SSO

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is a protocol used to authenticate and authorize users to multiple applications using a single set of credentials. SSO is very convenient for users because they don’t need to memorize multiple passwords and don’t need to perform multiple login operations. When implemented correctly, Single Sign-On (SSO) solutions also improve security and reduce risks created by weak, repeated, or lost passwords.

How does Single Sign-On (SSO) work?

To make SSO possible, an identity provider (IdP) such as Okta or OneLogin must provide a central authentication server, which multiple applications can use to verify user identities. The authentication server validates user identities and confirms their identity to the application by providing an encrypted access token.

When a user first logs into an application, they are redirected to the IdP and are asked to provide their credentials, typically username and password.

For example, when signing in to an application, users can use two different identity providers to login: Application specific user name or Google. When users select one of the options, they are redirected to the relevant IdP to perform authentication.

The authentication server checks the user’s credentials against its central user directory, and if they are valid, starts an SSO session. Subsequently, the user can access the application for a predetermined period without logging in again.

When the user attempts to access another application from the trusted group, there is no need to request credentials again. The application requests authentication from the IdP, leveraging the open SSO session. The IdP provides an access token, and the application grants access to the user without showing the login screen again.

Here is an example of an SSO workflow:

1. The user requests a resource from their desired application/website.
2. The application/website redirects the user to the Identity Provider for authentication, using SAML, OpenID Connect, etc.
3. The IdP authenticates the user and passes a token to the SSO server.
4. The SSO server delivers the token to the application.
5. The application grants access to the user.

Why is SSO configuration necessary for Moveworks?

SSO configuration helps in defining the authentication workflow between your Identity Provider systems and Moveworks. Configuring SSO in Moveworks will allow employees of your company to access your subscribed Moveworks products using single sign-on (SSO).

Users can configure Single Sign-On (SSO) for the following Moveworks products:

1. Control Center
2. Creator Studio
3. Employee Experience Insights (EXI)
4. Moveworks for Web Chat

What are the supported authenticated protocols for SSO?

Moveworks supports following authentication protocols for SSO configuration:

1. SAML (Security Access Markup Language)
2. OIDC (OpenID Connect)

Let’s now go-through a step-by-step guide for setting up SSO for different Moveworks products.

How to configure SSO?

1. Select Moveworks Product - Select the product for which you want to add the connector. (e.g. Creator Studio, EXI, Control Center, etc.). The dropdown will only show products which your organization has subscribed to.
2. Select Authentication Protocol - Choose the type of authentication protocol “SAML”.
3. Select Identity Provider - The integration ID refers to the Identity Provider (okta, ms_graph, ping, etc)

Follow below steps for OIDC based SSO configuration:

1. Add IDP redirect URL - The IDP Redirect URI, also known as the reply URL, is the specific web address where users are sent back to after successfully authenticating with the Identity Provider (IDP) during Single Sign-On (SSO). Input following IDP redirect URLs depending upon the Moveworks product for which you are configuring the SSO.
   1. Creator Studio: https://my.moveworks.com/login/sso/oidc or https://companyName.moveworks.com/login/sso/oidc
   2. Control Center: https://admin.moveworks.com/login/sso/oidc
   3. Employee Experience Insights (EXI): https://insights.moveworks.com/login/sso/oidc
   4. Moveworks for Web Chat: https://webchat-kprod.moveworks.io/login/sso/oidc
2. Add IDP Issuer - An Identity Provider (IDP) Issuer URL is a unique web address that identifies the Identity Provider responsible for authenticating users in a single sign-on (SSO) setup. It points to the location where the authentication service resides, allowing relying parties (such as applications or services) to redirect users there for authentication purposes. This URL is crucial in establishing a secure connection between the service provider and the identity provider during the authentication process in protocols like OAuth or OpenID Connect.

Examples of IDP Issuer URL: https://company.okta.com, https://login.microsoftonline.com/”unique ID”/v2.0

3. Enter IDP Client ID - Client ID is the Client Identifier retrieved from your Identity Provider (Okta, Azure AD, OneLogin, Ping, etc.). Refer to your identity provider's documentation for further details. (e.g. dbfd4b38-293e-4483-834e-8bc8f0873777)

4. Enter IDP Client Secret - Client Secret is the password issued by the IDP for a client. You can obtain the IDP client secret using following methods:

   1. IDP Console: Access the IDP's admin console or settings related to OAuth or application integrations to generate or retrieve the client secret.
   2. OAuth Documentation: Consult the IDP's OAuth or authentication documentation for guidance on creating and managing client secrets.
   3. API Credentials Section: Look within the IDP's developer or API credentials section for options to generate or obtain client secrets tied to specific applications or clients

5. Submit

Follow below steps for SAML based SSO configuration:

1. Enter IDP Sign On/ SSO URL - An IDP Sign-On or SSO URL is the web address where users are redirected to authenticate themselves with the Identity Provider (IDP) during the Single Sign-On (SSO) process. It's the entry point for users to log in with their credentials.

(e.g. Okta: https://yourorg.okta.com/app/example_app/ex12ab34cD5E6fG7/homedefault, Azure Active Directory: https://login.microsoftonline.com/yourtenantid/saml2)

Refer to your identity provider system’s documentation for more information.

2. Enter IDP Issuer/ Identifier ID - The IDP Issuer/ Identifier ID serves as a distinct label for the Identity Provider within SSO setups. It's like a digital fingerprint that uniquely identifies the provider (e.g. https://www.okta.com/ex1aBcDeFgHiJkLmNopq).

You can obtain the IDP Issuer/ Identifier ID using different methods (depending upon the IDP system you are using):
1. Identity Provider Setup: When configuring SSO with an Identity Provider (such as Okta, Azure Active Directory, OneLogin, etc.), they usually generate an Identifier ID or provide you with a specific URL/entity ID for your IDP.
2. Admin Console or Settings: Log in to your Identity Provider's admin console or settings panel. Look for sections related to SAML or SSO configurations.
3. Retrieve from Metadata: Often, the IDP Issuer/Identifier ID can be found within the metadata provided by the Identity Provider. This metadata contains information about the IDP, including its entity ID or issuer.

3. SAML Config Disable Authorization Request - If the protocol is SAML and IDP issuer is Microsoft Online, then disable_authn_request must be true

4. Upload IDP Public Certificate - An IDP certificate, or Identity Provider certificate, is like a digital passport for your SSO (Single Sign-On) system. It's a file that contains encrypted information used by your system to verify and trust the identity of users logging in from different services or applications.

Refer to your identity provider system’s documentation to obtain the certificate.

5. Submit

After submitting, your SSO connection for the requisite Moveworks product will be established. In case of any errors or more information about configuring SSO, contact your customer success manager or customer success engineer.