How to Configure a New Identity Provider
Within EVERFI’s platform, configuring your SAML 2.0 Identity Provider (IDP) is a matter of entering the appropriate metadata; it takes only a few minutes. You will also need to do the mirror-image setup in your own identity management solution, configuring Foundry there as a service provider (SP).
For partners currently using non-SAML SSO protocols, a period of technical exploration is needed to discover the feasibility of integrating SAML 2.0 directly into their systems or perhaps choosing to use a Federated Identity Management tool, such as Okta, to implement the SSO connection.
Once partners have configured their identity provider in EVERFI’s platform, it is up to them to create the links on their websites that lead to EVERFI’s content. When the links are in place, the partner tests the SSO connection by navigating to EVERFI’s content and logging in via their organization with their own valid user accounts, as described in SSO Testing.
To get started, the list below shows the data you will need to collect before attempting to set up your identity provider in EVERFI’s Customer Admin Portal. Please review the checklist below before proceeding to the integration steps.
❏ A download of EVERFI’s SAML metadata file (see SSO Setup for how to get the Foundry SAML metadata file)
❏ Configuration Options: request one of the following from your IT team (options 1 & 2 are recommended):
❏ Option 1: the SAML metadata URL for your organization’s IDP
❏ Option 2: the SAML metadata file for your organization’s IDP
Option 3 (manual configuration):
❏ Entity ID — this is a globally unique name for a SAML entity and is often in the form of a URL
❏ Login URL — the IDP’s single sign-on endpoint. During SP-initiated SSO the user is redirected to this URL, carrying Foundry’s SAML AuthnRequest.
❏ Logout URL (optional) — the identity provider’s single logout endpoint, if any. When the user logs out of Foundry, Foundry posts a SAML LogoutRequest to this URL so that the user is also logged out of the IDP. If the identity provider does not provide one, the user is simply redirected to the portal after logging out of Foundry. See SAML Single Logout for more details.
❏ IDP Certificate Algorithm — the hash algorithm used to calculate the fingerprint (below), given as its algorithm URI rather than a plain name, e.g. http://www.w3.org/2001/04/xmlenc#sha256 for SHA-256.
❏ IDP Certificate — the X.509 public certificate that your identity provider uses to sign its SAML assertions. Providing the full certificate is preferable to providing only a fingerprint.
❏ IDP Certificate Fingerprint — as an alternative to providing the full certificate, you may instead provide the fingerprint of the certificate the identity provider uses to sign its SAML assertions. Use SHA-256 rather than SHA-1, and remember that the fingerprint (like the certificate) must be updated whenever the IDP rotates its signing certificate. You may find this tool helpful in calculating the fingerprint; on a machine with OpenSSL, openssl x509 -in idp.crt -noout -fingerprint -sha256 prints the same value.
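Options 1 and 2 and option 3 carry the same information: the IDP’s metadata document contains the entity ID, the single sign-on and single logout endpoints and the signing certificate, and the fingerprint is just a hash of that certificate’s DER bytes. The following is an added example, not EVERFI/Foundry code, showing how the manual fields fall out of a metadata document; the entity ID, URLs and certificate in the sample metadata are constructed placeholders (the “certificate” is a dummy base64 blob, not a real X.509 certificate), and the function names are this example’s own.

```python
"""Derive the option-3 (manual) fields from an IDP's SAML 2.0 metadata.

Added example for this page, not EVERFI/Foundry code. The metadata below is
constructed: the entity ID and URLs are placeholders and the certificate is a
dummy base64 blob, not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SAML 2.0 binding identifiers; the SP's own metadata states which one it uses.
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Fingerprint algorithms expressed as the URIs the algorithm field expects.
FINGERPRINT_ALGORITHMS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
}

# Constructed stand-in for the base64 DER that a real <ds:X509Certificate> carries.
FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()

SAMPLE_IDP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.edu/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.edu/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.edu/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def fingerprint(cert_b64: str, algorithm: str = "sha256") -> str:
    """Colon-separated, upper-case hex digest of the DER certificate.

    The base64 text inside <ds:X509Certificate> is the DER encoding, so hashing
    the decoded bytes gives the value `openssl x509 -fingerprint` prints.
    Whitespace (line wrapping in metadata) is ignored.
    """
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str, binding: str = REDIRECT) -> dict:
    """Extract entity ID, login/logout URLs and signing certificate from IDP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IDP metadata")

    def location(service: str):
        # Pick the endpoint whose Binding matches what the SP will actually use.
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    # Only keys usable for signing matter for verifying assertion signatures;
    # a KeyDescriptor with no 'use' attribute may serve both signing and encryption.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    certs = ["".join(c.split()) for c in certs if c]
    if not certs:
        raise ValueError("no signing certificate in metadata")

    login_url = location("SingleSignOnService")
    if login_url is None:
        raise ValueError(f"no SingleSignOnService with binding {binding}")

    return {
        "entity_id": root.get("entityID"),
        "login_url": login_url,
        "logout_url": location("SingleLogoutService"),  # optional, may be None
        "certificate": certs[0],
        "fingerprint_algorithm": FINGERPRINT_ALGORITHMS["sha256"],
        "fingerprint": fingerprint(certs[0], "sha256"),
        # More than one signing cert usually means a key rollover is in progress.
        "extra_signing_certs": len(certs) - 1,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run this against real metadata: the document may list several SingleSignOnService endpoints with different bindings, so pick the one matching the binding your SP uses, and a second signing KeyDescriptor usually means the IDP is mid-rotation, in which case a fingerprint-only configuration will break when the old key is retired.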
Just-in-Time User Provisioning
If you wish to have users who are not already in Foundry to be automatically created during a successful single sign-on, then complete the remaining items. See SSO New User Registration for more details.
❏ Default User Type and Role — define what the user type will be if not defined by the IDP at time of login. EVERFI’s implementation team will advise on the appropriate selection.
❏ Default Location – define what the default location should be for any new users.
❏ List of your organization’s SAML attribute names that correspond to EVERFI’s properties.
- Depending on the use case, various attributes may or may not need to be passed along. For example, to log in a user who already exists in the organization account on EVERFI’s platform, the only thing needed is the NameID in the SAML Subject; to register a new user the first time they come to the EVERFI platform, more attributes are necessary, such as first name, last name and email.
- Therefore, all attributes except the SAML Subject are optional at the SAML endpoint. If attributes required for your use case are missing, the SAML exchange itself will still succeed, but the user will be directed to an error page on the EVERFI platform and may not be logged in or registered. You may find this table helpful in compiling your list of SAML attribute mappings:
Foundry Property | SAML Attribute Name
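The failure mode described above (a SAML exchange that succeeds but leaves the user on an error page because the assertion lacked the attributes the use case needed) is easy to check for before go-live by running a captured assertion through your mapping table. The following is an added example, not EVERFI/Foundry code: the Foundry property names, the SAML attribute names in the mapping and the required-attribute sets per use case are all assumed for illustration, and the sample assertions are constructed (unsigned) test input. Signature, audience and timestamp validation are assumed to have already happened before this mapping step.

```python
"""Check a SAML assertion's attributes against a Foundry property mapping.

Added example for this page, not EVERFI/Foundry code. The property names, the
SAML attribute names and the per-use-case required sets are assumed; the real
values come from your IDP and from EVERFI's implementation team. The sample
assertions are constructed, unsigned test input.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Foundry property -> SAML attribute Name your IDP emits (assumed values).
ATTRIBUTE_MAP = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",   # LDAP 'mail'
    "first_name": "urn:oid:2.5.4.42",                # LDAP 'givenName'
    "last_name": "urn:oid:2.5.4.4",                  # LDAP 'sn'
    "user_type": "foundryUserType",                  # optional; the default applies if absent
}

# Properties required beyond the Subject NameID, per use case (assumed).
REQUIRED = {
    "login": set(),                                    # existing user: NameID is enough
    "register": {"email", "first_name", "last_name"},  # JIT provisioning needs a profile
}


def build_assertion(name_id, attributes):
    """Constructed test input: a minimal unsigned Assertion carrying the given attributes."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (NameID, {attribute Name: [values]}) from an Assertion, or a Response wrapping one."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in the document")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return name_id, attributes


def map_to_foundry(xml_text, use_case):
    """Apply ATTRIBUTE_MAP and report which required Foundry properties are missing.

    An empty 'missing' list means the assertion carries what the use case needs.
    A non-empty one is exactly the situation where the SAML exchange succeeds
    but the user cannot be registered and lands on an error page.
    """
    name_id, attributes = parse_assertion(xml_text)
    if not name_id:
        raise ValueError("Subject NameID missing: the SP cannot identify the user")
    mapped = {"name_id": name_id}
    for prop, saml_name in ATTRIBUTE_MAP.items():
        values = attributes.get(saml_name)
        if values and values[0]:
            mapped[prop] = values[0]
    missing = sorted(REQUIRED[use_case] - set(mapped))
    return mapped, missing


if __name__ == "__main__":
    sample = build_assertion("jdoe@example.edu", {"urn:oid:0.9.2342.19200300.100.1.3": "jdoe@example.edu"})
    for use_case in ("login", "register"):
        mapped, missing = map_to_foundry(sample, use_case)
        print(use_case, "mapped:", mapped, "missing:", missing or "none")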