OASIS has announced a first public demonstration of the Service Provisioning Markup Language Specification (SPML) Version 1.0 in an interoperability event to be held on July 9, 2003 at the Burton Catalyst Conference in San Francisco. "SPML is an XML-based framework for exchanging and administering user access rights and resource information across heterogeneous environments. Ten members of the OASIS standards consortium will come together at Catalyst to prove the stability of the new specification and demonstrate interoperability between SPML-conformant security software products. SPML lets organizations automate, centralize, and manage the process of provisioning user access to internal and external corporate systems and data. SPML has been designed to work with the World Wide Web Consortium's SOAP, the OASIS Standard SAML, the OASIS WS-Security specification, and other open standards that allow companies to securely leverage Web services. The SPML specification is currently in a public review period which occurs prior to being submitted to the OASIS membership at-large for consideration as an OASIS Standard. SPML is one of several security standards being developed at OASIS. Other standards and specifications include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data, and SAML for exchanging authentication and authorization information."
From the Interop Technical and Operations Plan
A document describing the technical and operations plan was released under the title "OASIS Provisioning Services Technical Committee SPML V1.0 Interoperability Event," edited by Darran Rolls (Waveset Technologies). An excerpt:
"This document describes the message exchanges to be tested during the Burton Catalyst interoperability event in San Francisco, July 9-11, 2003. This interoperability test is designed to show the interoperation of service subscription and provisioning based on the draft SPML V1.0 specification. This interop event is based around a defined scenario intended to test the interoperability of different implementations performing a common set of SPML operations, to test the soundness of the specification and clarify the mutual understanding of its meaning and application in a given business scenario. Note the scenario and context of this interop is not intended to represent a definitive implementation of the SPML V1.0 specification... The interop scenario is based on interactive attendee participation. Interop Users (IUs) will be directed through a defined scenario, in which they input 'New Hire' user data into a PeopleSoft HRMS system. This action will cause a set of SPML protocol exchanges to create service subscriptions at each vendor station participating at the interop. The business scenario is based around a fictional company SPML Contractors Inc. When a new employee starts at SPML Contractors, an SPML enabled system is used to manage account subscriptions with a defined set of SPML Contractors' customers. New employees are added to the SPML Contractors PeopleSoft HRMS using the standard PeopleSoft web based interface. The creation of records within HRMS is used to trigger SPML service subscription requests to be sent to each PV at the interop. In this scenario PeopleSoft HRMS will be acting in the role of SPML Contractors Inc. and will be functioning as an SPML Requesting Authority (RA). Mycroft will be providing an integration 'SPML multiplexer' module that takes the SPML request from PeopleSoft and creates individual SPML service requests for each of the PVs.
Each of the PVs will be modeled as SPML Contractors Inc customers and will receive, process and respond to their own service requests in accordance with their own systems models and PSP/PST implementations... The SPML Contractors Inc PeopleSoft HRMS installation will be running a centralized server, accessible and available to all of the PVs. By employing the PeopleSoft HRMS web based user access model, new SPML Contractors Inc employees will be able to be added from any of the workstations at the interop event room. This will prevent a bottleneck from forming at the PeopleSoft workstation and allow an IU to approach the scenario from any PV, thus making more staff available to help IUs with questions and generally spread the traffic more evenly across the event..."
From the OASIS Announcement
"SPML is the product of an open collaboration process involving identity management vendors committed to the creation of a standard that any application or software product could use to request provisioning services," said Phil Schacter, vice president and director, directory and security strategies, Burton Group. "The effort and commitment by these vendors to create SPML demonstrates their recognition of the key role standards play in enabling the virtual enterprise. Provisioning is clearly becoming a key component in the identity management infrastructure for many companies."
"SPML allows cooperating elements of an Identity Management infrastructure to securely exchange provisioning and service subscription requests using an open standards-based protocol," explained Darran Rolls of Waveset, chair of the OASIS Provisioning Services Technical Committee. "This demonstration highlights interoperability between the industry's leading provisioning and identity management vendors, based on our committee's specification. As infrastructure becomes more identity-centric and companies start to model and deploy Web services, SPML will be a critical element of an end-to-end standards-based identity management strategy."
"We are very pleased with the work surrounding the development of the SPML specification," said Gavenraj Sodhi of Business Layers, secretary for the OASIS Provisioning Services Technical Committee. "This is a collective effort by industry leaders to take an administrative burden off the customer by creating an open standard that will be applied to Web services strategies moving forward." Sodhi will make an SPML presentation at the Catalyst Conference.
"Clearly, security is essential for the proliferation of Web services. That's why it's so significant that these SPML developers are proving interoperability on a major scale, in a public forum," said Karl Best, vice president of OASIS. "The demonstration is a milestone in the development and recognition of SPML 1.0 as a crucial security layer in the Web services stack."
Principal references:
- Announcement 2003-06-26: "OASIS Members Demonstrate Support for New Provisioning Identity Management Solution for Web Services. BMC Software, Business Layers, Entrust, OpenNetwork, PeopleSoft, Sun Microsystems, Waveset, Thor Technologies, TruLogica, and Others Showcase Specification for Exchanging Information Between Provisioning Service Points on the Internet."
- "Entrust to Demonstrate Support for Web Services Identity Management Standards at 2003 Burton Catalyst Conference. Service Provisioning Markup Language (SPML) Support Reflective of Entrust's Ongoing Commitment To Identity Management And Web Services Open Standards." Announcement 2003-06-25. See also the technical summary.
- "OASIS Provisioning Services Technical Committee SPML V1.0 Interoperability Event." Technical and Operations Plan.
- "OASIS Takes the Wraps Off SPML." By Michael Singer. In InternetNews.com (July 09, 2003).
- Burton Catalyst Interoperability Event in San Francisco, July 9-11, 2003. See also local references.
- Burton Catalyst Interoperability Event Overview
- "OASIS TC Releases Committee Specifications for Service Provisioning Markup Language (SPML)." News story 2003-06-05.
- Sources for SPML V1.0 Committee Specification Documents
- Companies certifying the use of SPML V1.0:
- "Business Layers and Netegrity Partner on Industry's First Demonstration of SPML at RSA Conference. Vendors Present First XML Specification to Leverage Web Services for Secure Federated Resource Allocation." Announcement April 14, 2003.
- OASIS Provisioning Services TC website
- OASIS PSTC Mailing List Archives
- "XML-Based Provisioning Services" - Main reference page.