EVERFI Signing Algorithm

EVERFI signs the SAML messages it sends (authentication requests, logout requests and logout responses) with the EVERFI SAML Certificate and the Signing Algorithm that you specify in the IDP configuration. This setting controls only Foundry's own signatures; it does not change how your identity provider signs the assertions and responses it returns to Foundry.

In mid-2021, Foundry began offering the option to sign its SAML messages (authentication requests, logout requests and logout responses) with the SHA-256 algorithm. SHA-1, the only algorithm Foundry previously used, is deprecated for digital signatures because practical collision attacks against it were demonstrated in 2017. Switching Foundry from SHA-1 to SHA-256 requires only the simple configuration change described below.

If you are setting up SSO for the first time, then we recommend using the SHA-256 algorithm from the start.

If you launched Foundry SSO with SHA-1 (the legacy algorithm) and want to upgrade to SHA-256, then follow the steps below to upgrade.

Confirm Upgrade Eligibility

  1. Make sure that Foundry isn’t already signing with SHA-256. Log in to Foundry as a customer admin, navigate to Settings > Single sign-on, edit your identity provider, and check the EVERFI Signing Algorithm property. It will be either SHA-1 (legacy) or SHA-256.
  2. Ensure your identity provider supports the SHA-256 standard. Most modern identity management solutions do.
  3. If your IDP does support SHA-256, find out whether it has a configurable setting for the signing algorithm of each SP, or whether it determines the algorithm automatically from the signature algorithm named in the SP's SAML message. In the former case, learn how to change that setting, because you will need to do so in order to switch from SHA-1 to SHA-256. See Identity Provider Support for SP Signatures below.

Update Identity Provider

After you have completed or verified the preconditions above, the steps to upgrade Foundry’s signing algorithm to SHA-256 from SHA-1 are:

  1. Login to the Foundry customer admin portal, and navigate to Settings > Single sign-on to update your identity provider configuration. See Updating An Identity Provider Configuration for more details.
  2. Edit the identity provider.
  3. Change the EVERFI Signing Algorithm to SHA-256 and Save the identity provider.
  4. If your identity provider has a corresponding setting for the Foundry service provider’s signing algorithm, change it to SHA-256.

Note: some organizations have more than one identity provider configuration in Foundry, for instance when different learner populations authenticate to different IDPs within the organization. In this case, you will need to upgrade each IDP configuration separately (and repeat Step 4 on each corresponding identity provider).

Verify Upgrade

To verify that the change is working, perform the following three SSO and SLO operations and confirm that each completes correctly. A successful login proves that the new algorithm is accepted only if your identity provider actually verifies Foundry's signature (see Identity Provider Support for SP Signatures below); to confirm which algorithm Foundry is now using, inspect the SAMLRequest your browser sends to the IDP, for example with the browser's developer tools or a SAML tracer extension.

  1. SSO into Foundry from the Foundry customer login page. This is called service provider initiated single sign-on and causes Foundry to send a signed authentication request to your identity provider.
  2. If you have Single Logout enabled, log out from Foundry. This causes Foundry to send a signed logout request to your identity provider.
  3. Next, SSO from your identity provider into Foundry, then log out from your identity provider's page. For identity providers that support IDP-initiated SLO, this ultimately triggers Foundry to send a signed logout response to your IDP in reply to the IDP's logout request to Foundry.
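The three checks above tell you that the IDP accepted the messages; they do not by themselves show which algorithm Foundry used. The following Python script, added here as an illustration and not part of EVERFI's or Foundry's software, decodes a captured SP-initiated message and reports its signing algorithm for both front-channel SAML bindings: on the HTTP-Redirect binding (the URL the browser is sent to) the algorithm is the SigAlg query parameter, while on the HTTP-POST binding (a hidden form field) it is the ds:SignatureMethod inside the XML. The sample messages, the idp.example.com endpoint and the placeholder signature values are constructed for the example; the script classifies the algorithm and does not verify signatures.

```python
"""Report the signing algorithm of a captured SP-initiated SAML message.

Added example (not EVERFI/Foundry code). Handles the two front-channel bindings:
  * HTTP-Redirect: SAMLRequest/SAMLResponse is raw-DEFLATEd + base64 in the query
    string; the signature covers the query string and SigAlg names the algorithm.
  * HTTP-POST: SAMLRequest/SAMLResponse is base64 XML carrying an enveloped
    ds:Signature; SignedInfo/SignatureMethod names the algorithm.
It classifies the algorithm only; it does not verify the signature.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ALGORITHM_NAMES = {RSA_SHA1: "SHA-1 (legacy)", RSA_SHA256: "SHA-256"}


def _local_name(tag: str) -> str:
    """'{urn:...:protocol}AuthnRequest' -> 'AuthnRequest'."""
    return tag.rsplit("}", 1)[-1]


def _describe(sig_alg: Optional[str]) -> str:
    if sig_alg is None:
        return "unsigned"
    return ALGORITHM_NAMES.get(sig_alg, "other: " + sig_alg)


def inspect_redirect_binding(url: str) -> Tuple[str, str]:
    """Return (message type, algorithm) for a Redirect-binding URL."""
    params = parse_qs(urlparse(url).query)
    key = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    # wbits=-15: raw DEFLATE without a zlib header, as the binding spec requires
    xml_bytes = zlib.decompress(base64.b64decode(params[key][0]), -15)
    message_type = _local_name(ET.fromstring(xml_bytes).tag)
    sig_alg = params["SigAlg"][0] if "SigAlg" in params else None
    return message_type, _describe(sig_alg)


def inspect_post_binding(saml_param: str) -> Tuple[str, str]:
    """Return (message type, algorithm) for a POST-binding form value."""
    root = ET.fromstring(base64.b64decode(saml_param))
    method = root.find(
        "./{%s}Signature/{%s}SignedInfo/{%s}SignatureMethod" % (DS_NS, DS_NS, DS_NS)
    )
    sig_alg = method.get("Algorithm") if method is not None else None
    return _local_name(root.tag), _describe(sig_alg)


# --- constructed samples (not captured from a real Foundry deployment) ---

def constructed_redirect_url(sig_alg: Optional[str]) -> str:
    """Minimal AuthnRequest on the Redirect binding; Signature is a placeholder."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_c1" Version="2.0" '
           'IssueInstant="2021-05-01T00:00:00Z"/>' % SAMLP_NS)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if sig_alg is not None:
        params["SigAlg"] = sig_alg
        params["Signature"] = base64.b64encode(b"placeholder-not-a-real-signature").decode()
    return "https://idp.example.com/sso?" + urlencode(params)  # hypothetical IdP endpoint


def constructed_post_message(sig_alg: Optional[str]) -> str:
    """Minimal LogoutResponse on the POST binding, optionally with an enveloped signature."""
    signature = ""
    if sig_alg is not None:
        signature = (
            '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>'
            % (DS_NS, sig_alg)
        )
    xml = ('<samlp:LogoutResponse xmlns:samlp="%s" ID="_c2" Version="2.0" '
           'IssueInstant="2021-05-01T00:00:00Z">%s</samlp:LogoutResponse>' % (SAMLP_NS, signature))
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(inspect_redirect_binding(constructed_redirect_url(RSA_SHA256)))  # ('AuthnRequest', 'SHA-256')
    print(inspect_post_binding(constructed_post_message(RSA_SHA1)))        # ('LogoutResponse', 'SHA-1 (legacy)')
```

Paste the full redirect URL from the browser's network log into inspect_redirect_binding, or the SAMLRequest/SAMLResponse form value from a POST into inspect_post_binding. A result of "SHA-1 (legacy)" after the upgrade means the Foundry-side setting did not take effect for the IDP configuration that handled this login, which is worth checking when an organization has more than one IDP configured.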

Identity Provider Support for SP Signatures

While EVERFI cannot advise you about the specific details of your own identity provider product, here are some additional details about how various identity provider products handle SP signatures and algorithms:

  • Some identity provider products do not verify SP signatures at all, so the SP's signing algorithm is irrelevant to them. Two examples (as of May 2021) are Microsoft Azure and Okta. Because this behaviour changes between product releases, check your IDP's current documentation rather than relying on this list.
  • Some identity provider products have a configurable option for whether to verify each SP's signature. We recommend that you enable verification: without it, the IDP accepts authentication and logout requests from anyone who merely claims Foundry's issuer identifier.
  • For identity provider products that do verify SP signatures, some have a configuration setting for the service provider's signing algorithm, and others do not. One IDP product that does have such a setting is Microsoft ADFS. To set this property, edit the relying party trust for the Foundry service provider, go to the Advanced tab, and set the Secure hash algorithm to SHA-256 (Step 4 above) after having done the same in Foundry (Step 3 above). The same property can be set from PowerShell with Set-AdfsRelyingPartyTrust and its -SignatureAlgorithm parameter, passing the algorithm URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. ADFS rejects Foundry's signed requests until the two sides match, so change both.
  • Other identity provider products that verify the service provider's signature determine the signing algorithm from the signature algorithm named in the SAML message itself, rather than from a setting in the service provider configuration. If this is the case, you do not need to perform Step 4 above.