When you configure EVERFI Foundry as a service provider in your identity management system, you will provide the Foundry X.509 public certificate that you get from the SAML metadata file you download from Foundry’s platform, or from downloading the certificate directly.
Every X.509 certificate has an expiration date. Continuing to use an expired certificate can cause single sign-on failures, because your identity provider may refuse to verify signatures with, or encrypt assertions for, a certificate that is no longer valid. Therefore, be sure your Foundry service provider configuration always has an unexpired Foundry X.509 certificate.
Around three months before the Foundry certificate expires, EVERFI will release a replacement certificate. Between that release and the expiration of the predecessor certificate, both certificates are active and supported. During this three-month window, Foundry clients using the older certificate must rotate to the new certificate. EVERFI will contact every client still using the older certificate when the new certificate is released, and will follow up several times with each client until everyone has rotated from the older to the newer certificate.
If you are currently live with an older Foundry X.509 certificate, and you are ready to update to the newer certificate, follow these instructions.
These instructions may vary based on your organization’s own identity management solution.
1. Save a copy of the older EVERFI X.509 Certificate
Before making any changes, keep handy the older Foundry SAML X.509 certificate you use today, in the unlikely event that you need to roll back your changes.
You may already have this certificate from when you first configured EVERFI as a service provider in your identity access management solution, or you may be able to extract/download it from the current service provider configuration in your system. If not, contact EVERFI to get these assets.
2. Identify the places in your Identity Provider that use the Foundry Certificate
Note the places in your identity management system that currently use the Foundry certificate, so you’ll know exactly where you need to make these updates. Depending on your identity provider and how you have configured the EVERFI service provider, the EVERFI certificate might be present in one or multiple settings. Generally, a SAML service provider certificate serves two separate but related functions: signing (your identity provider uses it to verify the signature on requests Foundry sends, such as authentication and logout requests) and encryption (your identity provider uses it to encrypt the assertions it sends back to Foundry). While some applications use a different certificate for each function, Foundry uses the same certificate for both. When you update the Foundry certificate, be sure to update it in every place your identity system uses it.
3. Download New Foundry Certificate
Log in as an admin to Foundry’s customer admin portal and navigate to Settings → Single Sign-on, click View EVERFI SAML Metadata, then click Download encryption certificate.
Put the downloaded certificate file in a location that is accessible to your identity provider. For example, if your identity provider runs on a remote server, copy the file to that server or to a location it can read.
Note: some identity providers may require the encoded certificate text rather than a file. In this case, copy the certificate text and paste it into a plain-text editor (one that will not reflow lines, insert smart quotes, or otherwise auto-format the text) for later use.
4. Update your Identity Access Management System
In your identity access management system’s service provider configuration for Foundry, update that configuration to have the newer Foundry certificate in all the place(s) the certificate is used. Depending on your specific identity provider and configuration, you will likely need to update the signing certificate and encryption certificate.
5. Update Identity Provider configuration in Foundry
As soon as you update your identity access management solution to use Foundry’s latest X.509 certificate, you will need to make a corresponding update in Foundry to indicate which EVERFI certificate your identity provider is using, the old or the new.
Log in as an admin to Foundry’s customer admin portal and navigate to Settings → Single Sign-on, edit your Identity Provider, and select the newest EVERFI SAML Certificate.
After updating this setting to use the newer certificate, save your identity provider settings in Foundry.
6. Test the Update
Last, test single sign-on scenarios, including a sign-in initiated from the identity provider website, and also from the service provider (Foundry) if you have enabled SSO initiated from the service provider.
Also test single logout if enabled.
Q: I have a couple of certificate files. How can I figure out which one is which?
A: Open the file in a plain-text editor that won’t try to format the certificate as though it’s a normal document. Then go to https://www.sslshopper.com/certificate-decoder.html and follow the instructions to decode it and read its expiration date. The newer EVERFI certificate expires in October 2022 (not released yet) and the older one expires January 7, 2021.
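The question above (telling two certificate files apart) and the three-month rotation window described earlier can both be checked locally with openssl, without pasting the certificate into a third-party website. The script below is an added example and is not EVERFI’s code or part of this page; it assumes openssl is installed, and the two self-signed certificates, their subject names and the SAML metadata file it works on are constructed inline to stand in for the real Foundry artifacts. It also shows that a certificate pulled out of the SAML metadata file has the same fingerprint as the same certificate downloaded directly, which is how you confirm the two sources in your configuration really are the same certificate.

```shell
#!/bin/sh
# Added example, not EVERFI's code: inspect SAML service-provider certificates
# locally with openssl. Assumes openssl is installed; all inputs are constructed.
set -eu

# Subject, validity window and SHA-256 fingerprint of a PEM certificate file.
cert_info() {
  openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# SHA-256 fingerprint only (hex, colon separated), for comparing two files.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Succeeds if the certificate is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeeds if the certificate expires within the 90-day window during which
# the replacement certificate is expected to be available, i.e. rotate now.
cert_needs_rotation() {
  ! cert_valid_for "$1" $((90 * 24 * 3600))
}

# Pull the N-th <X509Certificate> element (any namespace prefix) out of a SAML
# metadata document ($1, index $2) and write it as PEM ($3). Metadata carries
# only the base64 body, so the PEM armour is re-added and lines folded to 64.
cert_from_metadata() {
  {
    echo "-----BEGIN CERTIFICATE-----"
    tr -d '[:space:]' < "$1" \
      | grep -o '<[^<>/]*X509Certificate>[^<]*' \
      | sed -n "${2}p" \
      | sed 's/^<[^>]*>//' \
      | fold -w 64
    echo "-----END CERTIFICATE-----"
  } > "$3"
}

# Constructed fixtures: two throwaway self-signed certificates stand in for an
# older service-provider certificate (30 days left) and its replacement (400
# days), plus a hand-written SP metadata file that, like Foundry's, lists the
# same certificate under both the signing and the encryption KeyDescriptor.
WORK=$(mktemp -d)
make_demo_cert() {  # days subject out.pem
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$3" -days "$1" -subj "/CN=$2" >/dev/null 2>&1
}
make_demo_cert 30 sp-old "$WORK/old.pem"
make_demo_cert 400 sp-new "$WORK/new.pem"

BODY=$(sed '/-----/d' "$WORK/new.pem" | tr -d '\n')
cat > "$WORK/metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF

# The second (encryption) certificate in the metadata, back as PEM.
cert_from_metadata "$WORK/metadata.xml" 2 "$WORK/from_metadata.pem"

for f in old new from_metadata; do
  echo "== $f.pem"
  cert_info "$WORK/$f.pem"
  if cert_needs_rotation "$WORK/$f.pem"; then echo "rotate now"; else echo "ok"; fi
done
```

Run it on the real files by calling `cert_info old.pem new.pem`-style one file at a time: the `notAfter=` line tells you which certificate is which, and a matching `cert_fingerprint` between the metadata extract and the directly downloaded file confirms both sources carry the same certificate. The 90-day threshold in `cert_needs_rotation` is chosen to match the rotation window described on this page; adjust it if your own policy differs.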
Q: We use InCommon with Foundry. How will the certificate rotation be handled?
A: EVERFI will communicate with our schools using InCommon to manage the rotation. We tentatively plan to rotate all the InCommon entries and the related Foundry configuration to the new certificate on or around the weekend of November 7-8, 2020. This time period is normally a less active time in the academic year so any potential disruption to single sign-on at that time should be minimal.
Q: My own organization’s x509 certificate is expiring. How do I update this in Foundry?
A: Log in to Foundry as an administrator and navigate to Settings → Single Sign-On. Edit your identity provider configuration, paste in the new certificate text or fingerprint to update the field, and save the IdP configuration. Be sure to make any necessary updates to the Foundry service provider entry in your identity provider at the same time, so that the certificate your identity provider signs with and the one Foundry expects always match.
Q: Which EVERFI products does this apply to?
A: EVERFI has single sign-on in various products, but the information on this page applies only to Foundry, which also includes our Financial Education elective learning platform.
Q: I have multiple identity providers in Foundry. How do I manage that?
A: For each identity provider configuration you have in Foundry, you will need to rotate the certificate.
Q: The expiration date has passed but we haven’t rotated our certificate. What’s going to happen?
A: First of all, please rotate your certificate as soon as possible.
We cannot say for sure what will happen because each identity provider is different. Foundry itself will not block SSO when the Foundry certificate is expired, but your identity provider might refuse to verify signatures with, or encrypt assertions for, an expired certificate, in which case sign-in will fail until you rotate.