Moveworks for Web Installation - Okta SAML SSO

Installing Moveworks for Web with a Code Snippet and Okta SAML SSO

This method of installation allows you to embed Moveworks for Web on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. It simply requires setting up an Okta application and then pasting a code snippet onto your target pages.

Installation Participants

On the day of installation, we need these individuals from your team on the call:

  • Okta super admin
    • Must be able to add a new application and make tenant-level configuration changes.
  • Target host admin(s)
    • Must be able to paste an HTML/JavaScript code snippet onto the target page or site.

Installation Overview

Moveworks can walk you through the Okta application installation on a call in about 15 minutes.

Setting up the Okta application is a one-time activity. From then on, you are free to paste the code snippet onto any other site governed by your Okta SSO at your convenience.

Moveworks will provide the following:

  • Unique Customer Identifier String
  • Unique Customer Code Snippet

Step 1: Review Security Overview document and Verify Okta tenant is configured to support iFrames

Moveworks for Web is an iframe-based application since the entire chat is hosted on Moveworks’ domain. Okta allows these kinds of applications to be installed by enabling a tenant-wide configuration (see screenshot below).

Enabling this feature is necessary for Moveworks for Web to function; however, it also allows other Okta applications to use iFrames. Enabling it within the Okta tenant may weaken the customer’s security posture, since it may enable attackers to perform a clickjacking attack against end users. Customers may sign up for Okta’s beta program feature for trusted origins, which only allows explicitly specified domains, such as Moveworks, to be displayed in iFrames. We highly recommend that customers review this with their security team (or an equivalent) before enabling this feature.
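A security team reviewing this setting can check which origins a browser would allow to frame a tenant page. The example below is added here and is not Moveworks or Okta code: it evaluates a response's `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers for a given embedding origin. The header values and the `example.okta.com` and `intranet.example.com` names are constructed, and it is an assumption that the tenant expresses its framing policy through these headers.

```javascript
// Added example: would a browser let `embedder` frame a response from `resource`?
// Simplified CSP matching: ports and paths in sources are not handled (fail closed).
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, embedder, resource) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return embedder.origin === resource.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // 'none', or a form this sketch does not support
  const [, scheme, wildcard, host] = m;
  // A source without a scheme takes the resource's scheme (upgrade rules omitted).
  if (embedder.protocol !== (scheme ? scheme + ':' : resource.protocol)) return false;
  return wildcard
    ? embedder.hostname.endsWith('.' + host) // *.example.com excludes example.com
    : embedder.hostname === host;
}

// `headers` uses lower-case header names (assumption of this example).
function canFrame(headers, resourceUrl, embedderOrigin) {
  const resource = new URL(resourceUrl);
  const embedder = new URL(embedderOrigin);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) { // frame-ancestors takes precedence over X-Frame-Options
    return sources.some((src) => sourceMatches(src, embedder, resource));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === resource.origin;
  return true; // no effective restriction: any origin may frame the page
}

// Constructed sample responses (hypothetical tenant and intranet names).
const TENANT = 'https://example.okta.com/';
const restricted = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://intranet.example.com",
  'x-frame-options': 'SAMEORIGIN',
};
const unrestricted = {}; // framing allowed with no origin list
console.log(canFrame(restricted, TENANT, 'https://intranet.example.com'));
console.log(canFrame(restricted, TENANT, 'https://unlisted.example.net'));
console.log(canFrame(unrestricted, TENANT, 'https://unlisted.example.net'));
```

The third case is the posture the paragraph above warns about: with no origin list in effect, an unlisted site can frame the page.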

For further information about this feature please see:

Step 2: Okta App Setup Instructions

Go to the screen that lets you create Applications.

Click on Create App Integration.

Select SAML 2.0 in the next screen.

Specify a name for the application. Moveworks recommends using your bot’s name.

Check the box to not display the bot as an application among your users’ Okta chiclets.

Click next to configure the application.

Based on your bot environment, set the Single sign on URL as one of the following:

Commercial Environment: https://webchat-kprod.moveworks.io/login/sso/saml
GovCloud Environment: https://webchat.moveworksgov.com/login/sso/saml
EU Environment: https://webchat.prod.am-euc1.moveworks.io/login/sso/saml
Canada Environment: https://webchat.prod.am-cac1.moveworks.io/login/sso/saml

Specify https://www.moveworks.com/ as the Audience URI.

In Default Relay State: Add the unique customer identifier string provided by Moveworks.

Select email address as the Name ID format.

On the Feedback panel, select the following options.

Step 3: Provide Moveworks configuration info about your app

  1. Go to the Sign On tab and click on View Setup Instructions.
  2. Please provide Moveworks the following:

    1. Identity Provider Single Sign-On URL
    2. Identity Provider Issuer
    3. X.509 Certificate
  3. Go to the General tab. Please provide Moveworks the Embed Link.

Step 4: Await Moveworks to complete its configuration

Moveworks will use the details you provided to complete the configuration on the Moveworks backend. This typically takes about 2 business days.

Step 5: Paste the bot onto your site

Go to your web host’s HTML/JavaScript editor, paste the following code snippet onto the page (which Moveworks will uniquely configure for you), and publish the changes.

<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '',
                '<bot_id>',
                {
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>', // Replace <bot_id> with your bot ID, which Moveworks will provide
                },
            );
        };
        script.src = 'https://webchat-kprod.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>

If you would like to move the bot around the page, you can modify the style parameters:

That’s it!

Step 5 is the only step necessary going forward if you want to put the bot onto other hosts. You can reuse the code snippet on as many websites as you like as long as they use the same Okta SSO.

By pasting this onto a given page, or a template for a page, the bot will appear if the user successfully authenticates when they visit it. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the bot will simply not appear.

If the bot does not automatically appear, let your Moveworks Customer Success Engineer know the domains to which you added the bot, and we’ll make sure they are allowlisted on the Moveworks side.