Moveworks for Web Installation - Okta OIDC

Installing Moveworks for Web with a Code Snippet and Okta OIDC

This method of installation allows you to embed Moveworks for Web on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. You will create an Okta application, then copy a code snippet of the bot and paste it onto any page governed by Okta. Moveworks for Web will then just work, automatic authentication and all.

Prerequisite Questions

  • Does the site/page you want to include Moveworks for Web on allow for HTML/JavaScript editing?
    • If you want it to be everywhere on the site, does it support site templates, master pages, headers, footers, or other similar global page elements that support HTML/JavaScript editing?
  • Is the site/page governed by Okta SSO?
  • Ensure there is a tool owner with Super Admin access in your Okta instance

Installation Participants

On the day of installation, we need these individuals from your team on the call:

  • Okta super admin
    • Must be able to add a new application and make tenant-level configuration changes.
  • Target host admin(s)
    • Must be able to paste an HTML/JavaScript code snippet onto the target page or site.

Installation Overview

Moveworks can walk you through the Okta application installation on a call in about 15 minutes.

Setting up the Okta application is a one-time activity. From then on, you are free to paste the code snippet onto any other site governed by your Okta OIDC at your convenience.

Moveworks will Provide the Following:

  • Unique Customer Bot ID

Okta App Setup Instructions

Go to the screen that lets you create Applications.

Click on Create App Integration

Select OIDC - OpenID Connect in the next screen.

  1. Fill out the Settings page
    1. Specify a name for the application. We recommend using your bot’s name.
    2. Use https://webchat-kprod.moveworks.io/login/sso/oidc as the Sign-in redirect URL.
    3. Specify https://webchat-kprod.moveworks.io as the Trusted Origin.
    4. Configure to be one of the following options:
      1. Allow everyone in your organization to access
      2. Limit access to selected groups

Select options as shown below.

Go back to General Settings and uncheck Require consent. Because the bot performs silent authentication, the Require consent setting will block the bot auth flow and leave the bot invisible.
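The following check is an added example, not Moveworks or Okta code: it compares an exported app configuration against the redirect URL, trusted origin, and consent setting from the steps above. The JSON field names (settings.oauthClient.redirect_uris, consent_method, origin) are assumed to follow Okta's management API output, and the sample data is constructed.

```javascript
// Values taken from the setup steps on this page.
const EXPECTED_REDIRECT = 'https://webchat-kprod.moveworks.io/login/sso/oidc';
const EXPECTED_ORIGIN = 'https://webchat-kprod.moveworks.io';

// app: JSON for the OIDC app; origins: array of trusted-origin records.
// Field names are an assumption about the export format (see lead-in).
function auditMoveworksOktaApp(app, origins) {
  const findings = [];
  const oauth = (app.settings && app.settings.oauthClient) || {};
  const redirects = oauth.redirect_uris || [];

  if (!redirects.includes(EXPECTED_REDIRECT)) {
    findings.push('missing sign-in redirect URI ' + EXPECTED_REDIRECT);
  }
  for (const uri of redirects) {
    if (uri === EXPECTED_REDIRECT) continue;
    // Any extra or wildcard redirect widens where auth responses can be sent.
    findings.push(uri.includes('*')
      ? 'wildcard redirect URI: ' + uri
      : 'unexpected redirect URI: ' + uri);
  }
  if (oauth.consent_method === 'REQUIRED') {
    findings.push('Require consent is enabled; silent authentication will be blocked');
  }
  // Compare normalized origins so a trailing slash does not hide a match.
  const hasOrigin = origins.some((o) => {
    try { return new URL(o.origin).origin === EXPECTED_ORIGIN; }
    catch (e) { return false; }
  });
  if (!hasOrigin) findings.push('trusted origin not registered: ' + EXPECTED_ORIGIN);
  return findings;
}

// Constructed sample input (not a real tenant export).
const sampleApp = {
  label: 'ExampleBot',
  settings: { oauthClient: {
    redirect_uris: [EXPECTED_REDIRECT, 'https://*.example.com/callback'],
    consent_method: 'REQUIRED',
  } },
};
const sampleOrigins = [{ name: 'Intranet', origin: 'https://intranet.example.com' }];

console.log(auditMoveworksOktaApp(sampleApp, sampleOrigins));
```

An empty result means the app matches the settings described in this guide.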

Finish the Moveworks side of the integration

After setup is complete, provide the following information to your CS team.

  1. The domains and URLs that will host the web bot (e.g. www.moveworks.ai/*)
  2. Client ID (idp_client_id)
  3. Client Secret (idp_secret)
  4. Okta Domain (idp_issuer)
  • To get this information, go to the General tab

Prepare code snippet

You will need to paste the following code snippet in your web page's HTML body.

The highlighted red areas are provided based on your settings. bot_id is the unique bot ID provided by your CS team.

If your installation does not require any style overrides then use the following:

<script src="https://webchat-kprod.moveworks.io/script/<bot_id>"></script>

Otherwise use the following:

<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', // Leave this blank; this is for token-based deploys.
                '<bot_id>',
                {
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>',
                    styles: '<optional, see below>'
                }
            );
        };
        script.src = 'https://webchat-kprod.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>
  • You can also add these optional parameters along with serverUrl. See below.
    • styles controls the position of the avatar
                {
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>',
                    styles: {
                        bottom: '0px',
                        right: '10px',
                        zIndex: 999,
                    },
                },

Congrats! You did it! By pasting this onto a given page, or template for a page, the bot will appear if the user successfully authenticates. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the bot will simply not appear. This is true for all websites governed by Azure OIDC SSO, thus you are now free to paste this snippet anywhere that supports it.

By default, this behavior is NOT enabled for all users. Work with your CS team to first create an allowlist of users who can test the web bot before having them enable it for all users.