On the day of installation, we need these individuals from your team on the call:
- Okta super admin
  - Must be able to add a new application and make tenant-level configuration changes.
- Target host admin(s)
Moveworks can walk you through the Okta application installation on a call in about 15 minutes.
Setting up the Okta application is a one-time activity. From then on, you are free to paste the code snippet onto any other site governed by your Okta SSO at your convenience.
- Unique Customer Identifier String
- Unique Customer Code Snippet
Please review the following document with your security team (or equivalent) before proceeding with installation:
Moveworks for Web is an iframe-based application since the entire chat is hosted on Moveworks’ domain. Okta allows these kinds of applications to be installed by enabling a tenant-wide configuration (see screenshot below).
Enabling this feature is necessary for Moveworks for Web to function; however, it also allows other Okta applications to use iFrames. Enabling it within the Okta tenant may weaken the customer's security posture, since it may enable attackers to perform a clickjacking attack against end users. Customers may sign up for Okta's beta program feature for trusted origins, which allows only explicitly specified domains, such as Moveworks, to be displayed in iFrames. We highly recommend that customers review this with their security team (or an equivalent) before enabling this feature.
For further information about this feature please see:
- Okta iFrame solution: https://support.okta.com/help/s/article/Okta-in-IFrame-is-not-working?language=en_US
- Trusted Origins for iFrame embedding (beta feature): https://help.okta.com/en-us/Content/Topics/API/trusted-origins-iframe.htm
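To check what a tenant permits before and after this change, a security team can evaluate the framing headers returned by the sign-in page. The following is an added example, not Moveworks or Okta code; it assumes the policy is expressed through `Content-Security-Policy: frame-ancestors` or `X-Frame-Options`, and the tenant hostname, the unlisted origin and the sample header values are constructed.

```javascript
// Added example: given a page's response headers, may `framerUrl` embed it?
// Checks the direct embedder only; browsers test every ancestor frame.
// Scheme matching is exact (CSP's http-to-https upgrade rule is not modelled).
const effPort = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

function sourceMatches(src, framer, page) {
  const s = src.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return framer.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s; // scheme only
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // 'none' or an unparsable source matches nothing
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol;
  if (framer.protocol !== wantScheme) return false;
  const hostOk = wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
  const wantPort = port || (wantScheme === 'https:' ? '443' : '80');
  return hostOk && (wantPort === '*' || wantPort === effPort(framer));
}

function mayFrame(headers, framerUrl, pageUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const framer = new URL(framerUrl), page = new URL(pageUrl);
  const fa = (h['content-security-policy'] || '').split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
  if (fa) return fa.slice(1).some((src) => sourceMatches(src, framer, page));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer.origin === page.origin;
  return true; // no restriction; obsolete ALLOW-FROM is ignored by current browsers
}

// Constructed inputs: placeholder tenant, the webchat host from this page, an unlisted site.
const TENANT = 'https://tenant.okta.example/';
const WEBCHAT = 'https://webchat-kprod.moveworks.io/';
const UNLISTED = 'https://unlisted.example/';
const SAMPLES = {
  unrestricted: {},
  allowlisted: { 'Content-Security-Policy': "frame-ancestors 'self' https://*.moveworks.io" },
  sameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
};

function report() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, hdrs]) =>
    [name, { webchat: mayFrame(hdrs, WEBCHAT, TENANT), unlisted: mayFrame(hdrs, UNLISTED, TENANT) }]));
}
console.log(report());
```

The `unrestricted` row is the case the clickjacking warning describes: any site can frame the page. Headers captured from a real response can be passed to `mayFrame` in place of the samples.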
Go to the screen that lets you create Applications.
Click on Create App Integration.
Select SAML 2.0 in the next screen.
Specify a name for the application. Moveworks recommends using your bot’s name.
Check the box to not display the bot as an application among your users’ Okta chiclets.
Click Next to configure the application.
Based on your bot environment, set the Single sign on URL as one of the following:
Commercial Environment: https://webchat-kprod.moveworks.io/login/sso/saml
GovCloud Environment: https://webchat.prod.am-usge1.moveworks.io/login/sso/saml
EU Environment: https://webchat.prod.am-euc1.moveworks.io/login/sso/saml
Canada Environment: https://webchat.prod.am-cac1.moveworks.io/login/sso/saml
Specify https://www.moveworks.com/ as the Audience URI.
In Default Relay State: Add the unique customer identifier string provided by Moveworks.
Select email address as the Name ID format.
On the Feedback panel, select the following options.
Go to the Sign On tab and click on View Setup Instructions.
Please provide Moveworks the following:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
Go to the General tab. Please provide Moveworks the Embed Link.
Moveworks will use the details you provided to complete the configuration on the Moveworks backend. This typically takes about 2 business days.
If you would like to move the bot around the page, you can use this snippet format instead, which includes some style parameters:
Step 5 is the only step necessary going forward if you want to put the bot onto other hosts. You can reuse the code snippet on as many websites as you like as long as they use the same Okta SSO.
By pasting this onto a given page, or a template for a page, the bot will appear if the user successfully authenticates when they visit it. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the bot will simply not appear.
If the bot does not automatically appear, let your Moveworks Customer Success Engineer know the domains to which you added the bot, and we’ll make sure they are allowlisted on the Moveworks side.