RFP BOR-1511 Federated Identity Services - Response to Questions / Answers



Q # 1: Under Technical Requirements the following requirement is listed: "2. The solution is cloud-based software-as-a-service, requiring minimal or no on-site footprint and maintenance requirements." Is it an acceptable option to run the solution in AWS, or must it be a complete 3rd-party SaaS-based offering?
A: In the case of AWS, Amazon should be treated as a subcontractor, and the relationship should be included in answers pertaining to data center location, business continuity, etc.

Q # 2: We are able to access the RFP; however, we are only able to download a PDF copy. Given this, I wanted to ask how you expect us to respond. Can you post a Word copy so that we can insert our responses?
A: We have now posted, with all other RFP documents on this site, a .doc version of the Scope-related sections of the RFP. The excerpt covers page 1 through the end of section IV on page 9.

Q # 3: Are they considering private cloud / public cloud? What parts of the solution will be hosted on-premise and what parts of the solution will be hosted in the cloud? Will there be a combination of deployment models depending on the user group?
A: Whether the hosting environment is at a vendor-owned facility or by a cloud provider doesn't matter as long as all legal/regulatory/security requirements are met (either by the contractor or by the cloud host as a subcontractor) and there is no on-going network, hardware or software maintenance required by the IT staff of the BOR or its constituent units. The entire Identity service should be cloud-based and externally hosted. Internally-hosted components are described under section B ("Installed Technical Base"), consisting of Banner ERP, MS Active Directory and existing Luminis portals.

Q # 4: What is the full scope of applications to be included in the federation? We need application name, vendor, and current application version.
A: Primary applications:
- Ellucian Banner ERP, Major Version 8: five instances hosted internally in five separate locations
- Ellucian Banner Internet Native Banner, Major Version 8: five instances hosted internally in five separate locations
- Ellucian Luminis Portal, Major Version 4/5: four instances hosted internally in four separate locations and linked to local ERP
- Blackboard Learning Management System, Major Version 9: one instance hosted by vendor
- Office 365, current version: five instances hosted by Microsoft
- Microsoft Exchange, MS Exchange 2010: five instances hosted internally in five separate locations
- RADIUS authentication for access to wireless networks at all locations
The expectation is that many other applications will be included over time (later phase) through a combination of administrative configuration, available existing connectors and, if necessary, additional API-based development. Any service charges for acquiring and/or maintaining additional product connectors should be noted up-front. Service charges for optional development services to establish additional connectors should also be quoted.

Q # 5: Is the scope the same for all campuses included in the RFP, or will each campus have their own pain points to be addressed by the selected vendor?
A: The initial scope is the same for all participants. The list of additional applications differs somewhat between locations.

Q # 6: Does the selected vendor need to extend the state federation to InCommon, or is this solely within the state of Connecticut?
A: The federation does not extend beyond the Connecticut State Colleges and Universities.

Q # 7: What is the dynamic of the state IAM team? Specifically, will the selected vendor be required to work with each campus individually to deploy the solution(s)?
A: The vendor will be required to work with technical representatives on each campus to deploy the solutions.

Q # 8: How does RFP BOR-1511 for Federated Identity Services differ from or relate to RFI BOR-1512 System Data Warehouse Project? There seems to be overlap. Please clarify.
A: The two projects are unrelated except for the fact that both will interact with Banner.

Q # 9: Who owns the deployment post production acceptance? Will the selected vendor deal with the state for all issues (support, solution changes, etc.), or will each campus name a primary contact through which the selected vendor will communicate?
A: Once the solution has been deployed in production, each campus will have a primary contact for communication of issues that impact an individual institution.

Q # 10: Please clarify the following technical requirement: "The solution is cloud-based software-as-a-service, requiring minimal or no on-site footprint and maintenance requirements." Is the requirement that the solution be software-as-a-service, or may it run in the cloud on AWS, Rackspace, etc.?
A: Whether the hosting environment is at a vendor-owned facility or by a cloud provider doesn't matter as long as all legal/regulatory/security requirements are met (either by the contractor or by the cloud host as a subcontractor) and there is no on-going network, hardware or software maintenance required by the IT staff of the BOR or its constituent units.

Q # 11: If changes are made to any applicable dates/times, how will we be notified, or where can this information be obtained?
A: No changes will be made to the dates and times for the acceptance of proposals and the opening of the bids.

Q # 12: I would like to confirm the bid due date of Friday, February 27th, 2015 @ 2:00 pm as stated on page 11 of 36.
A: The bid due date/time is Friday, February 27th, 2015 @ 2:00 pm as stated on page 11 of 36. Bids which have not arrived by that time will not be considered.

Q # 13: The bid opening date is stated as February 27th, 2015 @ 2:30; however, there is seemingly no award date listed, so I would like to inquire as to when the award date is.
A: The projected award date window is May. A binding date has not as yet been established. It is expected that the rounds of vendor presentation and bid review/analysis will extend through April. Volume and complexity of response to the RFP will necessarily influence the setting of the decision date.

Q # 14: Based on the information, there is a possibility that one person can have multiple accounts across the Connecticut State system. Are you expecting the solution to consolidate all of them under one identity and use one login account across all the systems per person, or different accounts? For example, if Vlad has one AD account VladS1 in ConnState1, and VladS2 in ConnState2, then should the expected solution allow Vlad to log in with VladS1 no matter where he is and what he is trying to access, or still use VladS1 for the ConnState1 portal and VladS2 for the ConnState2 portal? The same goes for all other SSO systems, like Banner, Blackboard, etc.
A: We expect the solution to consolidate all the accounts and use one login account across any integrated systems. For example, the solution provides one account "Vlad" that can be used to access integrated applications as VladS1 at ConnState1 and as VladS2 at ConnState2.

Q # 15: Does Connecticut State have a unique identifier for each person across the whole system, or is it per entity (ConnState1, ConnState2)? If it is per entity, and the solution should aggregate the information, in case of different data (say address or phone number, etc.) related to a person, whom should we consider as the source of truth?
A: There currently exists one unique identifier per entity. Feasibility and priority of authority for the purposes of deduplication of personal data on existing accounts is not yet clear.

Q # 16: Does the Connecticut State system have plans to migrate from MS Exchange to Office 365 in the near future?
A: The CSCU institutions currently use Office 365 for student email, student file-sharing and online meetings. Options are being explored for expanding its use to faculty and staff.

Q # 17: In section C, Technical requirements, requirement 10 is "The solution can provide role-based, rule-based and attribute-based authentication for dependent applications." Are you talking about authentication, authorization or both? If you are talking about authentication too, can you please give us some desired use case scenarios? For example, if a teacher is trying to log in to Blackboard from the office, then it will require only username/password or AD SSO, but if the teacher is trying to log in to Blackboard from home, then in addition to username/password he/she should enter a PIN.
A: The primary concern of this requirement is that, for some applications, access be granted based on a person being identified as a member of a particular group (institutional affiliation, organizational role or both) or having been assigned some attribute conferring access. Location-based authentication requirements and multi-factor authentication for certain applications are separate questions.

Q # 18: In section C, Technical requirements, requirement 20 is "The solution is browser neutral and platform agnostic." Can you elaborate more on the platform agnostic requirement? Does it mean that the solution (all modules, in cloud and on-premises) can run on any hardware and any OS? Or does it mean that the on-premises module (like a Web Server module) can run on any Web Server (Apache, IIS, WebSphere, etc.)?
A: SSO services should work for all major browsers without third-party plug-ins, and mobile apps (where supplied) are available for all major device OS (iOS/Android, etc.). Agent software operating on our devices should be able to function on any operating system (Windows, Mac, Linux).

Q # 19: Banner, Blackboard, AD, O365, and Jenzabar are listed as target applications. Will there be other applications that will need to be included? Are you planning to do all of these applications in Phase 1 or in several
A: RADIUS-based wireless network authorization will be part of the first phase, as well. Other applications will be added in a later phase. Any costs for existing connectors should be disclosed up-front. Costs for services required to install additional services should be quoted.

Q # 20: Does CSCU have developed business policies, rules, approval and fulfillment processes, and if yes, which of them will be in scope for this project?
A: The universities and the community colleges system each have existing policies, rules and fulfillment processes at varying stages of maturity. All are in-scope.

Q # 21: Is CSCU planning to have a Web access request system as a part of the Web portal built and hosted by the vendor? If yes, does CSCU have a defined entitlements catalog, and will implementation of the catalog be in scope for this project?
A: At the initial phase, all entitlements will be granted based on attributes from authoritative data (no special access requests). A web access request system may be a valuable option to include later.

Q # 22: How important is it for CSCU to integrate organizational charts into the solution, and should the org chart be used for role development?
A: Though we can see potential value in the prospect, integrating staff org charts is not currently considered a priority.

Q # 23: What are the requirements for the Web portal which will be hosted by the vendor? Are they only look-and-feel or structural too?

A: The vendor-hosted web portal can be as simple as a branded authentication screen for each institution with links to major applications displayed upon successful authentication. We're open to many options.

Q # 24: The RFP calls for an Identity as a Service proposal (IDaaS). Would CSUS consider both an IDaaS proposal and a managed services offering where CSUS owns the software, either under a perpetual license or term license agreement, but the solution is hosted and managed in the vendor's cloud environment?
A: The primary concern is that work on the CSCU side is limited to administration of the application: no server, network or software patching, plug-ins or other maintenance work required by our staff.

Q # 25: Section A.1, "Create a system-wide identity for students, faculty, and staff": can you please list the various authoritative sources that currently store the identities for students, faculty and staff across CSCU?
A: Each of the four universities and the community colleges system hosts an Ellucian Banner ERP that contains demographic, academic and employment records upon which entitlements are granted. Charter Oak State College uses Jenzabar for this purpose.

Q # 26: Section A.4, "Enable system-wide single sign-on (SSO)": can you please list the applications that will be enabled using SSO, and also highlight the current user repository or store for each application.
A: During the first phase, we're looking to connect the following applications:
- Ellucian Banner ERP (Banner Self-Serve), Major Version 8: five instances hosted internally in five separate locations, authenticated by MS Active Directory
- Ellucian Banner Internet Native Banner, Major Version 8: five instances hosted internally in five separate locations, authenticated by MS Active Directory
- Ellucian Luminis Portal, Major Version 4/5: four instances hosted internally in four separate locations and linked to local ERP, authenticated by MS Active Directory
- Blackboard Learning Management System, Major Version 9: one instance hosted by vendor, authenticated via multiple Active Directory connectors
- Office 365, current version: five instances hosted by Microsoft, authenticated by MS Active Directory
- Microsoft Exchange, MS Exchange 2010: five instances hosted internally in five separate locations
- RADIUS authentication for access to wireless networks at all locations
The expectation is that many other applications will be included over time (later phase) through a combination of administrative configuration, available existing connectors and, if necessary, additional API-based development. Any service charges for acquiring and/or maintaining additional product connectors should be noted up-front. Service charges for optional development services to establish additional connectors should also be quoted.

Q # 27: Section B.4, "Several of the institutions run independent portals that provide limited single sign-on and entitlement fulfillment workflows."
A: Three of the four universities and the community colleges system are using Ellucian Luminis Portal to provide SSO between the portal, Blackboard and, in some cases, Office 365.

Q # 28: "The six identity management regimes have developed in independent silos, according to the needs and capabilities of their respective institutions." Can you confirm the six identity regimes are as follows: 4 state colleges, 1 for community colleges and 1 for Charter Oak State College.
A: This is correct: 4 state universities, 1 for community colleges, and 1 for Charter Oak State College.

Q # 29: Section C.1, "The solution provides single sign-on to application services hosted internal and external to our on-site technical environment." List the number, type and authentication store for these target applications.
A: See the answer provided above.

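The consolidation described in the answer to Q # 14 (one login, presented as VladS1 at ConnState1 and as VladS2 at ConnState2) together with the attribute-based entitlements in the answers to Q # 17 and Q # 21 can be pictured as an identity-linking table plus a policy check over authoritative attributes. The Python below is an added illustration written for this page; it is not part of the RFP, the CSCU environment, or any vendor's product. The institution names, account names, affiliation values, record statuses and the three target applications are constructed assumptions, and the function names are hypothetical. It goes slightly beyond the answers by also showing a terminated source record withdrawing access.

```python
"""Added illustration for the answers to Q # 14, Q # 17 and Q # 21: one
system-wide identity linked to existing per-institution accounts, with access
derived from authoritative attributes rather than per-application requests.
This is example code, not part of the RFP or any vendor's product."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Constructed sample data: institution names, account names, affiliation values
# and record status are assumptions for the example, not real CSCU data.
# (institution, local account) -> authoritative ERP record
ERP_RECORDS = {
    ("ConnState1", "VladS1"):  {"affiliation": {"faculty"}, "status": "active"},
    ("ConnState2", "VladS2"):  {"affiliation": {"student"}, "status": "active"},
    ("ConnState2", "MariaK7"): {"affiliation": {"staff"},   "status": "active"},
    ("ConnState2", "AnnR3"):   {"affiliation": {"staff"},   "status": "terminated"},
}

# Identity linking: the system-wide login name maps to at most one local
# account per institution (the "one account Vlad, seen as VladS1 at ConnState1
# and VladS2 at ConnState2" behaviour from Q # 14).
LINKED_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "vlad":  {"ConnState1": "VladS1", "ConnState2": "VladS2"},
    "maria": {"ConnState2": "MariaK7"},
    "ann":   {"ConnState2": "AnnR3"},
}


@dataclass(frozen=True)
class App:
    name: str
    institution: Optional[str]   # None = system-wide service (e.g. vendor-hosted LMS)
    required: FrozenSet[str]     # any one of these affiliations grants access
    local_subject: bool = True   # assert the institution-local account as subject?


# Hypothetical targets modelled on the RFP's application list.
APPS = [
    App("Blackboard", None, frozenset({"student", "faculty", "staff"}), local_subject=False),
    App("Banner INB @ConnState1", "ConnState1", frozenset({"faculty", "staff"})),
    App("Banner Self-Service @ConnState2", "ConnState2", frozenset({"student", "faculty", "staff"})),
]


def aggregate_attributes(system_id: str) -> Dict[str, Set[str]]:
    """Collect affiliations from every linked account that is still active.

    A terminated ERP record contributes nothing, so de-provisioning at the
    authoritative source removes the entitlement without any extra workflow."""
    out: Dict[str, Set[str]] = {}
    for inst, local in LINKED_ACCOUNTS.get(system_id, {}).items():
        rec = ERP_RECORDS.get((inst, local))
        if rec and rec["status"] == "active":
            out[inst] = set(rec["affiliation"])
    return out


def decide(system_id: str, app: App) -> Optional[dict]:
    """Return the attribute bundle the identity service would assert to `app`,
    or None when access is denied.

    Institution-scoped apps only see that institution's affiliations and get
    the institution-local account as subject; system-wide apps get the
    system-wide id and the union of affiliations across institutions."""
    attrs = aggregate_attributes(system_id)
    if app.institution is None:
        affs = set().union(*attrs.values())
        subject = system_id
    else:
        affs = attrs.get(app.institution, set())
        local = LINKED_ACCOUNTS.get(system_id, {}).get(app.institution)
        subject = local if (app.local_subject and local) else system_id
    if not affs & app.required:
        return None
    return {"app": app.name, "subject": subject, "affiliation": sorted(affs)}


if __name__ == "__main__":
    for who in ("vlad", "maria", "ann"):
        for app in APPS:
            print(who, "->", app.name, ":", decide(who, app))
```

Running it prints the decision for each person and application. Two points are worth noticing: the institution-scoped applications receive the institution-local account name as the subject while the system-wide service receives the consolidated identity, and the only way to gain or lose an entitlement is through the authoritative record, which is the behaviour the answer to Q # 21 asks for.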
Q # 30: Section C.3, "The solution provides the CSCU institutions with the ability to login through individually branded portals hosted on-premise." What is the user store or authentication source for these portals today?
A: The user store for each institution is the Ellucian Banner ERP system, and in each case authentication is performed against a synchronized instance of MS Active Directory.

Q # 31: Section C.12, "The solution can automate synchronization (adds, changes and deletions) of identities to target applications and other repositories."
A: See above.

Q # 32: Section C.13, "The solution can automate provisioning and de-provisioning of accounts across systems." Please list the systems for provisioning and de-provisioning.
A: See above.

Q # 33: Section C.8, "The solution can provide out-of-the-box SSO to Ellucian Banner Self-Service, Ellucian Internet Native Banner, Blackboard Learning Management System, Office 365, Microsoft Exchange (hosted on-premise)." Do these applications support SAML or other federation protocols? For "Ellucian Banner Self-Service, Ellucian Internet Native Banner, Blackboard Learning Management System": what is the current IAM platform, and what is the back-end data store for these apps?
A: Current SSO between local portals and Banner Self-Serve/INB is via CAS. Blackboard supports SAML. There is no current IAM platform. All have Oracle databases on the back-end.

Q # 34: Section C.11, "The solution may be used to implement multi-factor authentication to specific applications designated as requiring more restricted access." Do you have a preference in multi-factor options? Are you using any today?
A: We are not using any today. We don't have any preferences at this time.

Q # 35: Section C.16, "The solution provides out-of-the-box reports on IGA events, per system and per date." Do you have an IGA solution? What is your process today?
A: We do not have an IGA solution in place today. We currently do not capture and report on this data.

Q # 36: Do you currently have any web services front ends? What is the back-end data store?
A: We do not currently provide any web services front ends to these applications.

Q # 37: What is the percentage of full-time vs. part-time staff/employees? Are part-time people employees of the State of CT? What percentage will access the system more than 5 times a year?
A: The largest proportion of the impacted population are not employees, but students. Almost all will access at least one of the applications more than five times per year.

Q # 38: For independent portals, what are the back-end data stores?
A: Where they are in use, Luminis portals have an Oracle back-end database.

Q # 39: Your RFP gives a very strong indication that you have already decided on a SaaS Cloud solution. If that is the case, have you fully researched all the pros and cons of going in this direction, including components which may or may not be achievable when you factor in on-premise requirements vs. Cloud-based solutions?
A: Yes.

Q # 40: Prior to this RFP submission, did you contract with an assessment security solutions provider to understand your as-is state and what your desired future state would look like, and if so, who provided assessment services to you?
A: No.

Q # 41: You mentioned you have six identity management regimes already today; therefore, are there existing solutions or processes you have already decided must continue with your future state, and if so, what might they be?
A: There are no existing Identity Management solutions in place, per se, that must be carried through to the future state. Some automated provisioning is done from ERP to AD and Blackboard via proprietary Ellucian connectors. Additional provisioning to MS Exchange and Office 365 is done through Microsoft technologies. These are likely to persist unless the proposed solution can demonstrate a reduction in cost or other benefits. There is some SSO between applications hosted by each institution based on the Ellucian portal. There is no system-wide identity or SSO. Each of the institutions will continue to have its own ERP system and manage its own Active Directory in the future state.

Q # 42: Password and security processes are so tightly coupled with a help desk service center solution; thus, do you have an existing help desk/service center solution and processes today that you will want to integrate into your security future state?
A: Each institution has its own help desk, and they all spend time dealing with password reset processes. One of our requirements lists the need for automated password resets.

Q # 43: How important is it for you to award this new initiative to a company that has been servicing and supporting the State of Connecticut for a very long time?
A: We're more concerned about a stable company with good references that can help us meet the goals outlined in the RFP.

Q # 44: What, if any, role do you envision the State DAS/BEST agency having in this initiative?
A: None.

Q # 45: In the introduction, it is mentioned that the Board is looking for an Identity Governance and Administration solution. Do you have any requirements for access certification or role management?
A: As stated in that section, we are primarily interested in SSO, entitlement fulfillment and BI on usage.

Q # 46: What are the applications/systems for which the solution should provision accounts? Are the applications SaaS or hosted on-prem?
A: See the answer above regarding existing identity management regimes. Blackboard and Office 365 are vendor-hosted. The others are hosted on-prem. The solution should be capable of provisioning accounts across the applications as listed repeatedly. Initial focus will be on creating a system-wide identity and promoting the ability to use that identity to access services at any location with SSO.

Q # 47: What do you mean by SSO to Microsoft Exchange (hosted on-prem)?
A: SSO to email via OWA when accessing from a browser off-site.

Q # 48: Do all the applications identified for SSO support SAML? Are they SaaS or on-prem applications?
A: Not all do. We envision the need for other means to promote SSO in some cases (if not immediately, then in the future). See other answers for where applications are hosted.

Q # 49: What type of MFA?
A: No preferences are being expressed at this time.

Q # 50: Will CT BOR require Active Directory Sync? Are the applications to be provisioned reachable by a single on-premise server (on the same network)?

A: That depends on the solution requirements. The applications may not be on the same network. The solution needs to have the capability to work across domain boundaries with SaaS providers that we add to our service portfolio over time.

Q # 51: Is the expectation for the solution to host multiple portals, or is this to be part of the solution's portal? What kind of individual branding is expected?
A: Users need to log in to access services via authentication embedded in an institution-hosted web portal site and through a simply branded portal hosted as part of this RFP. As stated elsewhere, the hosted portal may be as simple as a branded authentication form with a list of connected applications displayed upon successful login.

END OF SUBMITTED QUESTIONS