Prerequisites

🚧

Making edits?

Before you edit your SSO configuration, make sure you are logged into MyMoveworks. Otherwise, you will not be able to log in and update your SSO configuration details.

Microsoft Entra Prerequisites

• Ensure you have Access to the Azure Admin Portal with the appropriate IAM permissions in Azure to register a new Enterprise Application.

Moveworks SSO Prerequisites

• Your Moveworks Environment should be initialized in order to continue. (Verify with your Account Team if this has been completed)

• Note the following values.

  • data_center_domain - the data center where your organization is hosted (see table below).

    Data Center	data_center_domain
    United States (default)	moveworks.com
    Canada	am-ca-central.moveworks.com
    EU	am-eu-central.moveworks.com
    Australia / Asia Pacific	am-ap-southeast.moveworks.com
    Government Secure Cloud	moveworksgov.com

  • subdomain - your organization's login subdomain. This should match your customer_id, which can beverified from the General Information Page.

    🚧

    Warning

    Make sure to use the unique subdomain. For example, if you're organization's login subdomain is acme.moveworks.com, then your subdomain is acme and your data_center_domain is moveworks.com which is part of the US Data center.

  • customer_id - The unique identifier for your organization . This is stored as Org Name under Organization Details > General Information

    

    ❗️

    The Org name cannot be changed. Once set, the same value should be used in all cases.

    In exceptional cases where you would like Moveworks to support your organisation with a different subdomain value. Please reach out to Moveworks Support.

Configuration Steps

Create OIDC Application

We recommend setting up a new/separate app registration for this step instead of reusing the App-reg created for the Teams bot setup

1. Go to https://portal.azure.com/

2. Find the App Registrations service

   

3. Select New Registration

   

4. Register the Application

   • Name: Moveworks
   • Supported account types: Accounts in this organizational directory only

5. Select Register

Configure Moveworks Settings

1. Go to Manage > Branding & properties and update the following:

   • Upload new logo:

     

   • Home Page URL: https://{{subdomain}}.{{data_center_domain}}

2. Go to Manage > Authentication, Select Add a Platform and choose Web

   

   
   

3. Add your Redirect URI as https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc

Enable User Access

1. Go to Enterprise Applications

   

2. Find the application you created

   

   
   

3. Go to Security > Permissions and click Grant admin consent for {{your company}}.

   

Generate Client Secret

1. Navigate back to the App Registration page. The following settings are not available on the Enterprise Application page

2. Go to Certificates & secrets.

3. Click New client secret.

   

4. Add Description and Expires. We recommend selecting 24 months as the expiration policy.

   

5. Write down the Value as your idp_secret

   

6. Go to the Overview tab and note down your Application (client) ID. This is your idp_client_id

   

7. Click Endpoints > OpenID Connect metadata document and paste it in your browser

8. 

   Copy the issuer from the resulting JSON. This is your idp_issuer

   

   
   

   Add SSO Configuration in MyMoveworks

9. Navigate to SSO Settings in MyMoveworks

   

   
   

10. If you already see a studio config, edit it. Otherwise, choose Create.

11. Add your configuration using the values you've noted above

    • Moveworks Product: studio
    • Select Connector: ms_graph
    • Authentication Protocol: OIDC
    • IDP Redirect URL: https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc
      • e.g. https://acme.am-eu-central.moveworks.com/login/sso/oidc
    • IDP Issuer: idp_issuer(from Step 7)
      • e.g. https://login.microsoftonline.com/9ed5798c-9bbe-471c-8005-7658c9846400/v2.0
    • IDP Client Id: idp_client_id (from Step 5)
    • IDP Client Secret: idp_client_secret (from Step 4)

12. Click Submit.

13. Wait a few minutes, then attempt to log into your instance at https://{{subdomain}}.{{data_center_domain}}

FAQ

Does Moveworks support reading user data such as 'upn' from a custom scope / additional claim?

1. No - Moveworks will only request the openid, email, and profile scopes during the authentication process. By default, Moveworks will use the 'Mail' field from Azure to determine the logging in user. By default the email address from the user's 'Mail' field in Entra must match their email_addr field in their Moveworks User Record for the login to My Moveworks or Web Bot to be successfull.

How do I assign users to an Entra Application?

1. Go to Enterprise Applications in Azure

2. Find the application you just registered.

3. From there, click Manage > Properties as shown below.

4. From the Properties page, toggle the Assignment required field to Yes, and Visible to users field to Yes as shown below.

   

5. Navigate to the Users and groups section and assign the app to all users that need access to it either directly or via a group.

   

6. When your users navigate to the MyApps Portal after a few minutes, they should be able to see the app and login directly from there.