Introduction to Watermark Navigator
Watermark Navigator lets you switch between different Watermark Solutions with a single sign-on. This article explains how Navigator works and the process for setting up Single Sign-On (SSO) for your institution.
Understanding Navigator and SSO
Watermark Navigator can be configured to use SAML Single Sign-On (SSO), which is the industry standard for secure single sign-on. This allows your users to access Watermark Solutions using their existing campus credentials.
- Who uses Navigator?
- Faculty and staff use Watermark Navigator. Students do not use Navigator to access Watermark Solutions.
Authentication with SAML SSO
When you use SAML SSO, your institution authenticates users based on their campus email domain. It is crucial that all user accounts are created using a consistent email domain (e.g., user@institution.edu).
Once setup is complete, your institution's IT representatives will work with our Engineering Services team to set up a redirect from a Watermark login URL to your campus portal.
Example Login URL:
https://login.watermarkinsights.com/connect/"clientconnectionname"
Note: The "client connection name" is your specific institution's name.
Requesting Navigator SSO Setup
If you are interested in setting up SSO through Watermark Navigator, submit a request to begin the process. A member of our Engineering Services team will contact you within 1-2 business days.
Watermark Navigator SSO Setup Process
The SSO setup process is a collaborative effort between your institution's IT Representative and Watermark Engineering Services.
Step 1: Submit a Technical Consultation Request
- Click the Submit a Request button in the Help Center
- Indicate in the subject field, "Watermark Navigator SSO Setup"
Step 2: Provide Required Information
Your IT Representative must provide our team with the metadata and X.509 certificate from your Identity Provider (IdP).
We also require the following claims:
- Firstname
- Lastname
- Email address
The NameID must be mapped to the user's email address.
Step 3: Configuration and Metadata Exchange
Watermark Engineering Services will configure our Service Provider (Auth0) and provide the metadata back to your IT Representative.
Your IT Representative will then apply the metadata to your institution's IdP.
Step 4: Test the SAML Connection
Watermark Engineering Services will ask your IT Representative to test the SAML connection using a test account.
- We may request a Zoom meeting to complete this step and troubleshoot if necessary.
- A test account may be required to troubleshoot.
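As an added example (not Watermark's code), this Python check takes a SAML assertion captured from the test account's login and reports whether the three required claims are present and the NameID is the user's email address on the expected domain. The wire attribute names `Firstname`, `Lastname` and `Email`, the sample assertion and the `check_assertion` helper are assumptions made for illustration; the check covers attribute mapping only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed wire names for the three claims; confirm the exact names during setup.
REQUIRED = ("Firstname", "Lastname", "Email")

# Constructed sample assertion (unsigned, trimmed to the parts being checked).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@institution.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@institution.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, domain, required=REQUIRED):
    """Return a list of mapping problems; an empty list means the mapping looks right.

    Checks attribute mapping only. It does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # Collect every attribute in the statement as Name -> first value.
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = value.strip()
    for name in required:
        if not attrs.get(name):
            problems.append(f"missing or empty claim: {name}")
    # The NameID must be the user's email address on the campus domain.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    local, _, host = name_id.rpartition("@")
    if not local or not host:
        problems.append("NameID is not an email address")
    elif host.lower() != domain.lower():
        problems.append(f"NameID domain {host} differs from {domain}")
    # The email claim (last entry in `required`) should agree with the NameID.
    email = attrs.get(required[-1], "")
    if email and email.lower() != name_id.lower():
        problems.append("NameID does not match the email claim")
    return problems
```

Run it against the assertion your IdP issues for the test account before the joint test; a NameID carrying a username or an opaque identifier instead of the email address is reported here rather than surfacing as a failed login.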
SSO Design Flow: What Happens When a User Logs In
Once the setup is in place, this is the sequence of events when a user attempts to log in:
- Stage 1: The user is successfully redirected to an identity provider (IdP) and is able to log in.
- Stage 2: After login with the IdP, the user returns to Auth0 with a successful login event recorded.
- Stage 3: After a successful login event in Auth0, the user profile in Auth0 is verified.
- Stage 4: The user successfully redirects back to the application and is able to access the application.
If any of the above stages fail, Engineering Services will troubleshoot with the Institution's IT Representative, and a test account may be required.
Testing the Connection
On completion of Stages 1-4, please use the test account to test the connection. A successful login for the Test User would yield one of two outcomes:
- Successful Login: The test user logs in and can access the platform. This means SAML is working for the platform and the Test User has a real account that can be accessed.
- “We weren’t expecting you” Message: This means that SAML is working for the client, but the Test Account is not a real account that can be accessed.