Secure web portal

Subject

The UPU seeks a platform/service to aggregate its various web resources into one workplace, providing end users with access using one set of credentials (SSO).

The deadline for the submission of tenders is 12 May 2023 at 18.00 CEST.

Documents

Questions and answers

  1. What exact information is the bidder expected to provide in response to the “Market position and share in relevant markets” requirement? Reference: Section 3.2

We want to be sure the product is stable and widely used. We are asking for references.

 

2. Do you have any fixed guidelines or templates for writing a Technical and Financial proposal? If yes, please provide the necessary information. If not, are we free to use our own templates? Reference: Sections 3.5 and 3.6

You can use your own template.

 

3. What is expected: a fixed-cost quotation based on the number of deliverables/milestones in the project, or rates for the resources who will be working on the project? Reference: Section 3.6

Yes, this is correct. You can also split the offer into different parts which can be done separately. This can be useful if we want to split the project.

 

4. What does "equipment" refer to in the statement "the quality of their partnerships with equipment suppliers"? Is the supply of any hardware/equipment under the current work scope? Reference: Section 4.9

The scope of the project does not include hardware. This is not well formulated; it should be understood as integration with software providers (authentication or application providers, for example).

 

5. Are you looking for a vendor located within Switzerland, or would you be open to considering a vendor based in Austria who is capable of providing resources within Switzerland? Reference: Section 4.11

The partner can be based in any country as long as support or consultancy services are located within Switzerland, not more than 2.5 hours from Bern by train.

 

6. Are case studies and/or client references required in the technical proposal? If yes, what is the minimum number of case studies/references we should provide?

It is not required but would be an advantage.

 

7. Do we need to provide the CVs of team members who might be assigned to the project? If yes, could you please specify the number of resumes required and the preferred roles (front-end and back-end developers, etc.), if any?

You do not need to, but you can.

 

8. Can we provide sample resumes instead of those of the people who will be assigned to the project?

This is not necessary.

 

 

  1. Are you in search of a vendor who can offer a pre-built portal, or do you want to develop the web portal from scratch?

We want a product from the market, not something to be developed.

 

 

  1. Is the schedule given in the RFP to be negotiated?

You can propose implementation in 2 phases.

 

In our approach, where the set of functionalities is standardized and can be configured, it is possible to execute phase 1 with configuration only and preparation of blueprints for the applications to be integrated, and after that move to phase 2 with customized functionalities to be delivered. We assume the full schedule to be 6-8 months, with the first phase delivered live after 3 months.

 

  1. The portal should be able to host web apps that support SAML, OAuth and OpenID Connect
     Please confirm that hosting means: the application is registered in the Portal so that its icon is presented to the user

Yes, this is correct.

     The application uses the portal as its identity source (SSO)

We want SSO, but the IdP can be other than the portal.

 

  1. "Access to apps must be based on assigned roles, with the possibility of delegating role assignment"
     Please explain "Access to apps". Does it mean that the Portal should dim/hide the application's icon in the Portal due to lack of the necessary privileges?

Yes, this is right.

 

Does the Portal need to restrict returning the identity token to the application unless the user has an appropriate role that allows them to use said application?

Usually, the application decides whether a user can access it or not and handles insufficient access rights accordingly.

Yes, this is OK.

 

  1. "Ease of delegation of roles and rights. Once the structure and roles are defined, it should be possible for someone with limited experience of content management systems to manage and assign roles and rights"
     Is it expected that the Portal's end user will be able to delegate his/her rights to another user?

No.

 

Or is this action only available to an Operator / Admin User?

We want to have “super users” who can grant access to a specific application. These users have more rights than standard users but are not admins.

 

  1. Multi-factor authentication should be available based on the criticality of the published apps
     What kind of MFA is required? SMS/email-based OTP? Time-based OTP like Google / Microsoft Authenticator?

MFA needs to be available, but we do not know which kind since we are not using it yet.

 

  1. Ability to automate provisioning (workflows) of apps or roles based on certain events or conditions
     Please elaborate: what could be the scope of the workflows?

Example for registration: if a user authenticates on a certain AD, he is added to a certain group.

 

  1. Self-registration form allowing users to register and gain access to various apps
     Is there any acceptance process anticipated?

So far we have other registration processes for users accessing other apps. But if a new user registers, he will be created only after someone allows him to use an app.

 

Do we expect to have any interaction with external data sources (i.e. to confirm user identity)?

If the data sources include IdPs, yes.

 

  1. Is there a requirement to host the Portal on-prem or in the cloud (and what cloud services are considered)?

Cloud can be considered, but most of our applications are on premises.

 

  1. Is it expected that the solution will be used to create and manage all user roles and permissions, or just pass user records from a master system (i.e. Azure AD/LDAP)?

The best for us would be if the portal could manage users and permissions. At the moment permissions are based on AD groups in several ADs.

 

  1. E-mail notifications of various events or conditions
     What types of events can trigger notifications?

New users created. A user wanting to access an app (notification to the super user responsible for the app).

 

  1. Dynamic and interactive input fields
     Does it include cascading fields like Region->province->city?

Yes

 

Does it include external online services (i.e. user input verification in a dedicated service, hosted internally or externally)?

No.

 

  1. Information collected via the form used for role or group assignment
     Please provide an example of such role assignment.

Same answer as 6.

 

Are the business rules custom-tailored for each of the apps, or rather global?

Rather global. The principle will be the same for different apps, with different super users.

 

  1. We assume that the particular applications integrated with the System will be responsible for management of privileges, and that the System will pass information about the user's role, which will be mapped into the proper privileges in the application itself. Is that a right assumption?

In theory, yes. But this depends on the application. For example, if we can add a user to an AD group when he is granted access to an app, we do part of the access management, as most of our applications are based on AD.

 

 

Is UPU looking for a vendor to supply a ready-to-use product which is already functional in the market, or does it want a product to be developed from scratch?

We are looking for a product that is already done, with good integration and with time on the market.

 

  • In what way does Okta not cover your needs?

We are vendor independent. We do not know whether Okta can or cannot provide the service.

 

  • Which Okta components are currently deployed, and for what functional scope?

Not relevant.

 

  • Do you already use Okta as an aggregator for your various directories?

No, please consider that we do not have Okta.

 

  • Do you already have a SharePoint licence agreement for your 50,000 users?

Not relevant.

 

  • From Office 365?
  • Which Microsoft licence(s) do you currently have for the different types of users?

Not relevant.

 

  • Do you already have an MDM (Mobile Device Management) solution in place for your mobile fleet? If so, which one?

No.

 

  • Is the end-user workspace to be understood as the display of the list of web applications the user has access to or can request access to, and nothing more?

Yes.

 

  • What do you mean by “API access management”?

Management of the portal over API calls.

 

  • Would it be possible to organize an oral alignment/clarification session to detail your needs? We would like to understand the scope of your request in terms of technical choices / hosting / support, etc.

No.

 

 

Is the 2.5 hour "on call" time a hard requirement? Could meetings not be scheduled ahead of time? Our team is spread across the USA and Europe and can attend meetings, but they would have to be scheduled 7 days ahead of time. Would that be possible?

No, this would not be possible for support reasons.

 

Does it include support to the end users? Are L1 and L2 support covered by UPU and L3 by the supplier?

Yes.

 

Do you have an estimate of the number of tickets per year that are expected?

No.

 

 

How many and what types of Azure licenses have you got? This is to evaluate whether we should evaluate Azure as an option or not. 

We have an Enterprise agreement covering Azure.

 

Are all apps compatible with OpenID Connect or SAML?

Yes.

 

What does "host" mean in "The portal should be able to host web apps..."?
Could you confirm that the portal feature is limited to an aggregation of links/buttons/tiles giving access to some web apps, but that those apps are not directly hosted by the portal itself?
Could you confirm that the hosting of web apps is out of scope of this RFP?

Yes.

 

Where are the users coming from?

Different Active Directories.

 

Is there already an IdP to use?

No.

 

Will there be multiple IdPs to integrate?

No.

 

Will the end users be migrated or enrolled from scratch?

Both.

 

Will the universal source be one of our choosing, or should we provide a solution compatible with every item in the list of directories (Active Directory, Azure AD, Okta, ...)?

Compatible with the existing ones.

 

 

Could you provide a more precise example and scenario which are expected to be covered by "the possibility of delegating role assignment"?

One super user can give other users access to one or several apps.

 

If an admin can have the right to assign/remove roles on a specific group of users, does that cover your expectation?

No, we need to have “super users”: more than a user but less than an admin.
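The answers above describe a three-tier model: admins integrate apps and can do anything, a "super user" can grant or revoke access only to the app(s) they are responsible for, access requests are e-mailed to that super user, and the portal merely hides tiles the user has no role for while the application still authorizes the user from the identity token it receives. The following is an added illustration of that model, not code from the UPU tender or from any bidder; the app names ("crm", "stats"), the user identifiers and the in-memory data structures are constructed assumptions.

```python
"""Scoped delegation of app access: admins, per-app super users, plain users.

Added example. App names, user names and the in-memory store are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Portal:
    admins: set = field(default_factory=set)
    # app -> users who may open it (their tile is shown)
    access: dict = field(default_factory=dict)
    # app -> super users allowed to grant/revoke access to that app only
    owners: dict = field(default_factory=dict)
    # pending access requests: (user, app) -> super users who were notified
    requests: dict = field(default_factory=dict)

    def register_app(self, app, super_users=()):
        # Done by an admin when the app is integrated (SAML/OIDC trust is set
        # up out of band); deliberately not something a super user can do.
        self.access.setdefault(app, set())
        self.owners.setdefault(app, set()).update(super_users)

    def can_manage(self, actor, app):
        # Least privilege: admins manage any app, super users only their own.
        return actor in self.admins or actor in self.owners.get(app, set())

    def grant(self, actor, user, app):
        if app not in self.access:
            raise KeyError(f"unknown app {app!r}")
        if not self.can_manage(actor, app):
            raise PermissionError(f"{actor} cannot grant access to {app}")
        self.access[app].add(user)
        self.requests.pop((user, app), None)

    def revoke(self, actor, user, app):
        if not self.can_manage(actor, app):
            raise PermissionError(f"{actor} cannot revoke access to {app}")
        self.access.get(app, set()).discard(user)

    def request_access(self, user, app):
        # Returns who must be e-mailed: the super users responsible for the
        # app, falling back to the admins if the app has none.
        if app not in self.access:
            raise KeyError(f"unknown app {app!r}")
        notify = set(self.owners[app]) or set(self.admins)
        self.requests[(user, app)] = notify
        return sorted(notify)

    def visible_apps(self, user):
        # The portal only decides which tiles to show; each application must
        # still authorize the user from the token it receives.
        return sorted(app for app, users in self.access.items() if user in users)


def demo():
    p = Portal(admins={"alice"})
    p.register_app("crm", super_users={"bob"})
    p.register_app("stats")
    p.grant("bob", "carol", "crm")            # bob owns crm: allowed
    try:
        p.grant("bob", "carol", "stats")      # bob does not own stats
        escalated = True
    except PermissionError:
        escalated = False
    notified = p.request_access("carol", "stats")   # no super user: admins
    p.grant("alice", "carol", "stats")
    return {
        "escalated": escalated,
        "notified": notified,
        "carol_sees": p.visible_apps("carol"),
        "bob_sees": p.visible_apps("bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in any product offered against this requirement is the `can_manage` step: a super user's grant must be rejected for an app they do not own, and the app-to-owner mapping must be writable only by admins, otherwise the "less than an admin" boundary disappears.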

 

Could you provide examples of use cases that are to be covered by this requirement?

Adding a user to an Active Directory group based on the source AD and/or the selected app in the portal.

 

Are you expecting the creation of new roles or trust with new web applications to be done automatically?

No.

 

Are you open to having the apps integrated by the supplier?

No.

 

UPU would have to open a ticket with the supplier, and the latter would integrate the application (exchange of metadata, etc.). This can be seen as a "managed service".

 

Could you provide a use case example to help understand this requirement?

If the email ends with @post.ch, assign the member to the Swiss Post group. This after validation by an internal user.
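The provisioning rules given in the answers come in two flavours: "user authenticated on a certain AD, so add him to a certain group" (the source is a trusted IdP, so the rule can fire automatically) and "email ends with @post.ch, so assign to the Swiss Post group, after validation by an internal user" (a self-registered address is only a claim until someone checks it). The following is an added example of a small rule evaluator with that approval step, not code from the UPU tender or from any bidder; the IdP name "corp-ad", the group names, the approver identity and the sample events are constructed assumptions.

```python
"""Event-driven provisioning rules with an approval queue.

Added example. IdP names, groups, approvers and sample events are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    user: str
    source_idp: Optional[str]   # None for a self-registration
    email: str


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    group: str
    needs_approval: bool


def email_domain(email: str) -> str:
    # Compare the domain after the last "@", case-insensitively. A naive
    # email.endswith("post.ch") would also accept "user@notpost.ch".
    _local, at, domain = email.rpartition("@")
    return domain.strip().lower() if at else ""


@dataclass
class Provisioner:
    rules: list
    approvers: set                                   # internal validators
    memberships: dict = field(default_factory=dict)  # user -> set(groups)
    pending: dict = field(default_factory=dict)      # id -> (user, group, rule)
    _next_id: int = 1

    def _add(self, user, group):
        self.memberships.setdefault(user, set()).add(group)

    def handle(self, ev: Event):
        """Apply matching rules; returns (groups applied, pending request ids)."""
        applied, queued = [], []
        for rule in self.rules:
            if not rule.matches(ev):
                continue
            if rule.needs_approval:
                rid = self._next_id
                self._next_id += 1
                self.pending[rid] = (ev.user, rule.group, rule.name)
                queued.append(rid)
            else:
                self._add(ev.user, rule.group)
                applied.append(rule.group)
        return applied, queued

    def approve(self, rid, approver):
        # Only a designated internal user turns a pending assignment into a
        # real membership; the check runs before anything is dequeued.
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not allowed to approve")
        user, group, _rule = self.pending.pop(rid)
        self._add(user, group)
        return group


RULES = [
    # Trusted source: the assertion came from the corporate AD, apply directly.
    Rule("corp-ad-login", lambda e: e.source_idp == "corp-ad",
         "portal-internal", needs_approval=False),
    # Self-asserted attribute: queue until an internal user validates it.
    Rule("swiss-post-domain", lambda e: email_domain(e.email) == "post.ch",
         "swiss-post", needs_approval=True),
]


def demo():
    prov = Provisioner(rules=RULES, approvers={"internal.user"})
    a1, _q1 = prov.handle(Event("dana", "corp-ad", "dana@upu.int"))
    _a2, q2 = prov.handle(Event("erik", None, "Erik@Post.CH"))        # self-registered
    _a3, q3 = prov.handle(Event("mallory", None, "mallory@notpost.ch"))
    before = sorted(prov.memberships.get("erik", set()))
    prov.approve(q2[0], "internal.user")
    after = sorted(prov.memberships["erik"])
    return {"dana": a1, "erik_before": before, "erik_after": after,
            "mallory_pending": q3, "pending_left": len(prov.pending)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the "corp-ad" condition would be evaluated on the issuer of the SAML or OIDC assertion, never on a form field, and the approval step is what keeps a typed-in @post.ch address from granting group membership on its own.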

 

What would be the use case for this?

If you choose "postal operator", then you have the list of postal operators to choose from.

 

Could you provide an example?

Done in the previous answer.

 

What feature is expected as API access management? Could you provide an example?

Publishing an app through an API call.

 

Would the IP address of the user be enough? What kind of location is expected?

Geolocation.