Resource Hub | EVERFI

Platform Selector

InCommon Federation and Foundry

Eligibility

In order for EVERFI to manger your service provider through InCommon, we require that your identity provider system meet the following two requirements. Based on EVERFI’s interpretation of Signing and Encryption Keys in InCommon Federation, we believe that any identity provider that is in the InCommon Federation meets these requirements. We need you to confirm that your system satisfies these two requirement in order for EVERFI to successfully perform routine certificate rotations within InCommon.

Identity Provider Requirements

EVERFI assumes the following about your identity provider setup:

Your identity provider supports multiple signing certificates for a service provider like EVERFI’s Foundry.
Your identity provider automatically updates the Foundry service provider in response to updates to the associated InCommon registry, or you have a process in place to manually apply such updates.

How to Request

If your organization is a member of the InCommon Federation, and you would like to manage Foundry as a service provider in the InCommon registry, the follow these steps:

Request to your EVERFI customer success manager that you would like for Foundry to have an InCommon service provider entry for your organization. Each organization in EVERFI has a personalized single sign-on URL so EVERFI must to register a separate SP entry for each EVERFI customer.
EVERFI will provision a new service provider in InCommon within 2 to 3 business days of your request.
EVERFI will inform you when the service provider entry for your institution has been added to InCommon. The name of the service provider will be “EverFi Foundry – YOUR INSTITUTION NAME”, for example, “EverFi Foundry – Wossamotta University”.
In your identity provider, set up EVERFI as you would for any service provider that is in InCommon.
In Foundry, you will add an identity provider configuration that describes your identity provider to Foundry. See steps 2 and 3 on the Single Sign-On (SSO) page for more details.
Test your single sign-on as described on the previously linked page.

FAQ

SPSSODescriptor and WantAssertionsSigned="true"

Q: I realize that Foundry requires the Assertion of SAML Responses to be signed by the identity provider. But in the InCommon service provider for my organization, in SPSSODescriptor, you do not have the attribute WantAssertionsSigned="true". Will you please add this attribute?

A: It appears that InCommon does not currently support this metadata attribute. Therefore, you will need to ensure that your identity provider signs the assertions for the Foundry service provider. For more information, see Metadata-Support] support for WantAssertionsSigned in FM | InCommon

Foundry Certificate Rotation

Q: How do I handle the Foundry SAML x509 certificate rotation?

A: See Foundry SAML Certificate Rotation for InCommon Members.

How can I know if EVERFI has added my institution to InCommon?

Q: We are InCommon Federation members. How can I know if we have already asked EVERFI to put our Foundry organization into InCommon as a service provider? I am new to my job and I’m not sure if this was done in the past or not.

A: Here is how you can tell. Optionally, simply ask your EVERFI contact person and we’ll find out for you.

Navigate to InCommon at: https://incommon.org/federation/incommon-federation-entities/
Click the tab for SPs (service providers)
Navigate to the “E” listings for EVERFI
You’ll see many listings for “EverFi Foundry -“. Look for your institution in this list.