
Everfi Signing Algorithm

Learn about Everfi's Signing Algorithm

Everfi signs its SAML messages using the Everfi SAML Certificate and the signing algorithm you set in your identity provider (IDP) configuration.

In mid-2021, Foundry added support for signing SAML messages—such as authentication and logout requests and responses—using the SHA-256 algorithm. SHA-256 is more secure and modern than SHA-1, which was previously the only option. Switching from SHA-1 to SHA-256 requires just a simple configuration update, as explained below.

If you are setting up SSO for the first time, we recommend starting with SHA-256.

If your Foundry SSO currently uses SHA-1 and you want to upgrade to SHA-256, follow the steps outlined below.


Confirm Upgrade Eligibility

  1. Check Current Signing Algorithm
    Log in to Foundry as a customer admin. Go to Settings > Single sign-on, edit your identity provider, and look at the Everfi Signing Algorithm setting. It will show either SHA-1 (legacy) or SHA-256.

  2. Verify IDP Support for SHA-256
    Make sure your identity provider supports the SHA-256 standard. Most modern identity management systems do.

  3. Check IDP Configuration Options
    If your IDP supports SHA-256, find out whether it:

    • Requires you to manually set the service provider’s signing algorithm, or
    • Automatically detects the algorithm from the SAML message.

    If manual configuration is needed, learn how to set this option—you’ll need it to switch from SHA-1 to SHA-256. See Identity Provider Support for SP Signatures below for more details.

Update Identity Provider

Once you’ve confirmed the prerequisites, follow these steps to upgrade Foundry’s signing algorithm from SHA-1 to SHA-256:

  1. Log in to the Foundry customer admin portal.
  2. Navigate to Settings > Single sign-on and open your identity provider configuration. (See Updating an Identity Provider Configuration for details.)
  3. Edit the identity provider settings.
  4. Change the Everfi Signing Algorithm to SHA-256 and click Save.
  5. If your identity provider has a matching setting for the service provider’s signing algorithm, update that to SHA-256 as well.

Note: If your organization uses multiple identity provider configurations in Foundry—for example, different learner groups tied to different IDPs—you’ll need to upgrade each one individually.


Verify Upgrade

To confirm the update is working, test these three operations:

  1. Service Provider–Initiated SSO
    Sign in to Foundry from the Foundry customer login page. This triggers Foundry to send a signed authentication request to your identity provider.

  2. Single Logout from Foundry
    If Single Logout (SLO) is enabled, log out from Foundry. This sends a signed logout request from Foundry to your identity provider.

  3. Identity Provider–Initiated SSO and SLO
    Sign in to Foundry from your identity provider, then log out from the IDP page. For IDPs that support IDP-initiated SLO, this will cause Foundry to send a signed logout response back to the IDP after receiving its logout request.


Identity Provider Support for SP Signatures

Everfi cannot provide details for your specific identity provider, but here are general guidelines on how different IDPs handle service provider (SP) signatures and algorithms:

  • Some IDPs do not verify signatures
    In these cases, the SP’s signing algorithm does not matter. Examples (as of May 2021): Microsoft Azure and Okta.

  • Some IDPs let you choose whether to verify SP signatures
    We recommend enabling signature verification for better security.

  • IDPs that verify SP signatures handle configuration differently

    • Some allow you to set the SP’s signing algorithm manually. For example, Microsoft ADFS provides this option. To configure it, edit the relying party trust for Foundry, go to the Advanced tab, and set the Secure hash algorithm to SHA-256 after updating Foundry.
    • Others determine the signing algorithm by reading the property in the SAML message itself. If your IDP works this way, you do not need to configure the algorithm manually.
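As an added check for the Verify Upgrade steps above (example code written for this page, not Everfi's or any IDP vendor's own tooling): the "property in the SAML message itself" that the last bullet refers to is the XML-DSig SignatureMethod Algorithm in a POST-bound message, or the SigAlg query parameter in an HTTP-Redirect-bound one. The script below classifies a captured message as SHA-1 (legacy), SHA-256, unsigned or unknown; the sample AuthnRequest and query string are constructed and carry dummy signature values, and the example.invalid issuer is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# XML-DSig algorithm identifiers as they appear in SAML messages.
ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1 (legacy)",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}

def signing_algorithm_from_xml(saml_xml: str) -> str:
    """Label the ds:SignatureMethod of a POST-bound (enveloped-signature) SAML message."""
    method = ET.fromstring(saml_xml).find(f".//{{{DS_NS}}}SignatureMethod")
    if method is None:
        return "unsigned"  # no enveloped XML Signature present at all
    return ALGORITHMS.get(method.get("Algorithm", ""), "unknown")

def signing_algorithm_from_redirect(query_string: str) -> str:
    """Label the SigAlg parameter of an HTTP-Redirect-bound SAML message."""
    params = parse_qs(query_string)
    if "Signature" not in params or "SigAlg" not in params:
        return "unsigned"  # Redirect binding carries the signature as query parameters
    return ALGORITHMS.get(params["SigAlg"][0], "unknown")

# Constructed sample: a POST-bound AuthnRequest signed with SHA-256 (dummy signature value).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2021-06-01T00:00:00Z">
  <saml:Issuer>https://sp.example.invalid/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Constructed sample: a Redirect-bound LogoutRequest still signed with the legacy SHA-1 SigAlg.
SAMPLE_REDIRECT_QUERY = (
    "SAMLRequest=ZHVtbXk%3D"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
    "&Signature=ZHVtbXk%3D"
)
```

For the POST binding, base64-decode the SAMLRequest (or SAMLResponse) form field before passing it to signing_algorithm_from_xml; for the Redirect binding, pass the raw query string, since the SigAlg and Signature parameters are not inside the deflated payload.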