Microsoft Entra (Azure AD) SSO Configuration Guide (SAML)

Before you start

Ensure you have Admin Access to your SSO portal.

Ask your Moveworks team for your CUSTOMER_ID: this is your organization's unique identifier, which will be used to create branded URLs for login.

Setup Instructions in Azure Portal

  1. Navigate to https://portal.azure.com

  2. Create a new Enterprise application > + New application

  3. Search Moveworks in Entra Gallery > Select Moveworks > Create application.

  1. Go to Single sign-on > Select SAML application.

  2. Edit Basic SAML Configuration and set the Reply URL (Assertion Consumer Service URL), Sign on URL, and Relay State.

  1. Reply URL (Assertion Consumer Service URL): Moveworks uses the same URL for sending and receiving SAML Assertions. Specify your SAML Assertion Consumer Service (ACS) URL based on your region below. Use United States as your default region, unless your organization is launched in a different data center region. Please ask your Moveworks Customer Success team for your region if you are unsure.
  1. Sign-on URL: This URL defines the entry point your employees can use to access your Moveworks SAML app. Use the table above for your sign-on URL. Use United States as your default region, unless your organization is launched in a different data center region. Please ask your Moveworks Customer Success team for your region if you are unsure.

  2. Audience URI (also called SP Entity ID): Enter https://moveworks.com

    1. Note: this should be the default value if you install through the Entra app gallery
  3. Default Relay State: Enter your CUSTOMER_ID from the previous step.

  4. App Visibility: Ensure your app is visible to users. Additionally set "Assignment Required" to true, as per your organization's IT policy.

  5. On step 3, select Edit

  1. Update the Signing Option (Optional) to Sign SAML response and assertion, and the Signing Algorithm (Optional) to SHA-256.
  1. Logo (Optional): Download and upload the following Moveworks icon for your application:

Finish Moveworks’ side of the integration

After the above setup is complete, provide the following information to your Moveworks Customer Success team:

  1. Identity Provider (IDP) Single Sign-On URL: (called idp_sso_url)
  2. Issuer URL: (called idp_issuer)
  3. Issuer X.509 Certificate: (called idp_issuer_cert)
    1. Your certificate can be viewed or downloaded from your SSO app
    2. Your certificate should start with -----BEGIN CERTIFICATE-----
    3. Your certificate should end with -----END CERTIFICATE-----
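
One way to collect the three values above without copy-and-paste mistakes is to read them from the app's SAML federation metadata XML. This is an added example, not Moveworks or Microsoft code; it goes beyond the page by assuming you have downloaded that metadata file, and the function name, TENANT-ID-PLACEHOLDER and the certificate bytes are constructed for illustration.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of a SAML 2.0 IdP metadata document.
# The tenant placeholder and certificate bytes are made up, not a real cert.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_values(metadata_xml: str) -> dict:
    """Return idp_sso_url, idp_issuer and idp_issuer_cert (PEM) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks an SSO endpoint or signing certificate")
    sso_url = sso.get("Location", "")
    if not sso_url.startswith("https://"):
        raise ValueError("SSO URL must use https")
    b64 = "".join(cert.text.split())          # drop line breaks inside the element
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 characters
    if der[:1] != b"\x30":                     # X.509 DER starts with a SEQUENCE tag
        raise ValueError("certificate body is not DER")
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                     "-----END CERTIFICATE-----"])
    return {"idp_sso_url": sso_url, "idp_issuer": root.get("entityID"),
            "idp_issuer_cert": pem}
```
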