UNIVERSITY OF COLORADO
Procurement Service Center

INTENT TO SOLE SOURCE PROCUREMENT
CU-JL39027649-SS

Single Sign-On (SSO) Solution for University Information Systems (UIS)
May 9, 2013
I. General Information

UIS needs to implement a new Single Sign-On (SSO) solution to replace the existing service, providing greater reliability, stability and reduced time to deploy to new applications. The SSO solution allows users to log in once to access several university applications without having to log in again.

The current SSO solution (FedAuthN/Token Exchange) is custom developed. Because it is unstable and contains defects, it requires a significant amount of IT technical labor to maintain and support. Connecting new applications to this service is labor intensive and time consuming. The resulting SSO service does not meet the needs of the CU user community, including students, faculty, staff and others.

UIS intends to utilize Ping Identity Corporation for this solution in order to meet all of its requirements.

This notice is being posted as required by the University of Colorado Procurement Rules. This is not a request for quotes. Should your company be able to meet all of the below features/requirements, please submit an email and/or separate Word or PDF document via email with your product information/model(s)/quantities required to meet the features/requirements below. Vendors must also provide a point-by-point response as to how their product will comprehensively meet each feature/requirement. One to three online or in-person demonstrations of your product, provided at no charge to the University, may also be required to confirm your proposed system meets all the University's features/requirements. With your response to this Intent to Sole Source procurement, please confirm the availability of your system for this no-charge demonstration to confirm your system meets all features/requirements. The University of Colorado will be the sole judge of equivalence.

Any responses that fail to respond as instructed within this document will be deemed non-responsive and automatically be removed from consideration. Interested parties must read and be familiar with the specifications before responding, as the below specifications must be met or exceeded with validation.

Responses must be submitted by email to jeff.lehmann@cu.edu no later than Monday, May 13, 2013, by 5:00 p.m. Denver, CO local time, with CU-JL39027649-SS referenced in the subject line.

II. Mandatory Requirements

- Provide SSO capability to all existing UIS applications as well as some that are planned in the near future
- Provide support for multiple, industry-standard authentication protocols
- Provide support for multiple authentication directories in use across CU
- Reduce administrative burden of the SSO infrastructure
- Significantly reduce labor and time required to integrate with new applications
- Provide support for SaaS solutions
- Provide a highly reliable, secure and scalable SSO capability
- Demonstrate success in a multi-campus higher education setting
- Support for multiple protocols: SAML 1.0, 1.1, 2.0, OAuth, OpenID, etc.
- Must be highly configurable
- Must require minimal software development/integration labor to implement
- Must provide built-in support for existing CU applications
- Must provide connectivity to multiple authentication directories
- Must expedite connectivity to new applications
- Must easily integrate with cloud-based (SaaS) solutions
- Must support VMware and RHEL
- Must support PeopleSoft applications
- Must enable rapid scalability as user demand changes
- Can act as both an Identity Provider and a Service Provider
- Multi-protocol support: SAML 1.0, 1.1, 2.0, OAuth, OpenID and more
- 100% standards-based
- Wizard-driven GUI
- 60+ Integration Kits
- Multiple deployment models: on-premise, cloud, hybrid
- Adaptive Federation: Adapter Selectors, Composite Adapters, Identity Attribute Aggregation, Token Issuance Criteria
- Support for all Identity Federation roles and profiles, as outlined in the attached document
- Rules engine to determine authentication mechanism (which identity, multi-factor or step-up authentication, etc.)
- Rapid implementation of new Federation connections (hours/days vs. months)

III. Product Features

Federation Standard Support: SAML 1.0, SAML 1.1, SAML 2.0, WS-Federation, OpenID, OpenID Connect, SCIM (provisioning)

Secure Web APIs: WS-Security, WS-Trust, WS-Federation, OAuth 2.0

Federation Roles: Identity Provider (IdP), Service Provider (SP), Identity Bridge, IdP Discovery, Token Validation Service, Token Exchange Service, Authorization Server, Policy Service, API Gateway

SAML Bindings: HTTP POST, HTTP Artifact, HTTP Redirect, SOAP

Key Capabilities: IdP-Initiated SSO, SP-Initiated SSO, Single Log-Out (SLO), Attribute Query & XASP, IdP Discovery, Account Linking / Mapping, Adaptive Authentication, Access Portal, Multifactor Authentication, Certificate Management, Express Provisioning

Attribute Sources: LDAP, JDBC, Custom (via SDK)

Certificate Validation: CRL, OCSP

Trust Models: Unanchored, Anchored

Logging, Monitoring and HA: File-based, Common Event Format (CEF), Database, Published MIB, JMX Support, N-node Clustering

Supporting Capabilities: Metadata Exchange, Integration with Thales nShield, Password Management, Integration with MDM products, Support for O365 (active and passive)

Kantara/Liberty Alliance SAML Interop Certifications: IdP Lite, SP Lite, eGov

Integration Kits: .NET Integration Kit, Agentless Integration Kit, Apache RHEL Integration Kit, Apache Windows Integration Kit, Citrix Integration Kit, IIS Integration Kit, Java Integration Kit, NetWeaver Integration Kit, OAM Integration Kit, PHP Integration Kit, RSA SecurID Integration Kit, SharePoint Integration Kit, SiteMinder Integration Kit, WebLogic Integration Kit, WebSphere Integration Kit, Windows IWA Integration Kit, X509 Certificate Integration Kit, VeriSign Identity Protection (VIP)

SaaS Connectors: Google Connector, Salesforce Connector, WebEx Connector

Cloud Identity Connectors: Facebook Cloud Identity Connector, OpenID Cloud Identity Connector, Salesforce Cloud Identity Connector, Twitter Cloud Identity Connector, LinkedIn Cloud Identity Connector, Windows Live Cloud Identity Connector

PingFederate Token Translators: SiteMinder Token Translator, Kerberos Token Translator, OAM Token Translator, OpenToken Token Translator, Username Token Translator, X509 Token Translator

IV. Specification Configuration

The only known solution able to meet the above requirements is the Ping Identity Enterprise Subscription, Production Subscription with 70 Production Connections.

V. Security

FERPA Requirements: Vendor agrees to comply with all applicable requirements of the Family Educational Rights and Privacy Act ("FERPA"), Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act ("HIPAA"), together hereinafter the "Acts", and guarantees that all information covered by the Acts and provided to vendor by the University ("University Information") will be used only in conjunction with the product or service being provided, that it will not be used for any other purpose, or be released by vendor or copied in any manner for any other use, and will be promptly returned or destroyed upon termination of this Agreement. Vendor shall use commercially reasonable efforts to notify all of its foreseeable agents, employees, subcontractors and assigns who will come into contact with University Information that they shall comply with, and are subject to, the confidentiality requirements set forth in the Acts, and shall provide each with a written explanation of the Acts' requirements for confidentiality before they are permitted to access the University Information. Vendor shall provide and maintain a secure environment that ensures confidentiality of all University Information wherever located. No University Information shall be distributed or sold to any third party or used by vendor or its agents in any way, except as authorized by the Agreement and as approved by the University.
Vendor agrees to notify the University, within seventy-two (72) hours, of any security breach that could result in the unauthorized disclosure of University Information. University Information shall not be retained in any files or otherwise by vendor or its agents, except as set forth in this Agreement and approved by the University. Disclosure of University Information may be cause for legal action against vendor or its agents. Defense of any such action shall be the sole responsibility of vendor.
VI. Sole Point of Contact - Purchasing Agent

Jeff Lehmann
University of Colorado, Office of the President
1800 Grant Street
Denver, CO 80203
303.764.3413
Jeff.lehmann@cu.edu