Overview of Single Sign-On in Foundry
Many partners wish to provide consumers with a seamless and easy experience when logging into their website and navigating from their site into EVERFI’s content. However, when faced with creating or remembering passwords for login, users can experience password fatigue, the negative feeling of having to create and remember many passwords; leading to user abandonment or the creation of insecure passwords. By implementing a Single Sign-On (SSO) system between the partner and EVERFI, users will be able to log into the partner’s website and navigate, as a logged in user, directly to EVERFI’s content, without creating a new account or re-entering their information.
Through SSO, the partner can ensure that their consumers receive the full experience of EVERFI’s content, including tracking of playlist completion, which is important for saving progress and activation of incentives upon completion of a playlist. The partner benefits from this because users are more likely to be motivated and engaged when they can see they are advancing towards a goal, and it enhances the ability to collect meaningful data.
Foundry’s Single Sign-On (SSO) system is built using SAML 2.0, a standard that, when used, provides a process to request, validate, and approve login attempts without forcing the end user to create or re-enter their username and password. There are two main ways the SAML protocol is used. Both are explained below.
Process Map: Service Provider Initiated Login
The process map above shows the flow of data when someone clicks to use SSO to sign into an application. EVERFI, in this scenario, is the service provider. When a learner attempts to log into EVERFI’s platform they are presented the option of logging in with their organization’s credentials. Upon choosing this option the platform sends a request to the organization’s directory to verify that the person logging in has approved credentials, and then allows them to log in when verified. This will be the preferred way to log in student learners.
To achieve this, our customers need to provide us with the appropriate information to verify these credential requests.
Process Map: Identity Provider Initiated Login
The process map above shows the flow of data when someone initiates their login from an internal portal (i.e. partner’s website) controlled by their organization. EVERFI is the service provider (SP), and the partner is the identity provider (IdP). In this scenario, a user within an internal portal for their org clicks on a link to log into EVERFI’s platform. This will send a request to Foundry with the user’s login credentials. If verified, they will be logged in. If the account does not exist yet, Foundry will automatically create a new account and log the user in. This process occurs quickly. The user will not be asked for more information and will likely not notice the transition.
To achieve this flow, you will need to configure your IdP to send a SAML assertion with the necessary user attributes to the assertion consumer service URL specified in the metadata provided to you. This interaction all follows the SAML 2.0 specification.