Page 1 of 13

California State University, Chico

Questions & Answers, and Addendum #1 RFP 2015-01SR

IDENTITY & ACCESS MANAGEMENT SYSTEM

PROPOSAL DUE DATE: MARCH 18, 2015 – 4:30 P.M. PST

This document includes information in regard to questions concerning the RFP.

Revisions to RFP – Addendum #1

The following revisions/clarifications are hereby included as Addendum #1 for RFP 2015-01SR.

Summary of changes:

Cover Page - On page 1 of the RFP there was an incorrect statement regarding proposal submissions. The screenshot below includes a red highlighted section that was incorrect. Please see section 5.18 (SUBMISSION OF PROPOSALS) of the IAM RFP for the correct submission instructions. Electronic submissions are encouraged.

Section 3.9.k - Hereby amended to read as follows: (Optional/Phase II+) Implementation of role-based access (as necessary, in addition to or on top of item #e above) (if available). As clarification, these roles are for users of applications.

Questions/Responses

1 Question: For AD/OpenLDAP what is the complexity and configuration of your group management?

Response: There are currently approximately 1,800 groups in AD, but only 29 groups in OpenLDAP. Groups in both directories are currently created manually based on requests from the user community. Users are typically added to/removed from these groups in a number of different, mostly inefficient, ways (via runbooks, PowerShell, or manually and ad hoc by users and/or system administrators with delegated rights). There are currently no naming conventions (group names are typically ad hoc), and there are no standard types. As part of this implementation the University intends to move from processes that are manual, non-standardized/ad hoc, and non-synchronized to processes that are automated, standardized, and synchronized to the greatest extent possible. Group membership should be driven by data in PeopleSoft (e.g. job codes, departments, reporting lines, etc.) to the greatest extent possible.

2 Question: Please detail the features of your “homegrown password management” to replace?

Response: There are four Java web applications (with some JavaScript) running under a combination of Apache HTTPD and Tomcat on Red Hat Linux servers; there are also some C#/.NET scripts.

Java application #1, “AccountInit”: allows students to set an initial PW. Workflow: User inputs emplid + birthdate, which are validated against OpenLDAP (emplid) and the homegrown Registry (birthdate). Validates that the user is not faculty or staff (faculty/staff are redirected to the Avatier PW management application), and determines if the student has already initialized the account. A student with an uninitialized account is redirected to another page to establish answers for three security questions and then to another page to set the PW.

Java application #2, “ChicoLDAP”: used by help desk staff to reset a user’s PW. Workflow: None, really. A help desk staff member clicks on a button on the main menu and is redirected to another page to set the PW.

Java application #3, “AccountMaint”: allows students to reset security questions and answers or reset the PW. Workflow: User inputs uid + password, which are validated against OpenLDAP. If the user has not already established security questions and answers, s/he is redirected to a page to do so; otherwise the user is redirected to the main menu, where they can click on a button to go to another page to set the PW.

Java application #4, “PasswordReset”: allows a student to reset their PW when they do not remember their current PW. Workflow: User inputs uid + emplid, which are validated against OpenLDAP. The user is redirected to a security question and answer challenge page, where s/he must successfully provide answers to three security questions. If s/he succeeds, s/he is redirected to another page to set the PW.

Note: All four of these web applications also update the password in the user’s student email account, which is externally hosted by Google (i.e., all four web applications use a Google API).

The C#/.NET scripts provide the following features:

Notify AD users about expiring passwords (via email)

Mark AD user accounts for expiration

Reset passwords in AD/OpenLDAP/Google Apps (via web interface only)

Using this current set of homegrown tools is not the best benchmark. The tools do not offer the same type of robust features that are available by many of the off-the-shelf products available today.
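The PasswordReset workflow in the response above (identify by uid + emplid, pass a three-question challenge, then set the password) is the kind of multi-step flow where the security of the whole thing rests on two controls: the password-setting step must be unreachable without a fresh, single-use proof that the challenge was passed for that same uid, and the stored answers must be salted hashes compared in constant time with a lockout after repeated failures. The following is an added example that models those controls; it is not the University's AccountInit/AccountMaint/PasswordReset code. The uid-to-emplid map, the question text, the failure limit, the token lifetime and the PBKDF2 round count are all constructed assumptions, and the in-memory password dictionary stands in for the OpenLDAP and Google updates the real applications perform.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the OpenLDAP lookup that validates uid + emplid (assumption).
DIRECTORY = {"jsmith": "000123456", "adoe": "000654321"}

MAX_FAILURES = 5            # assumption: lock the challenge after five failed attempts
TOKEN_TTL_SECONDS = 300     # assumption: a passed challenge is good for five minutes
PBKDF2_ROUNDS = 50_000      # kept modest so the example runs quickly; raise in production


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Chico  HIGH' and 'chico high' match."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ResetService:
    def __init__(self) -> None:
        self.answers: Dict[str, List[Tuple[str, bytes, bytes]]] = {}  # uid -> [(question, salt, digest)]
        self.failures: Dict[str, int] = {}                            # uid -> consecutive failed challenges
        self.tokens: Dict[str, Tuple[str, float]] = {}                # token -> (uid, expiry)
        self.passwords: Dict[str, str] = {}                           # stand-in for OpenLDAP/Google password stores

    def enroll(self, uid: str, qa: List[Tuple[str, str]]) -> None:
        """Store three question/answer pairs; only salted hashes of the answers are kept."""
        if len(qa) != 3:
            raise ValueError("three security questions are required")
        self.answers[uid] = [(q, *hash_answer(a)) for q, a in qa]

    def identify(self, uid: str, emplid: str) -> bool:
        """Step 1 of the flow: uid + emplid must match the directory and the user must be enrolled."""
        return DIRECTORY.get(uid) == emplid and uid in self.answers

    def challenge(self, uid: str, emplid: str, answers: List[str],
                  now: Optional[float] = None) -> Optional[str]:
        """Step 2: all three answers must match; on success return a single-use reset token."""
        now = time.time() if now is None else now
        if not self.identify(uid, emplid) or self.failures.get(uid, 0) >= MAX_FAILURES:
            return None
        stored = self.answers[uid]
        ok = len(answers) == len(stored)
        # Evaluate every answer (no early exit) and compare digests in constant time.
        for (_question, salt, digest), given in zip(stored, answers):
            ok &= hmac.compare_digest(hash_answer(given, salt)[1], digest)
        if not ok:
            self.failures[uid] = self.failures.get(uid, 0) + 1
            return None
        self.failures[uid] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (uid, now + TOKEN_TTL_SECONDS)
        return token

    def set_password(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Step 3: reachable only with a live token; the token is consumed whether or not it is still valid."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        uid, expiry = entry
        if now > expiry:
            return False
        self.passwords[uid] = new_password   # real code would write OpenLDAP and call the Google API here
        return True
```

The token is what binds step 3 to step 2: a client that posts directly to the set-password page without a token, replays a consumed token, or waits past the lifetime is refused, and the uid comes from the token rather than from the request, so a challenge passed for one account cannot be used to reset another.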

3 Question: Please provide the calStateEduPerson schema.

Response: Per Section 3.7.a, the schema is provided and has been posted on the Procurement website.

4 Question: [Section] II.2.2 Should the implementation plan be for only O365 or phased with Exchange first and O365 in following phase?

Response: See response to Question #28.

5 Question: [Section] II.2.2 What is the current automation used to provision Blackboard Learn?

Response: The primary Bb Learn account type covers students/faculty/staff; this comprises the overwhelming majority of accounts (e.g. 95%+). Accounts are created automatically in Bb Learn based on data from PeopleSoft (via a combination of Perl scripts and Bb SIS integration). Students are then added to/removed from specific Learn course shells based on enrollment data in PeopleSoft (i.e. if a student enrolls in Math 001 Section 1 within PeopleSoft, then s/he will be added to that course shell in Learn automatically, based on batch jobs). There have been errors and inefficiencies with the current integration solution. There are a small handful of other non-primary account types which comprise the other 5% of accounts (these include account types such as guests, etc.). These are generally created manually. None of the accounts are currently de-provisioned. Authentication can occur in 2 ways. Users can log in to the campus portal (which is fronted by CAS) and can then do SSO into Learn. Or, they access the Learn login page directly, which authenticates directly against OpenLDAP (and is not fronted by CAS).

6 Question: [Section] III.3.1 Does Chico expect us to bid/provide the computing hardware?

Response: The University’s technical team will purchase and install the server hardware and operating system based on the proposer’s technical specifications and recommendations. Also see response to Question #52.

7 Question: [Section] III.3.1 Please differentiate “lifecycle management” and “account provisioning / deprovisioning”

Response: The University considers “provisioning/de-provisioning” to mean the creation and destruction of user accounts. The University considers “lifecycle management” to mean the management of data/attributes that form a digital identity and the resultant management of access/controls that may be based on the identity. The University considers these concepts to be highly related in that provisioning an account is the beginning of the lifecycle, attribute changes that occur due to users changing their relationship with the University are the middle of the lifecycle, and de-provisioning an account is the end of the lifecycle.

8 Question: [Section] III.3.1 By group management, do you mean the management of a user in the membership of a group, or the management of the group and its membership?

Response: Both.

9 Question: How many total users are in the OpenLDAP directory? Does that OpenLDAP Directory include every unique identity that would be managed across the entire organization (students, employees, contractors, guest accounts, etc.) or are there different Directories for different identity types?

Response: There are approximately 175,000 OpenLDAP accounts; these include every unique identity (as enumerated in your question, plus parents, retired staff, retired faculty, faculty emeritus, technical service accounts, and temporary vendor accounts). AD contains approximately 7,400 accounts – far less than OpenLDAP because AD only contains accounts for a subset of the population (all faculty and staff, and a very small number of students).

10 Question: Will the OpenLDAP be considered the User Identity Store or will it be a combination of OpenLDAP and AD? PeopleSoft will be the authoritative data source.

Response: PeopleSoft will be the source of authority for most user records, and the registry function of the new IAM solution would be considered the user identity store, with data being pushed to OpenLDAP and AD. As pointed out in the response to Question #9, OpenLDAP currently includes accounts for all unique identities, but AD only includes a subset. When the University implements the new proposed IAM system we intend to change this design such that accounts are created and managed in both directories for all users, and intend to have both directories synchronized to the greatest extent possible. It is also worth noting that the University currently does not de-provision student accounts in OpenLDAP, which will be another change that we intend to implement. Also see the response to Question #21.

11 Question: Do you expect the provider to possess Certification for InCommon Bronze or Silver, or does the solution simply need to meet the intent of the InCommon framework?

Response: The new IAM system should meet the technical requirements for InCommon silver so that the campus can achieve InCommon silver certification.

12 Question: For your targeted systems below, what identity store do the following applications use? (LDAP or RDBM?): Blackboard Learn, TeamDynamix, ImageNow, AdAstra

Response: Blackboard Learn: please see the response to Question #5. TeamDynamix: the University is presently in the beginning of planning the TeamDynamix implementation and is still learning the specifics. As we understand it, TeamDynamix (TD) authenticates against OpenLDAP, fronted by Shibboleth. For non-administrative accounts (e.g. the majority of users including students, faculty, non-IT staff, etc.), when a user authenticates into TD, an account will automatically be created for them if one does not already exist. A TD administrator can also manually provision an account for another administrator user. The University has not determined how de-provisioning in TD will work yet. The University is also not familiar with the manner in which affiliation/attributes are pushed from an upstream identity repository/directory into TD (e.g. if a user is identified as a “student” or “faculty”, etc.); it is possible that these data are determined at run time based on Shibboleth attributes/metadata. ImageNow: accounts are manually created within the ImageNow application (identity store is an RDBMS). Authentication occurs against AD. AdAstra: accounts are manually created within the AdAstra application (identity store is an RDBMS). Authentication occurs against OpenLDAP.

13 Question: How many users access the Oracle DB?

Response: If you are asking about the Oracle DB that comprises the homegrown Registry, there are a small number of technical system administrators/developers who access the Oracle DB. Other end-users don’t really “access the Oracle DB” per se. However, students’ security questions and answers are stored in the Registry, so students indirectly access it via web applications that allow them to set/reset security questions and answers (please also see the response to Question #2 for a description of students’ entry of security questions).

14 Question: With PeopleSoft do the administrative accounts have a different naming convention from regular users?

Response: Yes. Self-service accounts are a 9-digit numeric account equal to the PS emplid. Administrative accounts are usually first initial and last name (equal to the AD username), although there are departmental accounts that are based on the department abbreviation.

15 Question: With PeopleSoft are there users with multiple accounts in PeopleSoft? How is this handled currently?

Response: Yes. Most users with Administrative accounts also have self-service accounts to access their employee and/or student information.

16 Question: In Section 3.5 Dual factor authentication/OTP, do you currently have a SMS gateway in the enterprise?

Response: No.

17 Question: In Section 3.5 Dual factor authentication /OTP, do you have user mobile number for all users in the enterprise?

Response: Not necessarily. Students and employees can store a variety of phone numbers in PS, but it is not necessarily a mobile phone number. For example, the “local” or “home” phone type records have no way to indicate if the number is a mobile phone vs. a land line. Students and employees do enter a number for emergency notification, but the University cannot currently determine with certainty if that is a mobile number.

18 Question: In Section 3.5 question “a” - This certification is typically a Federation-related certification; are there additional Federation requirements you are looking to address?

Response: No.

19 Question: In Section 3.5 question “a” – This question pertains to the InCommon Identity Assurance certification; what is the intent behind this?

Response: Please see the response to Question #11.

20 Question: In Section 3.5 question “g” - This question refers to the Level of Assurance as defined by NIST, this relates to Risk Based Access Control or Step Up Authentication. Are there requirements or specific questions related to replacement of Access Management Infrastructure?

Response: The new IAM system should use queries against PeopleSoft or other source of authority systems to calculate Level of Assurance. There may be more than one query used for calculating Level of Assurance. The IAM system should reflect NIST level of assurance in the user records (including AD/OpenLDAP) based on the calStateEduPerson schema. Please also see the response to Question #3.

21 Question: Can you provide user count information for alumni, guests, contractors and volunteers?

Response: It is currently difficult for us to gather this information. The University can tell you that there are currently roughly 175,000 accounts in OpenLDAP (including groups and service accounts). This number is so large because OpenLDAP accounts are not presently being de-provisioned. In this regard, any person who has become an alumnus in the past decade (since OpenLDAP was implemented) still has an active OpenLDAP account. There are currently approximately 7,400 accounts in AD. The number is much smaller because AD does not include students (except for student employees), and because AD accounts are de-provisioned (albeit manually). As part of this implementation, the University needs to determine how to handle ongoing maintenance/lifecycles for all accounts, including alumni accounts. Presently, these accounts are left active to allow students to continue to access some services after they graduate (e.g. the most visible of which is requesting unofficial transcripts). The University does not intend to continue leaving accounts active for long periods after users separate from the University (e.g. either through graduation, or any other type of separation).

22 Question: From Section 1.3 - the implementation timeframe is over a year in length, would you please provide a better breakdown of milestones that you expect from this project, and highlight any rapid successes you would like to see in order of their importance to you?

Response: Please see section 3.9 (PROFESSIONAL SERVICES). Mandatory and optional activities for Phase I, II, and beyond are indicated. All items in that section are listed in relative order of importance.

23 Question: From section 1.3 & 6 – This RFP is very large in scope. Would CSU Chico evenly evaluate a solution that can meet (or exceed) part of its needs only, or is the requirement of this RFP to only submit an RFP Proposal for the entire scope. If, for example, a submittal only covers 75% of the scope, how would that vendor’s submittal be evaluated (see section 6.2)?

Response: Proposals must meet some portion of each of the major Scope of Services sections 3.4 – 3.9. A proposal will still be evaluated even if it cannot provide for every single feature within a given major section(s). However, if a proposal cannot provide at least some of the features within each section, then it will not be considered. As an example, if the proposal can provide some/most of the features that are requested/discussed in Section 3.6 PASSWORD MANAGEMENT, the proposal would still be considered; however, if the proposal cannot provide any of the features in section 3.6 PASSWORD MANAGEMENT, then the proposal will not be considered (and this example could be extended to each of the major sections 3.4 – 3.9). The University recognizes that some proposals may be submitted in partnership by multiple vendors (e.g. one vendor may provide software and another may provide the professional services).

24 Question: Does computer hardware need to also be provided, or will a recommendation be sufficient (see 3.1)?

Response: Please see the response to Question #6.

25 Question: From Section 2.2 – how would data be accessed from the PeopleSoft system at the Unisys Data Center? What protocols or methods are available for access to PeopleSoft Data for sync? (e.g – ODBC, Web Service, etc. Registry queries PeopleSoft – what methods are used?)

Response: For Registry the University currently runs queries using SQL*Plus. There is an Oracle client installed on the Registry server that provides connectivity to PS and our local data warehouse. PeopleSoft sync methods would include Web Services. The University could also produce a file from PS to update the IAM system (similar to how we do Registry processing) and could update PS with a file from the IAM system. There are various ways to accomplish this, and the University would want to understand the best practices or best supported ways for doing this within the new IAM system.

26 Question: Section 2.2 – Is the function of the current “Registry” to act as a data store for identities only? What functionality is there that needs to be replaced?

Response: Based on defined business rules, the current homegrown Registry queries PeopleSoft and creates/updates user account data within Registry, which is then propagated to other campus systems such as OpenLDAP (but not AD). In this regard, the Registry is primarily an identity repository. This basic functionality needs to be replaced; but the University also expects to implement a new IAM solution that can meet the majority of technical and functional needs as outlined in major sections 3.4 – 3.9 (and the majority of those features are not currently available within the Registry). Please also see the response to Question #23.

27 Question: Since the downstream systems are all hosted at CSU, are they managed through CSU Chico’s Active Directory (AD)?

Response: Authentication to most campus systems occurs against OpenLDAP or AD. Those directories are fronted by a variety of technologies (e.g. OpenLDAP is typically fronted by CAS or Shibboleth; AD is sometimes fronted by ADFS). Although authentication is managed by OpenLDAP and AD, access (e.g. to features and/or data) within downstream applications is only occasionally managed via directory groups, but the University would like to move in that direction. There are a very small number of campus applications for which authentication/access are completely managed by the downstream application’s internal registry; the University would like to change this wherever possible.

28 Question: In section 2.2, you state you will be moving from Exchange 2013 to Office 365. Are you going to implement Active Directory Federated Services (ADFS)? Will this RFP project start after the Office 365 project, or will it be concurrent? In our RFP response, should O365 be included in our response?

Response: Users and groups are currently being provisioned on premise and then dir-sync to Windows Azure Active Directory. When the University moves to Office 365 (scheduled for Summer 2015), it intends to continue provisioning on premise and dir-sync’ing to WAAD with provisioning to O365. As a side note, the University already uses ADFS for federated authentication to a handful of applications.

29 Question: In Google apps for Edu, are you currently using GADS?

Response: No. However, the University has four campus-developed web applications that reset a student’s Google Mail password. Please also see the response to Question #2.

30 Question: Regarding Blackboard Learn, can you expand on how the automatic provisioning occurs?

Response: Please see the response to Question #5.

31 Question: What systems does the Home Grown Password Management system reset passwords for? (AD, OpenLDAP, both?)

Response: The four web applications that set/reset a student’s password only update the password in the user’s OpenLDAP record and Google Mail account unless the student is enrolled in a virtual software delivery (VSD) class (which involves MS Windows products). Students in VSD classes are provisioned Active Directory accounts only for the duration of that class – for those students only, the web applications call a Windows-based web service to also update the student’s Active Directory password. Please also see the response to Question #2.

32 Question: Section 3.3 states "We are interested in self hosting the proposed solution in our data center". Will Identity as a Service (IDaaS) solution be seriously considered by CSU Chico? Or is On Prem solutions a hard requirement?

Response: The University is only interested in on-premise solutions.

33 Question: Page 1 states: Fax or e-mail proposals will not be accepted, Page 18 states: Electronic proposals are encouraged, by email submission to the email address posted in the Schedule of Events section of this document. Please clarify/confirm which method of submittal is encouraged.

Response: The statement as written in the original RFP was incorrect. Please see Addendum #1 above for the correction. The University encourages electronic proposals.

34 Question: Section 2.2. What are the backend repositories of these downstream systems/applications (page 5 of 21) Blackboard Learn, BMC Footprints (ITSM), ImageNow, AdAstra

Will the solution interface in any way with CAS/Shibboleth? If yes, please provide examples of the desired integration

Response: Blackboard Learn: Please see the response to Question #5. BMC Footprints: Authentication into Footprints occurs against OpenLDAP, fronted by CAS. However, the University is actively implementing TeamDynamix ITSM software to replace Footprints and is planning to move into production with that system in Summer 2015. At this point, for purposes of this RFP, the University believes that any integration with Footprints would be wasted effort. Account creation/management within Footprints can continue to operate in the same fashion as it does today until its decommissioning (hopefully by end of calendar year 2015). ImageNow: Please see the response to Question #12. AdAstra: Please see the response to Question #12.

35 Question: Section 3.4 (f) 8. Please provide a relevant example

Response: If we have a smaller application with which the proposed IAM solution does not integrate (i.e. the proposed solution does not provision or manage accounts to/within the target application) what options (if any) would we have for tracking the target application’s accounts and access levels? In other words, would there be some way for us to extract a list of accounts/access and feed it back into the IAM solution so that the IAM solution is at least aware of the accounts’ existence? If we cannot do feeds in this manner, could you describe a typical set of manual steps that would be used to track those accounts/access? In a perfect world, we would want the IAM solution to store information about the accounts/access for all applications across campus.

36 Question: Section 3.4 (i) 1. Is RBAC here for the provisioning solution only, or does it pertain to other applications external to the solution?

Response: RBAC is for the provisioning/lifecycle-management solution. In other words, as roles change (e.g. from the PeopleSoft source of authority), the University wants to feed that information into the proposed IAM solution, which would then feed that information into other downstream systems. The University would assume that from the perspective of target applications, RBAC would primarily be managed via users’ membership in directory groups. However, the University wants to understand any features/options that the proposed solution can provide with which we are not familiar.

37 Question: Section 3.4 (j) 3. Please provide an example.

Response: Please see the answer to Question #35. The University wants to determine how the proposed IAM solution would be used to manage account/access certifications in those systems for which the proposed IAM system does not directly provision/manage.

38 Question: Section 3.7 (c) 5. Please provide an example.

Response: This question was intended to be a catch-all to allow respondents to indicate any functionality not specifically asked about.

39 Question: Section 3.7 (c). How many groups are presently maintained in AD/OpenLDAP directories?

Response: Please see the responses to Questions #1, #9, and #21.

40 Question: Section 3.9 (b). How many different AD domains and OpenLDAP instances are there today?

Response: There is one OpenLDAP master and two replicas, one of which is not yet being used. All the OpenLDAP instances run on Red Hat Linux systems. The University has one main AD domain, which is Windows 2012 R2 native. Please also see the response to Question #1.

41 Question: Section 3.9 (k). (Optional/Phase II+) Implementation of role-based access (as necessary, in addition to or on top of item #4 above) (if available). What does item #4 refer to (there is no #4 above)? Are these roles for users of applications, roles for users in the Identity Management system itself, or roles in both?

Response: The statement as written in the original RFP was incorrect. It should reference “#e above”. Please see Addendum #1 above for the corrected statement.

42 Question: From Section 2.2 and 3.9.e.2: It is critical to understand the applications and where their user stores are to understand compatibility and level of effort. Each system or application that users will need to be provisioned into; do they use a standard shared LDAP, self-contained LDAP, DB, and/or flat file? Example MS Exchange 2013 uses MS AD for user attributes and integration. And the Oracle database can use LDAP or have all users internal to each DB instance. Please identify all user stores for the applications?

Response: For purposes of the bid/cost, please ignore the original phrasing of “a representative list” and just treat the list of applications in 3.9.e.2 as the exact list of downstream applications for which the affiliations lifecycle will be implemented. The exact versions of all these applications are outlined in section 2.2 (CURRENT ENVIRONMENT).

43 Question: From Section 2.2 and 3.9.e.2: Indicate some applications AD; OpenLDAP; Exchange; Google Apps for Education; Blackboard LMS that the solution will need to integrate with. We understand that the RFP indicates that the list of applications will be decided later; however, that list affects scope, can you provide the full list of applications that needs to be integrated into this work during phase I of the work? Also please provide where the user data is stored.

Response: See response to question #42.

44 Question: Is part of the password management keeping passwords in systems across the enterprise in sync? For example: If a user changes desktop password (which is in AD) it is also changed in the central LDAP and in other locations. If yes, will the identity management solution be the only place users can change passwords? If no, what other systems will users be able to change passwords in that must be synchronized across the enterprise?

Response: The intent is that the proposed IAM solution would provide for password management, and the passwords will be synched between OpenLDAP and AD at minimum. This password synchronization must not be invalidated by other methodologies, and your response should indicate how that is to be accomplished. As an example, the University wants to understand if the proposed IAM solution requires us to disable desktop passwords, or if it provides DLLs that can “intercept” desktop password changes and propagate those to AD/OpenLDAP. The University recognizes that there may be applications that are not managed by the proposed IAM solution and/or applications that have their own internal account registries, and that the proposed IAM solution may not manage passwords in those systems.

45 Question: Of the user base how many concurrent activities do you expect in any given period? For example, during student registration or at the beginning of a new semester, is there expected to be a large number of users needing to do self-service activities, automatic user provisioning to systems for new accesses, etc.? Of the 15,000 students and 2,000 employees how many might be making modifications at one time?

Response: It is difficult for us to provide concurrent usage numbers. The University can tell you that we have a two-step process for new student applicants: (1) account creation and (2) account activation. Account creation is done automatically based on batch data processing, for all students who apply to the University. During the course of a year, the number of student accounts created ranges from 1 – 3,000 per day. Account activation is performed manually by the students, by using a homegrown web application (see the response to Question #2). The number of accounts that are activated is a subset of the number of accounts that are created. As an example of account activation, there were 960 successful account activations during 5/5/14 – 9/2/14 (beginning of fall semester); there were 2,301 successful account activations from 1/6/15 – 2/2/15 (beginning of spring semester). As far as system authentication is concerned, student housing sign-up in early April is the biggest short-term concurrent load on OpenLDAP fronted by CAS; as an example, the University had 1,200 unique accesses in 10 minutes last spring.

46 Question: A large part of any identity management project is working through the manual processes and working with management to make decisions on what those processes should look like when automated in the system. As a rule, part of that process is standardizing those processes between applications and groups. How many applications that will be integrated into the identity management system currently use a manual process?

Response: Account provisioning is currently performed as follows: OpenLDAP: automatic. AD: manual using runbooks. Exchange: manual using runbooks. Google Apps for Education: automatic. Blackboard: Please see the response to Question #5. Account de-provisioning is currently performed as follows: OpenLDAP and Google Apps for Education: de-provisioning is performed automatically for admitted students who do not matriculate, and manually for faculty/staff (there are some rare exceptions, in which case the de-provisioning is semi-automatic). AD: manual. Exchange: manual. Blackboard: not performed. When employees change departments or reporting lines, some of their identity attributes/affiliations are updated (e.g. their HR department or their job code, etc.). These attribute/affiliation changes sometimes result in additions to those employees’ levels of access to applications and data, but the changes don’t typically result in access being revoked. This is obviously problematic. Given all of this, the University anticipates that from a technical level-of-effort standpoint, it will be easier to implement provisioning, and harder to implement application/data access changes and account de-provisioning. However, culturally speaking, the University feels that key functional and technical stakeholders are well-prepared to design/implement these changes in a cooperative and collaborative manner. In fall of 2014 the University went through an analytical exercise between functional and technical teams, and the analysis from that effort was used to prepare the IAM RFP. The key cultural takeaway is that the technical and functional teams have already been working in partnership and anticipate the execution of the new IAM solution to be a continuation of that partnership.

47 Question: Of the currently automated processes in your current homegrown identity management system, how many will remain the same? Are there any that will need to be updated or modified from their current process flow?

Response: Generally speaking, the processes that will require the least change are the provisioning of accounts in OpenLDAP, Google Apps for Education, and Blackboard (with the understanding that while the processes themselves might not need much change, the underlying technical wiring will need changes). However, the provisioning of accounts for AD and Exchange will require changes, as will account/access lifecycle changes (e.g. access control changes that result from employee/student role changes, and ultimate deprovisioning).

48 Question: How many systems will the winner be responsible for building? Development, test, staging, production, disaster recovery, etc.?

Response: The University requires a robust system that is well-positioned for disaster recovery and business continuity, and an overall environment that has a minimum of one production system and one non-production system. The University is relying on respondents’ expertise to indicate how best to accomplish those objectives.

49 Question: Will this need to be a highly available (HA) system? If yes, what is the uptime needed? 99.99% available (downtime less than 52.56 minutes a year, 4.32 minutes a month, or 1.01 minutes a week)? If HA is needed, does the downtime include patching and upgrades, or are those done on a schedule that is not included in the downtime?

Response: Although the University desires an HA system, we do not have stated RPO/RTO requirements. The University would hope/expect to see different options included in the proposal so that we can do a cost/benefit analysis. All major campus systems have pre-defined patch/upgrade windows that occur at regular intervals. For example, for many large systems we have a weekly 4-hour patch window that occurs in the early morning to minimize disruption (although patch installation does not typically require the entire window, and most patches are completed within 2 hours). It is not uncommon for systems to be completely unavailable to end users when these patch windows occur.

50 Question: Section 3.4 Accounts, Identities, and Access: Each item asks how the solution would do it; however, the question is how do you want it accomplished? Systems can be very flexible, so they can perform a task in a number of ways based on customer desire. Without an in-depth look at goals and processes, can we make any recommendations?

Response: Some systems may provide different ways to accomplish tasks; however, many systems (generally speaking, outside of IAM solutions) are designed to accomplish tasks in very specific ways. The University has had many experiences of forcing systems to accommodate our pre-defined assumptions and conditions when the systems were not designed to do so, and it has been problematic; it has required high degrees of customization in ways that were not intended, and it has created usage and maintenance problems. The University wants to understand how your solution is intended to work. If there are multiple ways to accomplish tasks, we want to understand that; however, if there is a single methodology or a best-practice way to accomplish the task, then we want to understand that as well.

51 Question: Paragraph 3.9.a indicates that CSU Chico IT staff will assist in installation and configuration. At what level does this mean? Will CSU Chico IT staff be doing the installs with our professional services overseeing, or, more likely, will our professional services staff be installing and configuring with some CSU Chico IT staff oversight?

Response: The University would prefer that the proposer’s professional services team perform the software installation/configuration with some observance by the Chico technical team. Also, please see the response to Question 6.

52 Question: Is there any requirement on OS?

Response: The University requires either Windows 2012 R2 (or greater) or RHEL 6 (or greater). Presently the University can only support 4 vCPUs per virtual machine in our VM environment.

53 Question: After system requirements and OS are defined, will those systems be pre-built?

Response: Please see the response to Question #6.

54 Question: Is there a defined attribute in PeopleSoft that defines which users fit into which roles that will be automatically generated from PeopleSoft?

Response: In most cases, there is a combination of attributes in PeopleSoft (as opposed to a single attribute) that is used to define the roles that users fit into. For our current roles (AKA affiliations), the University already has SQL that is used in the current homegrown Registry. There will be a small handful of roles that need to be added that are not currently defined, and for these the University will identify the appropriate PeopleSoft attributes and provide the necessary SQL.

55 Question: Would the proposed identity management solution need to provision users to O365?

Response: See response to Question #28.

56 Question: Are you using any specific tool to automate provisioning for Google Apps for Education? Is it AD based?

Response: See the responses to Questions #2, #29, and #46.

57 Question: Blackboard Learn - Is the current provisioning AD based?

Response: See response to Question #5.

58 Question: BMC Footprints - Do you use BMC Identity Provisioning Modules - Data Stores?

Response: See response to Question #34.

59 Question: Does OpenLDAP also control AdAstra, ImageNow?

Response: Please see the response to Question #12.

60 Question: Directory Management - Are the same set of users present in AD and also in OpenLDAP?

Response: Please see answers to Questions #1, #9, #10, and #21.

61 Question: Vendor contends that the Acceptance Testing clause as it is written is not industry standard, and therefore takes exception to its current form. Vendor proffers that “no charge” evaluation licenses and proofs of concept can be provided, along with corresponding warranty agreements offering a refund remedy for those cases where a problem is not resolved. The clause as currently written causes revenue recognition problems. Therefore, we respectfully ask if the clause can be removed in its present form or modified accordingly.