CIAM RFP template

A starting RFP you can send to CIAM vendors. Copy the sections, delete what does not apply, and weight the requirements for your situation. Pair it with the buyer’s guide process.

1. Context

Company, product, and the user population (consumer, B2B, regulated).
Current authentication setup and why you are evaluating now.
Projected monthly active users at launch, 12 months, and 24 months.

2. Authentication requirements

Methods required: password, social, passwordless and passkeys.
MFA: adaptive policy, supported factors, step-up on sensitive actions.
Session management and token lifetimes.

3. Enterprise and B2B requirements

SSO: OIDC and SAML, identity provider and service provider roles.
Multi-tenant SSO so each customer connects their own provider.
SCIM provisioning and immediate deprovisioning.
Organizations, roles, and permissions per tenant.

4. Privacy and compliance

Consent: versioned receipts, preference center, withdrawal.
Data subject rights: access, export, deletion, and how deletion propagates.
Data residency options and a signed Data Processing Agreement.
Relevant certifications (SOC 2, ISO 27001) and audit log export.

5. Pricing and commercials

Pricing model and the all-in cost at projected scale (see the pricing guide).
Which features sit in which tier, especially SSO, SCIM, adaptive MFA.
Overage rate, annual increase, and SMS pass-through cost.
Migration path off the platform and any export limits.

6. Support and reliability

SLA, support tiers, and incident history or status page.
Implementation support and professional services.

7. Evaluation

Trial or proof of concept covering the hard paths: passkey recovery, multi-tenant SSO, SCIM deprovisioning, deletion request.
References in your segment.

Score responses against your weighted requirement list. To get a shortlist before you send this, use the vendor matcher.