
How to write an RFP for IDaaS

Requirements, questions, and evaluation criteria specific to IDaaS procurement


Identity as a Service (IDaaS) procurement requires careful planning because it involves entrusting a third party with your organization's digital keys. A well-crafted RFP ensures you select a solution that not only meets your current needs but also scales with your evolving security landscape.

What makes IDaaS RFPs different

IDaaS RFPs are unique due to the critical nature of identity management and its impact on overall security posture. Unlike other software categories, IDaaS directly controls access to sensitive resources and data, making security, reliability, and compliance paramount.

Furthermore, IDaaS solutions must integrate seamlessly with a diverse range of existing systems, including on-premises directories, cloud applications, and identity providers, requiring a flexible and adaptable architecture.

Procuring IDaaS also involves navigating complex regulatory requirements related to data privacy and security.

Organizations must ensure that the chosen solution complies with applicable regulations such as GDPR, HIPAA, and SOC 2, depending on their industry and geographic location. This necessitates a thorough evaluation of the vendor's security practices, data residency options, and compliance certifications.

Finally, the evolving threat landscape demands that IDaaS solutions incorporate advanced security features such as adaptive authentication, behavioral analytics, and AI-powered threat detection, adding another layer of complexity to the procurement process.

  • Scalability to accommodate future growth and fluctuating user demands
  • Integration capabilities with existing IT infrastructure and applications
  • Compliance with relevant industry regulations and data privacy laws
  • Vendor's security posture and track record in protecting sensitive data

RFP vs RFI vs RFQ

Here's when to use each document type when procuring IDaaS software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

When procuring IDaaS, an RFI is useful for initial market scanning and understanding the range of available solutions. An RFP is essential for detailed evaluation of vendor capabilities, security features, and integration options, while an RFQ is generally not suitable due to the complexity and customization required.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Authentication Methods

  • Multi-factor authentication (MFA) support (specify methods)
  • Passwordless authentication options (e.g., biometrics, FIDO2)
  • Adaptive authentication based on risk factors
  • Single Sign-On (SSO) capabilities

Identity Governance and Administration (IGA)

  • Automated user provisioning and deprovisioning
  • Role-based access control (RBAC)
  • Access certification and review workflows
  • Privileged access management (PAM) integration

Integration Capabilities

  • Integration with existing directory services (e.g., Active Directory, LDAP)
  • API-based integration with cloud applications and services
  • Support for SAML, OIDC, and other federation protocols
  • SCIM (System for Cross-domain Identity Management) support

Security and Compliance

  • Data encryption at rest and in transit
  • Compliance with relevant industry regulations (e.g., GDPR, HIPAA, SOC 2)
  • Vulnerability management and penetration testing
  • Incident response and security monitoring

Reporting and Analytics

  • Real-time security dashboards and alerts
  • Auditing and logging of user activity
  • Customizable reports for compliance and security analysis
  • Behavioral analytics for anomaly detection

Questions to include in your RFP

Architecture & Deployment

  • Describe your IDaaS architecture, including data residency and redundancy.
    Ensures the solution meets data sovereignty requirements and provides high availability.
  • What deployment models do you support (cloud, hybrid)?
    Determines compatibility with your existing infrastructure.
  • How do you ensure data isolation and security for each customer in a multi-tenant environment?
    Critical for data privacy and preventing cross-customer contamination.
  • What is your disaster recovery and business continuity plan?
    Ensures minimal downtime in case of a major incident.

Authentication & Access Management

  • What MFA methods do you support, and how do you prevent phishing attacks?
    MFA is crucial, but some methods are more secure than others.
  • Describe your adaptive authentication capabilities and how you assess risk.
    Balances security with user experience by adjusting authentication requirements based on risk.
  • How does your solution handle passwordless authentication?
    Reduces reliance on passwords, improving security and user convenience.
  • How do you manage access to applications and resources based on user roles and attributes?
    Ensures users have appropriate access levels, minimizing the risk of unauthorized access.

Integration & Interoperability

  • What pre-built integrations do you offer with common cloud applications and services?
    Reduces integration effort and speeds up deployment.
  • How does your solution integrate with existing directory services (e.g., Active Directory)?
    Ensures seamless synchronization of user identities and attributes.
  • Do you support SCIM for automated provisioning and deprovisioning?
    Automates user lifecycle management, reducing manual effort and errors.
  • What APIs are available for custom integrations?
    Provides flexibility to integrate with less common or custom applications.

Security & Compliance

  • What security certifications do you hold (e.g., SOC 2, ISO 27001)?
    Demonstrates commitment to security best practices.
  • How do you protect against common identity-based attacks (e.g., credential stuffing, phishing)?
    Ensures the solution can withstand modern threats.
  • What data privacy and residency options do you offer to comply with regulations like GDPR?
    Essential for meeting legal and regulatory requirements.
  • Describe your incident response plan and how you handle security breaches.
    Knowing how a vendor responds to incidents is crucial for minimizing damage.

Reporting & Analytics

  • What reporting and analytics capabilities do you offer for monitoring user activity and security events?
    Provides visibility into potential security threats and compliance issues.
  • Can you provide customizable reports for compliance audits?
    Simplifies compliance reporting and reduces audit preparation time.
  • Do you offer real-time security dashboards and alerts?
    Enables proactive threat detection and response.
  • Can you provide metrics on user adoption and usage of the IDaaS platform?
    Helps measure the success of the IDaaS implementation and identify areas for improvement.

Pricing & Licensing

  • Describe your pricing model and licensing options.
    Understanding the pricing structure is critical for budgeting and cost forecasting.
  • What are the costs associated with implementation, training, and support?
    Hidden costs can significantly impact the total cost of ownership.
  • Do you offer volume discounts or enterprise agreements?
    Can reduce costs for larger organizations.
  • What are the terms of your service level agreement (SLA)?
    Ensures the vendor commits to a certain level of uptime and performance.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

GDPR

Required if processing personal data of EU citizens. If applicable, request documentation on GDPR compliance measures, data processing agreements, and data residency options.

HIPAA

Required if handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and documentation on HIPAA compliance controls.

SOC 2 Type II

Generally recommended for all SaaS providers. If applicable, request a copy of the latest SOC 2 Type II report.

ISO 27001

Demonstrates a strong commitment to information security. If applicable, request a copy of the ISO 27001 certification.

CCPA/CPRA

Required if processing personal data of California residents. If applicable, request documentation on CCPA/CPRA compliance measures and data privacy practices.

Evaluation criteria

Here is the suggested weighting for IDaaS RFPs.

Functionality Fit (25%): How well the solution meets the stated requirements for authentication, access management, and governance.

Security and Compliance (20%): Strength of security features, compliance certifications, and data privacy practices.

Integration Capabilities (15%): Ease of integration with existing directory services, cloud applications, and IT infrastructure.

Total Cost of Ownership (15%): Implementation costs, licensing fees, support costs, and ongoing maintenance expenses.

Vendor Reputation and Stability (10%): Vendor's track record, financial stability, and customer references.

Scalability and Performance (10%): Ability to handle increasing user volumes and maintain performance under peak loads.

Usability and User Experience (5%): Ease of use for both administrators and end-users.
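As an added example (not part of the original page, and not any vendor's or evaluator's own tooling), the following Python applies the weighting above to constructed vendor scores and adds one step the weighting alone does not capture: hard pass/fail gates, so that a red flag such as an inability to meet data residency disqualifies a vendor instead of costing it a few points. The gate names, vendor names and criterion scores are assumptions made for illustration.

```python
"""Weighted RFP scoring with hard compliance gates.

Added example, not part of the original page. The weights are the page's
suggested evaluation weighting; the gate names, vendor names and criterion
scores are constructed for illustration.
"""

# Suggested weighting from the page's evaluation-criteria table (percent).
WEIGHTS = {
    "Functionality Fit": 25,
    "Security and Compliance": 20,
    "Integration Capabilities": 15,
    "Total Cost of Ownership": 15,
    "Vendor Reputation and Stability": 10,
    "Scalability and Performance": 10,
    "Usability and User Experience": 5,
}

# Hypothetical pass/fail gates (assumed names) drawn from the page's red flags:
# a vendor that fails one is disqualified regardless of its weighted score.
HARD_GATES = ("meets_data_residency", "has_current_soc2_type2_report")

SCORE_MIN, SCORE_MAX = 1, 5  # each criterion is scored 1 (poor) to 5 (excellent)


def validate_weights(weights):
    """Weights are percentages and must sum to exactly 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return True


def weighted_score(scores, weights=WEIGHTS):
    """Return a 0-100 score: sum(weight * score) scaled by the maximum score."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"no score for criteria: {sorted(missing)}")
    for criterion, value in scores.items():
        if not SCORE_MIN <= value <= SCORE_MAX:
            raise ValueError(f"{criterion}: score {value} outside {SCORE_MIN}-{SCORE_MAX}")
    raw = sum(weights[c] * scores[c] for c in weights)
    return raw / SCORE_MAX


def evaluate(vendor):
    """Apply the hard gates first; only qualified vendors get a weighted score."""
    failed = [g for g in HARD_GATES if not vendor["gates"].get(g, False)]
    if failed:
        return {"vendor": vendor["name"], "qualified": False,
                "score": None, "failed_gates": failed}
    return {"vendor": vendor["name"], "qualified": True,
            "score": weighted_score(vendor["scores"]), "failed_gates": []}


def rank(vendors):
    """Qualified vendors sorted by score (highest first), then the disqualified."""
    results = [evaluate(v) for v in vendors]
    qualified = sorted((r for r in results if r["qualified"]),
                       key=lambda r: r["score"], reverse=True)
    disqualified = [r for r in results if not r["qualified"]]
    return qualified + disqualified


def _scores(*values):
    """Map positional 1-5 scores onto the criteria in WEIGHTS order."""
    return dict(zip(WEIGHTS, values))


# Constructed sample responses (not real vendors). Vendor B scores highest on
# every criterion but cannot meet data residency, which the page lists as a
# red flag; the gate removes it from the ranking instead of merely lowering it.
VENDORS = [
    {"name": "Vendor A",
     "gates": {"meets_data_residency": True, "has_current_soc2_type2_report": True},
     "scores": _scores(4, 4, 4, 4, 4, 4, 4)},
    {"name": "Vendor B",
     "gates": {"meets_data_residency": False, "has_current_soc2_type2_report": True},
     "scores": _scores(5, 5, 5, 5, 5, 5, 5)},
    {"name": "Vendor C",
     "gates": {"meets_data_residency": True, "has_current_soc2_type2_report": True},
     "scores": _scores(5, 3, 4, 2, 4, 3, 5)},
]

if __name__ == "__main__":
    for r in rank(VENDORS):
        status = f"{r['score']:.1f}" if r["qualified"] else f"DISQUALIFIED {r['failed_gates']}"
        print(f"{r['vendor']}: {status}")
```

Run as a script it ranks Vendor A (80.0) ahead of Vendor C (74.0) and lists Vendor B as disqualified. Without the gate, Vendor B's perfect criterion scores would have put it first, which is the point of treating residency and similar compliance red flags as pass/fail requirements rather than as one more weighted line.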

Red flags to watch

  • Lack of transparency in pricing

    Vendors who are unwilling to provide detailed pricing information may have hidden costs or complex fee structures.

  • Weak security certifications or compliance documentation

    Indicates a lack of commitment to security best practices and regulatory compliance.

  • Limited integration options with existing systems

    Can lead to integration challenges and increased implementation costs.

  • Poor customer reviews or lack of references

    Suggests potential issues with product quality, support, or vendor reliability.

  • Inability to meet data residency requirements

    Can violate data privacy regulations and expose the organization to legal risks.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Average time to implement the IDaaS solution

Helps estimate the time and resources required for deployment.

Percentage of users successfully enrolled in MFA

Indicates the effectiveness of the MFA rollout and user adoption.

Number of security incidents related to compromised credentials

Measures the effectiveness of the IDaaS solution in preventing identity-based attacks.

Help desk ticket volume related to password resets

Demonstrates the impact of passwordless authentication on reducing user friction.

Time taken to provision or deprovision a user account

Indicates the efficiency of automated user lifecycle management.