-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
287 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,287 @@ | ||
|
|
||
| === Identity Provisioning Category (1) | ||
| ====== Identity Matching | ||
|
|
||
| ** Does the product provide an identity matching service? | ||
|
|
||
| ** Describe how the identity matching service is configured, and any scoring or weighting of attributes? | ||
|
|
||
| ** Describe how low quality matches are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them.? | ||
|
|
||
| ** Can the matching service be run against an existing population seeking duplicates? | ||
|
|
||
| ** Does the product have the ability to use an external matching service? | ||
|
|
||
| ** Describe the configuration of the external service. | ||
|
|
||
| ** Describe how low quality matches indications are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them? | ||
|
|
||
| ** Describe and standards that are used in messaging or APIs for matching services. | ||
|
|
||
| ====== User Name Assignment | ||
|
|
||
| ** Does the product support user selected usernames?, if so, how are attempted duplicates handled. | ||
|
|
||
| ** Does the product support generated usernames?, if so, describe the options and configuration | ||
|
|
||
| ** Does the product support enrollment of new users?, if so, please describe the configuration of the enrollment portal, and any support for workflow. | ||
|
|
||
| ** Describe how the product handles username changes, including support for namespace protection and auditing, and any workflows? | ||
|
|
||
| ** Describe how the product can communicate username changes to other systems that might need to be informed? | ||
|
|
||
| ====== Identifiers | ||
|
|
||
| ** Describe how the your product handles the creation of Identifiers. | ||
|
|
||
| ** Describe how does the product handles the use of external vs internal identifiers ? | ||
|
|
||
| ** Describe how the product maintain immutable/opaque identifiers that are used system to system ? How do these identifiers help when user id's change ? | ||
|
|
||
| ** Describe the product support for social IDs (Facebook, Google, etc.) in place of local identities. | ||
|
|
||
| ** Describe the product support for social IDs that are connected to local identities. | ||
|
|
||
| ** Describe whether social ID can be a step in onboarding/offboarding? | ||
|
|
||
| ** Describe how does the product consider Level of Assurance LOA when using social IDs.? | ||
|
|
||
| ** Describe Identity Matching even with Identity matching, even with social ID | ||
|
|
||
| === Credential Provisioning Category (2) | ||
| ====== Password Rules and Policies | ||
|
|
||
| ** Describe how the product the support of limiting the number of different passwords that users need to remember to one central password connected to a central password store or if you have multiple password stores of the same password, how does the product synchronize it? | ||
|
|
||
| ** Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. | ||
|
|
||
| ** Does the product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords.. | ||
|
|
||
| ** Describe the products support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality. | ||
|
|
||
| ** Describe how the product conveys password quality to end users? | ||
|
|
||
| ** Describe how the product meets accessibility guidelines? | ||
|
|
||
| ** Describe how does the product deal with passwordless? | ||
|
|
||
| ====== Password Setting/Activation | ||
|
|
||
| ** Describe how the product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc. | ||
|
|
||
| ** Describe the products support for terms of use and informed consent when getting a credential. | ||
|
|
||
| ** What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies. | ||
|
|
||
| ** Describe any features your product has to deter attacks on unclaimed credentials. | ||
|
|
||
| ** Describe how the product works with identity proofing during the account claiming process? | ||
|
|
||
| ====== Authentication Types (Factors) | ||
|
|
||
| ** Describe the support for certificate based authentication. | ||
|
|
||
| ** Describe the product support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support. | ||
|
|
||
| ** Describe any support you have for challenge response questions. | ||
|
|
||
| ** Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation. | ||
|
|
||
| ** How does the product handle loss of a (perhaps only) two factor device, such as one time tokens? | ||
|
|
||
| ====== Provisioning/De-provisioning of credential | ||
|
|
||
| ** Describe how the product enforces control over provisioning password to a SP when Federation option is available? | ||
|
|
||
| ** Describe the states supported by the product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc. | ||
|
|
||
| ** Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow. | ||
|
|
||
| ** Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning. | ||
|
|
||
| ** Describe the administrative capabilities the product has for deprovisioning and deprovisioning intervention, include any delegation features. | ||
|
|
||
| ** Describe how the product handles deprovisioning of credentials w/r/t propagation to multiple credential stores.? | ||
|
|
||
| ** Describe how the product handles de-provisioning of MFA (Authentication methods) after the user is no longer active and how do deal with re-provisioning when the same user returns? | ||
|
|
||
| === Service Provisioning (3) | ||
| ====== Provisioning/Reconciliation | ||
|
|
||
| ** Describe how does the product ensure that source and destination are in sync? | ||
|
|
||
| ** Describe both targeted and full reconciliation (fully match accounts). Incremental vs full. | ||
|
|
||
| ** Describe how does the product identify and handle orphan accounts ? | ||
|
|
||
| ** Describe how the product handles manual intervention by an admin. | ||
|
|
||
| ** How flexible is customization of the IDM connector that provisions the account? | ||
|
|
||
| ** Does the product support a threshold to alert for large quantity of updates? | ||
|
|
||
| ====== JIT/JIC (Cloud Services) | ||
|
|
||
| ** Describe how the product integrate with a “Just-in-Time” provisioning model-- on demand provisioning when the user logs in. How does you product learn about this access from IGA perspective? | ||
|
|
||
| ** Describe how you support the “Just-in-Case” provisioning model in relation to the Cloud Services? | ||
|
|
||
| ====== WorkFlows | ||
|
|
||
| ** Describe how the product handles automated workflows.? | ||
|
|
||
| ** Describe how the product supports end-user self-service workflows. | ||
|
|
||
| ** Describe how does your product support the Workflow-based provisioning model in general. | ||
|
|
||
| ====== Deprovisioning and repatriation | ||
|
|
||
| ** Describe how the your product handle a service account de-provisioning with flexibility ( account disabled vs account remove) in accordance with the service and business needs? | ||
|
|
||
| ** Describe how the product triggers deprovisioning to a service. | ||
|
|
||
| ** How is authorization removal handled for deprovisioned users? | ||
|
|
||
| ** Describe how the product supports repatriating a service account from institutional to personal. | ||
|
|
||
| ** Does the product support a threshold to alert for large quantity of changes? | ||
|
|
||
| ====== Life Cycle | ||
|
|
||
| ** Describe how does the product captures changes in affiliations/roles that matter for service entitlements? | ||
|
|
||
| ** Describe how does the product handle grace periods used in extending services to users beyond a specific period of time . Does the product have a Business Rule Engine to handle this need? | ||
|
|
||
| ** Does the product support the establishments of policies and processes to reinstate disabled identities/services? | ||
|
|
||
| === Target directory provisioning Category (4) | ||
| ====== Linking identities between directories or services | ||
| ** Describe how the product links an identity in a source directory to the same identity in the target (and service?) | ||
|
|
||
| ** Are your user linkage attributes characterized as follows: | ||
|
|
||
| *** Immutable | ||
| *** Static | ||
| *** Globally unique | ||
|
|
||
| ** What is the process of account matching if accounts already exist? | ||
|
|
||
| ====== Reconciliation | ||
| ** How does the product ensure the target directory or service has state in sync with the source? | ||
|
|
||
| ** Does the product support rollback or transaction? | ||
|
|
||
| ** Does the product support incremental/full sync with the target directories ? | ||
|
|
||
| ====== Deprovisioning and repatriation | ||
| ** Describe how the product triggers deprovisioning of identities in a target directory or service. | ||
|
|
||
| ** Describe the process of deprovisioning identities in a target directory or service. | ||
|
|
||
| ** How is authorization removal handled for deprovisioned users? | ||
|
|
||
| ** Does the product support a threshold to alert for large quantity of changes? | ||
|
|
||
| === Roles and Groups Category (5)+ | ||
| ====== Type of Roles/Groups | ||
| ** Describe how the product support RBAC/ABAC/Groups models ? | ||
|
|
||
| ** Describe how the product supports a list of definable /extendible groups/roles?. | ||
|
|
||
|
|
||
| ** Describe how the product supports a hierarchy of groups (i.e., nesting and relationships between groups/roles) | ||
|
|
||
| ** What upstream data sources does the product readily support to derive roles/groups? | ||
|
|
||
| ** Does the product support sets of groups/roles associated together? (i.e., base, exceptions, includes/excludes). | ||
|
|
||
| ====== Administration | ||
| ** Describe delegated access administration features for group management. | ||
|
|
||
| ** How does the product deal with “orphaned” delegation? (When previous admins are no longer there.) | ||
|
|
||
| ** Does the product provide APIs that would allow an external group and access management tool to drive your product’s groups and group memberships? | ||
|
|
||
| ** Does the product support attribute-based (ABAC) or role-based (RBAC) concepts to drive groups and group membership? | ||
|
|
||
| ** Can groups have permissions associated with them? | ||
|
|
||
| ** What sort of attributes or metadata about groups are available? | ||
|
|
||
| ** Does the product support automatic review of roles/groups (attestation) | ||
|
|
||
| ** How does the product expose or link groups or roles for fine-grained service authorizations? | ||
|
|
||
| ====== Guidance for architecting | ||
| ** How does your product define a default role or template (set of groups) for new entities? | ||
|
|
||
| ** Does the product provide any tool for role mining ? | ||
|
|
||
| ** Does the product provide a deployment /architecture guidelines for implementing roles/groups ? | ||
|
|
||
| === Reporting/Auditing Category (6)+ | ||
| ====== Integration with External Reporting Engine | ||
| ** Does the product support the export of data to external sources for building reports? | ||
|
|
||
| ====== Target Systems | ||
| ** Does the product support reports on: | ||
|
|
||
| *** Access for an application (target system) | ||
|
|
||
| *** All access for a user, all users in a unit, all users for a supervisor | ||
|
|
||
| *** Elevated or high-risk access | ||
|
|
||
| *** Separation of Duties | ||
|
|
||
| ====== Auditing | ||
| ** Can the product provide a tool to compare intended provisioning to the actual state of an application on demand? | ||
|
|
||
| ** Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was)? | ||
|
|
||
| ** Does the product support Separation of Duties audits? | ||
| (If you do access reviews / attestations) does the product provide adequate support? | ||
|
|
||
| *** review by person, unit, application | ||
|
|
||
| *** review of only manually-decided access, exceptions only, etc | ||
|
|
||
| ** Can audit results include “comments” (eg, “access being removed because …”) that become part of the record | ||
|
|
||
| ** Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy) | ||
|
|
||
| ** How does the product define and schedule reviews, notify and remind reviewers, etc? Can the product send emails and/or use an external ticketing system? Are reviews done within the product, or in a document sent to the reviewer? | ||
|
|
||
| ** How does the reviewer to report results? Is the effort required proportional to the number of changes? | ||
|
|
||
| ** Does the product support workflows, logic, etc. needed to implement access changes determined by a review? | ||
|
|
||
| === Cost/Vendor Considerations Category (7) | ||
| ====== On Going Maintenance/Cost | ||
| ** What is the product on-goin service support contract structure ? | ||
|
|
||
| ** What is the Software licensing cost structure (Enterprise vs non)? | ||
|
|
||
| ** If one of the product license model is pay-per-active-account , how does the product consider the following populations? : | ||
| *** Alumni users | ||
| *** Guest users | ||
| *** Extended Community users (Parents, Propsect Students , Applicants, Continuing Ed students ,ec..) | ||
| *** Social identities that are linked to Idm system | ||
|
|
||
| ** Does the product provide any Higher Ed discount ? | ||
|
|
||
| ====== Vendor Stability | ||
| ** How long is the product being in the market ? | ||
|
|
||
| ** How many Higher Ed clients does the product have ? | ||
|
|
||
| ====== Ease Of Deployment | ||
| ** Ease of Deployment under the following categories: | ||
| *** Software Package | ||
| *** Cloud ready | ||
| *** Containers/orchestration support | ||
| *** Install from binary | ||
| *** Install from source code | ||
| *** Security Updates | ||
| *** Patch updates | ||
| *** Install/Deploy/Tuning Documentations |