IAM Recommended Language for Procurement of IT Solutions

The IAM Technical Team has worked with UWM Purchasing Office and UWM Legal Affairs to establish language that would meet the general requirements for most request for proposal (RFP), bid, or contract documents.

The IAM Technical Team is available to discuss aspects related to procurement of IT solutions. Contact the team via the Help Desk.

This language is provided to assist the UWM community and is not meant to replace involvement of UWM Purchasing Office, UWM Legal Affairs, UWM Internal Audit, UWM Information Security Office or the IAM Technical Team in IT solution procurement.

Language for RFP

Describe the technical aspects of proposed solution.

User Access. Include a statement of ability to comply with SAML 2.0, a standards-based single sign-on authentication method, in which the software/site in question allows UW-Milwaukee to authenticate the user and accepts UW-Milwaukee's SAML assertion of that authentication and of the user's attributes. At login, UW-Milwaukee will be the identity provider and will determine whether the user has authenticated properly using his/her UW-Milwaukee credentials. If the user authenticates correctly, UW-Milwaukee will redirect the user's browser and pass a SAML assertion to the system/site in question, which the system/site will consume in order to grant access.

SAML 2.0 is strongly preferred, but if system/site is unable to comply with SAML 2.0, include a statement of ability to support authentication via a proxy as identified by UW-Milwaukee.

Use of attributes defined by the Internet2 Middleware Initiative eduPerson schema (Version 200806) in the SAML assertion is strongly preferred. If the system/site is unable to consume eduPerson attributes, include a statement of the ability to consume attributes as defined by UW-Milwaukee in a SAML assertion.

Use of Identifier. Include a statement of understanding that the system/site shall not require its own internal username and password for users, nor shall it rely solely on a user's inclusion in UW-Milwaukee's Identity and Access Management System, but shall use the appropriate unique identifier as identified by UW-Milwaukee.

Use of eduPersonPrincipalName or eduPersonTargetedID is strongly preferred. If the system/site is unable to comply with use of eduPersonPrincipalName or eduPersonTargetedID, include a statement of ability to support an appropriate unique identifier as identified by UW-Milwaukee.

Language for Bid Request

Describe the technical aspects of proposed solution.

User Access. Include a statement of ability to comply with SAML 2.0, a standards-based single sign-on authentication method, in which the software/site in question allows UW-Milwaukee to authenticate the user and accepts UW-Milwaukee's SAML assertion of that authentication and of the user's attributes. At login, UW-Milwaukee will be the identity provider and will determine whether the user has authenticated properly using his/her UW-Milwaukee credentials. If the user authenticates correctly, UW-Milwaukee will redirect the user's browser and pass a SAML assertion to the system/site in question, which the system/site will consume in order to grant access.

SAML 2.0 is strongly preferred, but if system/site is unable to comply with SAML 2.0, include a statement of ability to support authentication via a proxy, in which case UW-Milwaukee reserves full and sole discretion to determine whether potential implementation or operational issues reasonably allow the non-utilization of a SAML 2.0 authentication method under the details of the submitted bid.

Use of attributes defined by the Internet2 Middleware Initiative eduPerson schema (Version 200806) in the SAML assertion is strongly preferred. If the system/site is unable to consume eduPerson attributes, include a statement of the ability to consume attributes as defined by UW-Milwaukee in a SAML assertion. If the system/site is unable to consume eduPerson attributes, UW-Milwaukee reserves full and sole discretion to determine whether potential implementation or operational issues reasonably allow the non-utilization of eduPerson attributes under the details of the submitted bid.

Use of Identifier. Include a statement of understanding that the system/site shall not require its own internal username and password for users, nor shall it rely solely on a user's inclusion in UW-Milwaukee's Identity and Access Management System, but shall use the appropriate unique identifier as identified by UW-Milwaukee.

Use of eduPersonPrincipalName or eduPersonTargetedID is strongly preferred. If the system/site is unable to comply with use of eduPersonPrincipalName or eduPersonTargetedID, include a statement of ability to support an appropriate unique identifier as identified by UW-Milwaukee. If the system/site is unable to comply with use of eduPersonPrincipalName or eduPersonTargetedID, UW-Milwaukee reserves full and sole discretion to determine whether potential implementation or operational issues reasonably allow the non-utilization of eduPersonPrincipalName or eduPersonTargetedID as the unique identifier under the details of the submitted bid.

Requirements for SAML support in contracts

SAML Support: Contractor will ensure that the solution supports SAML 2.0 or later authentication and attribute assertions in lieu of direct authentication of UW-Milwaukee employees by the solution's web application. Contractor will ensure that the solution supports the ability to consume eduPerson schema attributes (version 200806), or attributes as defined by UW-Milwaukee, in the SAML 2.0 attribute assertion in lieu of Contractor-defined attributes. Contractor shall abide by UW-Milwaukee's security policies regarding data security and requirements of credential assurance. It is recommended that Contractor provide and implement Shibboleth software in the solution in order to meet this requirement. It is recommended that Contractor adopt eduPerson schema attributes (version 200806) in the solution in order to meet this requirement.
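The service-provider side of what the User Access and Use of Identifier paragraphs ask for (in the RFP, bid, and contract sections above), as an added example that is not part of this page and not UW-Milwaukee's or Shibboleth's own code: a Python script that takes a SAML 2.0 assertion from the identity provider, checks the issuer, the validity window and the audience, reads the eduPerson attributes by their urn:oid names, and derives the account's unique identifier from eduPersonTargetedID or eduPersonPrincipalName rather than from a vendor-local username. The sample assertion, the entity IDs (https://idp.example.edu/idp/shibboleth and https://vendor.example.com/shibboleth) and every attribute value are constructed for the example. The example deliberately does not verify the XML signature; in a real deployment the SAML software in front of this step (Shibboleth SP, for instance) must verify it before any attribute is trusted.

```python
"""Consume a SAML 2.0 assertion and map eduPerson attributes to a local identity.
Added example, not UW-Milwaukee's code; entity IDs and the assertion are constructed.
Signature/XML-DSig verification is NOT done here: the SP software (e.g. Shibboleth SP)
must verify the signature before any attribute below is trusted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# eduPerson (Version 200806) attributes by the urn:oid names used in SAML 2.0 assertions.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}
EXPECTED_ISSUER = "https://idp.example.edu/idp/shibboleth"  # hypothetical IdP entityID
OUR_ENTITY_ID = "https://vendor.example.com/shibboleth"     # hypothetical SP entityID

# Constructed sample assertion (unsigned, values invented).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vendor.example.com/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.example.edu/idp/shibboleth"
            SPNameQualifier="https://vendor.example.com/shibboleth">9f2c7e0d4b</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>staff@example.edu</saml:AttributeValue>
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(stamp):
    """SAML timestamps are UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _nameid_string(nid):
    """Shibboleth-style 'IdP!SP!value' form of a persistent NameID, scoped to this IdP/SP pair."""
    if nid.get("Format") != PERSISTENT:
        raise ValueError("eduPersonTargetedID must be a persistent NameID")
    return "!".join([nid.get("NameQualifier", ""), nid.get("SPNameQualifier", ""),
                     (nid.text or "").strip()])


def consume_assertion(xml_text, expected_issuer, our_entity_id, now_utc=None):
    """Check issuer, validity window and audience, then return the agreed eduPerson
    attributes as {name: [values]}. now_utc: SAML timestamp string, or None for now."""
    now = _parse_time(now_utc) if now_utc else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _parse_time(not_before)) or (
            not_after and now >= _parse_time(not_after)):
        raise ValueError("assertion outside its validity window")
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = OID_TO_NAME.get(attr.get("Name"))
        if name is None:
            continue  # attributes outside the agreed set are ignored, never trusted
        values = []
        for av in attr.findall("saml:AttributeValue", NS):
            nid = av.find("saml:NameID", NS)
            values.append(_nameid_string(nid) if nid is not None else (av.text or "").strip())
        attrs[name] = values
    return attrs


def unique_identifier(attrs):
    """Account key per the RFP language: eduPersonTargetedID (opaque, non-reassignable)
    if asserted, else eduPersonPrincipalName; never a vendor-local username."""
    for name in ("eduPersonTargetedID", "eduPersonPrincipalName"):
        values = attrs.get(name, [])
        if len(values) > 1:
            raise ValueError(f"{name} must be single-valued")
        if values and values[0]:
            return name, values[0]
    raise ValueError("neither eduPersonTargetedID nor eduPersonPrincipalName asserted")
```

Preferring eduPersonTargetedID over eduPersonPrincipalName is a design choice of this example, not a ranking the page states; the page only asks that one of the two be used. The OID-to-name table plays the role that attribute-map.xml plays in a Shibboleth SP deployment, and the "IdP!SP!value" string is the form in which Shibboleth SP exposes a targeted ID to the application, which is why the three parts are kept together rather than storing the bare value.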