
UtahID: Identity and Access Management (IAM)

UtahID: Identity and Access Management (IAM) is the State of Utah’s identity provider and the standard method of authentication. It is a complete identity and access management implementation and the infrastructure DTS has put in place for IAM: a single sign-on (SSO) solution for both identifying and authenticating users. IAM is a framework of policies and technologies for ensuring that users have access to the resources they need and are authorized to use. Authorized systems can be federated to UtahID: IAM for authentication. Authorization of users is handled in the Utah ID application and is managed by the application owner or administrators.

Systems, applications, and mobile applications are connected to the UtahID: IAM system in multiple ways. Web applications connect using OpenID Connect or using the AM agent installed on the web server. Other systems can connect using OpenID Connect, SAML, or OAuth2 as the preferred methods.

For employees, UtahID: IAM is connected to the state human resources system, which provisions the user lifecycle from onboarding to termination. For citizen accounts, identity is self-service: users create and manage their own profile.

Many state resources and systems are protected by, and use, UtahID: IAM for SSO, user management, security, and passing tokens to the applications for authorization.

Hours of Support

| Application | Support Hours | Days of Week |
|---|---|---|
| AM | 24×7, excluding scheduled maintenance | Sunday–Saturday |

Product Features and Descriptions

User Authentication

UtahID: IAM is an SSO solution used for authenticating and managing users.

User Authorization

UtahID: IAM is an identity provider and can be federated to store and pass tokens to systems for user authorization. It can provide authorization based on application integration.

Software Token

A software token is an application installed on a smartphone. The state standards are the RSA SecurID Software Token and the UtahID Authenticator.

Hard Token

RSA SecurID 700 is a small key fob that provides a one-time passcode (OTP) every 60 seconds. UtahID Key is a USB-A or USB-C device that is plugged into a computer’s port for two-factor authentication. Both hard tokens are the state standard.

VPN Authentication

When connecting to the VPN with two-factor authentication, the user is prompted for their username (UtahID), password, and two-factor token (when applicable).

SMS (Text) Notification

SMS notification is for public users only and provides a one-time passcode sent by the UtahID authentication system to a user via their text messaging service on their mobile device.

Email Notification

Email notification is for public users only and provides a one-time passcode sent by the UtahID authentication system to the user’s validated email address stored in the database.

Trusted Device (Device Fingerprint)

A trusted device is for public users only. It is a device that the user asks to have remembered during the authentication process by selecting “trust this device.”

Trusted IP Address

A trusted IP address is for public users only and allows users to access protected sites on successive logins with the same originating IP address. Once an IP address is set as a trusted IP address, it can then be used as an additional factor in multifactor authentication.

Features Not Included

Role Management: Not included

Rates and Billing

| Feature | Description | Base Rate |
|---|---|---|
| DTS Consulting Billing | As needed. | See DTS Billing Rates |

Ordering and Provisioning

Users can submit requests for AM integration and federation via a form located in ServiceNow.

DTS Responsibilities

DTS will: 

  • monitor server infrastructure to ensure that servers are working correctly; 
  • monitor authentication services to ensure that services are available and working correctly;
  • upgrade AM agents to the latest stable version within thirty days of that version’s release;
  • work with administrators and application owners to create authentication and authorization policies for users’ rights and access; and
  • work with users (for up to two hours; billing rate applies after two hours) to enable SAML, if needed.

Agency Responsibilities

If there is an issue specific to authentication or access to a protected resource, agencies and end users shall submit a ticket via the DTS Help Desk. If after-hours support is required, the DTS Help Desk will contact the Capitol Hosting on-call phone.

Agencies will work with DTS to ensure that:

  • AM agents are upgraded to the latest stable version;
  • all new applications or vendor products use UtahID for authentication;
  • all applications, during rewrites or modifications, will incorporate UtahID for authentication; and
  • authorization and role management for users is built within the agency application.

DTS Service Levels and Metrics

In an effort to improve service to our customer agencies, DTS will measure and report on the following enterprise metric goals:

  • Application Availability
  • Resolution Time
  • Initial Response
  • First Contact Resolution 
  • Customer Satisfaction Surveys and Reporting

Application Availability

Application availability measures DTS’s efforts to ensure that agency key business applications meet the percentage of availability goals identified in each agency’s service level agreement. DTS will determine application availability based upon the collective measurement of the configuration items (both hardware and software) that are required in order to support the agency business services applications. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at http://dts.utah.gov/metrics/index.php

| Metric Description | Target Percentage of Application Availability* |
|---|---|
| UtahID: IAM | 99.9% |

Table Note: *Times exclude those tickets in a “Pending” status waiting for a known bug fix.

Resolution Time

Resolution time measures DTS’s efforts to resolve customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at http://dts.utah.gov/metrics/index.php

| Total Time to Resolution | Target Percentage of Tickets Meeting Priority Timelines |
|---|---|
| Low priority: 6 business hours | 90% |
| Medium priority: 4 business hours | 90% |
| High priority: 3 clock hours | 90% |
| Critical priority: 3 clock hours | 90% |

Initial Response

Initial response measures DTS’s efforts to respond to customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at http://dts.utah.gov/metrics/index.php

| Time to Initial Response | Target Percentage of Tickets Meeting Priority Timelines |
|---|---|
| Low priority: 1 business hour | 85% |
| Medium priority: 1 business hour | 85% |
| High priority: 1 clock hour | 90% |
| Critical priority: 30 clock minutes | 95% |

First Contact Resolution

First contact resolution measures DTS’s efforts to resolve customer incidents on a customer’s initial contact with either our help desk or a technical specialist. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at http://dts.utah.gov/metrics/index.php

| Metric Description | Target Percentage of Reported Incidents Resolved on Initial Contact |
|---|---|
| First Contact Resolution | 65% |

Customer Satisfaction Surveys and Reporting 

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an online survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary. 

The chart below identifies DTS enterprise goals for customer satisfaction. Cumulative monthly reports will be created displaying the level of customer satisfaction with DTS support. These reports will then be posted on the DTS Metrics Web page at http://dts.utah.gov/metrics/index.php

| Metric Description | Target Levels of Customer Satisfaction |
|---|---|
| Average level of satisfaction with resolution efforts | ≥ 4.5 on a scale of 0–5 |
| Percentage of respondents expressing satisfaction (vs. dissatisfaction) | 93% of respondents satisfied |