What is Single Sign-On (SSO)?
Single Sign-On (SSO) is a login method that allows you to access multiple internet applications through one password-protected website. This means you can quickly and securely access different applications (such as EVERFI) without having to remember a separate username/password. Need a primer on SSO jargon? Check out our SAML Glossary.
Why it Matters
SSO is not required for schools and organizations, but is an option many choose to use because it allows users to use the same username/password for their EVERFI courses as they do for their school or organization’s portal.
How you will use Single Sign-On (SSO)
You will use SSO to log in to your EVERFI course(s). If you are using SSO, your login URL for EVERFI courses will vary depending on your organization or school district. Note: If you are not using SSO, your login URL will include “fifoundry.net”.
SAML System Requirements
In order to implement SAML Single Sign-On, read our SAML Single Sign-On System Requirements.
Before you can use SSO as your login method on Foundry, SSO must first be set up for your school or organization; check with your customer success manager to turn on SSO. The steps to implement SSO are outlined below. Click on the headings for more details.
- Introduction to SSO in Foundry
- A basic overview
- Identity Provider Setup – Checklist
- The checklist of items you need before configuring your Identity Provider (IdP)
- Identity Provider Setup – Steps
- The steps to configuring your Identity Provider (IdP)
- Validating your SSO Setup
- Test cases to verify the SSO and SLO setup between Foundry and your Identity Provider is correct
- Common troubleshooting cases and their solutions
- Foundry SSO with SAML Tracer – guide to recording a log of SAML messages during SSO and SLO, for diagnostics and troubleshooting
- Frequently Asked Questions (FAQ)
- Common questions and their answers
- SAML NameID and EVERFI SSO ID
- See User Registration in Single Sign-On for details on how you can create new users during SSO
- Single Logout
- How to configure SAML Single Logout
- EVERFI X.509 Certification Rotation
- In Depth topic: Instructions on how to set up the public certificate
Identity Provider Setup Guide
If you operate one of the following identity providers, see the guide for tips on configuring EVERFI as a service provider in your identity provider.
- Google’s G Suite can operate as a SAML 2.0 identity provider with Foundry as a service provider as described at Set up your own custom SAML application | Google.
- Microsoft AD FS SAML Single Sign-On Integration to EVERFI Foundry
- Microsoft Azure SAML SSO to EVERFI Foundry
- Okta SAML Single Sign-On Integration to EVERFI Foundry
- OneLogin SAML Single Sign-On Integration to EVERFI Foundry
In addition to the instructions for specific identity provider products above, here are some general tips on setting up Foundry as a service provider in your identity provider:
- Use the Foundry SAML service provider metadata file to create the service provider in your identity provider.
- See SAML Single Sign-On System Requirements for requirements and recommendations. Give careful thought to which field to use for NameID, as described in the linked page, as you must ensure that Foundry users have the same value in their SSO ID field.
- Most IdPs need you to assign groups or roles to the service provider to grant your users access to the service provider. These group(s) should encompass all the learners who ultimately are or should be in Foundry. Unless you have just-in-time user provisioning enabled, it’s not problematic if you “over assign” permissions because ultimately a user will not be able to gain entry to Foundry unless they are already a learner in Foundry. Nevertheless, you should strive to ensure that the groups/roles assigned to the service provider are as close as possible to the active learners who are in Foundry. If a user attempts to SSO and gets an error like “The signed in user ‘jsmith77’ is not assigned to a role for the application ‘EVERFI Foundry’” or similar text, this is likely because the user has authenticated successfully to your identity provider, but they are not in a group/role assigned to the Foundry service provider.
- Foundry does support just-in-time user provisioning but that feature is appropriate for only a narrow set of use cases, one of which is if you are using SSO for financial education. See SSO User Registration for more.
- At this time, we do not recommend automatic updates to the Foundry service provider based on monitoring the Foundry SAML SP metadata URL, although we do plan to support that in 2021 or later.
- Foundry generally uses the same X.509 certificate for both signing and encryption, although during certificate rotation windows Foundry will accept both the old and new certificate for encryption to provide flexibility during the rotation window. See SSO: EVERFI X.509 Certification Rotation for more details.
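
An added example, not EVERFI's code: a Python check that reads a SAML 2.0 service provider metadata file and lists the certificate fingerprints it declares for signing and for encryption, so you can tell a rotation window (more than one encryption certificate) from the steady state described in the last tip. The metadata, entityID and certificate bytes are constructed placeholders, and `sp_keys` and `rotation_status` are hypothetical helper names.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not EVERFI's).
OLD = base64.b64encode(b"constructed-old-cert").decode()
NEW = base64.b64encode(b"constructed-new-cert").decode()

def _kd(use, cert_b64):
    """Build one constructed KeyDescriptor element for the sample below."""
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed sample modelling a rotation window; the entityID is a placeholder.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://sp.example.invalid/saml"><md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd("signing", NEW) + _kd("encryption", OLD) + _kd("encryption", NEW)
    + '</md:SPSSODescriptor></md:EntityDescriptor>')

def sp_keys(metadata_xml):
    """Return SHA-256 fingerprints of the SP certificates, grouped by use."""
    # For metadata fetched over the network, prefer a hardened parser (defusedxml).
    root = ET.fromstring(metadata_xml)
    keys = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute applies to both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fp = hashlib.sha256(der).hexdigest()
            for use in uses:
                if fp not in keys[use]:
                    keys[use].append(fp)
    return keys

def rotation_status(keys):
    """Classify the metadata by how many encryption certificates it lists."""
    enc, sig = set(keys["encryption"]), set(keys["signing"])
    if len(enc) > 1:
        return "rotation-window"   # old and new encryption certs both listed
    return "steady-state" if enc == sig else "separate-keys"

if __name__ == "__main__":
    found = sp_keys(SAMPLE_METADATA)
    print(rotation_status(found), found)
```

Comparing the fingerprints against the certificates configured in your identity provider shows whether it already trusts every certificate the metadata lists.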