Installing Embedded AI Assistant with a Code Snippet and Azure OIDC

This guide walks you through the Azure SSO OIDC setup for Embedded AI Assistant (M4W). This will create an Azure application that will then allow customers to copy a code snippet of the AI Assistant and paste it onto any page governed by Azure SSO, and Embedded AI Assistant will just work, automatic authentication and all.

Prerequisite Questions

• Does the site/page you want to include Embedded AI Assistant on allow for HTML/JavaScript editing?
  • If you want it to be everywhere on the site, does it support site templates, master pages, headers, footers, or other similar global page elements that support HTML/JavaScript editing?
• Is the site/page governed by Azure SSO?

Installation Prerequisites

• On the day of installation, we need an individual who has Global Administrator access in your Azure tenant

🚧

The Azure OIDC silent authentication only works if users are logged into only one MS tenant. Make sure users logged out from other testing tenants when testing webchat bot. This should be rare if the end users are logged into multiple tenants at once.

Step 1: Azure App Setup Instructions

1. Go to the https://portal.azure.com/ that lets you create Applications.
2. Click on App registrations

3. Select New Registration in the next screen.

Step 2: Configure the application

1. Specify a name for the application. We recommend using your bot’s name.

2. Configure the application.

   1. Based on your Moveworks environment, set the Redirect URI as one of the following: Commercial Environment: https://webchat-kprod.moveworks.io/login/sso/oidc GovCloud Environment: https://webchat.prod.am-usge1.moveworks.io/login/sso/oidc EU Environment: https://webchat.prod.am-euc1.moveworks.io/login/sso/oidc Canada Environment: https://webchat.prod.am-cac1.moveworks.io/login/sso/oidc AU Environment: https://webchat.prod.am-apse2.moveworks.io/login/sso/oidc

3. Select options as shown below.

Step 3: Generate idp_secret

1. Go to Certificates & secrets on the left
2. Click New client secret
3. Add Description and Expires. 24 months is our recommended option to go with as it is the longest time possible. You can have multiple secrets at once, so before one expires you can create another for a seamless cutover.

Once the secret is created, copy the value and send to Moveworks engineer. Note that this value is only accessible at the time of creation. You will need to create a new one if the previous one isn’t saved before leaving the page.

Step 4: Grant tenant level user consent to the app

1. Go to Azure Active Directory
2. Go to Enterprise Application under Manage
3. Find the application just created and open
4. Go to Permissions and click Grant admin consent for<org>

Step 5: Configure Moveworks

After setup is complete, use the following information to add the SSO configuration within Moveworks setup:

1. Go the Overview in App registrations → your app just created.
   1. idp_client_id
   2. idp_issuer
   3. idp_secret (saved locally in the previous step)
2. Within Moveworks Setup, navigate to Single Sign-on (SSO)
3. Click create to create a new SSO configuration
4. Input the following details:
   1. Moveworks Product: Movewebchat
   2. Select Connector: ms_graph
   3. Authentication Protocol: OIDC
   4. IDP redirect URL
   5. IDP issuer
   6. Client ID
   7. Client Secret

Create Moveworks Setup Authentication Configuration

1. Within Moveworks Setup, Navigate to Web Chatbot > Authentication and click create to create a new authentication record
2. Set Auth Config to Generic SSO
3. Set SSO Config to the SSO configuration record you created in the previous section of this guide.
4. Set Auth Key to defaultfor single SSO authentication setups. For setups where you have multiple SSO systems users use to authenticate, follow the Multi SSO Configuration Guide

Configure the Embedded AI Assistant

You will need to follow the Embedded AI Assistant Configuration Guide to complete the remaining setup steps if you have not done so already.