Microsoft Entra (Azure AD) SSO Configuration Guide (SAML)
Before you start
Ensure you have Admin Access to your SSO portal.
Ask your Moveworks team for your CUSTOMER_ID: this is your organization's unique identifier, which will be used to create branded URLs for login.
Setup Instructions in Azure Portal
- Navigate to https://portal.azure.com
- Create a new Enterprise application > + New application
- Search Moveworks in Entra Gallery > Select Moveworks > Create application.
- Go to Single sign-on > Select SAML application.
- Edit Basic SAML Configuration and set the Reply URL (Assertion Consumer Service URL), Sign on URL, and Relay State
  - Reply URL (Assertion Consumer Service URL): Moveworks uses the same URL for sending and receiving SAML Assertions. Specify your SAML Assertion Consumer Service (ACS) URL based on your region below. Use United States as your default region, unless your organization is launched in a different data center region. Please ask your Moveworks Customer Success team for your region if you are unsure.
Region | SAML ACS URL (also called single sign-on URL, Destination URL, Recipient URL) | Sign-on URL |
---|---|---|
United States (default) | https://CUSTOMER_ID.moveworks.com/login/sso/saml | https://CUSTOMER_ID.moveworks.com |
Canada | https://CUSTOMER_ID.am-ca-central.moveworks.com/login/sso/saml | https://CUSTOMER_ID.am-ca-central.moveworks.com |
EU | https://CUSTOMER_ID.am-eu-central.moveworks.com/login/sso/saml | https://CUSTOMER_ID.am-eu-central.moveworks.com |
Australia / Asia Pacific | https://CUSTOMER_ID.am-ap-southeast.moveworks.com/login/sso/saml | https://CUSTOMER_ID.am-ap-southeast.moveworks.com |
Government Secure Cloud | https://CUSTOMER_ID.moveworksgov.com/login/sso/saml | https://CUSTOMER_ID.moveworksgov.com |
- Sign-on URL: This URL defines the entry point your employees can use to access your Moveworks SAML app. Use the table above for your sign-on URL. Use United States as your default region, unless your organization is launched in a different data center region. Please ask your Moveworks Customer Success team for your region if you are unsure.
- Audience URI (also called SP Entity ID): Enter https://moveworks.com
  - Note: this should be the default value if you install through the Entra app gallery.
- Default Relay State: Enter your CUSTOMER_ID from the previous step.
- App Visibility: Ensure your app is visible to users. Additionally, set "Assignment Required" to true, as per your organization's IT policy.
- On step 3, select Edit
  - Update the Signing Option (Optional) to Sign SAML response and assertion, and the Signing Algorithm (Optional) to SHA-256.
  - Logo (Optional): Download and upload the following Moveworks icon for your application:
Finish Moveworks’ side of the integration
After the above setup is complete, provide the following information to your Moveworks Customer Success team:
- Identity Provider (IDP) Single Sign-On URL (called idp_sso_url)
- Issuer URL (called idp_issuer)
- Issuer X.509 Certificate (called idp_issuer_cert)
  - Your certificate can be viewed or downloaded from your SSO app
  - Your certificate should start with -----BEGIN CERTIFICATE-----
  - Your certificate should end with -----END CERTIFICATE-----
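A pre-handoff check for the three values listed above, as an added example that is not part of the Moveworks documentation: it confirms the certificate has the BEGIN/END framing and a decodable body, and returns a SHA-256 fingerprint that both sides can compare out of band. The function names, the https requirement on idp_sso_url, and the sample values are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlparse

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"

def cert_fingerprint(pem):
    """Check PEM framing and return the SHA-256 fingerprint of the DER body."""
    text = pem.strip()
    if not (text.startswith(PEM_HEAD) and text.endswith(PEM_TAIL)):
        raise ValueError("missing BEGIN/END CERTIFICATE framing")
    body = "".join(text[len(PEM_HEAD):-len(PEM_TAIL)].split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64 ({exc})") from exc
    if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_handoff(values):
    """Return the problems found in the three values; an empty list means none."""
    problems = []
    for key in ("idp_sso_url", "idp_issuer"):
        value = values.get(key, "")
        if not value or value != value.strip():
            problems.append(f"{key}: empty or padded with whitespace")
    sso = urlparse(values.get("idp_sso_url", ""))
    if sso.scheme != "https" or not sso.netloc:
        problems.append("idp_sso_url: must be an absolute https URL")
    try:
        cert_fingerprint(values.get("idp_issuer_cert", ""))
    except ValueError as exc:
        problems.append(f"idp_issuer_cert: {exc}")
    return problems

# Constructed sample values: example.com endpoints and a 5-byte DER stub
# (SEQUENCE { INTEGER 0 }), not a real tenant or a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE = {
    "idp_sso_url": "https://idp.example.com/saml2",
    "idp_issuer": "https://idp.example.com/issuer/",
    "idp_issuer_cert": f"{PEM_HEAD}\n{base64.b64encode(SAMPLE_DER).decode()}\n{PEM_TAIL}\n",
}

if __name__ == "__main__":
    print(check_handoff(SAMPLE) or cert_fingerprint(SAMPLE["idp_issuer_cert"]))
```

The check covers framing and encoding only; it does not parse the X.509 structure or look at the certificate's validity dates.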