
Single Sign-On (SSO) FAQ 

Get answers to frequently asked questions related to single sign-on

For any new Identity Provider setups added on or after August 5, 2025, Foundry includes the signature and signature algorithm in query string parameters. If you added your Identity Provider setup before that date, contact us and we will update it to the new format. Alternatively, you can delete the existing Identity Provider setup and add it again.




Custom Registration Questions

Can I use custom registration questions with SSO?
Yes. Custom registration questions are supported in both SSO scenarios:

  • IDP-initiated SSO: You can configure questions to appear during registration, first activity, or incentive completion. These questions must be answered manually by the user. The ability to automatically pass additional user data during login is currently in development.

  • SP-initiated SSO: You can either prompt users to answer questions manually or use pass-through URLs to pre-fill responses.



SP-Initiated SSO Configuration

Can I disable SP-initiated SSO?
Yes. SP-initiated SSO can be enabled or disabled for any identity provider.

Can I disable SP-initiated SSO for a specific program or identity provider?
Not per program. SP-initiated SSO is enabled or disabled at the identity provider level, so the setting applies to every program that uses that identity provider and cannot be configured per program.



SAML Metadata and Integration

Is there a public URL for Foundry’s SAML metadata?
Yes. Use the following URL format:

  • Standard:
    https://admin.fifoundry.net/{org-slug}/saml/metadata.xml
    Replace {org-slug} with your organization’s unique slug.

  • Legacy SAML model:
    https://admin.fifoundry.net/saml/metadata.xml

Note: Foundry does not currently support automatic updates to the service provider metadata in your identity provider. Refer to the SAML Single Sign-On System Requirements for more information.



SSO ID Visibility

Why don’t I see the SSO ID field in Foundry?
Your account must have SAML SSO enabled. To verify:

  1. Log in to the Customer Admin Portal.
  2. Navigate to Settings > Single Sign-On.

If you do not see this option, contact your Everfi representative for assistance.



RelayState Redirects

Can I configure a redirect URL after IDP-initiated SSO?
Yes. If your identity provider supports RelayState, you can specify a default URL to redirect users after successful login. This only applies to IDP-initiated SSO.

This configuration must be made in your identity provider, not in Foundry.



Email Changes and Attribute Mapping

What happens if a user’s email changes in the identity provider?
This depends on how the NameID is configured:

  • If the NameID is not an email address (e.g., Employee ID), Foundry can still identify the user and update their email and other mapped attributes during SSO.

  • If the NameID is an email address and it changes, Foundry will not recognize the user unless the SSO ID in Foundry is also updated.

If the NameID remains the same, Foundry will authenticate the user and update their email, first name, last name, and location based on the mapped SAML attributes in the response.

Best practice: Use a persistent, non-changing identifier (e.g., Employee ID) for NameID. If using an email address, ensure you have a process to update the user’s SSO ID in Foundry when the email changes—either manually or via API.



SAML AuthnRequest Signature Format

Can the SAML AuthnRequest signature be sent in the query string instead of the body?
Yes. For identity providers added on or after August 5, 2025, Foundry includes the signature and signature algorithm in query string parameters.

If your identity provider was added before this date, contact Everfi to update your configuration, or delete and re-add the identity provider to apply the new format.
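The query-string signature format described above is the SAML 2.0 HTTP-Redirect binding: the AuthnRequest travels as a deflated, base64-encoded SAMLRequest parameter, and the signature is computed over the URL-encoded SAMLRequest, RelayState and SigAlg parameters and sent as a separate Signature parameter instead of inside the XML. The following Go program is an added example, not Foundry's or Everfi's code, written against the standard library only. The AuthnRequest XML, the example.test hostnames and the throwaway RSA key are constructed placeholders, and the build and verify routines are this example's own; they show both the service-provider side (signing) and the identity-provider side (verification), including why the identity provider must verify against the raw query bytes it received.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg identifier for RSA-SHA256 as used in the SAML 2.0 HTTP-Redirect binding.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample AuthnRequest. The ID, issuer and destination are placeholders,
// not real Foundry or customer endpoints.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`ID="_example-request-id" Version="2.0" IssueInstant="2025-08-05T00:00:00Z" Destination="https://idp.example.test/sso">` +
	`<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/saml/metadata.xml</saml:Issuer></samlp:AuthnRequest>`

// deflateBase64 applies the redirect-binding encoding: raw DEFLATE, then base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails on an invalid level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// BuildSignedRedirectQuery builds the query string the SP appends to the IdP SSO URL.
// The signature covers the URL-encoded SAMLRequest, RelayState (if present) and SigAlg
// parameters, in that order, and is itself carried as a fourth parameter rather than
// embedded in the XML.
func BuildSignedRedirectQuery(priv *rsa.PrivateKey, authnRequestXML, relayState string) (string, error) {
	encoded := deflateBase64(authnRequestXML)
	parts := []string{"SAMLRequest=" + url.QueryEscape(encoded)}
	if relayState != "" {
		parts = append(parts, "RelayState="+url.QueryEscape(relayState))
	}
	parts = append(parts, "SigAlg="+url.QueryEscape(sigAlgRSASHA256))
	toSign := strings.Join(parts, "&")
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the identity-provider-side check. It rebuilds the signed string
// from the raw, still-encoded query values: decoding and re-encoding them could change
// the bytes (for example "+" versus "%20") and wrongly reject a valid signature.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) (bool, error) {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	sigAlg, _ := url.QueryUnescape(raw["SigAlg"])
	if sigAlg != sigAlgRSASHA256 { // never accept an algorithm you did not expect
		return false, fmt.Errorf("unsupported SigAlg %q", sigAlg)
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	parts := []string{"SAMLRequest=" + raw["SAMLRequest"]}
	if rs, ok := raw["RelayState"]; ok {
		parts = append(parts, "RelayState="+rs)
	}
	parts = append(parts, "SigAlg="+raw["SigAlg"])
	digest := sha256.Sum256([]byte(strings.Join(parts, "&")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key, not a real SP key
	q, _ := BuildSignedRedirectQuery(priv, sampleAuthnRequest, "https://sp.example.test/after-login")
	ok, _ := VerifyRedirectQuery(&priv.PublicKey, q)
	fmt.Println("signature valid:", ok)
	tampered := strings.Replace(q, "after-login", "elsewhere", 1) // RelayState altered in transit
	ok, _ = VerifyRedirectQuery(&priv.PublicKey, tampered)
	fmt.Println("tampered RelayState valid:", ok)
}
```

Two details matter on the verifying side: the signed string is reconstructed from the parameter values exactly as they arrived on the wire, and the SigAlg value is pinned to the algorithm you expect rather than trusted from the request. Because RelayState is inside the signed string, a RelayState changed after signing fails verification, which is the property that makes a default post-login redirect safe to honour.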


Case Sensitivity in NameID Matching

Can NameID and SSO ID matching be case-insensitive?
No. Foundry follows the SAML 2.0 specification, which requires case-sensitive matching for NameID values.

To avoid issues:

  • Ensure the SSO ID in Foundry exactly matches the NameID from your identity provider.
  • If your IDP supports it, transform the NameID to lowercase before sending it.
  • Store SSO IDs in lowercase in Foundry to match.

The SAML 2.0 specification mandates exact binary comparison for string values, including NameID. This means no normalization, trimming, or case-insensitive matching is allowed.
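The exact-comparison rule above means that a NameID and an SSO ID that differ only in letter case, or only by a stray space, will not match. The following Go program is an added example, not Foundry's own matching code: it performs the byte-for-byte comparison the FAQ describes, classifies why a pair fails (case only, whitespace only, both, or a different identifier altogether) so an administrator can tell which side to fix, and applies the lowercase normalization the FAQ recommends on both sides. The sample user pairs are constructed, and the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchKind classifies the relationship between the NameID an identity
// provider sends and the SSO ID stored for the user.
type MatchKind string

const (
	MatchExact           MatchKind = "exact"               // byte-for-byte equal: SSO succeeds
	MismatchCase         MatchKind = "case-only"           // equal ignoring case: fails under exact comparison
	MismatchSpace        MatchKind = "whitespace-only"     // equal after trimming: fails, nothing is trimmed
	MismatchCaseAndSpace MatchKind = "case-and-whitespace" // both problems at once
	MismatchOther        MatchKind = "other"               // a different identifier altogether
)

// MatchNameID is the comparison the FAQ describes: exact binary equality,
// with no normalization, trimming or case folding.
func MatchNameID(nameID, ssoID string) bool {
	return nameID == ssoID
}

// ClassifyMismatch explains why a pair does or does not match, so the admin
// can fix the right side (an IdP-side transform or the stored SSO ID).
func ClassifyMismatch(nameID, ssoID string) MatchKind {
	trimmedN, trimmedS := strings.TrimSpace(nameID), strings.TrimSpace(ssoID)
	switch {
	case nameID == ssoID:
		return MatchExact
	case strings.EqualFold(nameID, ssoID):
		return MismatchCase
	case trimmedN == trimmedS:
		return MismatchSpace
	case strings.EqualFold(trimmedN, trimmedS):
		return MismatchCaseAndSpace
	default:
		return MismatchOther
	}
}

// NormalizeSSOID is the lowercase transform the FAQ recommends applying on both
// sides: in the identity provider before the NameID is sent, and when storing
// the SSO ID. Exact matching then succeeds because both inputs were transformed
// the same way; the comparison itself stays case-sensitive.
func NormalizeSSOID(s string) string {
	return strings.ToLower(s)
}

// AuditPairs returns the users whose SSO would fail and why. Keys of pairs are
// the stored SSO IDs; values are the NameIDs captured from the identity provider.
func AuditPairs(pairs map[string]string) map[string]MatchKind {
	failing := map[string]MatchKind{}
	for ssoID, nameID := range pairs {
		if kind := ClassifyMismatch(nameID, ssoID); kind != MatchExact {
			failing[ssoID] = kind
		}
	}
	return failing
}

func main() {
	// Constructed sample data, not real accounts.
	pairs := map[string]string{
		"jdoe@example.test":   "JDoe@Example.test",   // case-only: lowercase on both sides fixes it
		"e1001":               "e1001 ",              // trailing space from the IdP: fails
		"asmith@example.test": "asmith@example.test", // exact: works
		"e2002":               "E3003",               // different identifier: investigate the mapping
	}
	for id, kind := range AuditPairs(pairs) {
		fmt.Printf("%-22s %s\n", id, kind)
	}
	fmt.Println("after normalizing both sides:",
		MatchNameID(NormalizeSSOID("JDoe@Example.test"), NormalizeSSOID("jdoe@example.test")))
}
```

The classifier deliberately keeps the strict comparison for the actual match decision and only uses case folding and trimming for diagnosis; if you choose to trim or lowercase in an IdP attribute transform, the same transform has to be applied to the SSO IDs stored in Foundry, otherwise you have moved the mismatch rather than removed it.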


Certificate Expiration

Why does the Foundry X.509 certificate expire every three years? Can it be extended?
Everfi uses a three-year certificate lifespan to align with security best practices. This approach:

  • Ensures use of current cryptographic standards
  • Balances customer convenience with security and compliance requirements
  • Avoids reliance on outdated certificates


Login Flow with SSO

What is the login experience like for learners using SSO?
When a learner clicks a link in a Foundry email (e.g., training invitation or reminder):

  • If the user has an SSO ID in Foundry, the system initiates SP-initiated SSO and redirects the user to your identity provider.
    • If the user is already logged in to the IDP, they are returned to Foundry without needing to log in again.
  • If the user does not have an SSO ID, they are taken to the standard Foundry login page.

This flow is designed to streamline and simplify the login experience for SSO-enabled users.