Azure SSO Configuration Guide

Before you start

  1. Ensure you have access to the Azure Admin Portal with the appropriate IAM permissions in Azure to register a new Enterprise Application.
  2. Identify your Moveworks base URL:
    • Commercial Environment: https://my.moveworks.com
    • GovCloud Environment: https://my.moveworksgov.com
    • EU: https://my.am-eu-central.moveworks.com
    • Canada: https://my.am-ca-central.moveworks.com

Azure App Setup Instructions

Go to the Azure portal (https://portal.azure.com/), where you can create new applications.

Click on App registrations


Select New Registration in the next screen.


Configure the application

  1. Specify a name for the application. We recommend using Moveworks.
  2. Configure the application.
    1. Choose Accounts in this organizational directory only
    2. Select Web
    3. Use <moveworks_base_url>/login/sso/oidc as the Sign-in redirect URL.

Setup Customer ID

Make sure to get your Customer ID from your Customer Success Engineer before this step.
Click on the Branding & Properties tab and set the Home page URL to <moveworks_base_url>/login/org/CUSTOMER_ID.

Generate idp_secret

  1. Go to Certificates & secrets on the left
  2. Click New client secret.
  3. Add a Description and set Expires. We recommend 24 months, as it is the longest time possible. You can have multiple secrets at once, so before one expires you can create another for a seamless cutover.

Once the secret is created, copy the value and send it to your Moveworks CSE. Note that this value is only accessible at the time of creation. You will need to create a new one if the previous one isn’t saved before leaving the page.


Grant tenant level user consent to the app

  1. Go to Azure Active Directory
  2. Go to Enterprise Application under Manage
  3. Find the application you just created and open it
  4. Go to Permissions and click Grant admin consent for Moveworks, Inc.

(Optional) Assign the app to employees in the Azure MyApps portal

  1. Navigate to the Creator Studio Prod Enterprise Application
  2. From the Overview page, click on the Creator Studio Managed Application.
  3. From there, click Properties.
  4. From the Properties page, toggle the Assignment required field to Yes, and the Visible to users field to Yes.
  5. Navigate to the Users and groups section and assign the app to all users that need access to it, either directly or via a group.
  6. When your users navigate to the MyApps Portal after a few minutes, they should be able to see the app and log in directly from there.

Finish Moveworks' side of the integration

After the above setup is complete, provide the following information to your Moveworks Customer Success team.

  1. Go to the Overview in App registrations → the app you just created.
  2. Share the idp_client_id, idp_secret, and idp_issuer with your Customer Success Engineer.
    1. idp_client_id
    2. idp_issuer
    3. idp_secret (saved locally in the previous step)

Configuring for Custom Domains

Limited Preview Availability

This capability is in limited preview. Please contact your CSM if interested.

If you are migrating to "mycompany.moveworks.com" for your login, please make the following changes to your configuration. This should be done live on a call with the Moveworks team to ensure success.

  1. Update the Sign-in redirect URL. It should allow multiple redirect URLs. Please take the CUSTOMER_ID you used before and add the following URL to the list:
     https://CUSTOMER_ID.moveworks.com/login/sso/oidc
  2. Ask the Moveworks Team to finish the update. We'll need to configure our IDP Redirect URL. After that, you can start using your new domain.
  3. Update the Home Page URL. It should now be:
     https://CUSTOMER_ID.moveworks.com
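
To confirm that a registration matches the settings in this guide, the following added example (not Moveworks' or Microsoft's code) audits the app registration's JSON for the single-tenant setting, the redirect and home page URLs, and a client secret that is close to expiry. The function name audit_app, the 60-day warning window, the customer ID acme and the sample JSON are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

def _utc(ts):
    # Graph timestamps are UTC; keep whole seconds so fractional digits don't matter.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_app(app, base_url, customer_id, custom_domain=False, now=None, warn_days=60):
    """Compare an app registration (Graph 'application' JSON) with this guide."""
    now = now or datetime.now(timezone.utc)
    web = app.get("web") or {}
    allowed = {f"{base_url}/login/sso/oidc"}
    home = f"{base_url}/login/org/{customer_id}"
    if custom_domain:  # values from "Configuring for Custom Domains"
        allowed.add(f"https://{customer_id}.moveworks.com/login/sso/oidc")
        home = f"https://{customer_id}.moveworks.com"
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # "this organizational directory only"
        findings.append("signInAudience is not single-tenant")
    redirects = set(web.get("redirectUris") or [])
    findings += [f"missing redirect URI: {u}" for u in sorted(allowed - redirects)]
    findings += [f"unexpected redirect URI: {u}" for u in sorted(redirects - allowed)]
    if web.get("homePageUrl") != home:
        findings.append(f"home page URL should be {home}")
    live = [e for e in (_utc(c["endDateTime"])
                        for c in app.get("passwordCredentials") or []) if e > now]
    if not live:
        findings.append("no unexpired client secret")
    elif max(live) - now < timedelta(days=warn_days):
        findings.append(f"last client secret expires {max(live):%Y-%m-%d}; create its replacement")
    return findings

# Constructed sample, shaped like `az ad app show --id <app-id>` output.
SAMPLE = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"homePageUrl": "https://my.moveworks.com/login/org/acme",
          "redirectUris": ["https://my.moveworks.com/login/sso/oidc",
                           "http://localhost:8080/callback"]},
  "passwordCredentials": [
    {"displayName": "moveworks-2023", "endDateTime": "2025-06-13T22:08:22.1234567Z"}]
}""")

if __name__ == "__main__":
    for finding in audit_app(SAMPLE, "https://my.moveworks.com", "acme",
                             now=datetime(2025, 5, 1, tzinfo=timezone.utc)):
        print(finding)
```

Pass custom_domain=True after the custom-domain migration so that both redirect URLs are accepted and the new Home Page URL is expected.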