL**: **Commercial Environment**: `https://webchat-kprod.moveworks.io/login/sso/oidc` **GovCloud Environment**: `https://webchat.prod.am-usge1.moveworks.io/login/sso/oidc` **EU Environment**: `https://webchat.prod.am-euc1.moveworks.io/login/sso/oidc` **Canada Environment**: `https://webchat.prod.am-cac1.moveworks.io/login/sso/oidc` 3. Specify as the **Trusted Origin**. **Commercial Environment**: `https://webchat-kprod.moveworks.io` **GovCloud Environment**: `https://webchat.prod.am-usge1.moveworks.io` **EU Environment**: `https://webchat.prod.am-euc1.moveworks.io` **Canada Environment**: `https://webchat.prod.am-cac1.moveworks.io` 4. Configure to be one of the following options: 1. `Allow everyone in you organization to access` 2. `Limit access to selected groups` Select options as shown below. ![](https://files.readme.io/c22cdd4-small-OIDC.png) Go back to General Settings and uncheck Require consent. Since the AI Assistant is doing silent authentication, the **Require consent** will block the AI Assistant auth flow and leave the AI Assistant invisible. ![](https://files.readme.io/180cdd1-small-Screen_Shot_2022-06-01_at_6.03.20_PM_1.png) ![](https://files.readme.io/6509fc7-small-Screen_Shot_2022-06-01_at_5.23.49_PM_1.png) ### Finish the Moveworks side of the integration After setup is complete, login to Moveworks Setup to add the SSO application details. 1. Within Moveworks Setup, navigate to Single Sign-on (SSO) 2. Click **create** to create a new SSO configuration 3. Input the following details: 1. Moveworks Product: Movewebchat 2. Select Connector: Okta 3. Authentication Protocol: OIDC 4. IDP redirect URL 5. IDP issuer: https\://'okta-tenant-name'.okta.com 1. **NOTE:** If you are using a custom URL for your Okta login page for end users, that is the URL that must be used here, rather than the default subdomain URL. This is because Okta session cookie is linked to the login page that is accessed. For more information, see [Okta documentation here](https://support.okta.com/help/s/article/If-I-add-a-Custom-URL-Domain-to-my-Okta-tenant-should-I-update-my-Applications?language=en_US). 6. IDP Client ID: App client ID 7. IDP Client Secret: App client secret All other settings are typically not required to be populated. * To get these information, Go to the General tab ![](https://files.readme.io/4aa7d78-small-Screen_Shot_2022-06-01_at_5.23.13_PM_1.png) ### Create Moveworks Setup Authentication Configuration 1. Within Moveworks Setup, Navigate to **Web Chatbot > Authentication** and click create to create a new authentication record 2. Set **Auth Config** to **Generic SSO** 3. Set **SSO Config** to the SSO configuration record you created in the previous section of this guide. 4. Set **Auth Key** to **default**for single SSO authentication setups. For setups where you have multiple SSO systems users use to authenticate, follow the [Multi SSO Configuration Guide](/ai-assistant/ai-assistant-web-surfaces/moveworks-for-web/embedded-ai-assistant-multi-sso-configuration-guide) ### Configure the Embedded AI Assistant You will need to follow the [Embedded AI Assistant Configuration Guide](/ai-assistant/ai-assistant-web-surfaces/moveworks-for-web/embedded-ai-assistant-installation-guide) to complete the remaining setup steps if you have not done so already.