

Overview

As described in EVERFI X.509 Certification Rotation, Foundry’s SAML certificate expires January 7, 2021. This page outlines how EVERFI will work with clients who are InCommon Federation members to rotate their Foundry certificate.



Identity Provider System Requirements

Assuming your identity provider meets the following conditions, this rotation process is expected to complete with no downtime in single sign-on during any of the rotation steps.

Identity Provider Requirements

EVERFI assumes the following about your identity provider setup:

  • Your identity provider supports multiple signing certificates for a service provider
  • Your identity provider automatically updates the Foundry service provider in response to updates to the associated InCommon registry, or you have a process in place to manually apply such updates

If your identity provider cannot support a service provider with multiple signing certificates, you can still rotate your Foundry certificate; however, to minimize single sign-on downtime, you must update Foundry’s SSO configuration at the same time you update the Foundry service provider in your identity provider.

If your identity provider does not automatically apply InCommon registry updates, then you must be sure to manually apply these updates.

If your identity provider does not meet the requirements above, please contact your EVERFI representative to discuss how to best complete the certificate rotation.



Certificate Rotation Sequence

The process to rotate from the older Foundry certificate to the new Foundry certificate consists of three main steps, starting in December and concluding on January 8, 2021.

EVERFI will complete the first and third steps, and we invite you to complete the second step. If you have not completed the second step by January 8, 2021, then EVERFI will complete this step for you.

For reference, this page refers to two Foundry X.509 SAML certificates. The Foundry certificates are used to digitally sign Foundry’s outgoing SAML authentication requests, as well as logout requests and logout responses. Additionally, if you opt to encrypt the SAML Assertions provided in your identity provider’s SAML Responses, then you must use the Foundry certificate to encrypt the Assertion. For brevity, we describe the new Foundry certificate (which expires October 6, 2022) as the “new” certificate and the predecessor certificate that expires January 7, 2021, as the “old” certificate.

Step 1 – First InCommon Registry Update

  1. In December, on a date to be announced, EVERFI will update the InCommon service provider registries for all EVERFI Foundry clients as follows:

     Property                Before    After
     Signing Certificate     Old       Old and New
     Encryption Certificate  Old       New

  2. Typically, when EVERFI updates an InCommon service provider entry, the update happens quickly.
  3. At some point after InCommon accepts the update, InCommon will publish the updated registry.
  4. Your identity provider will receive the update.
  5. Your identity provider will update the Foundry service provider as described in the table above.

At this point, single sign-on and single logout should operate successfully. Foundry will continue to sign its SAML messages with the old certificate, and your identity provider will be able to verify the signature. Your identity provider will encrypt (if encryption is enabled) with the new certificate, and Foundry is able to decrypt with the new certificate.

Step 2 – Update Foundry SAML Configuration

EVERFI will communicate to our InCommon member clients after the first update has been performed. At some point after that, and before January 8, 2021, you must:

  1. Log in to the Foundry customer admin portal
  2. Navigate to Settings –> Single Sign-on
  3. Edit your identity provider configuration
  4. Change the EVERFI SAML Certificate to the newest one, which is called “EVERFI Certificate 2020 – 2022 (Expires Oct 6, 2022)”
  5. Save the identity provider settings

If your institution has multiple accounts in Foundry then you must do this for each account.

After this update, Foundry will begin to sign its SAML messages with the newest certificate. Since the Foundry service provider in your identity provider supports either the old or new certificate for signing, SSO and SLO will continue to operate successfully.

Step 3 – Second InCommon Registry Update

To complete the rotation, EVERFI will perform a second update to the service provider entries for our InCommon member clients. We will run this update the day the old certificate expires. Before running this update, EVERFI will check multiple times whether you have performed Step 2, and remind you to do so if you have not. If you have not performed this update by the expiration date of the certificate, then EVERFI will do Step 2 for you.

The second InCommon service provider registry update will do the following:

Property                Before    First Registry Update    Second Registry Update
Signing Certificate     Old       Old and New              New
Encryption Certificate  Old       New                      New

As illustrated in the table above, this InCommon registry update removes the old Foundry certificate as a signing certificate.

Specifically, the actions in Step 3 are the following:

  1. EVERFI updates the service provider registry in InCommon to remove the old Foundry certificate
  2. Typically, when EVERFI updates an InCommon service provider entry, the update happens quickly.
  3. At some point after InCommon accepts the update, InCommon will publish the updated registry.
  4. Your identity provider will receive the update.
  5. Your identity provider will update the Foundry service provider as described in the table above, or you will do it manually.

After this update completes, the old certificate is completely rotated in favor of the new certificate. SSO and SLO will continue to operate without interruption during the updates in Step 3.
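The two tables above describe three states of the Foundry service provider entry as your identity provider sees it: before the first registry update, after the first update (old and new signing certificates, new encryption certificate only), and after the second update (new certificate only). The following is an added example, not code from EVERFI or InCommon, that an identity provider administrator could use to confirm which state the Foundry SP metadata their IdP has loaded is actually in. It parses standard SAML 2.0 SP metadata, groups the KeyDescriptor certificates by use (a KeyDescriptor with no use attribute applies to both signing and encryption), fingerprints each certificate, and compares the result against the expected state. The metadata documents, entity ID and certificate bodies are constructed placeholders; in practice you would load your IdP’s copy of the Foundry metadata and the fingerprints of the real old and new certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies. Real metadata carries
# base64-encoded DER certificates; only the bytes matter for fingerprinting.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-foundry-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-foundry-cert").decode()


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the base64 certificate body (whitespace ignored)."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


OLD_FP = fingerprint(OLD_CERT_B64)
NEW_FP = fingerprint(NEW_CERT_B64)


def key_descriptors(metadata_xml: str) -> dict:
    """Return {'signing': {fp, ...}, 'encryption': {fp, ...}} for the SP.

    Per the SAML metadata spec, a KeyDescriptor without a 'use' attribute
    is valid for both signing and encryption, so it is counted under both.
    """
    root = ET.fromstring(metadata_xml)
    out = {"signing": set(), "encryption": set()}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in ("signing", "encryption") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fp = fingerprint(cert.text or "")
            for u in uses:
                out[u].add(fp)
    return out


def rotation_phase(keys: dict, old_fp: str, new_fp: str) -> str:
    """Map the loaded key set onto the states in the rotation tables."""
    signing, encryption = keys["signing"], keys["encryption"]
    if signing == {old_fp} and encryption == {old_fp}:
        return "before"
    if signing == {old_fp, new_fp} and encryption == {new_fp}:
        return "after-first-update"
    if signing == {new_fp} and encryption == {new_fp}:
        return "after-second-update"
    # Anything else (e.g. old encryption cert still present, or an unknown
    # certificate) is worth investigating before the old certificate expires.
    return "unexpected"


def build_metadata(signing=(), encryption=(), both=(),
                   entity_id="https://sp.example.invalid/foundry") -> str:
    """Construct a minimal SP EntityDescriptor for testing (placeholder entity ID)."""
    def kd(cert, use=None):
        attr = f' use="{use}"' if use else ""
        return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
                f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
                "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
    body = "".join([kd(c, "signing") for c in signing]
                   + [kd(c, "encryption") for c in encryption]
                   + [kd(c) for c in both])
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="{entity_id}"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{body}</md:SPSSODescriptor></md:EntityDescriptor>")


if __name__ == "__main__":
    samples = {
        "before": build_metadata(signing=[OLD_CERT_B64], encryption=[OLD_CERT_B64]),
        "first": build_metadata(signing=[OLD_CERT_B64, NEW_CERT_B64], encryption=[NEW_CERT_B64]),
        "second": build_metadata(signing=[NEW_CERT_B64], encryption=[NEW_CERT_B64]),
    }
    for label, xml in samples.items():
        print(label, "->", rotation_phase(key_descriptors(xml), OLD_FP, NEW_FP))
```

The check is deliberately strict: after the first registry update the encryption set must contain only the new certificate, because an identity provider that kept the old certificate for encryption could still encrypt Assertions that Foundry, once switched to the new certificate in Step 2, would no longer be configured to decrypt. Running this against the metadata your IdP actually loaded (rather than the InCommon registry) is what tells you whether the automatic update described in the requirements section really happened.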


FAQ

A: EVERFI would prefer to update all InCommon members at the same time, for simplicity. If you need to perform these updates on a different timetable, please contact your EVERFI representative to discuss.

A: Generally, EVERFI prefers for our clients to manage their own identity provider settings in the customer admin portal, in order to prevent communication and timing mistakes. The Foundry identity provider configuration works in tandem with your own identity provider, and since EVERFI cannot configure your identity provider, it’s best for you to make any adjustments to the Foundry identity provider configuration since you are the only party who has configuration access to both systems. In the case that your identity provider does not meet the system requirements described above, EVERFI is concerned that this update could cause a disruption to SSO and we do not want to cause that.

That being said, if you have not performed Step 2 by the time the Foundry certificate expires, EVERFI will do this for you for your convenience. We will communicate to you periodically to make this update if you have not already.

Q: My identity provider does not support multiple signing certificates. What do I need to do?

A: Contact your EVERFI representative and we will work with you on the rotation.

Q: My identity provider does not automatically apply InCommon registry updates to service providers. How do I handle this?

A: EVERFI will let you know when we update the InCommon registries. If your identity provider doesn’t automatically update, then you will need to update the Foundry service provider manually in Steps 1 and 3 above.