I need to set up my SSO profile, exchange metadata, and test user access to the HSI BOB SSO profile.
The HSI Blue Ocean Brain team can implement single sign-on access for any SSO provider your organization may use. Below is our general process of setting up SSO.
For provider-specific SSO setup instructions, please select from below:
- Microsoft Azure configuration instructions - Please set up the app as a manually-created app. DO NOT use the HSI Blue Ocean Brain app available in the Azure App Gallery. This app is in the process of being sunsetted on the HSI BOB end.
- Okta configuration instructions
Step 1: Set up the SSO profile.
Once you're ready to start setting up SSO, the HSI Blue Ocean Brain team will need:
- The contact information (name and email) of your IT contact.
- If you require any additional SSO profiles besides Prod (dev/test/staging/QA/UAT/etc.).
The HSI Blue Ocean Brain IT contact will reach out to your organization's IT contact to start the process. The HSI BOB team will provide:
- The XML metadata file containing the Entity ID and the Service URL.
- For Azure and Okta, they will provide the friendly ID.
- The employee file template and the employee file instructions if you have purchased HSI Blue Ocean Brain licenses for your employees or if your employees will be receiving welcome emails.
- If you will be sending welcome or micro-communication emails containing the lessons to your employees, you will need to add to your "Allow List":
- The IP address 167.89.15.60
- The domains blueoceanbrain.com and email.blueoceanbrain.com
- The email addresses support@blueoceanbrain.com, team@blueoceanbrain.com, and bob@blueoceanbrain.com
You can use the metadata/information provided in order to set up the SSO profile on your end:
- During the SSO profile setup, you must map the attributes First Name, Last Name, and Email.
- The HSI BOB team prefers that you map the SAML Identifier/NameID to Email. If you use a different unique identifier (Employee ID, UPN, etc.), please let your HSI Blue Ocean Brain IT contact know.
- If your team wants to do any reporting on additional fields (department, level, location, etc.), those attributes will need to be mapped as well.
If you have any questions on how to set up your SSO profile, please let your HSI BOB IT contact know.
Step 2: Send your XML metadata to your HSI BOB IT contact.
Once you've finished setting the SSO profile on your end, the BOB IT contact will need your metadata including the Entity ID, Service URL, and X-509 security certificate.
Any SSO cert file provided to BOB must be in .txt format or zipped in a folder.
You'll also need to let the HSI BOB team know:
- What the SAML Identifier/NameID is mapping to (email, employee ID, employee number, UPN, user-principal-name, etc.)
- How users are assigned to the HSI BOB SSO app on your end (everyone who has SSO access or specific groups).
The HSI Blue Ocean Brain team will let you know once they've updated the XML file on their end.
Step 3: Test the SSO profile in a non-Prod group.
After the HSI BOB IT contact has made the updates to their XML file, they will place the SSO profile on a non-Prod group on their end. Testing of the SSO profile can be done either via email or during a scheduled meeting.
To complete testing, you will need to:
- Send the names and emails of your test users to your HSI BOB IT contact (your testers will not be able to access until HSI BOB has moved or added those testers to the non-Prod group).
- If the SAML Identifier/NameID is mapped to a value other than Email, send that value for each of your test users to your HSI BOB IT contact.
HSI BOB IT will move or add the users to the correct group for testing and then send you the specific SSO login URL for your company. After your testers log in for the first time, the HSI BOB IT contact will ensure that the attributes are coming over properly.
If you need to enable just-in-time (JIT) auto-provisioning so your users can auto-create their own accounts, the BOB IT contact will coordinate this testing as well.
If your employees are able to access other company SSO apps on their mobile devices, please ask them to download the mobile app and test to see if they are able to access via mobile device as well. The BOB team will confirm if and how employees are able to access the mobile app so that our team can troubleshoot any potential user mobile app issues.
If your company uses JIT auto-provisioning to auto-add users, those users will need to initially access HSI BOB through the desktop or in their browser on their mobile device using your company's specific login link to generate their user accounts before accessing the mobile app.
Step 4: Test the SSO profile in the Prod group.
Once you've confirmed that your testers are able to access the SSO profile, please let the HSI BOB IT contact know. They will then move the SSO profile and any testers to the Prod group for your organization.
Step 5: Confirm whether to enable just-in-time auto-provisioning.
HSI Blue Ocean Brain can enable just-in-time (JIT) auto-provisioning for users who are assigned to the BOB SSO app to auto-create their own accounts. This can be enabled for customers who:
- Have purchased licenses enterprise-wide.
- Have purchased lessons-based content.
- Have assigned the HSI BOB SSO app to only a specific group and the login link is only visible to those users.
Before finishing the SSO setup, the HSI BOB IT contact will clarify with you if you wish to turn off the JIT auto-provisioning or leave it on.
Step 6: Assign your users to the HSI BOB SSO app.
Before launching with HSI BOB, please confirm that the correct individuals are assigned to the HSI BOB app. If users are not assigned to the HSI BOB app on your end and try to access, they will receive an error.
Step 7: Unhide the HSI BOB SSO app.
If your organization has hidden the HSI BOB app in your company portal after SSO was set up, make sure you've unhidden the app on launch day so that it is visible to your employees.