Chat Platform ExperiencesMoveworks for Web

Moveworks for Web Installation Guides

View as Markdown

Moveworks for Web can be installed on the following systems:

Installing it on ServiceNow

Installation Participants

On the day of installation, we need these individuals from your team on the call:

  • ServiceNow admin (able to elevate to the security_admin role)
  • Testers
  • Approver to move from test to prod instances

Installation Overview

The call will only take 1 hour to install and run through our test suite.

  • We will install the prod Moveworks bot into your test ServiceNow environment via update sets.
  • Once installed, we will run through a test suite designed to test all aspects of Moveworks for Web without overwhelming your team with needing to test core Moveworks features that would already have been tested during your initial Moveworks deployment.
  • Once tested, we’ll ask the approver on the call for permission to move this to your production environment.
    • This will be done by promoting the update sets to prod and exporting and importing a few additional records.

At the start of the meeting, Moveworks will send you an encrypted email containing the following:

  • Java KeyStore certificate and password
  • Latest base Moveworks update set XML file (if not already installed)
  • Latest Moveworks for Web update set XML file
  • Footer HTML snippet
1

- Install the certificate and create the JWT provider

First, we will create a JWT provider in your instance that will be responsible for generating authentication tokens for our services to verify a user is properly authenticated into ServiceNow whenever they visit a page with the Moveworks for Web widget on it. This is what enables Moveworks for Web to automatically log users in. The following steps will walk you through creating the records below:

  • MW Java Key Store Certificate
  • JWT Key
  • JWT Provider

  1. Navigate to the X.509 Certificate table in SNOW (search for “Certificates” to find it), create a new record as follows:

    Name: MW Java Key Store

    Type: Java Key Store

  2. Click on the paperclip in the upper right to attach the JKS certificate.

  3. Enter the password provided by Moveworks. Right click the top gray bar, click save.
    Important: If you save before entering the password, it may seem to auto populate the Key-store password. This doesn’t always work correctly, so always enter the password manually.

  4. Click “Validate Stores/Certificates” under Related Links to ensure the record was configured properly.

  5. Navigate to the JWT Keys table (under System Oauth). Create a new record and set its Signing Key Store to the certificate record you made in the previous step. Enter the same password Moveworks provided in the Signing Key field. Save this record.

  6. Navigate to the JWT Provider table. Create a new record and set its Signing Configuration to the key record you made in the previous step.

    Important: Copy the sys_id of this JWT Provider record and provide it to your Moveworks Customer Success Team.

2

- Install the base update set

Moveworks offers a number of ServiceNow modules we install into your ServiceNow environment via update sets. If you’ve previously used other Moveworks modules, you may already have the “base” update set module in place. Verify with your Customer Success Engineer that you have the latest one.

If you need to install the base module, navigate to the Retrieved Update Sets table and click Import Update Set from XML under Related Links.

Upload the base update set file you received in the encrypted email, preview the changes, and commit them.

Important: One of the changes the base update set makes in your environment is adding a moveworks_user role that will allow us to make an API call later to finalize setup. Please navigate to the sys_user table and apply the role to the Moveworks service account.

3

- Install the Moveworks for Web update set

Navigate again to the Retrieved Update Sets table and click Import Update Set from XML under Related Links.

Upload the Moveworks for Web update set, preview the changes, and commit them.

  • These modules are very self-contained. If you encounter any errors while committing the files, this is usually self-referential and not something to be concerned about. You can usually ignore the warnings and commit the changes.

Note: If you ever need to update a Moveworks module, back out the old update set before importing the new one.

4

- Place the widget on your portal pages

The Moveworks for Web update set makes a widget available in your system that can either be drag and dropped onto individual pages via the Page Designer or placed across multiple portal pages at once by adding a snippet to your portals’ theme(s).

We recommend the latter as it is fast and maximizes availability for your users.

Navigate to the sp_portal table. Find the portal(s) on which you’d like to include the widget, and click into its Theme record.

Find the footer field:

If there is nothing there, use the magnifying glass to create a new footer record and navigate to it. If there is already a footer there, navigate to that record.

In the footer record, add this snippet to the Body HTML template field:

<div>
<widget id="mw4web"></widget>
</div>

Ensure the footer is applied to your theme:

Now the widget is set to appear on any page using that theme.

5

- Finalize setup

With this complete, Moveworks will now make an API call to your instance. This will finalize the installation, and anyone granted access from the Moveworks side will start seeing the AI Assistant appear on the portal pages.

This API also allows us to make tweaks to the positioning of the AI Assistant on the page if necessary (in case it is blocking something else on your page for instance).

6

- Test

Moveworks will walk everyone through about 15 quick test cases to verify the AI Assistant behaves as expected.

📘

Note: Our test cases will not produce any tickets. If your team chooses to do additional ad hoc tests, it’s worth noting that because we are using a production bot, any tickets your team chooses to file will appear in your production instance, not the test instance in which the widget currently appears.

7

- Promote to production ServiceNow instance

With the tests complete, we like to wrap up the call by promoting the Moveworks for Web to your production instance, so your users can begin enjoying its benefits.

  • Apply the Moveworks role to the Moveworks service account in prod.
  • Export the x.509 certificate record, JWT key, and JWT provider record as XML, and import them into their respective tables in prod.
    • Follow your standard process for promoting update sets from test to prod, doing so for both the base and Moveworks for Web update sets.
  • Add the footer and footer snippet to the same themes in prod.

Finally, Moveworks will make one final API call and the installation process to your prod environment is complete.

Installing it on SharePoint Online (Cloud)

Who can install this?

A SharePoint admin with the global administrator role.

Upload the Moveworks for Web Package to your SharePoint Tenant

Moveworks will email you the web part package containing the Moveworks for Web app.

  1. Navigate to this page: https://{{tenant}}-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement
  2. Click upload, and upload the package provided by Moveworks.
  3. Check the box to deploy it to all sites in the organization.
  4. Click Deploy.

Approve Permissions

  1. Navigate to this page: https://login.microsoftonline.com/common/adminconsent?client_id=cf538890-2c10-4680-84ee-9081502a25b5&redirect_uri=https://www.moveworks.com/sharepoint-installed

    1. Click Accept.
    2. You will be redirected to a Moveworks page with a confirmation. You can close that now.

  2. Navigate to the SharePoint admin center API Access page here:

    1. https://{{tenant}}-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement
    2. Under pending requests, Approve both requested permissions (one from Windows Azure Active Directory for User.Read and one from mw-webchat for user_impersonation).

Now the webpart will be available in your webpart toolbox.

Add the Web Part to a Page

If your user account is allow listed on the Moveworks side, then you will see it right away, if not, work with Moveworks to do so.

Sharepoint Modern Site

It will look like this (a thin rectangle) if you successfully added it and are not allow listed (you can use the trash can to remove it, if desired):

Sharepoint Classic Site

Find the Moveworks for Web web part located in the Other category, and insert it on the page.

After the web part is added to the page. Edit the web part configuration. Change Chrome Type to None.

Installing it on SharePoint Online (Cloud) - GovCloud

Who can install this?

A SharePoint admin with the global administrator role.

Upload the Moveworks for Web Package to your SharePoint Tenant

Moveworks will email you the web part package containing the Moveworks for Web app.

  1. Navigate to this page: https://{{tenant}}.sharepoint.com/sites/appcatalog/AppCatalog/Forms/AllItems.aspx
  2. Click upload, and upload the package provided by Moveworks.
  3. Check the box to deploy it to all sites in the organization.
  4. Click Deploy.
  5. After deploying, now the web-part will be available in your web-part toolbox.

Configure SSO Configuration

right(px), bottom (px), and zIndex - These determine where on the Site UI the AI Assistant shows up.

bot id — This will be provided by your Moveworks CSE

server url — For commercial customers this is https://webchat-kprod.moveworks.io however for GovCloud, this URL should be: https://webchat.prod.am-usge1.moveworks.io

Add the Web Part to a Page

If your user account is allow listed on the Moveworks side, then you will see it right away, if not, work with Moveworks to do so.

Sharepoint Modern Site

It will look like this (a thin rectangle) if you successfully added it and are not allow listed (you can use the trash can to remove it, if desired):

Sharepoint Classic Site

Find the Moveworks for Web web part located in the Other category, and insert it on the page.

After the web part is added to the page. Edit the web part configuration. Change Chrome Type to None.

Installing it with a Code Snippet and Okta SAML SSO

This method of installation allows you to embed Moveworks for Web on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. It simply requires setting up an Okta application and then pasting a code snippet onto your target pages.

Installation Participants

On the day of installation, we need these individuals from your team on the call:

  • Okta super admin
    • Must be able to add a new application and make tenant-level configuration changes.
  • Target host admin(s)
    • Must be able to paste an HTML/JavaScript code snippet onto the target page or site.

Installation Overview

Moveworks can walk you through the Okta application installation on a call in about 15 minutes.

Setting up the Okta application is a one-time activity and from then on you are free to paste the code snippet onto any other site governed by your Okta SSO at your convenience.

Moveworks will provide the following:

  • Unique Customer Identifier String
  • Unique Customer Code Snippet
1

Review Security Overview document and Verify Okta tenant is configured to support iFrames

Please review the following document with your security team (or equivalent) before proceeding with installation:

Moveworks for Web: Okta SAML Security Overview

Moveworks for Web is an iframe-based application since the entire chat is hosted on Moveworks’ domain. Okta allows these kinds of applications to be installed by enabling a tenant-wide configuration (see screenshot below).

Enabling this feature is necessary for Moveworks for Web to function, however, it does allow other Okta applications to utilize iFrames as well. By enabling this feature within the Okta tenant, customer’s security posture may be weakened since this may enable attackers to perform a clickjacking attack against end users. Customers may sign up for Okta’s beta program feature for trusted origins which only allows explicitly specified domains to be displayed in iFrames, such as Moveworks. We highly recommend customers review this with their security team (or an equivalent) before enabling this feature.

For further information about this feature please see:

2

Okta App Setup Instructions

Go to the screen that lets you create Applications.

Click on Create App Integration.

Select SAML 2.0 in the next screen.

Specify a name for the application. Moveworks recommends using your bot’s name.

Check the box to not display the AI Assistant as an application among your users’ Okta chiclets.

Click next to configure the application.

Based on your AI Assistant environment, set the Single sign on URL as one of the following:

Commercial Environment: https://webchat-kprod.moveworks.io/login/sso/saml
GovCloud Environment: https://webchat.prod.am-usge1.moveworks.io/login/sso/saml
EU Environment: https://webchat.prod.am-euc1.moveworks.io/login/sso/saml
Canada Environment: https://webchat.prod.am-cac1.moveworks.io/login/sso/saml

Specify https://www.moveworks.com/ as the Audience URI.

In Default Relay State: Add the unique customer identifier string provided by Moveworks.

Select email address as the Name ID format.

On the Feedback panel, select the following options.

3

Provide Moveworks configuration info about your app

  1. Go the Sign On tab and click on View Setup Instructions.

  1. Please provide Moveworks the following:
    1. Identity Provider Single Sign-On URL
    2. Identity Provider Issuer
    3. X.509 Certificate
  2. Go to the General tab. Please provide Moveworks the Embed Link.

4

Await Moveworks to complete its configuration

Moveworks will use the details you provided to complete the configuration on the Moveworks backend. This typically takes about 2 business days.

5

Paste the AI Assistant onto your site

Go to your web host’s HTML/JavaScript editor, paste the following code snippet onto the page (which Moveworks will uniquely configure for you), and publish the changes.

<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank-->
                'Paste your bot ID here. This will be provided by Moveworks',
                {
                    serverUrl: 'Paste your Okta embed link here.',
                },
            );
        };
        script.src = 'https://webchat-kprod.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>

If you would like to move the AI Assistant around the page, you can use this snippet format instead, which includes some style parameters:

<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank-->
                'Paste your bot ID here. This will be provided by Moveworks',
                {
                    serverUrl: 'Paste your Okta embed link here.',
                    styles: { 
							        bottom: '0px';
							        right: '10px';
							        zIndex: 999;
							      };
                },
            );
        };
        script.src = 'https://webchat-kprod.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>

That’s it!

Step 5 is the only step necessary going forward if you want to put the AI Assistant onto other hosts. You can reuse the code snippet on as many websites as you like as long as they use the same Okta SSO.

By pasting this onto a given page, or a template for a page, the AI Assistant will appear if the user successfully authenticates when they visit it. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the AI Assistant will simply not appear.

If the AI Assistant does not automatically appear, let your Moveworks Customer Success Engineer know the domains to which you added the bot, and we’ll make sure they are allow listed on the Moveworks side.

Installing it with a Code Snippet and Okta OIDC

This method of installation allows you to embed Moveworks for Web on any webpage governed by Okta Single Sign-On (SSO), as long as the page supports HTML/JavaScript editing. This will create an Okta application that will allow you to copy a code snippet of the AI Assistant and paste it onto any page governed by Okta , and Moveworks for Web will just work, automatic authentication and all.

Prerequisite Questions

  • Does the site/page you want to include Moveworks for Web on allow for HTML/JavaScript editing?
    • If you want it to be everywhere on the site, does it support site templates, master pages, headers, footers, or other similar global page elements that support HTML/JavaScript editing?
  • Is the site/page governed by Okta SSO?
  • Ensure there is a tool owner with Super Admin access in your Okta instance

Installation Participants

On the day of installation, we need these individuals from your team on the call:

  • Okta super admin
    • Must be able to add a new application and make tenant-level configuration changes.
  • Target host admin(s)
    • Must be able to paste an HTML/JavaScript code snippet onto the target page or site.

Installation Overview

Moveworks can walk you through the Okta application installation on a call in about 15 minutes.

Setting up the Okta application is a one-time activity and from then on you are free to paste the code snippet onto any other site governed by your Okta OIDC at your convenience.

Moveworks will Provide the Following:

  • Unique Customer Bot ID

Okta App Setup Instructions

Go to the screen that lets you create Applications.

Click on Create App Integration

Select OIDC - OpenID Connect in the next screen.

  1. Fill out the Settings page
    1. Specify a name for the application. We recommend using your bot’s name.
    2. Use https://webchat-kprod.moveworks.io/login/sso/oidc as the Sign-in redirect URL.
    3. Specify https://webchat-kprod.moveworks.io as the Trusted Origin.
    4. Configure to be one of the following options:
      1. Allow everyone in you organization to access
      2. Limit access to selected groups

Select options as shown below.

Go back to General Settings and uncheck Require consent. Since the AI Assistant is doing silent authentication, the Require consent will block the AI Assistant auth flow and leave the AI Assistant invisible.

Finish the Moveworks side of the integration

After setup is complete, provide the following information to your CS team.

  1. The domains and URLs that will host the web AI Assistant (e.g. www.moveworks.ai/*)
  2. Client ID (idp_client_id)
  3. Client Secret (idp_secret)
  4. Okta Domain (idp_issuer)
  • To get these information, Go to the General tab

Prepare code snippet

You will need to paste the following code snippet in your web page html body.

The highlighted red areas are provided based on your settings. bot_id is the unique AI Assistant ID provided by your CS team.

If your installation does not require any style overrides then use the following:

<script src="https://webchat-kprod.moveworks.io/script/<bot_id>" />

Otherwise use the following:

<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank; this is for token-based deploys. -->
                '<bot_id>',
                {
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>',
										styles: '<optional, see below>'
                },
            );
        };
        script.src = 'https://webchat-kprod.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>
  • You can also added these optional parameters along with the serverURL. See below.
    • styles controls the position of the avatar
								{
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>',
                    styles: { 
							        bottom: '0px',
							        right: '10px',
							        zIndex: 999,
							    },
                },

Congrats! You did it! By pasting this onto a given page, or template for a page, the AI Assistant will appear if the user successfully authenticates. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the AI Assistant will simply not appear. This is true for all websites governed by Azure OIDC SSO, thus you are now free to paste this snippet anywhere that supports it.

By default, this behavior is NOT enabled for all users. Work with your CS team to first create an allowlist of users who can test the web AI Assistant before having them enable it to all users.

Installing it with a Code Snippet and Azure OIDC

This guide walks you through the Azure SSO OIDC setup for Moveworks for Web (M4W). This will create an Azure application that will then allow customers to copy a code snippet of the AI Assistant and paste it onto any page governed by Azure SSO, and Moveworks for Web will just work, automatic authentication and all.

Prerequisite Questions

  • Does the site/page you want to include Moveworks for Web on allow for HTML/JavaScript editing?
    • If you want it to be everywhere on the site, does it support site templates, master pages, headers, footers, or other similar global page elements that support HTML/JavaScript editing?
  • Is the site/page governed by Azure SSO?

Installation Prerequisites

  • On the day of installation, we need an individual who has Global Administrator access in your Azure tenant

🚧

The Azure OIDC silent authentication only works if users are logged into only one MS tenant. Make sure users logged out from other testing tenants when testing webchat bot. This should be rare if the end users are logged into multiple tenants at once.

Azure App Setup Instructions

Go to the https://portal.azure.com/ that lets you create Applications.

Click on App registrations

Select New Registration in the next screen.

Configure the application

  1. Specify a name for the application. We recommend using your bot’s name.
  2. Configure the application.
    1. Based on your AI Assistant environment, set the Redirect URI as one of the following:
      Commercial Environment: https://webchat-kprod.moveworks.io/login/sso/oidc
      GovCloud Environment: https://webchat.prod.am-usge1.moveworks.io/login/sso/oidc
      EU Environment: https://webchat.prod.am-euc1.moveworks.io/login/sso/oidc
      Canada Environment: https://webchat.prod.am-cac1.moveworks.io/login/sso/oidc

Select options as shown below.

Generate idp_secret

  1. Go to Certificates & secrets on the left
  2. Click New client secret
  3. Add Description and Expires. 24 months is our recommended option to go with as it is the longest time possible. You can have multiple secrets at once, so before one expires you can create another for a seamless cutover.

Once the secret is created, copy the value and send to Moveworks engineer. Note that this value is only accessible at the time of creation. You will need to create a new one if the previous one isn’t saved before leaving the page.

  1. Go to Azure Active Directory
  2. Go to Enterprise Application under Manage
  3. Find the application just created and open
  4. Go to Permissions and click Grant admin consent for<org>

Finish Moveworks’ side of the integration

After setup is complete, the following information must be shared with Moveworks Customer Success, with the saved secret above.

  1. Go the Overview in App registrations → your app just created.
    1. idp_client_id
    2. idp_issuer


    3. idp_secret (saved locally in the previous step)

Prepare code snippet

You will need to paste the following code snippet in your web page html body.

The highlighted red areas are provided based on your settings. bot_id is the unique bot ID provided by your CS team.

If your installation does not require any style overrides then use the following:

Commercial Environment
<script src="https://webchat-kprod.moveworks.io/script/<bot_id>" />
GovCloud Environment
<script src="https://webchat.prod.am-usge1.moveworks.io/script/<bot_id>" />
EU Environment
<script src="https://webchat.prod.am-euc1.moveworks.io/script/<bot_id>" />
Canada Environment
<script src="https://webchat.prod.am-cac1.moveworks.io/script/<bot_id>" />

Otherwise use the following:

Commercial Environment
<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank; this is for token-based deploys. -->
                '<bot_id>',
                {
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>',
										styles: '<optional, see below>'
                },
            );
        };
        script.src = 'https://webchat-kprod.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>
GovCloud Environment
<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank; this is for token-based deploys. -->
                '<bot_id>',
                {
                    serverUrl: 'https://webchat.prod.am-usge1.moveworks.io/login/<bot_id>',
										styles: '<optional, see below>'
                },
            );
        };
        script.src = 'https://webchat.prod.am-usge1.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>
EU Environment
<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank; this is for token-based deploys. -->
                '<bot_id>',
                {
                    serverUrl: 'https://webchat.prod.am-euc1.moveworks.io/login/<bot_id>',
										styles: '<optional, see below>'
                },
            );
        };
        script.src = 'https://webchat.prod.am-euc1.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>
Canada Environment
<div id="webchat">
    <script>
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.onload = function () {
            window.mwwebchat.openMWWebChat(
                '', <!--Leave this blank; this is for token-based deploys. -->
                '<bot_id>',
                {
                    serverUrl: 'https://webchat.prod.am-euc1.moveworks.io/login/<bot_id>',
										styles: '<optional, see below>'
                },
            );
        };
        script.src = 'https://webchat.prod.am-euc1.moveworks.io/movewebchat-client-script.js';
        document.getElementById('webchat').appendChild(script);
    </script>
</div>
  • You can also added these optional parameters along with the serverUrl. See below.
    • styles controls the position of the avatar
Commercial Environment
								{
                    serverUrl: 'https://webchat-kprod.moveworks.io/login/<bot_id>',
                    styles: { 
							        bottom: '0px',
							        right: '10px',
							        zIndex: 999,
							    },
                },
GovCloud Environment
								{
                    serverUrl: 'https://webchat.prod.am-usge1.moveworks.io/login/<bot_id>',
                    styles: { 
							        bottom: '0px',
							        right: '10px',
							        zIndex: 999,
							    },
                },
EU Environment
								{
                    serverUrl: 'https://webchat.prod.am-euc1.moveworks.io/login/<bot_id>',
                    styles: { 
							        bottom: '0px',
							        right: '10px',
							        zIndex: 999,
							    },
                },
Canada Environment
								{
                    serverUrl: 'https://webchat.prod.am-cac1.moveworks.io/login/<bot_id>',
                    styles: { 
							        bottom: '0px',
							        right: '10px',
							        zIndex: 999,
							    },
                },

Congrats! You did it! By pasting this onto a given page, or template for a page, the AI Assistant will appear if the user successfully authenticates. Authentication is seamless, and no login prompt will ever be seen by the user. If the user is not authenticated, the AI Assistant will simply not appear. This is true for all websites governed by Azure OIDC SSO, thus you are now free to paste this snippet anywhere that supports it.

By default, this behavior is NOT enabled for all users. Work with your CS team to first create an allowlist of users who can test the web AI Assistant before having them enable it to all users.