Add an Identity Provider

The steps for describing your Identity Provider to Foundry are outlined below. Please make sure to review the data checklist first.

Once you’ve collected the necessary data about your organization’s identity provider, you are ready to enter it into EVERFI’s Customer Admin Portal.

  1. Log into EVERFI’s Customer Admin Portal. To do this, use the URL provided for your organization. When you get to the login page, type in your login credentials. You will need your email and password for this step.
  2. Once logged in, find Settings in the sidebar and click on it.
  3. The Single Sign-on option will appear in the drop-down menu; click on it to navigate to the SSO configuration page.
    • If you don’t see this link, your organization hasn’t been enabled for SSO yet. Contact your EVERFI contact for assistance.
  4. Open the View Metadata link to access the service provider SAML metadata for Foundry. Depending on how you add a service provider to your identity provider you may:
    • Click the Download link to download EVERFI’s SAML metadata file.
    • Alternately, depending on your identity provider setup tools, you can copy the individual SAML properties (entity ID, ACS URL, etc.) and paste them into the Foundry service provider entry in your identity provider.
    • Download Foundry’s X.509 certificate file.
  5. If you wish to disable the ability to log in with a local password in Foundry, and only allow users to authenticate via your identity provider, then set the Use SSO Exclusively toggle to on.
  6. Click New Identity Provider to create a new SSO configuration.
  7. Enter the Display Name of the SSO Provider.
    • For SP-initiated SSO, this text is what will be displayed on the button for users to login through your organization’s identity provider.
  8. Check the Allow service provider initiated login checkbox if you want to allow SP-initiated SSO.
  9. Check the Also log users out of this provider when logging out of Foundry checkbox if you want the user to be logged out of their identity provider system when they log out of Foundry. You must also have the Single Logout URL property filled in for the IDP, and your IDP must support single log-out. See SAML Single Logout for more.
  10. In SAML Certificate, select the newest EVERFI X.509 Certificate from the dropdown. See EVERFI X.509 Certificate for more.
  11. In the Technical Contact section, enter the name, phone number and email address of a technical support contact at your organization. If a user attempting to single sign-on encounters an error message, the error page will output these fields so the user can seek assistance. These fields are optional, but we recommend you provide contact information to help users resolve SSO issues if they get stuck. Foundry will also send automated informational emails to this email address alerting you to important concerns, such as your X.509 certificate nearing its expiration date.
  12. In the SSO Metadata section, you will provide properties about your identity provider. You may do this in one of three ways:
    • Enter the metadata URL of your identity provider
    • Upload your IDP’s SAML metadata file
    • Enter the properties into a form, referring to the information from the integration checklist you compiled earlier
  13. Check Allow automatic registration during SSO if you wish to have new users created automatically during SSO when the user does not already exist in Foundry; see User Registration in Single Sign-On for more details.
  14. Check the Suppress Welcome Emails to users created via SSO checkbox if you don’t want users who are created during SAML SSO to get a welcome email.

The next three steps are relevant only if you checked Allow automatic registration during SSO. The Default User Type, Role and Location should be specified to set those properties for any users who get created during SSO. Note that all three of these properties can be overridden if desired by setting specific SAML Attributes as described below. The Default User Type, Role and Location apply only to new users; they do not affect existing Foundry users.

  15. Select Default User Type from the drop-down menu.
  16. Select Default User Role from the drop-down menu.
  17. Select the Default Location from the drop-down menu. Note that this property is not used for some lines of business, including financial education.
  18. If you checked Allow automatic registration during SSO then you must map the first name, last name and email SAML attributes. You may optionally map a SAML attribute for location, user type and role if you wish to override the default values for a particular user.
    • The Foundry User Property is the EVERFI property such as First Name, Last Name, etc.
    • The SAML Attribute is the attribute name in your IDP’s SAML Assertion.
    • Is Editable? specifies whether the user may edit their own information for that attribute, or a customer admin may edit that information, in EVERFI’s system only. If Is Editable? is not checked for a property, then for any user with an SSO ID, that property will not be editable by the user or by a customer admin.
    • To override the default user type, provide the desired user type in an Attribute in the SAML response’s assertion provided by your IDP. If you specify a user type, then the Assertion should also send an Attribute to override the default user role with a role that is applicable to the user type. For a list of the user type codes and the roles that go with each, see the rule_set and role section of the API documentation, which has a table listing them (user type codes are also known as rule_set). Note that you can only specify a user type that belongs in your account’s line of business.
    • To override the default user role, provide the desired role in an attribute in the SAML response’s assertion provided by your IDP. If you want to set the role, then the Assertion must also set the user type. You have the following options. Note that these values are lowercase:
      • If the user type is Employee Learner or Faculty/Staff Learner, then you can override the default user role with either supervisor or non_supervisor.
      • If the user type is Higher Education Student, then you can override the default user role with any of: undergrad, graduate, non_traditional or greek.
      • None of the other user types permit an override of the default user role.
    • To override the default location, provide the desired location name in an attribute in the SAML response’s assertion provided by your IDP. The value you send must be the Foundry location name, not the ID.

If you did not check Allow automatic registration during SSO then you may provide attributes for first name, last name, email, location or role if desired. If the SAML Assertion contains any of these Attributes then the existing user will be updated during SSO.

If the Assertion contains an Attribute for user type and also has an Attribute for role, and an existing user is logging in, then Foundry will give this user that type + role combination if they do not already have it. Foundry will not remove an existing type + role, only add a new one if it doesn’t already exist. If the Foundry user already has the provided user type but with a different role, then Foundry will change the user’s role to the provided role in the Attribute.
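The attribute mapping, the user type and role override rules, and the existing-user update behaviour described above, worked through in Python as an added example (not EVERFI or Foundry code). The SAML attribute names in ATTRIBUTE_MAP and the sample assertion are constructed for illustration; the user type labels are the names used on this page, not the codes from the API documentation.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SAML attribute names; use whatever names your IDP actually emits.
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail",
                 "user_type": "everfiUserType", "role": "everfiRole",
                 "location": "everfiLocation"}
# Role overrides permitted per user type (values are lowercase, as the page states).
ROLE_OVERRIDES = {
    "Employee Learner": {"supervisor", "non_supervisor"},
    "Faculty/Staff Learner": {"supervisor", "non_supervisor"},
    "Higher Education Student": {"undergrad", "graduate", "non_traditional", "greek"},
}
# Constructed sample assertion (not captured from a real IDP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="everfiUserType"><saml:AttributeValue>Employee Learner</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="everfiRole"><saml:AttributeValue>supervisor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Map the assertion's Attribute elements back to Foundry properties."""
    root = ET.fromstring(assertion_xml)
    by_saml_name = {v: k for k, v in ATTRIBUTE_MAP.items()}
    found = {}
    for attr in root.findall(".//saml:Attribute", NS):
        prop = by_saml_name.get(attr.get("Name"))
        if prop is not None:
            found[prop] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return found

def validate_override(attrs):
    """User type and role must be sent together, and the role must fit the type."""
    user_type, role = attrs.get("user_type"), attrs.get("role")
    if (user_type is None) != (role is None):
        raise ValueError("user type and role must both be sent, or neither")
    if user_type is not None and role not in ROLE_OVERRIDES.get(user_type, set()):
        raise ValueError(f"role {role!r} is not a valid override for {user_type!r}")

def apply_to_existing_user(user, attrs):
    """Overwrite mapped fields; add or re-role the type+role pair, never remove one."""
    validate_override(attrs)
    updated = dict(user, type_roles=dict(user.get("type_roles", {})))
    for prop in ("first_name", "last_name", "email", "location"):
        if prop in attrs:
            updated[prop] = attrs[prop]
    if "user_type" in attrs:
        updated["type_roles"][attrs["user_type"]] = attrs["role"]
    return updated
```

Running `apply_to_existing_user` on a user who already holds Employee Learner with the non_supervisor role changes only that role to supervisor and leaves any other type + role pairs in place.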

  19. Click Save when you are finished.

If you need assistance with configuring the new identity provider, you can contact your Customer Success Manager, and they will arrange the appropriate technical assistance.

Update an Identity Provider

SAML Attribute Map

If you need to correct a mistake in a SAML attribute map, for example the name of the attribute is incorrect, follow these steps:
  1. Edit the identity provider
  2. Press Remove to remove the incorrect attribute map
  3. Save the identity provider
  4. Edit the identity provider again
  5. In the SAML Attribute Map section, add the attribute by selecting the Foundry property from the dropdown and typing in the corresponding SAML attribute name, then press Add
  6. Save the identity provider

If you accidentally mixed up attributes, such as assigning the first name to the last name and vice versa, then Remove both attributes, save the identity provider, then add both attributes again, then save the identity provider.