Update: More current information on the Service Provisioning Markup Language may be found in the main reference document, including complete OASIS PSTC References, List of Approved Specifications, and Articles/Blogs/Reports.

The Service Provisioning Markup Language (SPML) Version 1.0 has been released in Committee Draft for approval as an OASIS Standard. The OASIS Provisioning Services Technical Committee (PSTC) was formed in late 2001 "to define an XML-based framework for exchanging user, resource and service provisioning information. The resulting Version 1.0 specification defines the concepts, operations, deployment and XML schema, for an XML based request and response protocol for provisioning. SPML will be of interest to any organization that develops custom built provisioning solutions or is involved in identity management."

The Core SPML document is accompanied by Bindings for the Service Provisioning Markup Language (SPML) Version 1.0 (defining protocol bindings and profiles for the use of SPML request-response elements in communications protocols and applications) and the Core XML Schema. The SPML 1.0 specification "supports identifying principles using the OASIS Security Assertion Markup Language (SAML) and Project Liberty standards. Additionally, the SPML 1.0 specification has been designed to accommodate the use of the OASIS Web Services Security (WSS) specification, XML Digital Signatures, and XML Encryption."

Implementation code for SPML is provided on the OpenSPML.org web site, dedicated to "the promotion and distribution of an open source client code that supports SPML; OpenSPML is a cooperative initiative by independent software vendors and implementers of the SPML version 1.0 specification. Initially developed in Java, the OpenSPML client code is expected to be available in other languages."

Bibliographic Information

SPML Version 1.0 (Committee Specification) source documents:

• Service Provisioning Markup Language (SPML) Version 1.0. Edited by Darran Rolls (Waveset Technologies). Contributions by Archie Reed (Critical Path), Doron Cohen (BMC), Gavenraj Sodhi (Business Layers), Gerry Woods (IBM), Hal Lockhart (BEA), Jeff Bohren (OpenNetwork Technologies), Jeff Larson (Waveset Technologies), Jesus Fernandez (Computer Associates), Matthias Leibmann (Microsoft), Mike Polan (IBM), Paul Madsen (Entrust), Rami Elron (BMC), Tony Gallotta (Access, IBM), and Yoav Kirsh (Business Layers). June 03, 2003. Document identifier: 'cs-pstc-spml-core-1.0.doc'. 75 pages. Core specification document; contains both normative and non-normative description of the 1.0 specification. [source PDF]

• Bindings for the Service Provisioning Markup Language (SPML) Version 1.0. Edited by Jeff Bohren (OpenNetwork Technologies). Contributions by Steve Anderson (OpenNetwork Technologies) and Darran Rolls (Waveset Technologies). June 03, 2003. 14 pages. Bindings document; contains normative description of SOAP/HTTP and file based transport bindings. [source PDF]

• SPML V1.0 XML Core Schema. Edited by Jeff Bohren and Yoav Kirsch. Contains the definition of message and protocol formats for SPML V1.0, and requires the DSMLv2 schema. [source XSD]

SPML Overview

"The following short definition has been adopted by the Provisioning Services Technical Committee as its formal definition of the general term 'provisioning': Provisioning is the automation of all the steps required to manage (setup, amend, and revoke) user or system access entitlements or data relative to electronically published services.

The general model adopted by this protocol is one of clients performing protocol operations against servers. In this model, a client issues an SPML request describing the operation to be performed at a given service point. The service point is then responsible for performing the necessary operation(s) to constitute the implementation of the requested service. Upon completion of the operation(s), the service point returns to the client an SPML response detailing any results or errors pertinent to that request.

In order to promote standardization of the service subscription and provisioning interface, it is an active goal of this protocol to minimize the complexity of the client interface in order to promote widespread deployment of applications capable of issuing standardized service provisioning requests. With this goal in mind SPML builds on a simplistic core operations model in which the semantics of an individual provisioning action lay in the definition of the underlying service schema. The core operations schema provides a small number of generic operations (Add, Modify, Delete, Search) and an open model for the definition and discovery of that schema as a set of simple name=(multi)value pairs. To complement this, SPML V1.0 also provides an operations extension model based on an <ExtendedRequest> operation that allows individual providers to define new operations that do not overlap with V1.0 core operations..." [adapted from the V1 Core spec]

About OpenSPML.org

OpenSPML.org is a Web site "dedicated to the promotion and distribution of an open source client code that supports the Service Provisioning Markup Language (SPML) developed by the OASIS Provisioning Services Technical Committee (PSTC). OpenSPML is a cooperative initiative by independent software vendors and implementers of the SPML version 1.0 specification. Initially developed in Java, the OpenSPML client code is expected [post 2003-10-15] to be available in other languages in the near future."

The OpenSPML.org website provides online documentation for the toolkit, available for download. Redistribution and use of the software in source and binary forms, with or without modification, is permitted under the terms of the open source Waveset SPML General License.

Background on SPML is provided by the online SPML FAQ Document from which these excerpts are taken:

• Service Provisioning: "Service provisioning refers to the 'preparation beforehand' of IT systems' materials or supplies required to carry out a specific activity. It goes beyond the initial 'contingency' of providing resources, to encompass the entire lifecycle management of these resources. This includes the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as the provisioning of non-digital or 'physical' resources such as cell phones and credit cards..."

• Provisioning System: "It is not necessary to define the implementation or physical makeup of a service provisioning system. Simply assume the existence of a network service whose sole purpose is the execution and management of provisioning requests. A given Requesting Authority (client) sends the provisioning service a set of requests in the form of a well formed SPML document. Based on a pre-defined service execution model, the provisioning service takes the operations specified within the SPML document and executes provisioning actions against pre-defined service targets or resources... [See the figure in the FAQ which] shows a high-level schematic of the operational components of an SPML model system. In SPML request flow A, the Requesting Authority (client) constructs an SPML document subscribing to a pre-defined service offered by Provisioning System One (PS One). PS One takes the data passed in this SPML document, constructs its own SPML document and sends it to Provisioning Service Target One, PST One (SPML request flow B). PST One represents an independent resource that provides an SPML-compliant service interface. In order to fully service the initial Requesting Authority's request, PS One then forwards a provisioning request (SPML request flow C) to a second network service called Provisioning System Two (PS Two). PS Two is autonomously offering a provisioning service it refers to as Resource E. In this case, Resource E is a relational database within which PS Two creates some data set. Having successfully received PS One's request, PS Two carries out the implementation of its service by opening a JDBC connection to Resource E and adding the relevant data (data flow D)..."

• Service Provisioning Standards: "Why do we need service provisioning standards? The exchange of user information between two points, or identity management systems, depends upon the acceptance of an open, XML-based standard such as SPML. Previous standardization efforts from XRPM (eXtensible Resource Provisioning Markup) and ADPR (Active Digital Profile) identified this need... XRPM set out to define a standard for interoperability and functioning between Provisioning Systems. ADPR set out to define a standard for interoperability and functioning between the Provisioning System and the managed resource. The PSTC and was formed to address the specification of a single XML-based framework for the exchange of information at all levels by allowing a Provisioning Service Target (the resource) to adopt the role of a Provisioning Service Point (a server), respond to client requests and operate as a full service point responsible for a single service or resource, itself..." [adapted from the OpenSPML.org FAQ document]