IAM RFP Guidance
Purpose
This document provides a guideline to the Identity and Access Management (IAM) requirements that should be taken into account during any planning or purchasing process such as a formal or non-formal Request for Proposal (RFP) or similar. Software purchased via the Low Risk Software Procurement process are not eligible for integrations with VT systems and services and are not covered.
Overview
This document is organized into three sections: Application Account Provisioning & De-provisioning, Authentication, Authorization Management. Each section will have a requirement goal and some number of sub elements that can be leveraged to reach that goal. Items are listed in order of preference. Not all items have to be accounted for in integrating a given application.
Account Provisioning & De-Provisioning Requirement
The application will integrate with VT IAM Services for the application account lifecycle (create, update, and delete operations). Methods of satisfying this requirement in order of preference:
- [ACT-1] The application will enable create, update, and delete user account operations within the application through an API using a VT-supported protocol (e.g. SCIM) that VT IAM Services has access to (push method).
- [ACT-2] The application will create, update, and delete user accounts within the applications domain using a batch feed process fed by VT IAM Services.
- [ACT-3] The application will enable create and updates to user account objects within the application by consuming SAML or OIDC attributes at the time of user login (JIT method). Note: Using this method does not allow for de-provisioning of account objects on the application side. See the requirements for OIDC and SAML2.0 authentication below.
- [ACT-4] The application will create, update, and delete user accounts within the application by consuming LDAP identities from an approved VT LDAP directory.
- [ACT-4A] Enterprise Directory.
- [ACT-4B] Hokies Active Directory.
- [ACT-4A] Enterprise Directory.
Authentication Requirement
The application will integrate with current VT IAM Services and protocols to provide access to the application. Which VT IAM Services are used will be determined by Secure Identity Services.
- [AUTHN-1] VT authentication will be verified using the OIDC protocol via an approved VT OIDC IdP.
- [AUTHN-1A] The Approved VT OIDC IdP for VT Usernames is Gateway. Currently, this option is only available for services within the vt.edu domain.
- [AUTHN-1B] The Approved VT OIDC IdP for Hokies ID is Azure SSO.
- [AUTHN-1A] The Approved VT OIDC IdP for VT Usernames is Gateway. Currently, this option is only available for services within the vt.edu domain.
- [AUTHN-2] VT authentication will be verified using SAML2.0 protocol via an approved VT SAML2.0 IdP.
- [AUTHN-2A] Attribute naming must be consistent with the SAML2.0 standard including use of NameID for the SAML subject attribute.
- [AUTHN-2B] The approved VT SAML IdP for VT Usernames and VT Guest Accounts is Login/Shibbolth.
- [AUTHN-2C] The application will use InCommon as the source for VT SAML metadata (applies to SAML [AUTHN-1]).
- [AUTHN-2D] The application may authenticate users external to VT using external identities (external to VT) via the InCommon Federation.
- [AUTHN-2A] Attribute naming must be consistent with the SAML2.0 standard including use of NameID for the SAML subject attribute.
- [AUTHN-3] VT authentication will be verified using CAS protocol via an approved VT Central Authentication Service (CAS).
- [AUTHN-3A] The approved CAS server for VT Usernames and VT Guest accounts is Login/Shibboleth.
- [AUTHN-3A] The approved CAS server for VT Usernames and VT Guest accounts is Login/Shibboleth.
- [AUTHN-4] VT authentication will be verified using LDAP protocol via an approved VT LDAP directory.
- [AUTHN-4A] Enterprise Directory.
- [AUTHN-4B] Hokies Active Directory.
- [AUTHN-4A] Enterprise Directory.
Authorization & Role Management Requirement
The application will support RBAC and will integrate with current VT IAM Services to manage application authorizations (roles, groups, and/or permissions).
- [AUTHZ-1] Application Authorization - Integration Capabilities:
- [AUTHZ-1A] The application can manage authorizations by providing a provisioning/user management API using a VT-supported protocol (e.g. SCIM) that VT IAM Services can call programmatically.
- [AUTHZ-1B] The application can manage groups, roles, or permissions by consuming SAML authorization attributes or OIDC scopes at user logon time to update authorizations (may apply if OIDC (AUTHN-1] or SAML2.0 [AUTHN-2] chosen above).
- [AUTHZ-1C] The application can manage groups and roles based on a batch file feed from VT IAM Services with an agreed-upon format and schedule.
- [AUTHZ-1D] The application can manage groups, roles, or permissions by consuming SAML authorization attributes or OIDC scopes at initial user login only (may apply if OIDC (AUTHN-1] or SAML2.0 [AUTHN-2] chosen above).
- [AUTHZ-1E] The application will provision and de-provision user authorizations within the application by consuming LDAP groups from an approved VT LDAP directory.
- [AUTHZ-1E1] Enterprise Directory.
- [AUTHZ-1E2] Hokies Active Directory.
- [AUTHZ-1E1] Enterprise Directory.
- [AUTHZ-1A] The application can manage authorizations by providing a provisioning/user management API using a VT-supported protocol (e.g. SCIM) that VT IAM Services can call programmatically.
- [AUTHZ-2] Application Authorization - Internal RBAC Capabilities:
- [AUTHZ-2A] The application has an access control model that can be extended to accommodate VT custom authorizations.
- [AUTHZ-2B] The application can map groups or individuals into authorizations.
- [AUTHZ-2C] The application allows VT to customize the permissions applied to groups or roles.
- [AUTHZ-2D] The application supports multiple authorizations/roles per user without requiring multiple accounts.
- [AUTHZ-2A] The application has an access control model that can be extended to accommodate VT custom authorizations.