Introduction to Navigator
Watermark Navigator allows users* to toggle between multiple Watermark Solutions. For SAML
setups, the Institution will authenticate using a campus email domain, so it’s important to make
sure that user accounts are created using a consistent domain, for example email@example.com.
For advanced authentication, Navigator can be configured to support SAML SSO, the protocol that
is widely considered to be the industry-preferred method of single sign-on. It supports
SP-initiated SSO and JIT (Just In Time) Provisioning. When SAML setup is complete, your Institution's IT
Representatives will help Watermark's e-services team set up a redirect to your campus portal from a login URL that looks like the example below:
Note that the "client connection name" will be specific to your institution.
*Students will not access Watermark Solutions via Watermark Navigator
Requesting Navigator Setup
Please click the link below if you are interested in setting up SSO through Watermark Navigator. The link will take you to the Watermark Academy and you can select the option that best fits your needs. You can expect a Watermark Project Manager to contact you within 5 business days.
Watermark Navigator SSO Setup Process
1. To begin the setup process, please select the URL above and choose the option titled:
"Watermark Navigator SSO Technical Consultation - Initial set-up, post-implementation"
Setup requires the metadata and X.509 certificate from your IdP.
- We need the following claims: Firstname, Lastname and Email address
- Along with the above, NameID must be mapped to the email address
2. Watermark Engineering Services will configure our Service Provider (Auth0), and provide
you with the metadata.
3. The Institution's IT Representative will then apply the metadata to their IdP
4. We will then ask the Institution's IT Representative to test the SAML connection.
Watermark Engineering Services may request a Zoom meeting to complete this step.
A test account may be required to troubleshoot.
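The claim requirements from step 1 can be checked against an assertion captured from your own test login before the connection test in step 4. The script below is an added example, not Watermark's or Auth0's code; the attribute names Firstname, Lastname and Email, the sample assertion and the function check_assertion are assumptions, since this page names the claims but not their exact SAML attribute names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; the page lists the claims but not their exact names.
REQUIRED = ("Firstname", "Lastname", "Email")

# Constructed sample assertion (not captured from a real IdP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, campus_domain):
    """Return a list of problems; an empty list means the claims look right.

    Only the claims are inspected. Signature, audience and expiry validation
    are out of scope; use this on assertions from your own test login only.
    """
    root = ET.fromstring(xml_text)
    problems = []
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing or empty claim: {name}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_value:
        problems.append("missing NameID")
    email = attrs.get("Email", "")
    if name_id_value and email and name_id_value.lower() != email.lower():
        problems.append("NameID is not mapped to the email address")
    # Accounts must use one consistent campus domain, so flag anything else.
    for label, value in (("NameID", name_id_value), ("Email", email)):
        if value and value.rpartition("@")[2].lower() != campus_domain.lower():
            problems.append(f"{label} is outside the campus domain {campus_domain}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE, "example.com") or "claims OK")
```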
Design Flow - Once the above steps are in place.
- Stage 1: The user is successfully redirected to an identity provider (IdP) and is able to login
- Stage 2: After login with the IdP, the user returns to Auth0 with a successful login event
- Stage 3: After a successful login event in Auth0, the user profile in Auth0 is verified.
- Stage 4: The user successfully redirects back to application and is able to access the
If any of the above stages fail, Engineering Services will troubleshoot with the Institution's IT Representative and a test account may be required.
On completion of Stages 1-4, please use the test account to test the connection. A successful login
for the Test User would yield one of two outcomes:
a. Successful login and access to the platform. This means SAML is on for the
platform and the Test User has a real account that can be accessed
b. A message that says “We weren’t expecting you.” This means that SAML is working
for the client, but the Test Account is not a real account that can be accessed