RFP BOR-1511 Federated Identity Services - Response to Questions / Answers (Connecticut Board of Regents)

1. Q: Under Technical Requirements the following requirement is listed: "2. The solution is cloud-based software-as-a-service, requiring minimal or no on-site footprint and maintenance requirements." Is it an acceptable option to run the solution in AWS, or must it be a complete third-party SaaS-based offering?
   A: In the case of AWS, Amazon should be treated as a subcontractor, and the relationship should be included in answers pertaining to data center location, business continuity, etc.

2. Q: We are able to access the RFP; however, we are only able to download a PDF copy. Given this, I wanted to ask how you expect us to respond. Can you post a Word copy so that we can insert our responses?
   A: We have now posted, with all other RFP documents on this site, a .doc version of the Scope-related sections of the RFP. The excerpt covers page 1 through the end of section IV on page 9.

3. Q: Are they considering private cloud / public cloud? What parts of the solution will be hosted on-premise and what parts of the solution will be hosted in the cloud? Will there be a combination of deployment models depending on the user group?
   A: Whether the hosting environment is at a vendor-owned facility or by a cloud provider doesn't matter as long as all legal/regulatory/security requirements are met (either by the contractor or by the cloud-host as a subcontractor) and there is no on-going network, hardware or software maintenance required by the IT staff of the BOR or its constituent units. The entire Identity service should be cloud-based and externally hosted. Internally-hosted components are described under section B ("Installed Technical Base"), consisting of Banner ERP, MS Active Directory and existing Luminis portals.

4. Q: What is the full scope of applications to be included in the federation? We need application name, vendor, and current application version.
   A: Primary applications:
   - Ellucian Banner ERP – Major Version 8 – Five instances hosted internally in five separate locations
   - Ellucian Banner Internet Native Banner – Major Version 8 – Five instances hosted internally in five separate locations
   - Ellucian Luminis Portal – Major Version 4/5 – Four instances hosted internally in four separate locations and linked to local ERP
   - Blackboard Learning Management System – Major Version 9 – One instance hosted by vendor
   - Office 365 – Current version – Five instances hosted by Microsoft
   - Microsoft Exchange – MS Exchange 2010 – Five instances hosted internally in five separate locations
   - Radius authentication for access to wireless networks at all locations
   The expectation is that many other applications will be included over time (later phase) through a combination of administrative configuration, available existing connectors and, if necessary, additional API-based development. Any service charges for acquiring and/or maintaining additional product connectors should be noted up-front. Service charges for optional development services to establish additional connectors should also be quoted.

5. Q: Is the scope the same for all campuses included in the RFP, or will each campus have its own pain points to be addressed by the selected vendor?
   A: The initial scope is the same for all participants. The list of additional applications differs somewhat between locations.

6. Q: Does the selected vendor need to extend the state federation to InCommon, or is this solely within the state of Connecticut?
   A: The federation does not extend beyond the Connecticut State Colleges and Universities.

7. Q: What is the dynamic of the state IAM team? Specifically, will the selected vendor be required to work with each campus individually to deploy the solution(s)?
   A: The vendor will be required to work with technical representatives on each campus to deploy the solutions.

8. Q: How does RFP BOR-1511 for Federated Identity Services differ from or relate to RFI BOR-1512 System Data Warehouse Project? There seems to be overlap. Please clarify.
   A: The two projects are unrelated except for the fact that both will interact with Banner.

9. Q: Who "owns" the deployment post production acceptance? Will the selected vendor deal with the state for all issues (support, solution changes, etc.), or will each campus name a primary contact through which the selected vendor will communicate?
   A: Once the solution has been deployed in production, each campus will have a primary contact for communication of issues that impact an individual institution.

10. Q: Please clarify the following technical requirement: "The solution is cloud-based software-as-a-service, requiring minimal or no on-site footprint and maintenance requirements." Is the requirement that the solution be a software-as-a-service, or may it run in the cloud on AWS, Rackspace, etc.?
    A: Whether the hosting environment is at a vendor-owned facility or by a cloud provider doesn't matter as long as all legal/regulatory/security requirements are met (either by the contractor or by the cloud-host as a subcontractor) and there is no on-going network, hardware or software maintenance required by the IT staff of the BOR or its constituent units.

11. Q: If changes are made to any applicable dates/times, how will we be notified, or where can this information be obtained?
    A: No changes will be made to the dates and times for the acceptance of proposals and the opening of the bids.

12. Q: I would like to confirm the bid due date of Friday February 27th, 2015 @ 2:00 pm as stated on page 11 of 36.
    A: The bid due date/time is Friday February 27th, 2015 @ 2:00 pm as stated on page 11 of 36. Bids which have not arrived by that time will not be considered.

13. Q: The bid opening date is stated as February 27th, 2015 @ 2:30; however, there is seemingly no award date listed, so I would like to inquire as to when the award date is.
    A: The projected award date window is May. A binding date has not as yet been established. It is expected that the rounds of vendor presentation and bid review/analysis will extend through April. Volume and complexity of response to the RFP will necessarily influence the setting of the decision date.

14. Q: Based on the information, there is a possibility that one person can have multiple accounts across the Connecticut State system. Are you expecting the solution to consolidate all of them under one identity and use one login account across all the systems per person, or different accounts? For example, if Vlad has one AD account "VladS1" in ConnState1 and "VladS2" in ConnState2, should the expected solution allow Vlad to log in with "VladS1" no matter where he is and what he is trying to access, or still use "VladS1" for the ConnState1 portal and "VladS2" for the ConnState2 portal? The same goes for all other SSO systems, like Banner, Blackboard, etc.
    A: We expect the solution to consolidate all the accounts and use one login account across any integrated systems. For example, the solution provides one account "Vlad" that can be used to access integrated applications as "VladS1" at ConnState1 and as "VladS2" at ConnState2.

15. Q: Does Connecticut State have a unique identifier for each person across the whole system, or is it per entity (ConnState1, ConnState2)? If it is per entity, and the solution should aggregate the information, in case of different data (say address or phone number, etc.) related to a person, whom should we consider as the source of truth?
    A: There currently exists one unique identifier per entity. Feasibility and priority of authority for the purposes of deduplication of personal data on existing accounts is not yet clear.

16. Q: Does the Connecticut State system have plans to migrate from MS Exchange to Office 365 in the near future?
    A: The CSCU institutions currently use Office 365 for student email, student file-sharing and online meetings. Options are being explored for expanding its use to faculty and staff.

17. Q: In section C "Technical requirements", requirement 10 is "The solution can provide role-based, rule-based and attribute-based authentication for dependent applications". Are you talking about authentication, authorization or both? If you are talking about authentication too, can you please give us some desired use case scenarios? For example, "If a teacher is trying to log in to Blackboard from the office, then it will require only username/password or AD SSO, but if the teacher is trying to log in to Blackboard from home, then in addition to username/password he/she should enter a PIN".
    A: The primary concern of this requirement is that, for some applications, access be granted based on a person being identified as a member of a particular group (institutional affiliation, organizational role or both) or having been assigned some attribute conferring access. Location-based authentication requirements and multi-factor authentication for certain applications are separate questions.

18. Q: In section C "Technical requirements", requirement 20 is "The solution is browser neutral and platform agnostic." Can you elaborate more on the platform agnostic requirement? Does it mean that the solution (all modules, in cloud and on-premises) can run on any hardware and any OS? Or does it mean that the on-premises module (like a Web Server module) can run on any Web Server (Apache, IIS, WebSphere, etc.)?
    A: SSO services should work for all major browsers without third-party plug-ins, and mobile apps (where supplied) are available for all major device OS (iOS/Android, etc.). Agent software operating on our devices should be able to function on any operating system (Windows, Mac, Linux).

19. Q: Banner, Blackboard, AD, O365, and Jenzabar are listed as target applications. Will there be other applications that will need to be included? Are you planning to do all of these applications in Phase 1 or in several
    A: Radius-based wireless network authorization will be part of the first phase, as well. Other applications will be added in a later phase. Any costs for existing connectors should be disclosed up-front. Costs for services required to install additional services should be quoted.

20. Q: Does CSCU have developed business policies, rules, approval and fulfillment processes, and if yes, which of them will be in scope for this project?
    A: The universities and the community colleges system each have existing policies, rules and fulfillment processes at varying stages of maturity. All are in-scope.

21. Q: Is CSCU planning to have a Web access request system as a part of the Web portal built and hosted by the vendor? If yes, does CSCU have a defined entitlements catalog, and will implementation of the catalog be in scope for this project?
    A: At the initial phase, all entitlements will be granted based on attributes from authoritative data (no special access requests). A web access request system may be a valuable option to include later.

22. Q: How important is it for CSCU to integrate organizational charts into the solution, and should the org chart be used for role development?
    A: Though we can see potential value in the prospect, integrating staff org charts is not currently considered a priority.

23. Q: What are the requirements for the Web portal, which will be hosted by the vendor? Are they only look-and-feel or structural too?
    A: The vendor-hosted web portal can be as simple as a branded authentication screen for each institution with links to major applications displayed upon successful authentication. We're open to many options.

24. Q: The RFP calls for an Identity as a Service (IDaaS) proposal. Would CSUS consider both an IDaaS proposal and a managed services offering where CSUS owns the software, either under a perpetual license or a term license agreement, but the solution is hosted and managed in the vendor's cloud environment?
    A: The primary concern is that work on the CSCU side is limited to administration of the application – no server, network or software patching, plug-ins or other maintenance work required by our staff.

25. Q: Section A.1: "Create a system-wide identity for students, faculty, and staff." Can you please list the various authoritative sources that currently store the identities for students, faculty and staff across CSCU?
    A: Each of the four universities and the community colleges system hosts an Ellucian Banner ERP that contains demographic, academic and employment records upon which entitlements are granted. Charter Oak State College uses Jenzabar for this purpose.

26. Q: Section A.4: "Enable system-wide single sign-on (SSO)." Can you please list the applications that will be enabled using SSO; also highlight the current user repository or store for each application.
    A: During the first phase, we're looking to connect the following applications:
    - Ellucian Banner ERP (Banner Self-Serve) – Major Version 8 – Five instances hosted internally in five separate locations, authenticated by MS Active Directory.
    - Ellucian Banner Internet Native Banner – Major Version 8 – Five instances hosted internally in five separate locations, authenticated by MS Active Directory.
    - Ellucian Luminis Portal – Major Version 4/5 – Four instances hosted internally in four separate locations and linked to local ERP, authenticated by MS Active Directory.
    - Blackboard Learning Management System – Major Version 9 – One instance hosted by vendor, authenticated via multiple Active Directory connectors.
    - Office 365 – Current version – Five instances hosted by Microsoft, authenticated by MS Active Directory.
    - Microsoft Exchange – MS Exchange 2010 – Five instances hosted internally in five separate locations
    - Radius authentication for access to wireless networks at all locations
    The expectation is that many other applications will be included over time (later phase) through a combination of administrative configuration, available existing connectors and, if necessary, additional API-based development. Any service charges for acquiring and/or maintaining additional product connectors should be noted up-front. Service charges for optional development services to establish additional connectors should also be quoted.

27. Q: Section B.4: "Several of the institutions run independent portals that provide limited single sign-on and entitlement fulfillment workflows."
    A: Three of the four universities and the community colleges system are using Ellucian Luminis Portal to provide SSO between the portal, Blackboard and, in some cases, Office 365.

28. Q: "The six identity management regimes have developed in independent silos, according to the needs and capabilities of their respective institutions." Can you confirm the six identity regimes are as follows: 4 state colleges, 1 for community colleges and 1 for the Charter Oak State College?
    A: This is correct: 4 state universities, 1 for community colleges, and 1 for the Charter Oak State College.

29. Q: Section C.1: "The solution provides single sign-on to application services hosted internal and external to our on-site technical environment." List the number, type and authentication store for these target applications.
    A: See the answer provided above.

30. Q: Section C.3: "The solution provides the CSCU institutions with the ability to login through individually branded portals hosted on-premise." What is the user store or authentication source for these portals today?
    A: The user store for each institution is the Ellucian Banner ERP system, and in each case authentication is performed against a synchronized instance of MS Active Directory.

31. Q: Section C.12: "The solution can automate synchronization (adds, changes and deletions) of identities to target applications and other repositories."
    A: See above.

32. Q: Section C.13: "The solution can automate provisioning and de-provisioning of accounts across systems." Please list the systems for provisioning and de-provisioning.
    A: See above.

33. Q: Section C.8: "The solution can provide out-of-the-box SSO to Ellucian Banner Self-Service, Ellucian Internet Native Banner, Blackboard Learning Management System, Office 365, Microsoft Exchange (hosted on-premise)." Question: Do these applications support SAML or other federation protocols? For "Ellucian Banner Self-Service, Ellucian Internet Native Banner, Blackboard Learning Management System": what is the current IAM platform, and what is the back-end data store for these apps?
    A: Current SSO between local portals and Banner Self-Serve/INB is via CAS. Blackboard supports SAML. There is no current IAM platform. All have Oracle databases on the back-end.

34. Q: Section C.11: "The solution may be used to implement multi-factor authentication to specific applications designated as requiring more restricted access." Question: Do you have a preference in multi-factor options? Are you using any today?
    A: We are not using any today. We don't have any preferences at this time.

35. Q: Section C.16: "The solution provides out-of-the-box reports on IGA events, per system and per date." Question: Do you have an IGA solution? What is your process today?
    A: We do not have an IGA solution in place today. We currently do not capture and report on this data.

36. Q: Do you currently have any web services front ends? What is the back-end data store?
    A: We do not currently provide any web services front ends to these applications.

37. Q: What is the percentage of full-time vs part-time staff/employees? Are part-time people employees of the State of CT? What percentage will access the system more than 5 times a year?
    A: The largest proportion of the impacted population are not employees, but students. Almost all will access at least one of the applications more than five times per year.

38. Q: For independent portals, what are the back-end data stores?
    A: Where they are in use, Luminis portals have an Oracle back-end database.

39. Q: Your RFP gives a very strong indication that you have already decided on a SaaS Cloud solution. If that is the case, have you fully researched all the pros and cons of going in this direction, including components which may or may not be achievable when you factor in on-premise requirements vs. Cloud-based solutions?
    A: Yes.

40. Q: Prior to this RFP submission, did you contract with an assessment security solutions provider to understand your as-is state and what your desired future state would look like, and if so, who provided assessment services to you?
    A: No.

41. Q: You mentioned you have six identity management regimes already today; therefore, are there existing solutions or processes you have already decided must continue with your future state, and if so, what might they be?
    A: There are no existing Identity Management solutions in place, per se, that must be carried through to the future state. Some automated provisioning is done from ERP to AD and Blackboard via proprietary Ellucian connectors. Additional provisioning to MS Exchange and Office 365 is done through Microsoft technologies. These are likely to persist unless the proposed solution can demonstrate a reduction in cost or other benefits. There is some SSO between applications hosted by each institution based on the Ellucian portal. There is no system-wide identity or SSO. Each of the institutions will continue to have its own ERP system and manage its own Active Directory in the future state.

42. Q: Password and security processes are so tightly coupled with a help desk/service center solution; thus, do you have an existing help desk/service center solution and processes today that you will want to integrate into your security future state?
    A: Each institution has its own help desk and they all spend time dealing with password reset processes. One of our requirements lists the need for automated password resets.

43. Q: How important is it for you to award this new initiative to a company that has been servicing and supporting the State of Connecticut for a very long time?
    A: We're more concerned about a stable company with good references that can help us meet the goals outlined in the RFP.

44. Q: What, if any, role do you envision the State DAS/BEST agency to have in this initiative?
    A: None.

45. Q: In the introduction, it is mentioned that the Board is looking for an Identity Governance and Administration solution. Do you have any requirements for Access Certification or Role Management?
    A: As stated in that section, we are primarily interested in SSO, entitlement fulfillment and BI on usage.

46. Q: What are the applications/systems to which the solution should provision accounts? Are the applications SaaS or hosted on-prem?
    A: See the answer above regarding existing identity management regimes. Blackboard and Office 365 are vendor hosted. The others are hosted on-prem. The solution should be capable of provisioning accounts across the applications as listed repeatedly. Initial focus will be on creating a system-wide identity and promoting the ability to use that identity to access services at any location with SSO.

47. Q: What do you mean by SSO to Microsoft Exchange (hosted on-prem)?
    A: SSO to email via OWA when accessing from a browser off-site.

48. Q: Do all the applications identified for SSO support SAML? Are they SaaS or on-prem applications?
    A: Not all do. We envision the need for other means to promote SSO in some cases (if not immediately, then in the future). See other answers for where applications are hosted.

49. Q: What type of MFA?
    A: No preferences are being expressed at this time.

50. Q: Will CT BOR require Active Directory Sync? Are the applications to be provisioned to reachable by a single on-premise server (on the same network)?
    A: That depends on the solution requirements. The applications may not be on the same network. The solution needs to have the capability to work across domain boundaries with SaaS providers that we add to our service portfolio over time.

51. Q: Is the expectation for the solution to host multiple portals, or is this to be part of the solution's portal? What kind of individual branding is expected?
    A: Users need to log in to access services via authentication embedded in an institution-hosted web portal site and through a simply branded portal hosted as part of this RFP. As stated elsewhere, the hosted portal may be as simple as a branded authentication form with a list of connected applications displayed upon successful login.

END OF SUBMITTED QUESTIONS
