For detailed information on Watermark Navigator, including troubleshooting steps, please review the following resource:
SAML SSO is the most modern, reliable single sign-on configuration, and is now the industry-preferred standard for user authentication. It is likely the method of single sign-on that your IT teams favor. Implementing SAML SSO will ensure your faculty and staff can access the system efficiently and securely, using their single set of campus credentials. The clarity and simplicity of the single sign-on experience - with no need to remember more sets of credentials - will reduce the risk of user confusion, and decrease the number of helpdesk requests you receive about accessing your Watermark systems.
SAML SSO is more secure and much easier to configure and maintain than the LDAP and HMAC Portal methods and does not require any ongoing subscriptions to federations, nor does it require a third-party vendor between your campus and Watermark.
Watermark supports SAML SSO through Watermark Navigator. This means that in addition to providing a secure sign-on method, it also provides a single front door to access all of your Watermark products. The Watermark Navigator allows users with matching accounts in multiple products to toggle between those products.
To get started with SAML through Navigator, submit a general work request with the following information:
- Email Domain(s): A complete list of the email domains, e.g., youru.edu, subdomain.youru.edu, that we should allow to sign-in. We'll prevent sign-ins from other email domains.
- Sign-in URL: The URL of your IdP that accepts SAML login requests
- If you're using ADFS... it might look like "https:///adfs/ls/"
- If you're using Shibboleth... it might look like "http:///idp/profile/SAML2/Redirect/SSO" or "http:///idp/profile/SAML2/Post/SSO"
- Sign-out URL: The URL of your IdP that accepts SAML logout requests
- If you're using ADFS... it might look like "https:///adfs/ls/," which is the same as the sign-in URL
- If you're using Shibboleth... it might look like "http:///idp/profile/Logout"
- X.509 Certificate: The certificate itself, your IdP metadata or IdP metadata URL
- Test user account: An account you should keep enabled that we'll use to test your configuration now and in the future. The account should be named in a generic manner that's obvious to its purpose, e.g., "WM_SAML Test." The account should not have access other than to log in through SAML. For instance, don't provide an account that has access to email in addition to SAML.
- Your User Attributes. We’re looking for the following user attributes: first name, last name and email. Let us know what labels you used to represent these concepts. We use email for matching to determine if the user is able to log in to Navigator. We also require a nameid for session management. You must populate nameid with a unique value, and we recommend email address as the value unless you have a different preference.
Once we receive the above information, we'll supply a SAML Metadata file and SSO URL to you and your technical team will be able to configure Watermark as a relying party using these metadata and perform a login test. Our team of integration specialists will work with your technical liaison to complete the setup.