Moveworks for Web Installation - Okta SAML SSO
Installing Moveworks for Web with a Code Snippet and Okta SAML SSO
This method of installation allows you to embed Moveworks for Web on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. It simply requires setting up an Okta application and then pasting a code snippet onto your target pages.
Installation Participants
On the day of installation, we need these individuals from your team on the call:
- Okta super admin
- Must be able to add a new application and make tenant-level configuration changes.
- Target host admin(s)
- Must be able to paste an HTML/JavaScript code snippet onto the target page or site.
Installation Overview
Moveworks can walk you through the Okta application installation on a call in about 15 minutes.
Setting up the Okta application is a one-time activity and from then on you are free to paste the code snippet onto any other site governed by your Okta SSO at your convenience.
Moveworks will provide the following:
- Unique Customer Identifier String
- Unique Customer Code Snippet
Step 1: Review Security Overview document and Verify Okta tenant is configured to support iFrames
Moveworks for Web is an iframe-based application since the entire chat is hosted on Moveworks’ domain. Okta allows these kinds of applications to be installed by enabling a tenant-wide configuration (see screenshot below).
Enabling this feature is necessary for Moveworks for Web to function, however, it does allow other Okta applications to utilize iFrames as well. By enabling this feature within the Okta tenant, customer’s security posture may be weakened since this may enable attackers to perform a clickjacking attack against end users. Customers may sign up for Okta’s beta program feature for trusted origins which only allows explicitly specified domains to be displayed in iFrames, such as Moveworks. We highly recommend customers review this with their security team (or an equivalent) before enabling this feature.
For further information about this feature please see:
- Okta iFrame solution: https://support.okta.com/help/s/article/Okta-in-IFrame-is-not-working?language=en_US
- Trusted Origins for iFrame embedding (beta feature): https://help.okta.com/en-us/Content/Topics/API/trusted-origins-iframe.htm
Step 2: Okta App Setup Instructions
Go to the screen that lets you create Applications.
Click on Create App Integration.
Select SAML 2.0 in the next screen.
Specify a name for the application. Moveworks recommends using your bot’s name.
Check the box to not display the bot as an application among your users’ Okta chiclets.
Click next to configure the application.
Based on your bot environment, set the Single sign on URL as one of the following:
Commercial Environment: https://webchat-kprod.moveworks.io/login/sso/saml
GovCloud Environment: https://webchat.moveworksgov.com/login/sso/saml
EU Environment: https://webchat.prod.am-euc1.moveworks.io/login/sso/saml
Canada Environment: https://webchat.prod.am-cac1.moveworks.io/login/sso/saml
Specify https://www.moveworks.com/ as the Audience URI.
In Default Relay State: Add the unique customer identifier string provided by Moveworks.
Select email address as the Name ID format.
On the Feedback panel, select the following options.
Step 3: Provide Moveworks configuration info about your app
- Go the Sign On tab and click on View Setup Instructions.
-
Please provide Moveworks the following:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
-
Go to the General tab. Please provide Moveworks the Embed Link.
Step 4: Complete your Configuration in Moveworks Setup
Moveworks will use the details you provided to complete the configuration on the Moveworks backend. This typically takes about 2 business days.
Step 5: Prepare code snippet
You will need to follow this section here to paste the code snippet onto your website.
That’s it!
You can reuse the code snippet on as many host websites as you like as long as they use the same Okta SSO.
By pasting this onto a given page, or a template for a page, the bot will appear if the user successfully authenticates when they visit it. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the bot will simply not appear. For security purposes, no error message will be shown to the user
If the bot does not automatically appear, please file a Moveworks Support ticket letting the team know the domains to which you added to the bot, and our support team can investigate.
Updated 5 months ago