The Vendor is required to provide an identity and access management (IAM) modernization solution that is secure, accurate, scalable, and user-friendly.
- Access management (AM)
1. Authentication and single sign-on
• Support for password-based, adaptive, and passwordless authentication.
• Enforcement of Microsoft Entra password conventions and lockout, complexity, and password reuse policies.
• Support for MFA across all users, roles, and integrated applications, with centralized management of MFA policies.
• A modern SSO experience with support for SAML 2.0, OIDC, WS-Fed, and optional CAS for legacy systems.
• Integration with Microsoft Entra ID for consistent authentication and policy enforcement.
2. Federation and integration
• Native support for both IDP and SP roles for major federation protocols.
• Ability to onboard new applications without disruption to existing integrations.
• Direct LDAP bind support for RADIUS services.
3. Multi-factor authentication (MFA)
• Support for multiple authenticator options (biometric, app-based authenticators, hardware tokens, SMS, phone).
• Support for MFA fatigue reduction features.
• Self-service MFA enrollment and recovery (device replacement, backup codes).
• Delegated helpdesk MFA reset capabilities.
4. Password management
• Strong password policy enforcement and support for bulk password resets.
• Bidirectional password sync with AD where federation is not supported.
• Consistent password policies across all reset flows.
5. Policy enforcement and conditional access
• A policy engine that supports contextual, attribute-based, and role-based decisions (zero trust aligned).
• The ability to consume governance-defined roles and entitlements from IGA.
• Support for explainability, simulation (“what-if”), conflict detection, and reusable policy components.
6. Session management
• Configurable idle, absolute, and rolling session timeouts.
• Support for limiting or blocking concurrent sessions.
- Identity management
1. Provisioning and synchronization
• SCIM, REST API-based provisioning, and connector extensibility.
• Multi-domain provisioning to AD, Entra ID, Google Workspace, LDAP, AWS IAM Identity Center, and SaaS platforms.
• High fidelity, error-tolerant provisioning with retry logic and SLA-based synchronization.
2. Attribute management and schema
• Configurable attribute mapping, transformation, and schema extensibility without vendor intervention.
• Handling of special characters (accent removal and normalization) during account creation.
3. Eventing and extensibility
• Support for event-driven integrations, webhooks, and real-time alerting for suspicious or high-risk activity.
- Identity governance (IGA)
1. Certification and entitlement review
• Support for periodic access reviews (annual, quarterly, ad hoc) across roles, entitlements, groups, and user types.
• Automated remediation for uncertified access, reviewer escalation workflows, and audit-ready reporting.
• Dashboards for campaign tracking, review progress, and compliance insights.
2. Access requests and approvals
• Flexible approval workflows that escalate based on risk.
• Integration with external systems to initiate and track access requests.
• Support for service-based access requests that map automatically to entitlements.
3. Authorization models
• Support for creation and lifecycle management of roles.
• Role hierarchies, dynamic group membership, SoD (segregation of duties) detection, entitlement catalogs, and dependency mapping.
• Full audit trails for all role, group, and entitlement changes.
4. Time-bound and just-in-time access
• Assignment of temporary access with automated expiry and notifications.
5. Lifecycle governance (joiner/mover/leaver)
• Support for identity transitions (e.g., applicant to student, student to alumni, and employee to retiree).
• Automatic provisioning and deprovisioning based on authoritative source updates.
• Management of external, contractor, and non-person identities with sponsor-based governance.
- Platform-wide capabilities
1. Logging, monitoring, and forensics
• Centralized logging of authentication, provisioning, lifecycle events, admin actions, and policy enforcement.
• Immutable and tamper-evident logs with configurable retention policies.
• Integration with Splunk for SIEM ingestion, alerting, and reporting.
• Role-based dashboards and report exports (CSV, Excel).
2. Architecture, reliability and performance
• Multi-environment architecture with data segregation.
• High availability, DR and backup capabilities, defined RTO and RPO, and support for seasonal load spikes (e.g., term start).
• Modular, scalable platform capable of supporting institutional growth.
3. Security and compliance
• API protection using OAuth 2.0, OIDC, and IP-restricted access to admin interfaces.
• Compliance with security and privacy standards.
• Support for secure data purging and alignment with university data retention policies.
4. Workflow and automation
• A configurable workflow engine for approvals, escalations, and integration-triggered automation.