This information applies to you only if you started your SSO implementation before May 9, 2019

Overview

On May 9, 2019, Foundry changed the naming pattern for the Entity ID and SAML URLs for Foundry as a service provider to provide more flexibility for our partners in their single sign-on setups.

End users who perform single sign-on won’t be able to tell the difference between the new way the legacy way; these changes are backend changes.

If you began your SSO implementation prior to this change, your SSO process will continue to operate, but you will need to switch to the new model by approximately January 2021.

The Entity ID is an important property in SAML because it is the unique name of a SAML service provider. Previously, the Foundry EntityID was https://fifoundry.net/saml/sp. With this change, each organization will have its own personal Entity ID, with the organization “slug” added to the Entity ID and to service URLs. For example, if your organization slug is acme then the before and after values are:

Property Before After
Entity ID
https://fifoundry.net/saml/sp https://fifoundry.net/acme/saml/sp
SSO/ACS URL
https://admin.fifoundry.net/saml/acs https://admin.fifoundry.net/acme/saml/acs
SLO URL
https://admin.fifoundry.net/saml/logout https://admin.fifoundry.net/acme/saml/logout
P

At the same time, we need for all partners running the old model to migrate to the new model in order to switch to the next EVERFI x.509 certificate that is expected to be released around July 2020. Timing your switch to a new certificate is a good opportunity to also switch to the new Foundry Entity ID and service URLs.

Steps to Migrate

Contact customer support to add a request to migrate to the new SAML model.

General FAQ

Q: Why did you change this?

A: Many partners have multiple organizations in Foundry that all authenticate to the same identity provider, and/or they have two or more service provider configurations for Foundry. It was not possible to support these scenarios with a single EntityID and fixed service URLs for all of Foundry. To support multiple SSO configurations for the same identity provider, we needed to give each Foundry organization its own unique EntityID and service URLs to distinguish each organization.

Q: The old model worked for us. Do we have to switch?

A: Yes, all SSO configurations running the old model need to switch in order to use the next EVERFI x.509 certificate which is targeted for release approximately July 2020. The current certificate expires January 7, 2021. To streamline application our code base and minimize complexity, we want to support only the new model in the long run.

Q: What happens if I don’t switch in time?

A: We plan to deprecate the legacy functionality close to when the current EVERFI certificate expires which is January 7, 2021.

Q: Something went wrong in the migration. Can I switch back to the old way?

A: Please contact customer support. This process cannot be reversed through the application. We recommend you schedule this migration at a time where you anticipate low usage to allow for any issues in migration.

Q: Can I run the old model and new model in parallel to have a phased switch over?

A: No, this is not possible. This is why we recommend migrating during the same time you switch certificates, since the certificate rotation will make SAML temporarily inoperable anyway.

Q: Can I migrate to the new model before the next EVERFI x.509 certificate is released?

A: Yes, and we encourage you to do so. You don’t have to migrate to the new model and also switch to the newer x.509 certificate at the same time, but you must migrate to the new model on or before you change to the new x.509 certificate.

Setup FAQ

Q: I have two identity provider configurations in Foundry for the same organization. Each authenticates to a different identity provider. Can I run one in legacy mode and the other in the new mode?

A: No. All the IDP configurations for a Foundry organization must use the same SSO model.

Q: My Foundry organization needs to have two identity provider configurations in Foundry. Can each of these setups have different Entity IDs and service URLs?

A: No. All the Foundry service provider configurations within a single Foundry organization have the same Entity ID and service URLs.

Q: How can I know if my Foundry organization is using the new SSO model or the legacy SSO model?

A: The easiest way to find out is to log in to Foundry, navigate to the identity providers page, and download the EVERFI SAML metadata. Open the metadata file in a text editor, and search the file for entityID. You will see this value near the top of the file. If the URL in the entityID has your organization slug in the URL as shown in the examples above, then you are operating on the new model.

Q: What if my organization slug (e.g. acme) changes? Will this break SSO?

A: Yes, changing your organization slug will consequently change the Entity ID and SSO/SLO URLs. You would need to update your identity management system’s service provider configurations for Foundry accordingly. Generally, EVERFI will never change your organization slug once it is established, because this slug is part of the URL path for many webpages. The only time you would want to change your slug is if your organization changes names or brands, and this change would need to be done deliberately and carefully to ensure there are no broken links.

Q: As a partner, can I change my organization slug myself?

A: No, this setting can only be changed by EVERFI.