Active Directory Federation Services (ADFS) Upgrade Project ID: TP5186AD

Oakland County Department of Information Technology Project Scope and Approach

Project Name: Active Directory Federation Services (ADFS) Upgrade Project ID: TP5186AD

Leadership Group: IT Steering Committee

Department: Information Technology Division: Technical Services & Network

Project Sponsor: Carl Wilson Date Requested: 11/5/2015 PM Customer No. 186

Request Type: New Development Enhancement Customer Support Planned System Maintenance or Upgrade

IT Team Name: Technical Services IT Team No: P

Project Manager/Leader: Sherry Yagiela Account Account Customer Information 19030 Tech Syst Planned Maint Number: Description: Name: Technology

Grant Funded? Yes No Mandate? Yes No Mandate Source: N/A

Project Goal

To improve Active Directory Federation Services (ADFS), a critical Oakland County IT architecture building block, to the latest toolset release so that a highly available infrastructure can be established.

Business Objective Develop an upgraded Dev and QA ADFS environment so that security, redundancy, resiliency and accessibility can be improved.

Major Deliverables  Detailed project plan  DEV, QA, PROD ADFS infrastructure  SSO for Internal users  Migrate ADFS to latest release (3.0)  Migrate applications  Forms Authentication for External users  Customized login screen for OC  RP configuration template with and without group membership checks  Sample web application with Claims based authentication (with signout)  Sample web application which replaces Siteminder authentication (with signout)  Sample web application which replaces Windows authentication (with signout)

Form Rev. 11/05/2015 Page 1 Project Rev. 12/1/2015 Oakland County Department of Information Technology Project Scope and Approach

Project Name: Active Directory Federation Services (ADFS) Upgrade Project ID: TP5186AD

Approach

 Create development environment  Build QA environment that mirrors production  Produce a production instance that will have redundancy and load balancing  Testing of all applications migrated o Office 365 o ArcGIS Online o EUM o OC Time o Envision IT Time o Kronos o SP2013  Deployment

Research & Analysis Gartner Research Recommendation – See attached

NACo Application Store – Research Conducted; Nothing Found

Benefits See Return on Investment (ROI) Analysis Document

Impact Number of Users – County Employees Divisions – Technical Services Leadership Groups – Technical Systems and Network

Risk Business Environment – Medium – Project will require some changes to existing business technologies. Technical Environment – Medium – Previously implemented technologies with new aspects and/or new requirements.

Form Rev. 11/05/2015 Page 2 Project Rev. 12/1/2015 Oakland County Department of Information Technology Project Scope and Approach

Project Name: Active Directory Federation Services (ADFS) Upgrade Project ID: TP5186AD

Assumptions Staffing IT Staffing: resources will be dedicated to the project in order to keep efficiencies Other Staffing: additional staffing will be available as follows: Role: Name Hours per Day Project Sponsor: Carl Wilson As needed

Facilities  Technical  Funding  Information Technology

Other 

Priority

Constraints  

Exclusions  Additional applications not currently using ADFS

Form Rev. 11/05/2015 Page 3 Project Rev. 12/1/2015 Oakland County Department of Information Technology Project Scope and Approach

Project Name: Active Directory Federation Services (ADFS) Upgrade Project ID: TP5186AD

PROJECT PHASE AUTHORIZATION

Phase(s): Project Management, Business Area Requirements, Development Environment Build, QA Environment Build, Production Environment Build, Migration & Testing and Post Implementation Support

Total Estimated Application Services Hours: 692 Cost: $88,576

Total Estimated Technical Systems Hours: 267 Cost: $0

Total Estimated CLEMIS Hours: Cost:

Total Estimated Internal Services Hours: Cost:

IT Application Services Division Manager Approval: Date:

IT Technical Systems Division Manager Approval: Date:

IT CLEMIS Division Manager Approval: Date:

IT Internal Services Division Manager Approval: Date:

IT Management Approval:

Approved: Yes No Date:

Reason:

Project Sponsor Approval:

Title: Date:

PROJECT SUMMARY

Authorized Development (see above) Hours: 959 Cost: $88,576

Preliminary Estimated Development for Future Phases Hours: Cost:

Grand Total Estimated Development Hours: 959 Cost: $88,576

Form Rev. 11/05/2015 Page 4 Project Rev. 12/1/2015 Oakland County Department of Information Technology Project Scope and Approach

Project Name: Active Directory Federation Services (ADFS) Upgrade Project ID: TP5186AD

PROJECT COMPLETION AUTHORIZATION

Customer Acceptance of Product:

Title: Date:

Project Office Review: Date:

Form Rev. 11/05/2015 Page 5 Project Rev. 12/1/2015 This research note is restricted to the personal use of [email protected]

G00239178 Choosing Among Federated Identity Management Options Published: 25 September 2012

Analyst(s): Gregg Kreizman

Software-as-a-service application adoption continues to spur the need for federated identity management. Enterprises have an increasing number of options to obtain this functionality.

Key Challenges ■ Software as a service (SaaS) application adoption is the primary market driver for federated identity management. SaaS applications usually have proprietary authentication services. However, federation standards increasingly will be supported to provide enterprises with single sign-on (SSO).

■ Commercial and open-source options can provide federated authentication to SaaS applications. Maintaining adequate staff to support these solutions remains a challenge for many organizations.

■ Enterprises most commonly want to leverage users' authentication to Active Directory for SSO to SaaS applications. Microsoft's federation components may fulfill the requirements at little or no additional cost.

■ Federated authentication is only one identity and access management (IAM) capability needed when enterprises use SaaS. Identity administration and intelligence functions are usually also needed and are generally not included as base federation software products.

Recommendations ■ Enterprises with no access management tools, but that want to leverage Active Directory authentication for federation based on SAML 2.0 or WS-Federation, should strongly consider Microsoft Active Directory Federation Services (ADFS) 2.0.

■ Enterprises that have deployed Web access management (WAM) tools should consider using the federation capabilities that are included or sold as add-on products for possible cost- benefits over other options.

■ Consider open-source federation capabilities, but recognize that there is no "free lunch"; support contracts will likely be needed.

This research note is restricted to the personal use of [email protected] This research note is restricted to the personal use of [email protected]

■ Identity access management as a service (IDaaS) should be considered when the enterprise does not want to manage an on-premises IAM infrastructure or many federation partnerships.

■ Consider using the federation extensions to networking and authentication products when users' sessions will be routed through these products.

Strategic Planning Assumption Federated single sign-on will be a commodity by year-end 2014.

Introduction During the early 2000s, identity federation was needed predominantly in B2B scenarios. However, this need was small relative to other access requirements. In 2010, the growing adoption of SaaS applications began to generate an increasing level of Gartner client inquiries on the topic of enabling SSO to SaaS applications. In "Options for Coping With New Identity Islands in the Cloud" (note: this research has been archived; it may not reflect current conditions), we analyzed how most SaaS applications have failed to deliver integration with enterprise IAM capabilities. However, we also noted that authentication and federation were the most mature IAM disciplines and had the most options for integrating SaaS applications with enterprise IAM infrastructures. Federated SSO is increasingly being supported by SaaS providers.

Whether or not enterprises are considering their entire sets of IAM needs for SaaS applications, SSO and federation needs are acute. What are the decision factors and the best market options for supporting federated identity management to meet enterprise needs?

Federated identity management capabilities can increasingly be obtained as a subset of a variety of products and services. Here, we identify solution groupings to accomplish federation objectives along with best practices for choosing each type (see "Technology Overview for Federated Identity Management" for a technology overview and content on standards).

Analysis

Enterprises With No Access Management Tools, but That Want to Leverage Active Directory Authentication for Federations Based on SAML 2.0 or WS-Federation, Should Strongly Consider ADFS 2.0 Microsoft has long had federation capability with ADFS v1. However, the WS-Federation specification was the only one supported. ADFS v1 lacked SAML protocol capability until the release of ADFS v2.0 in 2010. ADFS 2.0 supports limited SAML profiles, but these are the most commonly deployed profiles and use cases for service and identity providers (see "Technology Overview for Federated Identity Management"). ADFS 2.0 is provided at no additional charge to

Page 2 of 7 Gartner, Inc. | G00239178

This research note is restricted to the personal use of [email protected] This research note is restricted to the personal use of [email protected]

organizations that have maintained their licenses for Microsoft Windows Server. It requires Windows Server 2008 or above to run.

Gartner has spoken with many satisfied clients who have implemented ADFS 2.0. The technology can be daunting to set up for first timers, but clients report that it works as advertised. At this time, we believe ADFS 2.0 is well-positioned to support enterprises that do not own WAM with built-in federation or stand-alone federation capability, only have Active Directory, and wish to leverage their users' Active Directory authentication for at least a few federated SSO partners.

ADFS's limitations are that it only supports Active Directory as an underlying identity repository, and ADFS does not support other versions of SAML (for example v1.1), nor does it support the newer RESTful specifications OpenID or OAuth. However, Microsoft has built support for these specifications into Azure Access Control Services, which could be relevant for enterprises building applications using Azure (see "Technology Overview for Federated Identity Management" for an overview of these specifications).

Enterprises That Have Deployed WAM Tools Should Consider Using the Federation Capabilities That Are Included or Sold as an Add-on Product for Possible Cost- Benefits Over Other Options

WAM tools are mature, broadly implemented technologies. The majority of established WAM implementations use commercial products that support federation in the base product or use a vendor's stand-alone federation product that integrates with the vendor's WAM tool. The combination can provide consistent security policy management for applications inside and outside the enterprise. Multiple authentication methods can be supported with WAM.

Authorization policies such as those defining which users, roles or groups can access applications can be managed consistently with a WAM tool. WAM vendors are more frequently supporting the newer RESTful federation specifications. Adding the same vendor's federation products to an existing WAM deployment may produce greater cost savings than adding a second vendor's commercial products. Therefore, using a WAM tool's native functionality or "bolting on" a vendor's federation product to WAM is often the best choice for enterprises that already own WAM tools. It is usually not worth the resource investment to implement WAM when the enterprise's Web application server environment is homogeneous (for example, all applications run on Microsoft .NET and Internet Information Services [IIS]) and the authorization or advanced authentication functions are not required.

Ping Identity, a well-established federation software pure-play vendor, offers the PingFederate product set. It is well-regarded for its relative ease of implementation, application integration kits and standards support. PingFederate historically lacked the authorization policy engine that WAM tools had. However, Ping Identity has added the ability to read directory-held attributes to determine whether users are entitled to access federated application targets. Ping's products often are implemented in lieu of a full-fledged WAM tool, or to augment a WAM implementation that has no federation support built in.

Gartner, Inc. | G00239178 Page 3 of 7

This research note is restricted to the personal use of [email protected] This research note is restricted to the personal use of [email protected]

Example vendors that include federation with their base WAM products include Entrust, Evidian, ForgeRock, NetIQ, Oracle, SecureAuth and Siemens. CA Technologies; IBM; and RSA, The Security Division of EMC, sell stand-alone or bundled federation products (see "MarketScope for Web Access Management" and its upcoming update for more information on these vendors and products).

Consider Open-Source Federation Capabilities, but Recognize That There Is No Free Lunch; Support Contracts Will Likely Be Needed Enterprises that desire to implement and support open-source solutions as alternatives to commercial offerings have some choices.

Oracle acquired Sun's OpenSSO WAM and federation products in 2009. Oracle's strategic WAM and federation products are its Oracle Access Manager (OAM) and Oracle Identity Federation, which Oracle is now combining into one product offering. OpenSSO Enterprise was not strategic for Oracle. ForgeRock, a startup that joined the IAM market in 2010, also provides support for OpenSSO branded as OpenAM. ForgeRock continues to develop and extend the product, and sells support for its version.

The Shibboleth stack is the most well-established open-source federation software. It is used in hundreds of higher education institutions, some governments and private sector organizations. Shibboleth was not completely interoperable with other SAML implementations in its early days. However, developers moved the implementation toward SAML 2.0, and it has been interoperable with other SAML 2.0-compliant products for several years. OpenSAML, also developed as part of the Shibboleth initiative, and SimpleSAMLphp are other examples of open-source federation implementations (see wiki.shibboleth.net/confluence/display/OpenSAML/Home and simplesamlphp.org).

With the exception of ForgeRock, which supports OpenAM directly and through partners, enterprises must be prepared to support open-source federation implementations on their own, through community support, or by finding a vendor or integrator that is well-versed in the chosen implementation's intricacies.

IDaaS Should Be Considered When the Enterprise Does Not Want to Manage On- Premises IAM Infrastructure or Many Federation Partnerships

IDaaS providers offer alternatives to completely on-premises solutions. Vendors in this small, but growing and volatile market have been adding and maturing functions to help organizations extend or replace internal IAM functions, completely, or to integrate with SaaS applications. This removes the integration burden and potentially gets the customer out of the IAM operations business. In the federation use case, the IDaaS provider establishes the federations with SaaS providers, thereby relieving the enterprise of having to establish and manage those federations. IDaaS can be completely delivered in the cloud. However, there is often a bridge component of the service that is implemented on-premises to provide a secure connection between an enterprise's authentication and identity attribute store (often Active Directory) and the service. The directory is used as an identity repository and for initial user authentication that is leveraged for subsequent SSO to target SaaS applications. The directory group objects often can be used by the service to check for

Page 4 of 7 Gartner, Inc. | G00239178

This research note is restricted to the personal use of [email protected] This research note is restricted to the personal use of [email protected]

membership and subsequent authorization to use target applications. IDaaS vendors can, in varying degrees, provision accounts to SaaS applications that have provisioning or directory synchronization interfaces.

The small and midsize business market has contributed most of the growth for IDaaS, although some larger customers are beginning to come on board. ("A Guide to Making the Right Choices in the Expanding IDaaS Market" identifies vendors and the functions their services provide.)

Use IDaaS for federation when the enterprise does not want to manage a solution itself, when it would prefer a subscription-based licensing model, and when your enterprise use-case needs can be met.

Use Federation Extensions to Networking or Authentication Products When Users' Sessions Will Be Routed Through These Products In addition to the main solution groupings for which we see client interest, there is a trend for authentication, and network infrastructure and service providers to federation-enable their offerings so that these products can be directly joined to a federation. For example, Cisco builds its SAML- compliant SaaS Access Control solution into its IronPort S-Series Web Security Appliances. SecureAuth, an IAM vendor that previously emphasized authentication with VPN integration, has extended its products to support federation and emphasize the enterprise-to-cloud and mobile endpoint use cases. This trend of extending existing products with federation support should continue, and enterprises may find that some products they already own can fulfill part of their federation requirements. Federation support being provided by networking infrastructure vendors has not been implemented for consumer-facing requirements to the scale that WAM/federation tools have. Gartner generally sees clients use the networking vendors' federation capabilities in VPN and networking gear usage scenarios where remote employees enter the corporate network through a VPN, and then can get SSO to SaaS applications based on the VPN sign-on event.

Federation and SSO provide user convenience and some elements of common authentication policy management for access to SaaS applications. However, enterprises must also consider the aforementioned provisioning, authorization and intelligence requirements that may be inhibited by SaaS providers that have not provided programmatic methods to support these requirements.

Federation capability will continue to be added to authentication products and services, to networking products, and is sometimes built into application platforms. For example, virtual directory vendor, Radiant Logic, has extended its products to support federation. With so many options for federated SSO, basic capabilities have been commoditized. WAM vendors and federation specialists will seek to differentiate with support for advanced use cases, multiprotocol support and application integration. However, these capabilities will be commoditized as well as applications slowly, inexorably move to standardized Web architectures and cloud services.

Recommended Reading Some documents may not be available as part of your current Gartner subscription.

Gartner, Inc. | G00239178 Page 5 of 7

This research note is restricted to the personal use of [email protected] This research note is restricted to the personal use of [email protected]

"Options for Coping With New Identity Islands in the Cloud"

"Technology Overview for Federated Identity Management"

"MarketScope for Web Access Management"

"A Guide to Making the Right Choices in the Expanding IDaaS Market"

Page 6 of 7 Gartner, Inc. | G00239178

This research note is restricted to the personal use of [email protected] This research note is restricted to the personal use of [email protected]

GARTNER HEADQUARTERS

Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 USA +1 203 964 0096

Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.”

Gartner, Inc. | G00239178 Page 7 of 7

This research note is restricted to the personal use of [email protected] Information Technology Strategic Plan Alignment

TP5186AD - Active Directory Federation Services (ADFS) Upgrade

3.1 - Provide an Enhanced Application Service Offering

3.1.1 - Increased application integration and 3.1.5 - Increase the agility and responsiveness of standardization through web services business units by expanding customer analytics

3.1.2 - Integrate mobility and location based 3.1.6 - Leverage the County's web presence as a services in business applications branded consolidated point of access to all County information and services 3.1.3 - Promote and utilize shared services through the use of cloud technologies to offset costs and 3.1.7 - Centralize and standardize identity and expland product offerings to customers access management for all applications and content X

3.1.4 - Improve the quality, reliability, and availability of all applications X

3.2 - Enhance ability to provide effective and timely customer service

3.2.1 - Advance the use of IT Infrastructure Library 3.2.4 - Utilize a formalized customer communication (ITIL) best practice framework for IT Service plan Management

3.2.2 - Implement Configuration Management 3.2.5 - Build IT Staff expertise through professional Database to better identify IT Assets development

3.2.3 - Provide a high-quality training program to 3.2.6 - Expand capacity through ongoing organization empower employees through technology review and right sourcing

3.3 - Implement a Standardized Infrastructure Strategy

3.3.1 - Deliver services using a standardized shared 3.3.4 - Improve service availability through network technology infrastructure whereever possible design and management strategies X

3.3.2 - Implement a consolidated security 3.3.5 - Enhance capacity planning and recovery management strategy managment strategies

3.3.3 - Develop and implement a policy for 3.3.6 - Adopt an enterprise architecture approach personally owned devices and services to technology planning, design, and implementation

Run Date 12/1/2015 Page 1 of 1 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Project Summary

Description Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Total Benefits/Savings: Tangible Benefits Subtotal: 0 0 0 0 0 0 0 Cost Avoidance Subtotal: 0 0 0 0 0 0 0 Costs: Development Services Subtotal: 110,737 0 0 0 0 0 110,737 Hardware Subtotal: 0 0 0 0 0 0 0 Software Subtotal: 0 0 0 0 0 0 0 Infrastructure Subtotal 0 0 0 0 0 0 0 Training Subtotal: 0 0 0 0 0 0 0 Other Subtotal: 0 0 0 0 0 0 0 Annual Statistics: Annual Total Savings 0 0 0 0 0 0 0 Annual Total Costs 110,737 0 0 0 0 0 110,737

Annual Return on Investment (110,737) (110,737) Annual Costs/Savings Ratio 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% Project Cumulative Statistics: Cumulative Total Savings 000000 0 Cumulative Total Costs 110,737 110,737 110,737 110,737 110,737 110,737 110,737

Cumulative Return on Investment (110,737) (110,737) (110,737) (110,737) (110,737) (110,737) (110,737) Cumulative Cost/Savings Ratio 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%

Year Positive Payback Achieved NO PAYBACK State or Federal Mandate? Signatures:

Benefits Reviewed By Project Sponsor Date:

Costs (including IT Resources) Reviewed By Information Technology Project Manager Date:

ADFS Upgrade_ROI_v2.xls/Project Summary Date Printed: 12/1/2015 Page 1 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Savings Detail

Project Savings Unit Rate per Total Annual Benefit/Savings Description Category Budget Category/Funding Source Desc Units Unit Savings Multiplier Fortifying the critical environment will Intangible Benefit mitigate many risks 0 Intangible Benefit Adding forms based component will eliminate security risk as the gab with Web email allows cookies to re- authenticate a user to the environment. 0 Adding a Dev and QA region will enable Intangible Benefit better testing and improve migrations to production. 0 Intangible Benefit Increase maximum availability and provide zero downtime upgrades by adding an internal and external failover. 0 Increase trust in IT due to uptime of Intangible Benefit ADFS improving customer experience 0

ADFS Upgrade_ROI_v2.xls/Savings Detail Date Printed: 12/1/2015 Page 2 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Savings Detail

Affects Project ROI? Potential Savings Extensions Project Savings Benefit/Savings Description Category Y1 Y2 Y3 Y4 Y5 Y6 Y1 Y2 Y3 Y4 Y5 Y6 Fortifying the critical environment will Intangible Benefit mitigate many risks Intangible Benefit Adding forms based component will eliminate security risk as the gab with Web email allows cookies to re- authenticate a user to the environment. Adding a Dev and QA region will enable Intangible Benefit better testing and improve migrations to production. Intangible Benefit Increase maximum availability and provide zero downtime upgrades by adding an internal and external failover. Increase trust in IT due to uptime of Intangible Benefit ADFS improving customer experience

ADFS Upgrade_ROI_v2.xls/Savings Detail Date Printed: 12/1/2015 Page 3 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Savings Summary

Benefit/Savings Description Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Total Tangible Benefit:

Tangible Benefits Subtotal:

Cost Avoidance:

Cost Avoidance Subtotal:

Intangible Benefit: Fortifying the critical environment will mitigate many risks Adding forms based component will eliminate security risk as the gab with Web email allows cookies to re-authenticate a user to the environment. Adding a Dev and QA region will enable better testing and improve migrations to production. Increase maximum availability and provide zero downtime upgrades by adding an internal and external failover. Increase trust in IT due to uptime of ADFS improving customer experience

Savings Total:

ADFS Upgrade_ROI_v2.xls/Savings Summary Date Printed: 12/1/2015 Page 4 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Cost Detail

Affects Project ROI? Project Cost Budget Category/Funding Unit Rate per Annual Cost Description Category Source Desc Units Unit Total Cost Multiplier Y1 Y2 Y3 Y4 Y5 Y6 IT Hours - New Development Development Svcs HR 959 115 110,737 x IT Hours - New Development HR IT Hours - New Development HR IT Hours - System Maintenance Development Svcs HR 0 122 0 xxxxx IT Hours - Customer Support Development Svcs HR 0 122 0 xxxxx IT Hours - Planned Maintenance Development Svcs 122 0 Contractor Professional Services Development Svcs 0 0 PC System - Acquisition Hardware 814 0 PC System - Maintenance Hardware 2,304 0 Notebook - Acquisition Hardware 1,223 0 Notebook - Maintenance Hardware 2,372 0 Tablet Notebook - Acquisition Hardware 2,012 0 Tablet Notebook - Maintenance Hardware 0 Laserprinter - Acquisition Hardware 1,432 0 Laserprinter - Maintenance Hardware 1,104 0 Image Workstations - Acquisition Hardware 0 Image Workstations - Maintenance Hardware 3,496 0 PC Maintenance User Owned Hardware 2,304 0 Printer Maintenance User Owned Hardware 1,072 0 Package Software - Acquisition Software 0 Package Software - Maintenance Software 0 Business Objects Access Software 0 Term Emulation SFTW-Acquisition Software 0 Term Emulation SFTW-Maintenance Software 0 Server - Acquisition/Upgrade Infrastructure 8,000 0 Server - Maintenance Infrastructure 360 0 Server Sftwre - Acquisition/Upgrade Infrastructure 335 0 Server Sftwre - Maintenance Infrastructure 0 Server Rack Mount Infrastructure 400 0 Oracle Enterprise Per Processor - Includes Year 1 Maintenance Infrastructure 21,372 0

ADFS Upgrade_ROI_v2.xls/Cost Detail Date Printed: 12/1/2015 Page 5 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Cost Detail

Affects Project ROI? Project Cost Budget Category/Funding Unit Rate per Annual Cost Description Category Source Desc Units Unit Total Cost Multiplier Y1 Y2 Y3 Y4 Y5 Y6 Oracle Enterprise Per Processor - Year 2 and Beyond Infrastructure 3,432 0 MS SQL Server Standard Per Processor - Includes Year 1 Maintenance Infrastructure 4,725 0 MS SQL Server Standard Per Processor - Year 2 and Beyond Infrastructure 946 0 MS SQL Server Enterprise Per Processor - Includes Year 1 Maintenance Infrastructure 19,693 0 MS SQL Server Enterprise Per Processor - Year 2 and Beyond Infrastructure 3,939 0 Websphere Basic Per Processor Single/Dual Core - Includes Year 1 Maintenance Infrastructure 3,506 0

Websphere Basic Per Processor Single/Dual Core - Year 2 and Beyond Infrastructure 701 0 Websphere ND Per Processor Single/Dual Core - Includes Year 1 Maintenance Infrastructure 13,180 0

Websphere ND Per Processor Single/Dual Core - Year 2 and Beyond Infrastructure 2,635 0 SSL Certificate Infrastructure 845 0 TBD Infrastructure 0 TBD Infrastructure 0 TBD Infrastructure 0 TBD Infrastructure 0 Internet Access Infrastructure 180 0 Project Staff Training Training 0 User Training Training 0

ADFS Upgrade_ROI_v2.xls/Cost Detail Date Printed: 12/1/2015 Page 6 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Cost Detail

Potential Cost Extensions Project Cost Cost Description Category Y1 Y2 Y3 Y4 Y5 Y6 IT Hours - New Development Development Svcs 110,737.00 IT Hours - New Development 0.00 IT Hours - New Development 0.00 IT Hours - System Maintenance Development Svcs 0.00 0.00 0.00 0.00 0.00 IT Hours - Customer Support Development Svcs 0.00 0.00 0.00 0.00 0.00 IT Hours - Planned Maintenance Development Svcs Contractor Professional Services Development Svcs

PC System - Acquisition Hardware PC System - Maintenance Hardware Notebook - Acquisition Hardware Notebook - Maintenance Hardware Tablet Notebook - Acquisition Hardware Tablet Notebook - Maintenance Hardware Laserprinter - Acquisition Hardware Laserprinter - Maintenance Hardware Image Workstations - Acquisition Hardware Image Workstations - Maintenance Hardware PC Maintenance User Owned Hardware Printer Maintenance User Owned Hardware Package Software - Acquisition Software Package Software - Maintenance Software Business Objects Access Software Term Emulation SFTW-Acquisition Software Term Emulation SFTW-Maintenance Software Server - Acquisition/Upgrade Infrastructure Server - Maintenance Infrastructure Server Sftwre - Acquisition/Upgrade Infrastructure Server Sftwre - Maintenance Infrastructure Server Rack Mount Infrastructure Oracle Enterprise Per Processor - Includes Year 1 Maintenance Infrastructure

ADFS Upgrade_ROI_v2.xls/Cost Detail Date Printed: 12/1/2015 Page 7 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Cost Detail

Potential Cost Extensions Project Cost Cost Description Category Y1 Y2 Y3 Y4 Y5 Y6 Oracle Enterprise Per Processor - Year 2 and Beyond Infrastructure MS SQL Server Standard Per Processor - Includes Year 1 Maintenance Infrastructure MS SQL Server Standard Per Processor - Year 2 and Beyond Infrastructure MS SQL Server Enterprise Per Processor - Includes Year 1 Maintenance Infrastructure MS SQL Server Enterprise Per Processor - Year 2 and Beyond Infrastructure Websphere Basic Per Processor Single/Dual Core - Includes Year 1 Maintenance Infrastructure

Websphere Basic Per Processor Single/Dual Core - Year 2 and Beyond Infrastructure Websphere ND Per Processor Single/Dual Core - Includes Year 1 Maintenance Infrastructure

Websphere ND Per Processor Single/Dual Core - Year 2 and Beyond Infrastructure SSL Certificate Infrastructure TBD Infrastructure TBD Infrastructure TBD Infrastructure TBD Infrastructure Internet Access Infrastructure Project Staff Training Training User Training Training

ADFS Upgrade_ROI_v2.xls/Cost Detail Date Printed: 12/1/2015 Page 8 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Cost Summary

Cost Description Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Total Development Services: IT Hours - New Development 110,737 110,737 IT Hours - New Development 0 IT Hours - New Development 0 IT Hours - System Maintenance 0 0 0 0 0 IT Hours - Customer Support 0 0 0 0 0 IT Hours - Planned Maintenance Contractor Professional Services Development Services Subtotal: 110,737 110,737 Hardware:

Hardware Subtotal: Software: Usertesting.com account for nav. Usability 0 .

Software Subtotal: Infrastructure:

Infrastructure Subtotal Training:

Training Subtotal: Other:

Other Subtotal: Costs Total: 110,737 110,737

ADFS Upgrade_ROI_v2.xls/Cost Summary Date Printed: 12/1/2015 Page 9 REV: June 27, 2011 TP5186AD Oakland County -- Active Directory Federation Services (ADFS) Upgrade As Of: November 17, 2015 Return on Investment Analysis

Assumptions

Date Assumption Description

ADFS Upgrade_ROI_v2.xls/Assumptions Date Printed: 12/1/2015 Page 10 REV: June 27, 2011