***

title: Embedded AI Assistant SSO Configuration - Okta SAML SSO
position: 9
excerpt: ''
deprecated: false
hidden: false
metadata:
title: ''
description: ''
robots: index
next:
description: ''
---------------

# Installing Embedded AI Assistant with a Code Snippet and Okta SAML SSO

This method of installation allows you to embed Embedded AI Assistant on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. It simply requires setting up an Okta application and then pasting a code snippet onto your target pages.

## Installation Participants

On the day of installation, we need these individuals from your team on the call:

* Okta **super admin**
  * Must be able to add a new application and make tenant-level configuration changes.
* Target host admin(s)
  * Must be able to paste an HTML/JavaScript code snippet onto the target page or site.

## Installation Overview

Moveworks can walk you through the Okta application installation on a call in about 15 minutes.

Setting up the Okta application is a one-time activity and from then on you are free to paste the code snippet onto any other site governed by your Okta SSO at your convenience.

## Moveworks will provide the following:

* Unique Customer Identifier String
* Unique Customer Code Snippet

### Step 1: Review Security Overview document and Verify Okta tenant is configured to support iFrames

Embedded AI Assistant is an iframe-based application since the entire chat is hosted on Moveworks’ domain. Okta allows these kinds of applications to be installed by enabling a tenant-wide configuration (see screenshot below).

Enabling this feature is necessary for Embedded AI Assistant to function, however, it does allow other Okta applications to utilize iFrames as well. By enabling this feature within the Okta tenant, customer’s security posture may be weakened since this may enable attackers to perform a clickjacking attack against end users. Customers may sign up for Okta’s beta program feature for trusted origins which only allows explicitly specified domains to be displayed in iFrames, such as Moveworks. We highly recommend customers review this with their security team (or an equivalent) before enabling this feature.

For further information about this feature please see:

* Okta iFrame solution: [https://support.okta.com/help/s/article/Okta-in-IFrame-is-not-working?language=en\_US](https://support.okta.com/help/s/article/Okta-in-IFrame-is-not-working?language=en_US)
* Trusted Origins for iFrame embedding (beta feature): [https://help.okta.com/en-us/Content/Topics/API/trusted-origins-iframe.htm](https://help.okta.com/en-us/Content/Topics/API/trusted-origins-iframe.htm)
  ![](https://files.readme.io/4a3ab53-small-iframe.png)

### Step 2: Okta App Setup Instructions

Go to the screen that lets you create Applications.

Click on Create App Integration.

![](https://files.readme.io/b04ed50-small-image-20210715-094919_2.png)

Select SAML 2.0 in the next screen.

![](https://files.readme.io/6976308-small-image-20210715-095028_1.png)

Specify a name for the application. Moveworks recommends using your bot’s name.

Check the box to not display the AI Assistant as an application among your users’ Okta chiclets.

Click next to configure the application.

![](https://files.readme.io/4a51578-small-Screen_Shot_2022-04-26_at_2.38.27_PM_1.png)

Based on your AI Assistant environment, set the **Single sign on URL** as one of the following:

Commercial Environment: [https://webchat-kprod.moveworks.io/login/sso/saml](https://webchat-kprod.moveworks.io/login/sso/saml)
GovCloud Environment: [https://webchat.moveworksgov.com/login/sso/saml](https://webchat.moveworksgov.com/login/sso/saml)
EU Environment: [https://webchat.prod.am-euc1.moveworks.io/login/sso/saml](https://webchat.prod.am-euc1.moveworks.io/login/sso/saml)
Canada Environment: [https://webchat.prod.am-cac1.moveworks.io/login/sso/saml](https://webchat.prod.am-cac1.moveworks.io/login/sso/saml)

Specify [https://www.moveworks.com/](https://www.moveworks.com/) as the Audience URI.

In Default Relay State: Add the unique customer identifier string **provided by Moveworks**.

Select email address as the Name ID format.

![](https://files.readme.io/4716ef6-small-Screen_Shot_2022-04-26_at_2.38.27_PM_1.png)

On the Feedback panel, select the following options.

![](https://files.readme.io/ce3942f-small-image-20210715-095533_1.png)

### Step 3: Record configuration info about your app

1. Go the Sign On tab and click on View Setup Instructions.

![](https://files.readme.io/a04ddbb-small-image-20210715-095656_1.png)

2. Note down the following:
   ![](https://files.readme.io/6315a87-small-Untitled_-_2023-05-04T120727.791.png)
   1. Identity Provider Single Sign-On URL
   2. Identity Provider Issuer
   3. X.509 Certificate

3. Embed Link:

![](https://files.readme.io/36f2a95-small-Screen_Shot_2022-04-26_at_2.52.28_PM_1.png)

### Step 4: Complete your Configuration in Moveworks Setup

After setup is complete, login to Moveworks Setup to add the SSO application details.

1. Within Moveworks Setup, navigate to Single Sign-on (SSO)
2. Click **create** to create a new SSO configuration
3. Input the following details:
   1. Moveworks Product: Movewebchat
   2. Select Connector: Okta
   3. Authentication Protocol: SAML
   4. IDP Sign On/ SSO URL
   5. IDP Issuer/Identifier ID
   6. IDP Public Certificate

### Create Moveworks Setup Authentication Configuration

1. Within Moveworks Setup, Navigate to **Web Chatbot > Authentication** and click create to create a new authentication record
2. Set **Auth Config** to **Generic SSO**
3. Set **SSO Config** to the SSO configuration record you created in the previous section of this guide.
4. Set **Auth Key** to **default**for single SSO authentication setups. For setups where you have multiple SSO systems users use to authenticate, follow the [Multi SSO Configuration Guide](/ai-assistant/ai-assistant-web-surfaces/moveworks-for-web/embedded-ai-assistant-multi-sso-configuration-guide)

### Configure the Embedded AI Assistant

You will need to follow the [Embedded AI Assistant Configuration Guide](/ai-assistant/ai-assistant-web-surfaces/moveworks-for-web/embedded-ai-assistant-installation-guide) to complete the remaining setup steps if you have not done so already.