
How to write an RFP for single sign-on

Requirements, questions, and evaluation criteria specific to single sign-on procurement


Single sign-on (SSO) procurement demands a strategic RFP due to the critical role identity plays in security and user experience. A well-crafted RFP ensures the chosen solution aligns with the organization's unique hybrid environment, balances security with usability, and avoids vendor lock-in or hidden costs.

What makes single sign-on RFPs different

SSO RFPs are unusual because the product has to bridge diverse environments, from legacy on-premises applications to modern SaaS. The RFP must address integration with existing directory and HR systems (Active Directory, LDAP, HRIS) as well as support for the authentication protocols your applications actually use (SAML, OIDC, Kerberos).

Furthermore, compliance requirements and data residency concerns add another layer of complexity, especially for global organizations.

SSO is no longer a standalone utility but the core of an identity fabric, requiring integration with other security tools such as MFA, IGA, and PAM. The RFP must evaluate the vendor's ability to orchestrate identity across these systems, manage the identity lifecycle of both human and non-human users (service accounts, workloads, API clients), and detect and respond to identity-based threats in real time.

Failing to address these factors can lead to a fragmented security posture, increased operational costs, and a poor user experience.

Finally, SSO pricing models can be complex, with hidden costs such as the "SSO tax" (the premium many downstream SaaS vendors charge to enable SSO on their side) and usage-based overage fees. The RFP must include detailed questions about pricing, licensing, and potential cost escalations so that total cost of ownership is transparent and predictable. At a minimum the RFP should cover:

  • Protocol support for legacy and modern applications
  • Integration with existing directory services and HRIS
  • Compliance with relevant data privacy regulations (e.g., GDPR, CCPA)
  • Scalability and reliability to support the entire organization

RFP vs RFI vs RFQ

Here's when to use each document type when procuring single sign-on software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For single sign-on, an RFI is useful for initial exploration of available solutions and vendor capabilities, while an RFP is essential for a detailed evaluation of technical specifications, security features, and integration capabilities. A standalone RFQ is rarely sufficient, because SSO implementations involve enough integration and customization work that pricing cannot be fixed before requirements are; use it only to finalize pricing with RFP finalists.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Authentication Protocols

  • SAML 2.0 support
  • OIDC support
  • WS-Federation support
  • Kerberos support
  • Header-based authentication support

Directory Integration

  • Active Directory synchronization
  • LDAP directory integration
  • HRIS integration (specify systems)
  • Automated provisioning/deprovisioning (SCIM)
  • Cloud-hosted ("universal") directory that can act as the authoritative user store

Security Features

  • Multi-factor authentication (MFA) integration
  • Adaptive authentication
  • Identity threat detection and response (ITDR)
  • Passwordless authentication (FIDO2/WebAuthn)
  • Compromised credential detection

High Availability & Reliability

  • 99.99% uptime SLA (specify how downtime is measured and whether maintenance windows are excluded)
  • Active-active failover architecture
  • Disaster recovery plan
  • Service outage post-mortem documentation
  • Offline or cached authentication when the identity provider is unreachable

Identity Governance

  • Access certification workflows
  • Role-based access control (RBAC)
  • Segregation of duties (SoD) enforcement
  • Audit logging and reporting
  • Compliance reporting (SOC 2, GDPR, etc.)

Questions to include in your RFP

Architecture & Deployment

  • Describe your solution's architecture, including details on multi-tenancy, data isolation, and geographic data residency options.
    Ensures data security and compliance with regional regulations.
  • What deployment models are supported (cloud, on-premise, hybrid), and what are the advantages and disadvantages of each?
    Determines flexibility and alignment with existing infrastructure.
  • Detail your disaster recovery and business continuity plan, including RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
    Validates resilience in case of outages.
  • Explain how your solution handles upgrades and maintenance with minimal disruption to users.
    Reduces operational overhead and user downtime.

Integration Capabilities

  • Describe your pre-built integrations with common applications (Salesforce, Microsoft 365, etc.) and directory services (Active Directory, LDAP).
    Reduces implementation time and integration costs.
  • Explain your support for SCIM (System for Cross-domain Identity Management) for automated provisioning and deprovisioning.
    Streamlines user lifecycle management and improves security.
  • How does your solution handle integration with legacy applications that don't support modern authentication protocols?
    Addresses the challenge of integrating with older systems.
  • Detail your API capabilities and available SDKs for custom integration requirements.
    Enables flexibility for unique integration scenarios.

Security & Compliance

  • Describe your support for multi-factor authentication (MFA) methods (push notifications, biometrics, FIDO2/WebAuthn) and adaptive authentication policies, and state which methods are phishing-resistant.
    Strengthens security and reduces the risk of unauthorized access; phishing-resistant methods matter most for privileged users.
  • Explain your approach to identity threat detection and response (ITDR), including real-time risk analysis and automated remediation.
    Proactively identifies and mitigates identity-based attacks.
  • Detail your compliance certifications (SOC 2, ISO 27001, GDPR) and data privacy practices.
    Ensures adherence to industry standards and legal requirements.
  • How does your solution protect against common attacks such as phishing, credential stuffing, session token theft, and account takeover?
    Mitigates the major identity-related security risks.

User Experience

  • Describe the user experience for accessing applications through your SSO portal, including mobile device support.
    Influences user adoption and reduces help desk tickets.
  • Explain your self-service password reset (SSPR) capabilities and identity verification methods.
    Reduces IT support burden and improves user productivity.
  • Detail your support for passwordless authentication methods (FIDO2, passkeys) and their implementation.
    Enhances security and simplifies the login process.
  • What options are available for customizing the SSO portal and login pages to match our corporate branding?
    Maintains brand consistency and improves user trust.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including licensing fees, implementation costs, and ongoing support charges.
    Ensures transparency and accurate budget forecasting.
  • Explain how your pricing accounts for Monthly Active Users (MAU) versus total user seats, and what are the overage penalties.
    Avoids unexpected costs due to seasonal usage spikes.
  • Are there any additional costs for integrating with specific applications or directory services?
    Identifies potential hidden expenses.
  • Do you offer volume discounts or special pricing for non-profit organizations?
    Explores potential cost savings.

Support & Maintenance

  • Describe your support services, including response times, escalation procedures, and available support channels.
    Ensures timely assistance and problem resolution.
  • What is your track record for uptime and service availability, and what guarantees do you offer in your SLA?
    Validates reliability and minimizes potential disruptions.
  • Do you provide training and documentation for administrators and end-users?
    Facilitates successful implementation and ongoing usage.
  • What is your roadmap for future product development and innovation, including support for emerging standards like decentralized identity (DID)?
    Ensures long-term viability and alignment with future trends.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

SOC 2 Type II

Expected of any vendor handling sensitive customer data. Request a copy of the latest SOC 2 Type II report (not just the certificate or a summary letter) and review the exceptions noted by the auditor.

GDPR (General Data Protection Regulation)

Required if processing personal data of individuals in the EU. If applicable, request documentation on GDPR compliance measures, data residency options, and the vendor's data processing agreement.

CCPA (California Consumer Privacy Act)

Required if processing personal data of California residents. If applicable, request documentation on CCPA compliance measures.

HIPAA (Health Insurance Portability and Accountability Act)

Required if handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and HIPAA compliance documentation.

ISO 27001

Relevant if you require the vendor to operate a formal information security management system. If applicable, request a copy of the ISO 27001 certificate and confirm its scope covers the SSO service itself.

Evaluation criteria

Here is the suggested weighting for single sign-on RFPs.

  • Functionality Fit (30%): How well the solution meets the stated functional requirements.
  • Security Features (25%): Strength of security measures and compliance with relevant standards.
  • Integration Capabilities (15%): Breadth of protocol, directory, and pre-built application support.
  • Total Cost of Ownership (TCO) (15%): Implementation, licensing, and ongoing costs.
  • Vendor Stability & Roadmap (10%): Financial health and commitment to future innovation.
  • User Experience (5%): Ease of use and adoption by end-users.

Adjust these weights to your own priorities. In particular:

  • Increase the Integration Capabilities weight if you are replacing a complex legacy system.
  • Increase the Integration Capabilities weight if you have a complex integration landscape (many applications, multiple directories, or legacy protocols).

Red flags to watch

  • Vague pricing responses

    Vendors who can't provide clear pricing often have hidden costs or complex fee structures that inflate TCO.

  • No customer references in your industry

    Lack of relevant references suggests limited experience with your specific requirements and use cases.

  • Limited protocol support

    Inability to support the legacy protocols your applications rely on (Kerberos, WS-Federation, header-based authentication) indicates difficulty integrating with existing systems.

  • Weak disaster recovery plan

    Inadequate failover mechanisms suggest potential for significant downtime.

  • Proprietary protocols

    Avoid vendors who do not support open standards (SAML/OIDC). Proprietary protocols create significant vendor lock-in and cannot be independently reviewed or interoperated with by your other applications.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Implementation timeline for similar customers

Helps set realistic expectations and identify potential delays.

Average time to first value

Indicates how quickly you'll see ROI from the investment.

Password reset ticket reduction after implementation

Demonstrates the impact on IT support workload.

Onboarding time reduction

Shows the impact on new employee productivity.

Uptime percentage

Validates the reliability and stability of the service.