ProofID IGA is an Identity and Access Management solution built specifically for managing the identity lifecycle of the various user communities, both internal and external, which interact with the modern business. IGA is optimised to deal with external users, across multiple use cases including customer, contractor and B2B.
- Inbound SCIM API
- Outbound SCIM provisioning module
- SCIM Bridge to interface with source/target applications
- OAuth 2 support
- Integrated with PingFederate and PingOne
- Integrated with Okta
- Integrated with Microsoft MIM
- Integrated with NetIQ Identity Manager
- Manage lifecycle of internal and external users from first contact
- Synchronisation of identities from authoritative sources to target applications
- Manage workforce, B2B, B2C and contractor scenarios in a common platform
- Authoritative source and source of authentication for external identities
- Devolved administration model
- Out of the box delegated approval and certification workflows
- Role-based architecture
- Flexible resource model allowing for coarse- and fine-grained authorisation
- Detailed audit trail, capturing attribute level changes to identities
- Self-service features including self-registration form and secure forgotten password reset
£15000 per instance per year
- Education pricing available
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
IGA features modules for integration with the following commercial Identity and Access Management products.
NetIQ Identity Manager
|Cloud deployment model||Public cloud|
|System requirements||SCIM Bridge may need to be hosted on-premise|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
1 hour for a Priority 1 incident
08:00 to 18:00 Mon-Fri
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Telephone and email support is provided as part of the subscription license fee.
Solution specific support can be provided via ProofID's Identity Management Technical Support and Managed Service services, listed separately on GCloud 9. Please review relevant Service Descriptions for details and pricing.
|Support available to third parties||Yes|
Onboarding and offboarding
ProofID provides 'starter pack' consultancy to assist customers with initial configuration of the system. This is provided as a block of 40 hours of remote consultancy on a T&M basis, to be consumed within three months of purchase.
ProofID provides a workbook to assist customers with collecting core information to underpin the configuration of the system.
|End-of-contract data extraction||
Configuration data can be exported from the administrative console.
User data can be extracted via the API or via CSV export.
Customers may request a copy of their database at any time.
|End-of-contract process||ProofID will assist the customer with exporting their data at the end of the contract.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Application is designed responsively, and can be run in a browser on a mobile device.|
|Accessibility standards||WCAG 2.0 AA or EN 301 549|
|Accessibility testing||Screen reader testing.|
|What users can and can't do using the API||
IGA has a REST API based on SCIM (System for Cross-Domain Identity Management) version 1.1.14, which helps integrate IGA with other applications or cloud-based services.
The API uses JSON as its data format, and the schema used is as per the SCIM core schema 15. The SCIM Enterprise User Schema Extension is also used. While the SCIM core and Enterprise User schemas provide a fixed set of default attributes for the user object, IGA has its own Schema Extension which defines the attributes IGA supports that are not covered by either SCIM schema.
The API requires mod_rewrite to be loaded within Apache to function.
The API requires HTTP Basic authentication using a local IGA administrative user, which must be created in advance. The user should be a member of the 'API' group. See the section on Local Administrative Users.
The REST API can support a tenancy ID in the URL; this is not enabled by default, but can be enabled as required via a configuration setting.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||IGA has a private SDK which allows per-tenancy customisations. ProofID can build customisations according to customer requirements, at additional cost (see SFIA rate card for developer fees).|
|Independence of resources||ProofID carefully monitors usage of the service and the onboarding of new customers to ensure sufficient capacity for expected user loads; scaling requirements feed into capacity planning for the platforms.|
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||In-house|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
The results of any screen or search within the system can be exported to a CSV file.
Data can be extracted in JSON format via the SCIM API.
Configuration data can be exported from the administrative console.
|Data export formats||
|Other data export formats||JSON|
|Data import formats||
|Other data import formats||JSON (Via SCIM API)|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||ProofID offer a service availability of 99.5%|
|Approach to resilience||
The service is operated across multiple geographically dispersed data centres in an active/active fashion. Each data centre includes full local resilience, with redundancy at all tiers of the infrastructure including the perimeter, application and data layers.
The data centres provide full resilience including:
- N+1 redundant air conditioning units to guarantee stable temperature and humidity
- Redundant UPS conditioned power @ N+1
- Dual HV redundant power supplies from physically diverse paths
- Dual 1700 KVA auto generator back-up sets
- Dual HV sub stations
- Multiple internet providers through diverse links and risers to the data floor
|Outage reporting||Email alerts are distributed to customers to inform of any outage within the platform that affects their service. Customers are notified in advance of any planned changes that may affect availability|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||IGA has a fine-grained role-based access control system governing all administrative actions available within the system. Customers can use the out-of-the-box administration roles, or create their own according to their requirements.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR|
|ISO/IEC 27001 accreditation date||09/09/2016|
|What the ISO/IEC 27001 doesn’t cover||N/A. ProofID's ISO27001:2013 certification covers the entire business, staff, processes and assets in the provision of Identity and Access Management facilities at ProofID's Old Trafford office, remote staff and 3rd-party hosted cloud provision, in accordance with statement of applicability v13|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||No|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
ProofID operates a comprehensive Information Security Manual which is aligned with and certified to ISO27001:2013 as part of our ISO certification. This certification covers all areas of the business and the services provided to customers.
ProofID has an information security committee which meets quarterly to review the organisation's ISMS and associated policies. The committee is made up of individuals from across the business and is chaired by the Technical Director, who is a member of the ProofID board of directors. Information security status, updates and events are reported as part of the regular management meetings and are also covered at board meetings (every 2 months).
All line managers within the business are responsible for ensuring adherence to the organisation's information security policies within their area of the business and, where relevant, for drafting and owning policies relevant to their business areas under the supervision of the Technical Director. Information security is a key part of ProofID and is included in employee induction: employees are briefed on the policies, event reporting etc. Breaches of the information security policies are covered by the organisation's employment and disciplinary procedures.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
As part of ProofID's ISMS and ISO27001:2013 certification, a change and configuration management procedure is followed.
All components of the service are covered by the procedure, including servers, network links, applications, security components etc.
When a change is required, a change request is created detailing the assets impacted, the change, the backout plan and details of relevant testing; any security implications are flagged by the requestor. The change board then reviews the requested change to ensure sufficient detail and compliance with the organisation's information security policies and associated risks. Where a security risk is identified, a risk assessment is performed.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Vulnerabilities are assessed using the following criteria, which drive the patching approach:
- Is the vulnerability exploitable outside of the network?
- How complex must an attack be to exploit the vulnerability?
- Is authentication required to attack?
- Does the vulnerability expose confidential data?
The Organization has established the following timeline requirements for reacting to notifications of relevant vulnerabilities:
- Remote, unauthenticated, non-complex attacks: < 1 day
- Remote, authenticated, non-complex attacks: 1 day
- Remote, complex attacks exposing confidential information: 1 day
- All others: 1 week
Notifications are received by subscribing to the applications' vulnerability notification systems (emails, RSS feeds etc.).
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Potential compromises are identified through system monitoring and log file analysis, looking for unusual patterns of activity and configuration changes.
Should a security breach (physical and systems) be identified or suspected which directly or indirectly involves customer data then the Information Security Manager is responsible for immediately notifying the relevant customer(s).
Incidents involving high-value or business critical systems (as identified under section 8.1 of the Manual) are immediately reported to the Information Security Manager.
|Incident management type||Supplier-defined controls|
|Incident management approach||
All information security events and weaknesses are, immediately upon receipt, recorded by the Support team in WebTrack, then assessed and categorised by the Information Security Manager (who automatically receives confirmation by email of any newly recorded incident/event or update).
ProofID has a standard process for handling events, vulnerabilities, incidents and unknown events, with associated processes and priorities.
Root cause analysis and corrective actions are recorded and, where relevant, fed back to the affected individuals; these are reviewed at the quarterly information security committee meetings.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£15000 per instance per year|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||
Free demo instance of IGA available here:
Free to use for testing and development purposes. Tenancy deleted after 7 days of inactivity.
|Link to free trial||https://iga.demo.proofid.co.uk/login.php|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|