Identity Access Management (IAM)
Overview

Florida PALM is designed to allow for single sign-on for end users. Single sign-on is established through the integration of the Florida PALM Identity Access Management (IAM) tool and agencies’ Identity Provider (IdP). Florida PALM’s authentication approach is similar to how the Statewide Travel Management System (STMS) authenticates agency users. For agencies using an IdP to authenticate their users, Florida PALM uses standards-based authentication protocols such as Open Authentication 2 (OAUTH2), OpenID Connect (OIDC) or Security Assertion Markup Language (SAML2) to interface with agency IdPs.

Agencies use their IdP as an agency user directory, such as Active Directory, that holds user credentials. The Florida PALM IAM tool must be configured with the agency’s IdP to authenticate end users when they sign on. Agencies have provided and maintain a list of IdP Subject Matter Experts (SMEs), who are the primary point of contact for Florida PALM and for their agency’s end users.

Agencies are responsible for identity management and authentication controls (e.g., password policies) for their end users, as well as for configuring and maintaining their IdP interface with Florida PALM. All agencies established an IdP interface with the Florida PALM IAM tool for the CMS wave. Agencies may need to establish additional IdP interfaces with the Florida PALM IAM tool for the next implementation. Guidance will be provided in related Readiness Workplan tasks.

End User Role Access

For end users to gain access to Florida PALM, the agency IdP must first grant them access; this allows an end user account to be established in Florida PALM. Additional security and access are managed in Florida PALM through end user role assignment. End user role provisioning and deprovisioning are conducted in the Florida PALM IAM tool by the agency’s Security Access Manager (SAM). Agency IdP SMEs and agency SAMs must work collaboratively to ensure all end users have the access needed for Florida PALM.

To establish a new end user in Florida PALM, the end user first needs to be added to their IdP by the IdP SME. The new end user must then log in to Florida PALM, which auto-generates a Florida PALM account. If the end user has not been added to the IdP, they will not be able to log in to Florida PALM. End users who have logged in to create an account will have limited access to Florida PALM until the SAM updates their permissions and role assignments within the Florida PALM IAM tool. The diagram below depicts the steps required to establish a new end user in Florida PALM.


If an end user cannot access Florida PALM, they should coordinate with the IdP SME to confirm they have been added to the agency’s IdP. If an end user is able to log in to Florida PALM but cannot access the modules or pages needed to complete their job functions, they should confirm the needed end user roles with the agency SAM.

When a SAM is notified that an end user is separating from the agency, or that the end user’s responsibilities have changed such that access to Florida PALM is no longer required, the SAM must inactivate the end user. Inactivating an existing end user requires removing all roles, the Username/Route Control, and the Primary Permission List (PPL), and entering a status of “Inactive.” The steps below depict how to inactivate an end user in Florida PALM IAM.



The Florida PALM profile remains active in Florida PALM; however, without assigned roles, the user cannot perform functions in Florida PALM. The end user may be removed from the agency IdP to remove access from Florida PALM.

IAM Maintenance

Agencies retain full control over their end users. The following account administrative functions are maintained and controlled through the agency’s IdP:

  • Account creation
  • Account deactivation/deprovisioning
  • Password management functionality
  • Account lock and unlocking
  • Any additional security mechanisms currently provided by your agency, such as multifactor authentication
  • Device/workstation management

Each agency must continue to maintain its IdP and ensure successful, ongoing integration with Florida PALM. At a minimum, the agency must coordinate with Florida PALM before any agency identity provider certificate, metadata, or domain name change, so that the integration continues to work.
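The certificate, metadata and domain name changes named above are exactly the fields a SAML2 IdP publishes in its metadata document. The following Python is an added example, not Florida PALM or agency code: it summarizes the integration-relevant fields of an IdP metadata file (entityID, SSO endpoint locations, SHA-256 fingerprints of the signing certificates) and reports which of them differ between the copy on file with Florida PALM and the IdP’s current metadata, so the agency knows a coordination task is due before the change goes live. The metadata documents and the certificate bytes are constructed placeholders (standard library only).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_idp_metadata(xml_text: str) -> dict:
    """Pull the fields whose change breaks an SP integration out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        der = base64.b64decode("".join(cert.text.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entityID": root.get("entityID"),
            "sso": sorted(sso),
            "signing_fingerprints": sorted(fingerprints)}

def metadata_changes(on_file: str, current: str) -> list:
    """Names of fields that differ; an empty list means no coordination is needed."""
    a, b = summarize_idp_metadata(on_file), summarize_idp_metadata(current)
    return [k for k in a if a[k] != b[k]]

def sample_metadata(entity_id: str, sso_url: str, cert_b64: str) -> str:
    """Constructed minimal IdP metadata document used as sample input."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{sso_url}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed placeholder "certificates": arbitrary bytes, not real X.509 data.
CERT_OLD = base64.b64encode(b"constructed placeholder cert 1").decode()
CERT_NEW = base64.b64encode(b"constructed placeholder cert 2").decode()
ON_FILE = sample_metadata("https://idp.agency.example/saml", "https://idp.agency.example/sso", CERT_OLD)
ROTATED_CERT = sample_metadata("https://idp.agency.example/saml", "https://idp.agency.example/sso", CERT_NEW)
NEW_DOMAIN = sample_metadata("https://login.agency.example/saml", "https://login.agency.example/sso", CERT_OLD)
```

Running `metadata_changes(ON_FILE, ROTATED_CERT)` flags only the signing fingerprint, while `NEW_DOMAIN` flags both the entityID and the SSO endpoint, each of which must be coordinated with Florida PALM before cutover.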

Version History

Date        Revision Description
05/05/2025  Original Version