Single Sign-On (SSO)
Watching That supports enterprise-grade Single Sign-On (SSO) via the SAML 2.0 protocol. Once enabled for your account, your users will authenticate using their existing corporate credentials rather than a separate Watching That password.
Before You Begin
Contact support@watchingthat.com to request the two account-specific URLs you'll need during setup:
Single sign-on URL / Reply URL (Assertion Consumer Service URL)
Audience URI / Identifier (Entity ID)
Watching That will provide these values specific to your account.
Supported Identity Providers
Select your identity provider below for step-by-step setup instructions:
Once you have completed setup in your identity provider, you will be asked to share a Metadata URL back with Watching That to complete the connection on the platform side.
How SSO Login Works
Watching That uses SP-initiated SSO only. This means the login flow must always start from Watching That — not from your SSO platform. Attempting to log in by clicking the Watching That app tile directly in Okta or Microsoft Entra will not work and will result in an error.
The correct login flow:
A user navigates to Watching That and enters their email address.
Watching That detects the SSO configuration and redirects the user to their SSO platform.
The user authenticates (password, 2FA, etc.) on the SSO platform.
The user is redirected back to Watching That as an authenticated user.
The flow that will NOT work:
A user goes to their SSO platform (e.g. Okta or Microsoft Entra).
The user clicks the Watching That app tile from within the SSO platform.
The user expects to be taken directly into Watching That.
This IdP-initiated flow is not supported and will result in a login error. Please make sure your users know to always start the login process from the Watching That login page.
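In SAML 2.0, a response to an SP-initiated login carries an InResponseTo attribute naming the AuthnRequest the service provider sent, while an IdP-initiated (unsolicited) response has none. The Python below is an added example, not Watching That's own code, of how a service provider can enforce SP-initiated-only login on that basis; the class and function names, the request ID and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class PendingRequests:
    """AuthnRequest IDs the SP has issued and not yet seen answered."""

    def __init__(self):
        self._ids = set()

    def issue(self, request_id):
        self._ids.add(request_id)

    def consume(self, request_id):
        # One-time use: a second response naming the same ID is a replay.
        if request_id in self._ids:
            self._ids.remove(request_id)
            return True
        return False


def classify_response(xml_text, pending):
    """Return 'accepted', 'unsolicited', 'unknown-request' or 'not-a-response'."""
    # Production code should use a hardened XML parser and also verify the
    # signature, audience and validity window; only the flow check is shown.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return "not-a-response"
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return "unsolicited"  # IdP-initiated: no AuthnRequest preceded it
    if not pending.consume(in_response_to):
        return "unknown-request"  # never issued by this SP, or already used
    return "accepted"


# Constructed sample messages (assertion bodies omitted; not real IdP output).
SP_INITIATED = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" '
                'Version="2.0" InResponseTo="_req-1234"/>')
IDP_INITIATED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0"/>'


def demo():
    pending = PendingRequests()
    pending.issue("_req-1234")  # the SP redirects the user to the IdP
    return [classify_response(SP_INITIATED, pending),   # normal login
            classify_response(IDP_INITIATED, pending),  # app tile click
            classify_response(SP_INITIATED, pending)]   # replayed response
```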
Need Help?
Contact support@watchingthat.com if you run into any issues during setup or need your account-specific URLs.