SAML through Watermark Navigator

Watermark Navigator supports secure, modern SAML SSO for single sign-on, allowing faculty and staff to access all Watermark products with campus credentials. It is easier and more secure than LDAP and HMAC methods, requiring no third-party vendors. To implement, submit email domains, IdP sign-in/sign-out URLs, X.509 certificate, a test user account, and user attribute details. Watermark provides metadata and assists with configuration and testing. More info is available in the Watermark Navigator Integration resource.

For detailed information on Watermark Navigator SSO, including troubleshooting steps, please review the following resource: Watermark Navigator Integration

Overview

SAML SSO is the most modern, reliable single sign-on configuration, and is the industry-preferred standard for user authentication. It is likely the method of single sign-on that your IT teams favor. Implementing SAML SSO will ensure your faculty and staff can access the system efficiently and securely, using their single set of campus credentials. The clarity and simplicity of the single sign-on experience - with no need to remember more sets of credentials - will reduce the risk of user confusion, and decrease the number of help desk requests you receive about accessing your Watermark systems.

SAML SSO is more secure and much easier to configure and maintain than the LDAP and HMAC Portal methods and does not require any ongoing subscriptions to federations, nor does it require a third-party vendor between your campus and Watermark.

Watermark supports SAML SSO through Watermark Navigator. This means that in addition to providing a secure sign-on method, it also provides a single front door to access all of your Watermark products. The Watermark Navigator allows users with matching accounts in multiple products to toggle between those products.

Requirements

To get started with SAML through Navigator, submit a general work request with the following information:

  • Email Domain(s): A complete list of the email domains, e.g., youru.edu, subdomain.youru.edu, that we should allow to sign in. We'll prevent sign-ins from other email domains.
  • Sign-in URL: The URL of your IdP that accepts SAML login requests
  • Sign-out URL: The URL of your IdP that accepts SAML logout requests
  • X.509 Certificate: The certificate itself, your IdP metadata or IdP metadata URL
  • Test user account: An account you should keep enabled that we'll use to test your configuration now and in the future. The account should have a generic name that makes its purpose obvious, e.g., "WM_SAML Test." The account should not have any access other than logging in through SAML. For instance, don't provide an account that has access to email in addition to SAML.
  • Your User Attributes. We’re looking for the following user attributes: first name, last name and email. Let us know what labels you used to represent these concepts. We use email for matching to determine if the user is able to log in to Navigator. We also require a nameid for session management. You must populate nameid with a unique value, and we recommend email address as the value unless you have a different preference.
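
A pre-submission check for the items above, as an added example (not Watermark's code): it inspects a sample assertion from your IdP for a non-empty NameID, the three attributes, and an email domain on the submitted list. The attribute labels givenName, sn and mail, the domain list, and the sample assertion are assumptions constructed for illustration; the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed values for illustration; use the domains and labels you actually submit.
ALLOWED_DOMAINS = {"youru.edu", "subdomain.youru.edu"}
ATTRIBUTE_LABELS = {"first name": "givenName", "last name": "sn", "email": "mail"}

# Constructed sample assertion (unsigned, trimmed to the fields checked here).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>wm_saml_test@youru.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>WM_SAML</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>wm_saml_test@youru.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, allowed_domains=ALLOWED_DOMAINS, labels=ATTRIBUTE_LABELS):
    """Return a list of problems; an empty list means nothing required is missing."""
    root = ET.fromstring(xml_text)
    problems = []

    # NameID is required for session management and must not be empty.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("NameID is missing or empty")

    # Collect the first value of each attribute, keyed by its Name label.
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    for concept, label in labels.items():
        if not values.get(label):
            problems.append(f"attribute for {concept} ({label!r}) is missing or empty")

    email = values.get(labels["email"], "")
    if email:
        # Exact match on the domain part (this example's choice): list subdomains explicitly.
        domain = email.rpartition("@")[2].lower()
        if "@" not in email or domain not in allowed_domains:
            problems.append(f"email domain {domain!r} is not in the submitted list")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches the submitted details")
```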

Implementation Details

Once our Watermark Integration team receives the above information, we'll supply you with a SAML Metadata file and SSO URL. Your technical team can then use this metadata to configure Watermark as a relying party and perform a login test. Our team of integration specialists will work with your technical liaison to complete the setup.
