DocumentationDeveloperAcademyCommunitySupportLogin

Microsoft Entra (Azure AD) SSO Configuration Guide (SAML)

Suggest Edits

Before you start

Ensure you have Admin Access to your SSO portal.

Ask your Moveworks team for your CUSTOMER_ID: this is your organization's unique identifier which will be used to create branded urls for login.

Setup Instructions in Azure Portal

  1. Create a new Enterprise application > + New application

  2. Search Moveworks in Entra Gallery > Select Moveworks > Create application.

  1. Go to Single sign-on > Select SAML application.

  2. Edit Basic SAML Configuration > and set the Reply URL (Assertion Consumer Service URL), Sign on URL, and Relay State

  3. Reply URL (Assertion Consumer Service URL): Moveworks uses the same url for sending and receiving SAML Assertions. Specify your SAML Assertion Consumer Service (ACS) URL based on your region below. Use United States as your default region, unless your organization is launched in a different data center region. Please ask your Moveworks Customer Success team for your region if you are unsure.

RegionSAML ACS URL (also called single sign-on URL, Destination URL, Recipient URL)Sign-on URL
United States (default)https://CUSTOMER_ID.moveworks.com/login/sso/samlhttps://CUSTOMER_ID.moveworks.com
Canadahttps://CUSTOMER_ID.am-ca-central.moveworks.com/login/sso/samlhttps://CUSTOMER_ID.am-ca-central.moveworks.com
EUhttps://CUSTOMER_ID.am-eu-central.moveworks.com/login/sso/samlhttps://CUSTOMER_ID.am-eu-central.moveworks.com
Australia / Asia Pacifichttps://CUSTOMER_ID.am-ap-southeast.moveworks.com/login/sso/samlhttps://CUSTOMER_ID.am-ap-southeast.moveworks.com
Government Secure Cloudhttps://CUSTOMER_ID.moveworksgov.com/login/sso/samlhttps://CUSTOMER_ID.moveworksgov.com

  1. Sign-on URL: This URL defines the entry point your employees can use to access your Moveworks SAML app. Use the table above for your sign-on URL. Use United States as your default region, unless your organization is launched in a different data center region. Please ask your Moveworks Customer Success team for your region if you are unsure.

  2. Audience URI (also called SP Entity ID): Enter https://www.moveworks.com.

  3. Default Relay State: Enter your CUSTOMER_ID from the previous step.

  4. App Visibility: Ensure your app is visible to users. Additionally set "Assignment Required" to true, as per your organization's IT policy.

  5. Signing Option(Optional): Choose Sign SAML response and assertion

  6. Signing Algorithm(Optional): Choose SHA-256

  7. Logo(Optional) Download & upload the following Moveworks icon for your application:

Finish Moveworks’ side of the integration

After the above setup is complete, provide the following information to your Moveworks Customer Success team:

  1. Identity Provider (IDP) Single Sign-On URL: (called idp_sso_url)
  2. Issuer URL: (called idp_issuer)
  3. Issuer X.509 Certificate: (called idp_issuer_cert)
    1. Your certificate can be viewed or downloaded from your SSO app
    2. Your certificate should start with a -----BEGIN CERTIFICATE-----
    3. Your certificate should end with a -----END CERTIFICATE-----

Updated about 2 months ago