Introduction to Navigator
Watermark Navigator allows users* to toggle between multiple Watermark Solutions. For SAML
setups, the Institution will authenticate using a campus email domain, so it’s important to make
sure that user accounts are using a consistent email address handle.
For advanced authentication, Navigator can be configured to support SAML SSO, the protocol that
is widely considered to be the industry-preferred method of single sign-on. It supports
SP-initiated SSO and JIT (Just In Time) Provisioning. When SAML setup is complete, the Institution's IT
Representatives will help us set up a redirect to their campus portal from a login URL that looks
like this: https://login.watermarkinsights.com/connect/clientconnectionname
*Students will not access Watermark Solutions via Watermark Navigator
Watermark Navigator SSO Setup Process
1. Institution's IT Representative is asked to complete the setup form - we will require the
metadata and x509 certificate from your IdP
- We need the following claims - Firstname, Lastname and Email address
- Along with the above - NameID mapped to email address
2. Watermark Engineering Services will configure our Service Provider (Auth0), and provide
you with the metadata.
3. Institution's IT Representative will then apply the metadata to their IdP
4. We will then ask the Institution's IT Representative to test the SAML connection.
Watermark Engineering Services may request a Zoom meeting to complete this step.
A test account may be required to troubleshoot.
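The claim requirements in step 1, and the consistent campus email address noted in the introduction, can be checked against a captured test assertion before the joint test in step 4. The following is an added example, not Watermark's or Auth0's code; the attribute names, the sample assertion, the campus domain and the function check_assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names are assumptions; use the names agreed on the setup form.
REQUIRED_CLAIMS = ("Firstname", "Lastname", "Email")

# Constructed sample assertion (unsigned, trimmed to the parts being checked).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jdoe@campus.example.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>JDoe@campus.example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, campus_domain):
    """Return a list of problems found; an empty list means the checks passed.

    Checks claim content only. It does not validate the XML signature,
    which the Service Provider does with the IdP's x509 certificate.
    """
    root = ET.fromstring(xml_text)
    problems = []
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing or empty claim: {name}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    # Case-insensitive comparison is an assumption about how addresses are matched.
    if not name_id_value:
        problems.append("NameID missing")
    elif name_id_value.lower() != claims.get("Email", "").lower():
        problems.append("NameID does not match the Email claim")
    email = claims.get("Email", "")
    if email and email.lower().rpartition("@")[2] != campus_domain.lower():
        problems.append(f"Email is not in the campus domain {campus_domain}")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "campus.example.edu") or "all checks passed")
```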
Design Flow - Once the above steps are in place.
- Stage 1: The user is successfully redirected to an identity provider (IdP) and is able to login
- Stage 2: After login with the IdP, the user returns to Auth0 with a successful login event
- Stage 3: After a successful login event in Auth0, the user profile in Auth0 is verified.
- Stage 4: The user successfully redirects back to application and is able to access the
If any of the above stages fail, Engineering Services will troubleshoot with the Institution's IT Representative and a test account may be required.
On completion of Stages 1-4, please use the test account to test the connection. A successful login
for the Test User would yield one of two outcomes:
a. Successful login and access to the platform. This means SAML is on for the
platform and the Test User has a real account that can be accessed
b. A message that says “We weren’t expecting you.” This means that SAML is working
for the client, but the Test Account is not a real account that can be accessed
Please fill out the form linked below if you are interested in setting up SSO through Watermark Navigator. You can expect a Watermark Project Manager to contact you within 5 business days of completing the form.