---
title: Okta Installation Guide (SAML)
excerpt: ''
deprecated: false
hidden: false
metadata:
  title: ''
  description: ''
  robots: index
next:
  description: ''
---

Moveworks recommends that you set up your Okta apps via OIDC. Our OIDC installation will provide a better experience. You can follow the instructions [here](/service-management/administration/sso-configuration/okta-sso/okta-oidc).

This document describes the steps required to set up Moveworks as a SAML application in Okta. Doing this allows employees in your organization to access the Moveworks Control Center through their Okta dashboard, in the same way as they use single sign-on to access their other apps.

# Prerequisites

Before you edit your SSO configuration, make sure you are logged into MyMoveworks. Otherwise, you will not be able to log in and update your SSO configuration details.

**Okta SSO Prerequisites**

* Have access to an Okta tenant
* Be an Okta administrator to that tenant

**Moveworks SSO Prerequisites**

* Your Moveworks Environment should be initialized in order to continue. (Verify with your Account Team if this has been completed.)
* Note the following values.
  * `data_center_domain` - the data center where your organization is hosted (see table below).

    | Data Center              | data\_center\_domain          |
    | :----------------------- | :---------------------------- |
    | United States (default)  | moveworks.com                 |
    | Canada                   | am-ca-central.moveworks.com   |
    | EU                       | am-eu-central.moveworks.com   |
    | Australia / Asia Pacific | am-ap-southeast.moveworks.com |
    | Government Secure Cloud  | moveworksgov.com              |

  * `subdomain` - your organization's login subdomain. The value for **subdomain** should match your `customer_id`, which can be [verified from the General Information Page](/service-management/administration/organization-information). Make sure to use the unique subdomain.

    For example, if your organization's login subdomain is **acme.moveworks.com**, then your `subdomain` is **acme** and your `data_center_domain` is **moveworks.com**, which is part of the US data center.
  * `customer_id` - the unique identifier for your organization. This is stored as **Org Name** under **Organization Details > General Information**.

    ![](https://files.readme.io/ec5bf3b5e47317fcf8d2ba7f7d6b1348befd4c402553e53c4d966795d1715e13-CleanShot_2024-11-11_at_14.53.19.png)

In exceptional cases where you would like Moveworks to support your organization with a different subdomain value, please reach out to Moveworks Support.

# Configuration Steps

## Create SAML Application

1. Log in to your Okta org and navigate to the Admin user interface.
2. Navigate to **Applications > Applications**.
3. Navigate to the Applications section of Okta, and click on **Create App Integration**.\
   ![](https://files.readme.io/9d3b47c-small-Untitled_-_2023-05-03T113109.045.png)
4. Select SAML 2.0 on the next screen.\
   ![](https://files.readme.io/0926ff8-small-Untitled_-_2023-05-03T113038.160.png)
5. Define General Settings
   1. **App Name:** `Moveworks`
   2. **App Logo**: Download the following image

      ![](https://files.readme.io/7ce3cd8e7a2f7a1b9e0280f79d46e36c6deab9c7fcbbcb919451fb5c43fe34c1-image.png)
   3. **App Visibility**: Leave unchecked
6. Configure SAML using the values you've noted above
   1. **Single sign on URL:** `https://{{subdomain}}.{{data_center_domain}}/login/sso/saml`
      1. e.g. `https://acme.am-eu-central.moveworks.com/login/sso/saml`
      2. Leave `Use this for Recipient URL and Destination URL` selected
   2. **Audience URI:** `www.moveworks.com`
   3. **Default Relay State:** `customer_id`
   4. **Name ID format:** `EmailAddress`
   5. **Application username:** `Okta username`
   6. **Update application username on:** `Create and update`

   ![](https://files.readme.io/8e632e09559808f4e1fe72b6d15d1b1a9ebfd4150abd67ddb91610766ae24152-CleanShot_2024-10-28_at_10.41.582x.png)
7. Submit **Feedback** & **Finish**
   1. **Are you a customer or partner?** `I'm an Okta customer adding an internal app`
   2. **App type**: `This is an internal app that we have created`\
      ![](https://files.readme.io/4aeea16-small-Untitled_-_2023-05-03T112748.625.png)

## Add SAML Configuration in MyMoveworks

1. On the **Sign On** tab, select **View SAML setup instructions**.

   ![](https://files.readme.io/f90ae83be242d9e29347d719833bbe178bb78a51d0b52b641ada56668d6cf51a-CleanShot_2024-10-28_at_10.43.552x.png)
2. Copy / download the provided information
   * **Identity Provider SSO URL**: `idp_url`
   * **Identity Provider Issuer**: `idp_issuer`
   * **X.509 Certification**: `x509_certificate`

   ![](https://files.readme.io/d06995a67a8b280618a3d74da70e9692e716656a5c697554b9b55014bd640caf-CleanShot_2024-10-28_at_10.45.122x.png)
3. Navigate to SSO Settings in MyMoveworks.

   ![](https://files.readme.io/c1f062b02e5f9c221b37838fa2ed709cf8a548cadd10c854a85e764cef208f81-image.png)
4. If you already see a `studio` config, edit it. Otherwise, choose Create.
5. Add your configuration using the values you've noted above
   * **Moveworks Product**: `studio`
   * **Select Connector**: `okta` or `moveworks`
   * **Authentication Protocol**: `SAML`
   * **IDP Sign On / SSO URL**: `{{idp_url}}` (From Step 2)
     * e.g. `https://acme.okta.com/app/acme_moveworks_1/d4f567gd8s9sdfgds/sso/saml`
   * **IDP Issuer**: `{{idp_issuer}}` (From Step 2)
     * e.g. `http://www.okta.com/d4f567gd8s9sdfgds`
   * **IDP Public Certificate**: `x509_certificate` (From Step 2)
6. Click **Submit**.
7. Wait a few minutes, then attempt to log into your instance at `https://{{subdomain}}.{{data_center_domain}}`
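
A mistyped Single sign on URL sends SAML assertions to the wrong host, and a wrong issuer or a truncated certificate makes every login fail validation. The pre-flight check below is an added example, not Moveworks or Okta code. It builds the Okta-side values from the prerequisites and sanity-checks the three values copied from Okta. The function names, the `custom_subdomain` flag and the `/sso/saml` path test (taken from the shape of this guide's example URL) are assumptions.

```python
import base64, binascii, re
from urllib.parse import urlsplit

# data_center_domain values from the table under Prerequisites
DATA_CENTER_DOMAINS = {
    "moveworks.com", "am-ca-central.moveworks.com", "am-eu-central.moveworks.com",
    "am-ap-southeast.moveworks.com", "moveworksgov.com",
}
DNS_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.I)

def okta_sp_settings(subdomain, data_center_domain, customer_id, custom_subdomain=False):
    """Values for Okta's Configure SAML step, built from the noted prerequisites."""
    if data_center_domain not in DATA_CENTER_DOMAINS:
        raise ValueError(f"unknown data_center_domain: {data_center_domain!r}")
    if not DNS_LABEL.fullmatch(subdomain):  # rejects a pasted full hostname
        raise ValueError(f"subdomain must be a single DNS label: {subdomain!r}")
    # The guide expects subdomain == customer_id unless Support arranged otherwise.
    if subdomain != customer_id and not custom_subdomain:
        raise ValueError("subdomain does not match customer_id")
    return {
        "Single sign on URL": f"https://{subdomain}.{data_center_domain}/login/sso/saml",
        "Audience URI": "www.moveworks.com",
        "Default Relay State": customer_id,
        "Name ID format": "EmailAddress",
    }

def check_idp_values(idp_url, idp_issuer, x509_certificate):
    """Return a list of problems with the values copied from Okta; empty means OK."""
    problems = []
    url = urlsplit(idp_url)
    if url.scheme != "https" or not url.hostname:
        problems.append("idp_url is not an https URL")
    elif not url.path.endswith("/sso/saml"):  # assumption: shape of the guide's example
        problems.append("idp_url does not end in /sso/saml")
    if idp_issuer.strip() == idp_url.strip():  # Okta lists these as separate values
        problems.append("idp_issuer is identical to idp_url")
    lines = [ln.strip() for ln in x509_certificate.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" \
            or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("x509_certificate is not one PEM certificate block")
    else:
        try:
            der = base64.b64decode("".join(lines[1:-1]), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
            problems.append("x509_certificate body is not base64-encoded DER")
    return problems
```

The certificate check only confirms that the pasted block is intact PEM; it does not parse the certificate or check its validity period.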