
Identity and access management for NATO HQ. Any interest?


Call: The support and maintenance of the NATO HQ identity and access management systems

Buyer: NATO Headquarters (HQ) in Brussels (Belgium).

Deadline: Nov 30

Background Information: The NATO HQ Identity and Access Management System (IdAMS) is based on the Omada Identity Suite (Enterprise) solution for identity management. Its aim is to manage all identities entering the NATO HQ premises as well as their privileges and accesses, both physical (location) and logical (system), in a controlled manner. It is spread over 3 partially interconnected domains (Domains A, B and C) and has a growing number of interfaces to target systems, as explained below. Workflows, resources and groups are used to manage the identities and their accesses.

The NATO HQ IdAMS system has been in use since the spring of 2018. Currently, the main functionalities include:

i. Managing newcomers and transfers;

ii. Provision of Physical Access Control (PAC) that is assigned manually and supported by automated assignments; requesting Active Directory (AD) accounts; creation of badges with certificates through a Public Key Infrastructure (PKI) solution to allow for Logical Access Control (LAC); registering family members and visitors; provision of identity information to the physical key management system and possibly other systems in the future; and managing stakeholder information.

The system functionality is continuously being extended through further enhancements and integration with existing applications and systems, with the aim of achieving a single person identity within the organization. It should be noted that NATO HQ is using a combination of two Omada license types:

            Full User licenses that are used for identities with full on-site presence.

            Light User licenses that are used for people who are occasionally on-site (e.g. contractors, visitors etc.)

The architecture, depicted in the diagram below, can be summarized as follows:

Domain A: The core of IdAMS is installed in domain A and consists of:

            2 front-end servers

            IdAMS database (DB)

            Omada Warehouse

            Provisioning Engine

            The majority of target systems are also installed in domain A

Domain B

            2 front-end servers, load balanced, with email capability, connected to the core system in domain A

Domain C

            IdAMS Provisioning Engine including DB, receiving information (one-way) from domain A

In most cases, interfaces have been implemented by means of an intermediate DB to store communication between IdAMS and target systems. Target systems include but are not limited to: 

Public Key Infrastructure (PKI) System for certificates

Remedy Help Desk tool for requests to create AD accounts across several domains

DEISTER for management of physical keys

SIPORT (provided by Siemens) for badge controlled physical access to offices

Microsoft Exchange for automated email notifications

ERP EBS

Directory services at other NATO agencies and commands

Customizations are implemented with C#.NET v4, ASP.NET (aspx), HTML and JavaScript, using Microsoft SQL Server for the database backend and reporting, together with Microsoft Identity Manager (MIM)/Forefront Identity Manager (FIM). These customizations are mainly dedicated to developing workflows and processes and to fine-tuning the Omada solution in order to meet organizational requirements that cannot be serviced by native Omada functionality. Wherever possible, NATO HQ prefers to use the native Omada functionality. Other software packages used include:

Moreover, there is one Pre-production Environment available for IdAMS. This environment is functionally representative of the Production Environment, but it may lack in terms of performance, redundancy and capacity. Also, some interfaces are not fully implemented end-to-end in the IdAMS Pre-production Environment, as the receiving systems have no pre-production equivalent.

The Development Environment is implemented on the current provider's infrastructure, and the future provider is expected to set up its own Development Environment.

Finally, the Services to be provided under the Contract will assist NATO HQ with the functional and technical operations, support and maintenance of the IdAMS system and its interfaces with other systems, as well as with the evolution of the IdAMS system, including new requirements development and implementation. The scope of Services is limited to the IdAMS system and interfaces with other systems. During further development, analysis and cooperation with support staff and owners of other systems to be interfaced with may be included in the scope. The exact scope of the new developments has not been fully determined yet, but it is expected to be significant during the contract period.

The Contractor shall provide the Services on-site at the NATO HQ in Brussels, Belgium. No remote access to the system will be allowed for security and technical reasons.
