OASIS Adopts SPML 1.0 Spec, On To SPML 2.0

SPML 1.0, an XML approach for cross-platform provisioning and for secure web services, was adopted Nov. 3 by OASIS. Supported by heavyweights IBM, Microsoft, CA, work is already underway for SPML 2.0 to bring more provisioning and security features to web services and SOA devs. Get the latest on SPML's use, the final docs, and insights from Darran Rolls, chair of the OASIS Service Provisioning Markup Language Technical Committee, for using SPML.

Tags: SPML, Provisioning, Web Services, Developers, OASIS, Standards, Support,

SPML 1.0, an XML approach for cross-platform provisioning and for secure web services, was adopted Nov. 3 by OASIS. Supported by heavyweights IBM, Microsoft, CA, work is already underway for SPML 2.0 to bring more provisioning and security features to web services and SOA devs.

The SP (Service Provisioning) portion of SPML 1.0 goes beyond the initial "contingency" of providing resources to encompass the entire lifecycle management of these resources. This includes the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as the provisioning of non-digital or "physical" resources such as cell phones and credit cards.

SPML 1.0 docs are available from OASIS SPML backers cite several key benefits for speeding deployment and management of interoperable web services security among enterprises. Among them, they note SPML-compliant applications or services will:

  • Validate access to resources and services;
  • Provide full end-to-end audit trail processes providing consolidated reporting;
  • Enable the inclusion of "two-factor authentication" methods for security; and
  • Ease administration of access to back-end resources/services.

  • In addition to these capabilities, SPML concedes that interoperability with other standards, such as WS-Security and SAML, is also key.

    In a statement released upon SPML 1.0's adoption, OASIS SPML Technical Committee chair, Darran Rolls said he's looking forward to keeping the momentum going, and moving on quickly to SPML 2.0. In part, his statement read:

    "Now that 1.0 is complete, we can truly focus on the 2.0 effort. At the highest level, the main goal of 2.0 is to further the adoption of a single set of provisioning standards with the support of the broadest majority of OASIS members and the acceptance of the industry at large. We have take some very encouraging steps towards this goal with the member submissions made last month.

    "We have already starting to see a renewed focus of this TC as the forum for bringing provisioning standards to the market, it is our challenge to continue this process and through the delicate balance of technology and politics, to bring forward an updated specification that meets the needs of a widening forum."

    Inside SPML -- Uses and Goals

    IDN spoke in depth with Rolls to learn how devs can use SPML to make web services easier and more secure, how devs can get free SDKs and other SPML software, and which vendors will have SPML support.

    We notably asked Rolls if this or future SPML versions might help devs come up with interoperability strategies to deal with different security/identity software from different vendors, such as SAML, Passport and others.

    Rolls said the goals for SPML standards include ensuring that SPML components interoperate with SAML request and response. The bridging of the two would enable a variety of interoperabilities, he said, including:
    • Delegated administration of digital resources to the extended enterprise (e.g., access to back-end resources for supply chain users);
    • Exchange of provisioning requests between users; and
    • Exchange of provisioning request and response between organizations.
    The remainder of our interview with Darran Rolls follows:

    IDN: What is the current status on standards (implementations, specs, etc.) for SPML? If not yet finalized, do you have a timetable?

    Rolls: The specification has been an OASIS Technical Committee Specification since June of this year and is now in the final stages of adoption as an OASIS Open Standard. This process will conclude by the end of October 2003.

    IDN: I understand that IBM and Microsoft, among others, are supporting SPML 1.0 work, both as a spec and a bundled technology?

    Rolls: Both IBM and MSFT co-developed the SPML 1.0 specification. In the closing stages of the effort, IBM and MSFT felt strongly that support for complex XML objects needed to be done differently. The OASIS TC voted to postpone this effort until 2.0. As a result, IBM unofficially stated that they wouldn't be implementing 1.0 and would wait on the conclusion of the 2.0 process.

    IDN: What are the core provisioning benefits to developers of SPML, and what specific types of projects or implementations will SPML be most useful for? Will there be tools, profiles, etc. for developers available as Open Source?

    Rolls: As identity has become a "core" element of secure value-oriented computing practices, the often complex process of resource provisioning relative to these identities has become widely regarded as the cornerstone of an identity management strategy. With this increased focus comes the need for open standards to support the integration of provisioning tools and practices with other elements of the IT security and general supporting infrastructure.

    As is often the case, the first step in such a process requires the definition of a basic protocol for message exchange upon which more complex application-level interoperability models can be built. In many ways SPML is to provisioning what TCP is to Internet Protocol: It provides a basic model for the reliable exchange of understandable provisioning request and a model upon which more complex application-level provisioning models can be built.

    Tools are already starting to emerge for SPML. Java (and soon .NET) developers can already download free tools and sample code to help understand and put to work SPML from www.openspml.org.

    IDN: How should developers think of SPML in context of other identify/security technology initiatives (particularly WS-Security, WS-Policy and the Liberty Alliance)?

    Rolls: SPML is a small (but critically important) part of the standardization stack for Identity Management. Consider an operating model like Liberty. It defines the application-level semantics of a federated identity model. It defines how and where sign-on happens and where identity-related data may flow within the system. Liberty does not, however, define the process or protocol for the creation of the underlying accounts around which much of the model operates. Moving forward, we expect to see SPML providing this role within Liberty and several other standards.

    IDN: Is SPML something developers will need to "learn" as a language, or will SPML simply be something that vendors will implement, so that the core SPML identity/provisioning technologies will be hidden from developers?

    Rolls: At first pass, it's easy to write SPML off as something that only ISVs working directly in provisioning space need to consider, but this would be wrong. Any developer working on a problem in the realm of account creation, identity-related lifecycle management or any generalized form of subscription management should consider SPML "work in hand."

    Say a developer is working on a portal project that requires self-service subscription management, and needs to create accounts and account-related data on system resources. Assume this information needs to be transferred from the requestor (say, a servlet at the portal) to some arbitrary set of back-end systems. SPML would be the open standards-based way for the requestor to say, "Hey, system X, I'd like to create an account for user Y and have it available for use next Tuesday week at 10 a.m."

    IDN: Can you offer an example of an early-use project that developers/sysadmins might be working on (web services, B2B, integration, etc.) where you envision SPML having some great "bang for the buck"? What commercial products do you expect will first offer/bundle SPML?

    Rolls: There are already several commercially available solutions that make use of SPML. For example, the Waveset Lighthouse provisioning and identity management solution is fully SPML-enabled today. In addition, other third-party vendors are working on portal-based applications for both .NET and Java.

    In addition, several large financial organizations are already well underway, integrating enterprise provisioning with the IT security infrastructure and related portal initiatives using the SPML model. At Burton Catalyst 2003, 10 commercial software vendors displayed interoperability based on the Committee spec of SPML v1.0.

    The list of vendors that participated in SPML demonstrations includes Sun, PeopleSoft, Entrust, BMC, Mycroft, Business Layers, Waveset, OpenNetwork Technologies, Thor Technologies and TrueLogica. Many of these vendors are deploying and planning to deliver SPML enablement in the next release of their products.

    Other SPML Resources

  • The full text of the SPML specification is available from OASIS.

  • To give developers a headstart in their prep and code support work, the SPML XML Schema is available for download from OASIS and

  • SPML Bindings can be downloaded from OASIS or from the Open SPML site.

  • back