OASIS to Demo Interoperable Web Services Security

Next week, OASIS looks to tackle head-on the vexing issue of provisioning web services security, as it gives the first public demo of SPML, a proposed XML-based B2B framework for provisioning, exchanging and administering user access and other resource rights. At the debut, execs also intend an interoperability demo of multiple vendors' software products that have implemented first-generation Service Provisioning Markup Language.


Next week, OASIS looks to tackle head-on the vexing issue of provisioning web services security as it gives the first public demo of its proposed XML-based B2B framework for exchanging and administering user access and other resource rights.

At the debut, scheduled during the Catalyst Conference on July 9, execs also said they intend an interoperability demo between multiple vendors' security software products that have implemented first-generation SPML.

Dubbed SPML (Service Provisioning Markup Language) v1.0, the XML-based proposal would speed the provisioning of web services security by enabling developers and/or sysadmins to automate, centralize and manage the process of provisioning user access to internal and external corporate systems and data.

SPML has been designed to work with the W3C's SOAP standards, as well as OASIS' SAML and WS-Security specs.

SPML backers note several key benefits for speeding deployment and management of interoperable web services security between enterprises. Among them, SPML-compliant applications or services will:
  • Validate access to resources and services;
  • Provide full end-to-end audit trail processes with consolidated reporting;
  • Enable the inclusion of "Two-Factor Authentication" methods for security; and
  • Ease administration of access to back-end resources/services.

SPML's backers also concede that interoperability with other standards, such as WS-Security and SAML, is key.

One of their goals is to ensure that SPML components interoperate with SAML requests and responses. Bridging the two would enable:
  • Delegated administration of digital resources to the extended enterprise (e.g., access to back-end resources for supply chain users);
  • Exchange of provisioning requests between users; and
  • Exchange of provisioning request and response between organizations.

Provisioning Is Complex, Key to Deployment

"Provisioning is clearly becoming a key component in the identity management infrastructure for many companies," said Phil Schacter, vice president and director, directory and security strategies, at The Burton Group, producers of the Catalyst Conference, in a prepared statement.

"SPML is the product of an open collaboration process involving identity management vendors committed to the creation of a standard that any application or software product could use to request provisioning services," Schacter's statement added.

"As infrastructure becomes more identity-centric and companies start to model and deploy Web services, SPML will be a critical element of an end-to-end standards-based identity management strategy," predicted Darran Rolls, chair of the OASIS Provisioning Services Technical Committee, and an executive with SPML sponsor Waveset. "SPML allows cooperating elements of an Identity Management infrastructure to securely exchange provisioning and service subscription requests using an open standards-based protocol," he added.

The SPML specification is now in a public review period and has not yet been submitted to the OASIS membership at large for consideration as an OASIS standard. For more information on SPML, an SPML briefing file (in .pdf) prepared by OASIS committee execs from the firm Business Layers is available.

Aside from SPML, other security standards in process at OASIS include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data and SAML for exchanging authentication and authorization information.

Other firms serving on OASIS' SPML technical committee include BMC Software, Business Layers, Entrust, and OpenNetwork.