BACKGROUND
Currently, Kenya Airways is experiencing the following main IAM challenges and control gaps:
SCOPE OF SERVICE
The partner will be expected to provide a solution that will:
Single Sign On (SSO)
Ref | Requirement | Importance | Vendor Response
A.1 | Ability to utilize open standards for authentication (e.g. SAML v1.1 and v2.0, WS-Fed, WS-Trust, OpenID Connect) as well as proprietary SSO methods (e.g. for forms-based auth or basic auth). | Critical |
A.3 | Forms-based authentication SSO must only require a user to enter their password for initial configuration of a target application. A user can then log in to the identity service from any machine and any browser, and not have to enter an app password again. | Critical |
A.4 | For forms-based applications, the user can go directly to a target application in a browser window; the identity service will recognize that the application is configured for SSO and offer to automatically authenticate the user. | Critical |
A.16 | Integrations with leading network gateway products (e.g. F5 BIG-IP, Citrix NetScaler) for reverse proxy behind the firewall and support for legacy applications (e.g. header-based authentication). | Secondary |
Multi Factor Authentication
Mobile Capability Requirement
C.2 | Mobile web SSO support via a purpose-built native mobile application for iOS (iPad, iPhone) and Android. The SSO native app includes a UI designed for the appropriate phone or tablet form factor and has multi-tab capability so that multiple web apps can be open at the same time. | Critical |
Mobility Management Requirements
Q.1 | Mobility Management should automatically wipe business applications from the user's device when the user is deactivated in Active Directory, and leave personal applications untouched. | Critical |
Directory Integration
D.2 | Active Directory integration components / agents must be able to deploy with redundancy for High Availability. Additionally, High Availability should be achieved without additional configuration, i.e. the agents should automatically recognize each other and provide redundancy. | Critical |
D.8 | Ability to integrate a single cloud-based directory with multiple Active Directory domains/forests and multiple LDAP directories and manage access across all users to a single set of integrated applications. | Critical |
D.14 | Active Directory synchronization should include not just user attributes, but also AD Security Group definitions, structure, and membership. This group information should be automatically imported as part of initial configuration, and automatically kept up to date if AD groups change. | Critical |
Data & Analytics
E.1 | Fully searchable system log that is updated within milliseconds with events happening in the IAM system, to enable real-time investigation and remediation of potential security incidents. | Critical |
Provisioning
Solution Architecture Requirements
G.1 | Programmatic access to the IAM to allow the IAM solution to be used as the identity layer within a custom-built web application or multi-tenant cloud service. | Secondary |
G.4 | REST API that enables custom-built applications to create, read, update and delete (CRUD) users, groups and organizations, manage sessions, authenticate users, and provide application links for any user. | Secondary |
G.7 | Login widget that supports login, password change and reset, MFA and other authentication flows, can be inserted into a custom web page with a few lines of code, and is easily configured. | Secondary |
Customization and Flexibility
G.8 | Self-service registration; customer email domains and URLs; custom URL domains; hosted and self-hosted sign-in page. | Secondary |
Directory
I.3 | Directory must provide for separate user profile schemas for each external directory integrated to the service and for each app integrated. The directory must then allow administrators to custom-map fields between each directory or app and the main directory of the service. Mappings should be able to be configured differently for inbound or outbound flows. | Critical |
General Product Requirement
Vendor Management, Product Road-map & Viability
L.1 | Company should have Sales Engineers located in your area for dedicated pre-sales and evaluation support, and should also have 24x7 live support options for post-deployment technical questions. | Critical |
L.5 | Company should be able to show reference customer case studies, but should also be able to provide customers for specific reference questions. The customers should include deployments of 5,000 employee end users, or over 500k customer/partner end users, and should include customers with global deployments. | Critical |
L.7 | Provide your product road-map and strategy for the next 3 years. | |
L.8 | Describe how you are managing your product strategy (competition, market, positioning, customer requirements). How is this communicated and how often? | |
Security and Reliability Requirements
M.4 | Company should be CSA STAR Level 2 (attestation) compliant and able to provide SOC 2 (Type I and Type II) reports documenting the security practices of their product, technology, personnel and company. | Critical |
M.5 | An on-demand IAM company should be able to show how data is encrypted, how personnel are managed and secured, and how user information is kept safe. Detailed documentation should be provided in this area. | Critical |
M.6 | Company that is offering an on-demand or cloud-based service should be able to provide 3+ years of uptime reporting for their service. All outages, even those for maintenance or upgrades, should be reported. | Critical |
M.7 | Company should be able to show how High Availability (HA) is achieved with their product or service. If the IAM product is deployed on-prem, how many instances of the product must be deployed to achieve HA? | Critical |
Adaptive Authentication
Governance Requirements
Orchestration Requirements
API Access Management