RFP template · reviewed 2026-05-22

Workforce IAM RFP template — the questions to actually ask

A copy-into-Word RFP scaffold for selecting a workforce IdP (Okta, Entra, JumpCloud, Ping, OneLogin, etc.). Focused on the questions that differentiate, not generic capability checkboxes.

We can run this for you

Who uses it

IT / Security leadership at 1K-50K-employee organizations evaluating or replacing their workforce IdP.

Typical timeline

6-10 weeks RFP → shortlist → bake-off → award

29 questions across 8 sections. CC BY 4.0 — copy freely.

1. Vendor + company background

1.1
Briefly describe your company, headquarters, founding year, ownership, and key investors / parent company.
1.2
Provide annual recurring revenue and growth rate for the past 3 years.
Why
Stability signal. Skip if pre-IPO and you trust the reference customers.
1.3
How many customers in our employee-count bracket (e.g. 10K-50K) currently use the product? Provide 3-5 references in our industry.
1.4
What is your product roadmap for the next 12 months? Specifically: which capability areas are receiving the most investment?

2. Authentication + MFA

2.1
List supported MFA factor types. Specifically call out: FIDO2 (security keys + platform passkeys), Microsoft Authenticator / Okta Verify / Duo Push, OTP (TOTP / HOTP), SMS, voice, hardware OTP token (YubiKey OTP, RSA SecurID).
2.2
Describe phishing-resistant authentication options. Specifically: device-bound credentials, certificate-based authentication, support for FIDO2 user verification + attestation.
Why
Privileged users need this. NIST 800-63B drives the bar; FedRAMP elevates it.
2.3
Describe number-matching support for push-based MFA. Is it on by default? Configurable per user / per role?
Why
MFA fatigue compromises (Uber, Cisco, MGM) are mitigated by number-matching.
2.4
Describe risk-based authentication — what signals are evaluated (IP / geo / device / behavior), how risk is scored, and what response options are available.
2.5
How does the product handle account recovery + MFA reset? Specifically: what fraud protections exist on the help-desk-reset path?
Why
IT help desk MFA reset is the most-common social-engineering vector.

3. SSO + federation

3.1
List supported SSO protocols (SAML 2.0, OIDC 1.0, OAuth 2.0 / 2.1) and the version compliance.
3.2
How many pre-built application integrations are in your catalog? Include both SaaS + on-prem.
3.3
Describe support for custom application integrations — admin-side configuration UX, time-to-add-a-custom-SAML-app, custom OIDC client config.
3.4
How do you handle B2B / external identity? Describe the consent + invitation flow.

4. Lifecycle + provisioning

4.1
Describe the joiner / mover / leaver (JML) automation capabilities. How is the authoritative source connected? What events trigger automation?
4.2
How many pre-built SCIM provisioning connectors are available?
4.3
Describe the workflow / automation builder. Can it be version-controlled / managed as code? Native Terraform support?
4.4
How are exceptions handled — provisioning failures, attribute conflicts, role-based mismatches?

5. Conditional access / access policy

5.1
Describe the conditional-access / access-policy engine. What conditions can be evaluated (user / group / device / location / risk / app)?
5.2
How are policies tested before enforcement (report-only mode, simulation)? Can policies be deployed via CI/CD?
5.3
Describe integration with endpoint posture providers (CrowdStrike, SentinelOne, Microsoft Intune, Jamf).

6. Governance + audit

6.1
Describe native access certification capabilities. Reviewer UX. Risk-tiering. Continuous mode vs campaign mode.
6.2
How is identity-related audit evidence emitted and retained? Continuous emission to a SIEM / data lake?
6.3
List supported compliance frameworks (SOC 2, FedRAMP, ISO 27001, HIPAA). Provide most recent third-party audit reports.

7. Integration + platform

7.1
Describe the API surface. Authentication mechanism (OAuth client credentials, API key, mTLS). Rate limits. Pagination semantics.
7.2
List supported infrastructure-as-code tooling (Terraform provider, Pulumi, CloudFormation).
7.3
Describe webhook / event-streaming capabilities. What events fire? What's the latency profile?

8. Pricing + commercial

8.1
Describe the pricing model — per user, per active user, per integration, per feature tier. Provide a sample 3-year TCO for our employee count.
8.2
What is the typical annual escalator on multi-year contracts? Are there cap-out options?
8.3
Describe implementation services pricing. Required services vs optional.

Evaluation rubric

How to score responses.

Criterion	Weight	How to score
Phishing-resistant MFA depth	15%	Score against FIDO2 + platform passkey + smart card support. Bonus for required attestation.
JML automation maturity	15%	Score against HRIS-driven automation, SCIM connector count, custom workflow builder.
Conditional Access policy engine	15%	Score against condition richness, test-mode UX, CI/CD-friendliness.
API + platform extensibility	10%	Score against API completeness, Terraform provider quality, event-streaming maturity.
Total cost of ownership (3yr)	15%	Score against per-user 3-year TCO inclusive of implementation services.
Reference customer signal	15%	Calls with 3-5 customers in your industry + employee bracket. Score on overall satisfaction + specific pain points.
Compliance + audit readiness	10%	Most recent SOC 2 Type 2 + (if relevant) FedRAMP authorization. Evidence-emission capability.
Roadmap fit	5%	Does the roadmap match your needs over the contract term?

Want help running it?

We run vendor selections + bake-offs.

Vendor-neutral procurement assistance — from RFP to shortlist to bake-off to negotiation. We’ve seen every vendor pitch + every contract structure.

Talk to a procurement leadPricing index

1. Vendor + company background

1.1

Briefly describe your company, headquarters, founding year, ownership, and key investors / parent company.

1.2

Provide annual recurring revenue and growth rate for the past 3 years.

Why

Stability signal. Skip if pre-IPO and you trust the reference customers.

1.3

How many customers in our employee-count bracket (e.g. 10K-50K) currently use the product? Provide 3-5 references in our industry.

1.4

What is your product roadmap for the next 12 months? Specifically: which capability areas are receiving the most investment?

2. Authentication + MFA

2.1

List supported MFA factor types. Specifically call out: FIDO2 (security keys + platform passkeys), Microsoft Authenticator / Okta Verify / Duo Push, OTP (TOTP / HOTP), SMS, voice, hardware OTP token (YubiKey OTP, RSA SecurID).

2.2

Describe phishing-resistant authentication options. Specifically: device-bound credentials, certificate-based authentication, support for FIDO2 user verification + attestation.

Why

Privileged users need this. NIST 800-63B drives the bar; FedRAMP elevates it.

2.3

Describe number-matching support for push-based MFA. Is it on by default? Configurable per user / per role?

Why

MFA fatigue compromises (Uber, Cisco, MGM) are mitigated by number-matching.

2.4

Describe risk-based authentication — what signals are evaluated (IP / geo / device / behavior), how risk is scored, and what response options are available.

2.5

How does the product handle account recovery + MFA reset? Specifically: what fraud protections exist on the help-desk-reset path?

Why

IT help desk MFA reset is the most-common social-engineering vector.

3. SSO + federation

3.1

List supported SSO protocols (SAML 2.0, OIDC 1.0, OAuth 2.0 / 2.1) and the version compliance.

3.2

How many pre-built application integrations are in your catalog? Include both SaaS + on-prem.

3.3

Describe support for custom application integrations — admin-side configuration UX, time-to-add-a-custom-SAML-app, custom OIDC client config.

3.4

How do you handle B2B / external identity? Describe the consent + invitation flow.

4. Lifecycle + provisioning

4.1

Describe the joiner / mover / leaver (JML) automation capabilities. How is the authoritative source connected? What events trigger automation?

4.2

How many pre-built SCIM provisioning connectors are available?

4.3

Describe the workflow / automation builder. Can it be version-controlled / managed as code? Native Terraform support?

4.4

How are exceptions handled — provisioning failures, attribute conflicts, role-based mismatches?

5. Conditional access / access policy

5.1

Describe the conditional-access / access-policy engine. What conditions can be evaluated (user / group / device / location / risk / app)?

5.2

How are policies tested before enforcement (report-only mode, simulation)? Can policies be deployed via CI/CD?

5.3

Describe integration with endpoint posture providers (CrowdStrike, SentinelOne, Microsoft Intune, Jamf).

6. Governance + audit

6.1

Describe native access certification capabilities. Reviewer UX. Risk-tiering. Continuous mode vs campaign mode.

6.2

How is identity-related audit evidence emitted and retained? Continuous emission to a SIEM / data lake?

6.3

List supported compliance frameworks (SOC 2, FedRAMP, ISO 27001, HIPAA). Provide most recent third-party audit reports.

7. Integration + platform

7.1

Describe the API surface. Authentication mechanism (OAuth client credentials, API key, mTLS). Rate limits. Pagination semantics.

7.2

List supported infrastructure-as-code tooling (Terraform provider, Pulumi, CloudFormation).

7.3

Describe webhook / event-streaming capabilities. What events fire? What's the latency profile?

8. Pricing + commercial

8.1

Describe the pricing model — per user, per active user, per integration, per feature tier. Provide a sample 3-year TCO for our employee count.

8.2

What is the typical annual escalator on multi-year contracts? Are there cap-out options?

8.3

Describe implementation services pricing. Required services vs optional.

How to score responses.

Criterion	Weight	How to score
Phishing-resistant MFA depth	15%	Score against FIDO2 + platform passkey + smart card support. Bonus for required attestation.
JML automation maturity	15%	Score against HRIS-driven automation, SCIM connector count, custom workflow builder.
Conditional Access policy engine	15%	Score against condition richness, test-mode UX, CI/CD-friendliness.
API + platform extensibility	10%	Score against API completeness, Terraform provider quality, event-streaming maturity.
Total cost of ownership (3yr)	15%	Score against per-user 3-year TCO inclusive of implementation services.
Reference customer signal	15%	Calls with 3-5 customers in your industry + employee bracket. Score on overall satisfaction + specific pain points.
Compliance + audit readiness	10%	Most recent SOC 2 Type 2 + (if relevant) FedRAMP authorization. Evidence-emission capability.
Roadmap fit	5%	Does the roadmap match your needs over the contract term?