SPML Passes Demo As Multi-Platform Provisioning Spec

OASIS execs passed a hurdle earlier this month, as they successfully demoed the Service Provisioning Markup Language (SPML) as an XML-derived standard for multi-platform provisioning. While not yet an adopted standard, SPML advocates are eyeing OASIS adoption by the end of the summer. See if this proposed standard passes muster with your needs.


OASIS execs passed a hurdle last week, as they successfully demoed the Service Provisioning Markup Language (SPML) as an XML-derived standard for multi-platform provisioning during the Catalyst Conference, produced by the Burton Group.

Specifically, SPML 1.0 is an XML derivative that proposes to enable organizations to automate, centralize, and manage the process of provisioning user access to internal and external corporate systems and data. SPML was designed to work with the W3C's recently ratified SOAP 1.2 and the OASIS SAML and WS-Security specifications.

Just published on June 1, SPML is now out of OASIS technical committee consideration and is being reviewed by the OASIS at-large membership, which could approve the standard in late August.

In the demo, a fictitious PeopleSoft employee was remotely created by sending an SPML "document" via SOAP to the PeopleSoft application. Before arriving at the PeopleSoft application, the document -- or the XML schema -- was sent through a messaging multiplexer, which created a duplicate (or "sub-document") and sent it to other privileged systems.

The implication is that vendor-specific adapters could be replaced by an open, standard XML schema, which would allow different enterprise systems to interoperate more easily and cost-effectively and to keep one another in sync.

Aside from PeopleSoft, supporters of SPML include BMC Software, BEA Systems, Novell, Sun Microsystems, Business Layers, Entrust, OpenNetwork, Waveset, Thor Technologies, and TruLogica.

SPML backers note several key benefits for speeding deployment and management of interoperable web services security between enterprises. Among them, they note SPML-compliant applications or services will:
  • Validate access to resources and services;
  • Provide full end-to-end audit trail processes with consolidated reporting;
  • Enable the inclusion of "Two-Factor Authentication" methods for security; and
  • Ease administration of access to back-end resources/services.

SPML backers also concede that interoperability with other standards, such as WS-Security and SAML, is key.

Among their goals is to ensure that SPML components interoperate with SAML request and response. The bridging of the two would enable:
  • Delegated administration of digital resources to the extended enterprise (e.g., access to back-end resources for supply chain users);
  • Exchange of provisioning requests between users; and
  • Exchange of provisioning request and response between organizations.

Provision Is Complex, Key to Deployment

"Provisioning is clearly becoming a key component in the identity management infrastructure for many companies," said Phil Schacter, vice president and director, directory and security strategies, at The Burton Group, producers of the Catalyst Conference, in a prepared statement. "SPML is the product of an open collaboration process involving identity management vendors committed to the creation of a standard that any application or software product could use to request provisioning services. The effort and commitment by these vendors to create SPML demonstrates their recognition of the key role standards play in enabling the virtual enterprise," Schacter's statement added.

"As infrastructure becomes more identity-centric and companies start to model and deploy Web services, SPML will be a critical element of an end-to-end standards-based identity management strategy," predicted Darran Rolls, chair of the OASIS Provisioning Services Technical Committee, and an executive with SPML sponsor Waveset. "SPML allows cooperating elements of an Identity Management infrastructure to securely exchange provisioning and service subscription requests using an open standards-based protocol," he added.

The SPML specification is now in a public review period, and has not yet been submitted to OASIS membership at-large for consideration as an OASIS standard. For more information on SPML, an SPML briefing file (in .pdf) prepared by OASIS committee execs from the firm Business Layers is available.

Aside from SPML, other security standards in process at OASIS include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data and SAML for exchanging authentication and authorization information.