What do I need to know about HSI Blue Ocean Brain's SSO integration with my organization?

Frequently asked questions your organization may have about HSI Blue Ocean Brain's SAML and Learner management configurations are answered here.

What kind of application is HSI Blue Ocean Brain (BOB)?

HSI Blue Ocean Brain is a SaaS application.

What is the application used for?

HSI Blue Ocean Brain provides online learning content.

How are employees set up in HSI Blue Ocean Brain?

Employees are added to HSI BOB with individual Learner (user) accounts.

Are there specific roles or different tiers of access for Learners in HSI Blue Ocean Brain?

All employees will have the same role in HSI BOB. The HSI BOB Team will manually enable any Admin permissions for people who need them. 

What personal identifying information (PII) is required in HSI Blue Ocean Brain?

First Name, Last Name, and Email are required in order to set up user accounts. The NameID is also required and may be sent in your desired format.

You may send up to 25 additional attributes via SSO for reporting purposes.

What PII is stored in HSI Blue Ocean Brain?

The default fields, First Name, Last Name, and Email, are stored in HSI Blue Ocean Brain. If you have chosen to report on any additional fields (location, department, job code, etc.), those fields may be stored as well.

How is PII protected for data at rest and in transit?

All tenant-specific information (such as PII) is stored on encrypted volumes. The volumes are hosted on AWS, and AWS holds the encryption keys, which are managed by AWS KMS. Data in transit is encrypted over a secure link, and HSI Blue Ocean Brain enforces a minimum of TLS 1.2 for web-based communications.

How does HSI Blue Ocean Brain authenticate/authorize users?

Learners are authenticated and authorized through the SSO profile the customer sets up with HSI Blue Ocean Brain, using the provisioning the customer has configured.

What type of SSO does HSI Blue Ocean Brain use?

HSI Blue Ocean Brain implements SSO using SAML 2.0.

Which style of SAML connection do you support, IDP-initiated or SP-initiated?

HSI Blue Ocean Brain supports both IDP-initiated and SP-initiated SAML connections.

Does HSI Blue Ocean Brain send out email communications?

Organizations may choose to have HSI Blue Ocean Brain send out the following email communications:

  • Welcome emails containing the employee's email and the SSO login link
  • Micro-communication emails containing the HSI BOB learning content

The Sender Name may be customized, but the Sender Email is always team@blueoceanbrain.com. For security purposes, we never spoof customer domains. 

How is HSI Blue Ocean Brain accessible to all employees?

HSI Blue Ocean Brain is WCAG 2.1 AA compliant.

Do all my employees need SSO accounts to access HSI Blue Ocean Brain?

Once SSO is set up for your organization, all of your employees accessing HSI BOB will need SSO accounts to access your organization's instance of HSI BOB.

How does HSI Blue Ocean Brain manage my users?

There are a few options for adding and deactivating employees in HSI BOB. More information is available here

Is there a mobile application?

Yes. The mobile application is web-based.

Does HSI Blue Ocean Brain have a test environment?

No, we do not have a test environment. However, we can configure multiple HSI BOB groups as needed for SSO testing purposes.

To test SSO, we configure the SSO profile on a test/non-Prod group. Once we have confirmed SSO is working as expected, we will move the SSO profile to the Prod group set up for your company.

If you prefer, we are able to set up a staging/testing SSO profile first. Most customers do not need a staging/testing SSO profile, as we will test it before it goes live to your employees. 

What should be used as SSO identifier/NameID?

Most of our customers use the email address as the SSO identifier/NameID. You are welcome to use another field, such as UPN or employee ID. Email must still be passed as an attribute, even if it is not being used as the NameID.
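
A pre-flight check an IdP administrator could run on a test assertion before go-live, covering the required fields and the NameID rule described in this FAQ. It is an added example, not HSI Blue Ocean Brain code; the attribute names FirstName, LastName and Email are assumptions (use the names agreed in your SSO profile), and the sample assertion is constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; the real ones are whatever your SSO profile agrees on.
REQUIRED = ("FirstName", "LastName", "Email")
MAX_EXTRA = 25  # the FAQ's limit on additional reporting attributes

def check_assertion(xml_text):
    """Return a list of problems in a SAML 2.0 assertion (empty list = OK).
    Content check only: it does not verify signatures, so run it on test
    output from your own IdP, not on untrusted input."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or one wrapped in a samlp:Response.
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element found"]
    problems = []
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in vals if v]
    # Email is required as an attribute even when NameID is UPN or employee ID.
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"required attribute {name} missing or empty")
    extra = [n for n in attrs if n not in REQUIRED]
    if len(extra) > MAX_EXTRA:
        problems.append(f"{len(extra)} additional attributes exceeds {MAX_EXTRA}")
    return problems

def sample_assertion(name_id, attributes):
    """Build a constructed, unsigned assertion for exercising the checker."""
    rows = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        f'</saml:Attribute>' for k, v in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{rows}</saml:AttributeStatement>'
            f'</saml:Assertion>')

if __name__ == "__main__":
    # Employee ID as NameID, but Email left out of the attribute statement.
    bad = sample_assertion("E12345", {"FirstName": "Jane", "LastName": "Doe"})
    print(check_assertion(bad))
```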