The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: May 04, 2006
XML-Based Provisioning Services

The OASIS Provisioning Services Technical Committee (PSTC) was chartered "to define an XML-based framework for exchanging user, resource, and service provisioning information."

Specification Publication History

In April 2006, OASIS announced that its members had "approved the Service Provisioning Markup Language (SPML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SPML provides an XML-based framework for managing the allocation of system resources within and between organizations. Encompassing the entire life-cycle management of resources, SPML defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as non-digital or physical resources such as cell phones and credit cards."

[October 16, 2003]   SPML Provisioning and Identity Management Specification Balloted for Approval.    The Service Provisioning Markup Language (SPML) Version 1.0 has been released in Committee Draft for approval as an OASIS Standard. The OASIS Provisioning Services Technical Committee (PSTC) was formed in late 2001 "to define an XML-based framework for exchanging user, resource and service provisioning information. The resulting Version 1.0 specification defines the concepts, operations, deployment and XML schema, for an XML based request and response protocol for provisioning. SPML will be of interest to any organization that develops custom built provisioning solutions or is involved in identity management." The Core SPML document is accompanied by Bindings for the Service Provisioning Markup Language (SPML) Version 1.0 (defining protocol bindings and profiles for the use of SPML request-response elements in communications protocols and applications) and the Core XML Schema. The SPML 1.0 specification "supports identifying principles using the OASIS Security Assertion Markup Language (SAML) and Project Liberty standards. Additionally, the SPML 1.0 specification has been designed to accommodate the use of the OASIS Web Services Security (WSS) specification, XML Digital Signatures, and XML Encryption." Implementation code for SPML is provided on the OpenSPML.org web site, dedicated to "the promotion and distribution of an open source client code that supports SPML; OpenSPML is a cooperative initiative by independent software vendors and implementers of the SPML version 1.0 specification. Initially developed in Java, the OpenSPML client code is expected to be available in other languages." In November 2003, OASIS announced the release of Service Provisioning Markup Language (SPML) as an approved OASIS Standard.

[June 05, 2003]   OASIS TC Releases Committee Specifications for Service Provisioning Markup Language (SPML).    A posting from Darran Rolls (OASIS PSTC Chair) announces the adoption of three documents as a Committee Specification set for the Service Provisioning Markup Language (SPML). "Provisioning" in the context of this TC activity is "the automation of all the steps required to manage (setup, amend, and revoke) user or system access entitlements or data relative to electronically published services." The OASIS Provisioning Services Technical Committee (PSTC) was chartered to "define an XML-based framework for exchanging user, resource, and service provisioning information. The resulting Committee Specification defines the concepts, operations deployment and XML schema for an XML based request and response protocol for provisioning." The specification set includes Service Provisioning Markup Language (SPML) Version 1.0 (Core), Bindings for the Service Provisioning Markup Language (SPML) Version 1.0, and SPML Core XML Schema. Waveset Technologies, Business Layers, and OpenNetwork Technologies have certified their use of the SPML V1.0 specification. The SPML specification is being advanced for public review under the OASIS process toward approval as an OASIS Open Standard. The public review period for SPML (CS) begins June 05, 2003 and closes July 05, 2003.

[October 03, 2001] OASIS Technical Committee Proposed for Provisioning Services (PSTC). A new OASIS technical committee for Provisioning Services has been proposed by company representatives from Access360, Business Layers, Jamcracker, Novell, Oblix, OpenNetwork, Sena Consulting, Thor Technologies, VeriSign, and Waveset. Initially, the TC Chair is Darran Rolls (Waveset). The purpose of the proposed OASIS Provisioning Services Technical Committee (PSTC) is "to define an XML-based framework for exchanging user, resource, and service provisioning information. The TC will develop an end-to-end, open, provisioning specification developed from existing provisioning specifications which are of public knowledge, accessible, and freely distributed. [Specifically,] the work proposes to take into consideration the Active Digital Profile (ADPr), the Extensible Resource Provisioning Management (XRPM), and the Information Technology Markup Language (ITML) Provisioning specifications, along with any other relevant and timely submissions. The PSTC will produce a set of one or more Committee Specifications that will cover use cases and requirements, information model, protocol(s), bindings, and conformance; all of the aforementioned are to be examined with respect to security considerations. The goal [subject to revision] is to submit a Committee Specification to the OASIS membership for its approval by September 2002." [Full context]

"An Introduction to the Provisioning Services Technical Committee." Draft 10/16/2001 or later. "The purpose of the OASIS Provisioning Services Technical Committee (PSTC) is to define an XML-based framework for exchanging user, resource, and service provisioning information. The Technical Committee will develop an end-to-end, open, provisioning specification developed from several supporting XML specifications... This document is intended to precede the formal standards definition process within the PSTC and set the stage for the initial discussions of the committee, compiling pre-existing XRPM and ADPR efforts, into a single, high level outline. It is intentionally devoid of much of the detail already defined and discussed in supporting materials. It aims to provide a high level definition of provisioning within the context of the PSTC, an overview of the proposed scope, and a suggested road map for the first committee meeting... In our context, provisioning refers to the 'preparation beforehand' of IT systems' 'materials or supplies' required to carry out some defined activity. In general, it goes further than the initial 'contingency' to the onward management lifecycle of the managed items. This could include the provisioning of purely digital services like user accounts and access privileges on systems, networks and applications. It could also include the provisioning of non-digital or 'physical' resources like the requesting of office space, cell phones and credit cards..." [.DOC source]

Representatives from twelve companies met to discuss XML provisioning in a F2F meeting on September 10, 2001 in San Jose, producing a provisional/draft working committee charter and a brainstorming document. Background materials may be found on the XRPM web site or on the XRPM main reference page.

[November 06, 2001] "OASIS Forms Provisioning Services Technical Committee to Standardize Automated Provisioning for Enterprise Resources. Access360, Business Layers, Jamcracker, Novell, Oblix, OpenNetwork Technologies, and Others Unite to Develop Provisioning Specification." - "OASIS, the XML interoperability consortium, announced that its members have formed the OASIS Provisioning Services Technical Committee to define an XML-based framework for exchanging user, resource, and service provisioning information. The new OASIS Technical Committee will collaborate to develop the Provisioning Services Markup Language (PSML), an end-to-end specification for the automation of user or system access and entitlement rights to electronic services. 'Provisioning is a key component of Web services,' noted Patrick Gannon, president and CEO of OASIS. 'Whether you're talking about provisioning accounts into a partners' extranet, an outsourced application, an Application Service Provider (ASP), or a trading exchange, ultimately all these areas are going to be offered as Web services. Without a standardized approach, provisioning will add a significant administrative burden to Web services. The OASIS Provisioning Services Technical Committee will provide a fundamental benefit to enable Web services as a practical business tool.' In keeping with the consortium's mission to promote convergence and unite disparate efforts, the OASIS Provisioning Services Technical Committee will consider contributions of related work from other groups and companies. The XRPM (eXtensible Resource Provisioning Management) Working Group, the Active Digital Profile (ADpr) Initiative and developers of the Information Technology Markup Language (ITML) all plan to submit specifications to the new OASIS technical committee."

Principal References

Technical Committee References:

Approved Specifications:

Other:

General: Articles, Papers, News

  • [May 02, 2006] "Web Services Gets SPML 2.0 Boost." By Mathew Schwartz. From Enterprise Systems (May 02, 2006). "How do businesses securely tie together systems with business partners using Web Services technology or service-oriented architectures? Today, such business-to-business (B2B) efforts typically require business partners to standardize on identical identity-management software or code laborious workarounds. A new standard should help. The international standards consortium OASIS announced it has ratified Service Provisioning Markup Language (SPML) version 2.0, which should facilitate easier out-of-the-box, B2B identity-management integration. The new OASIS Standard specifies an XML framework for identity management and provisioning. An XML-based framework, SPML defines how resources should be allocated between systems and organizations. It also handles provisioning — managing user accounts and access rights — in a variety of environments, including access to systems, networks, and applications, as well as to such physical resources as mobile phones and credit cards. According to Gavenraj Sodhi, the director of product management for security information management solutions at CA Inc. (formerly Computer Associates), and a co-chair of the SPML technical committee: 'SPML can become a major component of the identity management stack... this will allow vendors to build hooks into their applications,' to create easier out-of-the-box interoperability between applications, which should better facilitate B2B Web Services integration. That's because a growing requirement in Web services rollouts, as well as in the implementation of service-oriented architectures, is sharing user information across businesses — and not just identities, but also permissions, groups, and access rights.' [...] SPML 2.0 also competes with WS-Provisioning, created by IBM and Microsoft. Interestingly, SPML did adapt some WS-Provisioning functionality. 
'SPML was developed alongside other key security specifications, including the Security Assertion Markup Language (SAML) and WS-Security, both of which are also OASIS Standards,' notes Patrick Gannon, the president and CEO of OASIS. 'Our security committees work together to exploit the benefits of reuse and coordination to the greatest extent possible'..."

  • [April 11, 2006] "Service Provisioning Markup Language (SPML) v2.0 Ratified as OASIS Standard. BEA Systems, BMC Software, Capgemini, CA, Hewlett-Packard, IBM, Microsoft, Oracle, RSA Security, SAP, SOA Software, Sun Microsystems, and Others Develop OASIS Standard for Exchanging User, Resource, and Service Provisioning Information." -- "The OASIS international standards consortium today announced that its members have approved the Service Provisioning Markup Language (SPML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SPML provides an XML-based framework for managing the allocation of system resources within and between organizations. Encompassing the entire life-cycle management of resources, SPML defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as non-digital or physical resources such as cell phones and credit cards. 'One of the hardest parts of provisioning is interoperability,' noted analyst, Mark Diodati of Burton Group's Identity and Privacy Strategies. 'SPML provides a standards-based approach, and version 2.0 adds important functionality that is required for robust provisioning services.' 'SPML v2.0 will further facilitate the seamless application of identity management solutions to the day-to-day challenges of provisioning and de-provisioning business services,' said Gavenraj Sodhi of CA, co-chair of the OASIS Provisioning Services Technical Committee. 'The result will be more efficient IT administration, improved security, and easier extension of services beyond organizational boundaries.' 
'SPML 2.0 provides a service-oriented identity protocol that goes far beyond just enterprise provisioning while enabling customers to spend less time connecting systems and applications, and more time focusing on the technology issues and implementations most important to their business needs and services,' said Jeff Bohren, of BMC Software, co-chair of the OASIS Provisioning Services Technical Committee. The SPML v2.0 OASIS Standard offers enhanced functionality as well as a new profile that lets users and other objects be manipulated more easily. Additional features include improved password management, user suspension capabilities, and user attribute schema discovery..."

  • [January 06, 2005] "XML Security: Manage Identities More Effectively with SPML. The Objectives, Architecture, and Basic Concepts of Service Provisioning Markup Language." By Manish Verma (Center Head & VP Delivery, Second Foundation). From IBM developerWorks (January 05, 2005). "The past couple of years have seen an increased interest in identity management. Managing identities effectively and efficiently is a critical issue for businesses, and various standards have been proposed to handle different aspects of identity management. One such standard is Service Provisioning Markup Language (SPML), which deals with resource provisioning for these identities. It brings standardization to the mundane but error prone job of preparing IT and support infrastructure to accomplish business activity. For example, with SPML it is possible to automate the provisioning workflow that results when an organization hires a new employee. Provisioning workflow can include activities that are either digital or physical. As an example, when a new employee is hired, digital activities can include the creation of a user account in various systems and applications, while physical activities can include procurement of a new laptop for that individual. In this article the author explores the objectives and importance of the SPML standard, providing some sample programs that demonstrate how the standard helps you automate provisioning activities. The sample code uses openSPML, an open source implementation of SPML... With the ever-increasing number and complexity of systems and networks, managing digital identities is now a major challenge. Identity management refers to the management of the entire lifecycle of one or more identities, from creation to destruction, and the things that happen in between — such as managing permissions, privileges, and modifications..."

  • [January 23, 2004] "SAML Tops Federation Projects Survey." By Dave Kearns. In Network World (January 09, 2004). Ping Identity, sponsor of the SourceID Web site, recently surveyed folks who downloaded its open-source Liberty Alliance tool kit. "When asked about the priority of federation protocols, it wasn't surprising that the Liberty Alliance protocols out-polled the WS-Federation protocol (favored by IBM and Microsoft) since the respondents were specifically those who downloaded a Liberty Alliance tool kit. But even adding together those who preferred Liberty phase II with those who preferred Liberty phase I (a total of 42% of the respondents) they were still outweighed (at 49%) by those who favored Versions 1.0, 1.1 and 2.0 of the Security Assertion Markup Language (SAML). SAML is the transport mechanism for the Liberty Alliance proposals, and one of the allowed transports for WS-Federation, but it appears that a number of projects are working directly with SAML and by-passing the 'higher' layers of the two competing standards. It might be that the projects being talked about are all early stage developments, with the SAML parts being worked on now while the developers look to see which of the two competing standards will emerge with an edge -- or, perhaps, a consolidation or merger might occur with one standard being created from the two we currently have. If you think that's a likely scenario, then it would be wise to put off any development at that upper level until the parameters of the eventual standard begin to take shape. Another of the survey questions asked downloaders what additional protocols were 'of interest' to them vis-à-vis federation. The big winner there was OASIS' Extensible Access Control Markup Language (XACML), with 49%, followed by Service Provisioning Markup Language (SPML) at 29%, and eXtensible Resource Identifier (XRI) with 14%. A scattering of other protocols took 8% of the responses. 
XRI could be considered a competitor to Universal Description, Discovery and Integration..." See also: "Security Assertion Markup Language (SAML)."

  • [November 19, 2003] "Service Provisioning Markup Language (SPML) Ratified as OASIS Standard. Abridean, BEA Systems, BMC Software, Business Layers, Computer Associates, Entrust, Netegrity, OpenNetwork, Waveset, and Others Develop OASIS Standard for Exchanging User, Resource, and Service Provisioning Information." - "The OASIS standards consortium today announced that its members have approved the Service Provisioning Markup Language (SPML) version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. SPML provides an XML-based framework for managing the allocation of system resources within and between organizations. Encompassing the entire life-cycle management of resources, SPML defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as non-digital or physical resources such as cell phones and credit cards. 'As provisioning becomes a more widely available network service, the need for an open standard to support the integration of account and service management in identity infrastructures is clear,' says Darran Rolls of Waveset, chair of the OASIS Provisioning Services Technical Committee. 'By fostering interoperability across business units or with business partners, SPML frees companies to focus on the business rules for provisioning user accounts and not on the technology to wire everything together.' 'Enterprise architects should consider SPML real and deployable,' said Patrick Gannon, president and CEO of OASIS. 'It provides a much needed starting point for a long-term user access provisioning strategy that can be implemented today within the enterprise and will work in the future for integrating with Web services implementations. We congratulate the developers of SPML 1.0 and invite additional participation from the community on advancing SPML 2.0 to achieve full Web services compatibility.' 
Members of the OASIS Provisioning Services Technical Committee include Abridean, BEA Systems, BMC Software, Business Layers, Computer Associates, Entrust, Netegrity, OpenNetwork, Waveset, and other users and providers of identity management software. SPML relates closely to another OASIS Standard, the Security Assertion Markup Language (SAML). Together, SPML and SAML provide a standard way to create user accounts and validate users as part of an identity management infrastructure. The two offer the basis for integrating single sign-on and provisioning software for Web services..."

  • [October 07, 2003]   IBM Releases Web Services Provisioning (WS-Provisioning) Specification.    A draft version of Web Services Provisioning (WS-Provisioning) has been presented by IBM/Tivoli as a submission for consideration by the OASIS Provisioning Services TC. The contribution is provided as input to technical work on SPML Version 2, as Service Provisioning Markup Language (SPML) Version 1.0 is currently up for review and ballot as an OASIS Standard. The WS-Provisioning specification "describes the APIs and schemas necessary to facilitate interoperability between provisioning systems and to allow software vendors to provide provisioning facilities in a consistent way. The specification addresses many of the problems faced by provisioning vendors in their use of existing protocols, commonly based on directory concepts, and confronts the challenges involved in provisioning Web Services described using WSDL and XML Schema. WS-Provisioning defines a model for the primary entities and operations common to provisioning systems including the provisioning and de-provisioning of resources, retrieval of target data and target schema information, and provides a mechanism to describe and control the lifecycle of provisioned state." The WS-Provisioning authors envision that the technical work of the OASIS PSTC may at some point converge with the IBM specification.

  • [September 24, 2003] "CA's eTrust Admin Identity Management Solution to Support OASIS SPML. CA Demonstrates Interoperability With Emerging Web Services Standard at Recent PeopleSoft Conference." - "Computer Associates International, Inc. (CA) announced today that its eTrust Admin identity management solution will support the new OASIS Service Provisioning Markup Language (SPML) 1.0 specification, an emerging industry standard designed to streamline and automate the provisioning of systems and Web services across organizations. eTrust Admin increases user account management security while reducing administration costs. SPML is intended to provide a standards-based approach to removing user accounts across heterogeneous systems. This common administration can significantly reduce IT workloads, help ensure compliance with security policies, and provide employees with immediate access to critical resources. Changes in human resource systems can be propagated automatically to IT applications without human intervention. CA has tested eTrust Admin's SPML capabilities with PeopleSoft's leading human resources platform, and demonstrated interoperability with SPML at the recent PeopleSoft Connect 2003 Conference in Anaheim, California. 'CA's adoption of SPML enables a flexible and portable approach to leveraging HR information when managing and enforcing identity-based security policies,' said Phil Schacter, vice president and service director at Burton Group, a leading enterprise IT research and advisory services firm. 'Standards-based identity solutions, driven by authoritative HR information, improve overall security and substantially reduce the risk of exposing valuable business systems and information assets.' SPML has been approved by the OASIS Provisioning Services Technical Committee prior to submission to the consortium's membership at-large for voting as an OASIS Standard. 
As an XML-based framework, SPML allows eTrust Admin's capabilities to be extended to any enterprise system or Web service with the necessary compliant interface. 'The use of standards is essential as the number of applications and services proliferates,' said Karl Best, vice president of OASIS. 'CA's embrace of SPML is a welcome contribution to the advancement of efficient, open standards-based IT management architectures.' 'As organizations integrate business processes with their partners, they need to dynamically manage the authorization and de-authorization of access rights for users,' said Gavenraj Sodhi, CA product manager for eTrust Admin. 'By leveraging both the SPML specification and existing investments in PeopleSoft technology, eTrust Admin provides an ideal means of achieving these objectives'..."

  • [September 04, 2003] "Proposed Provisioning Technology Set to Go." By John Fontana. In ComputerWorld (September 04, 2003). "A forthcoming XML-based standard is living a double life. It is expected to foster integration of current provisioning and identity management software now and will evolve to support Web service in the future. The proposed standard is the Service Provisioning Markup Language (SPML) 1.0, which is set for ratification October 31, 2003 by the Organization for the Advancement of Structured Information Standards (OASIS). The 1.0 specification is designed to help network executives break the logjam that holds back interoperability among current provisioning systems. These systems let companies automatically set up and deactivate user accounts across corporate networks and applications. But critics, namely IBM Corp. and Microsoft Corp., say SPML in its 1.0 form lacks features beyond simple addition and deletion of users. They say it's not flexible enough to integrate into the palette of Web services standards they are developing, known as WS-* (pronounced WS-Star), which includes WS-Security and WS-Federation. The two companies are working with OASIS to correct those shortcomings. The protocol, therefore, appears to satisfy short-term corporate needs while creating a starting point for developing a long-term solution that will work within Web services deployments. 'What this means is that SPML 1.0 will not become the be-all and end-all provisioning standard,' says Daniel Blum, an analyst with Burton Group. 'Something else will come along.' He says Microsoft and Web services standards partner IBM, which last year acquired provisioning vendor and SPML co-creator Access360, have valid points on the long-term viability of SPML... 
The interoperability SPML fosters was demonstrated in July when 10 vendors - BMC Software Inc., Business Layers Inc., Critical Path Inc., Entrust Inc., MyCroft, OpenNetwork Technologies Inc., PeopleSoft Inc., Sun Microsystems Inc., Thor Technologies Inc. and Waveset Technologies Inc. - held an interoperability test to show the addition and creation of users across their provisioning systems. 'Enterprise architects should start to consider SPML as real, deployable and valuable,' says Darran Rolls, chairman of the Provisioning Services Technical Committee (PSTC) at OASIS and director of technology for Waveset. What's also becoming real is the relationship between SPML and the Security Assertion Markup Language (SAML), an XML-based standard for exchanging user authentication and authorization data across corporate systems that OASIS ratified in October 2002. Together, SAML and SPML provide a standard way to create user accounts and then validate these users as part of an identity management infrastructure. The two are the glue for integrating Web single sign-on and provisioning software. SPML can use a SAML credential as one way to identify users to be provisioned to corporate systems..."

  • [September 02, 2003] "SPML: An Integration Framework for Enterprise Resource Provisioning as a Network Service." By Darran Rolls (Waveset Technologies). In DIM Report (September 02, 2003). "This article introduces the Secure Provisioning Markup Language (SPML), an XML standard from OASIS that addresses the interoperability issues around service provisioning... Provisioning and de-provisioning user access may sound simple. However, when one considers this in the context of complex, inter-related systems with potentially thousands of users needing full life-cycle user and account management, the process of establishing a common, well-understood framework for the provisioning of these rights can become very challenging... By supporting widespread deployment of applications that can issue standardized service provisioning requests, SPML minimizes the complexity of the client interface. SPML provides a simple set of core operations for add, modify, delete and search functions, and an open model for the definition and discovery of service schema (the data required to subscribe to a service). The general model for SPML enables a client to issue an SPML request describing the operation to be performed at a given service point or endpoint. The service point is then responsible for performing the necessary operations to implement the request. Once the operation is complete, the service point sends the client an SPML response detailing results or errors. SPML version 1.0 provides an operations extension model and a synchronous and asynchronous batch request/response processing model. This lets a requesting authority batch sets of provisioning actions and control the execution semantics for individual requests as well as for the batch as a whole. 
For organizations extending identity management to portal and extranet projects, SPML provides a logical and easily understood operating model to allow standardization in the service request and subscription process flow between the end-user and the back-end security service. This allows de-centralized 'business driven' initiatives to make full re-use of centralized corporate provisioning policies and help to drive consolidated management of accounts and subscriptions to help drive the increasing audit and security requirements for the extended enterprise..."

  • [July 11, 2003]   Sun and Waveset Provide Identity Management Solution for PeopleSoft Using SPML.    Sun Microsystems, Waveset Technologies, and PeopleSoft have announced an "expansion of the companies' strategic alliance to deliver an integrated, standards-based identity management solution for use with PeopleSoft applications. The integrated solution is expected to provide users with the ability to initiate and manage the lifecycle of workforce identity information from a single portal interface, spanning Human Resource, IT and facilities resources." Featuring automated provisioning processes based upon the Service Provisioning Markup Language (SPML), this innovative identity management solution "is designed to combine the functionality of the Liberty Alliance-enabled Sun ONE Identity Server, Sun ONE Directory Server, and Waveset Lighthouse to reduce the time it takes to establish or change access rights, privileges and profile data across multiple applications. The first iteration of the solution is designed to enable business process integration between Human Capital Management and IT security/identity management, that will help drive down costs in the on-boarding and off-boarding of employees and to increase workforce productivity."

  • [July 09, 2003] "BMC Software Enhances Provisioning Solution. Marked By Industry First, Enhancements Ease Provisioning Management Challenges." - "BMC Software, Inc., a leader in enterprise management, today announced key enhancements to its user provisioning solution, CONTROL-SA. Dedicated to promoting open standards, CONTROL-SA will offer Service Provisioning Markup Language (SPML) based provisioning. SPML is an open standard defined by the Organization for the Advancement of Structured Information Standards (OASIS) that allows supply chain partners to provision employees on each others' systems even when using different provisioning solutions. Additional enhancements to CONTROL-SA include the product's integration with Remedy, a leading provider of service management software, and a new interface that enables CONTROL-SA to leverage Lightweight Directory Access Protocol (LDAP) connectivity... This new capability makes CONTROL-SA the only provisioning solution in the marketplace that allows multiple workflows to interact with the provisioning solution thereby providing customers with provisioning options to select the best workflow to meet their requirements. CONTROL-SA enables users today to seamlessly integrate into workflow environments from other leading vendors such as Business Layers, Oblix, PeopleSoft, and Remedy. In addition to affording customers the freedom of choosing the right workflow for their environment, CONTROL-SA's open provisioning initiative enhances the usability of their provisioning solution, and provides a foundation for ensuring secure identity management. BMC Software will be demonstrating the open provisioning capabilities of CONTROL-SA at the Catalyst Conference in San Francisco on July 9, 2003. This demo will feature integration between CONTROL-SA and PeopleSoft's human resource (HR) provisioning component using the OASIS Service Provisioning Markup Language (SPML) standard. 
The SPML standard allows technologies to securely manage the identity lifecycle of a user -- including the dynamic allocation of their associated resources -- across a trusted boundary using a common language. The demonstration will also show CONTROL-SA's ability to engage with PeopleSoft's HR provisioning component while using SPML standards. These capabilities answer the need for integration and interoperability of disparate provisioning components..."

  • [June 30, 2003] "SPML Eases Information Exchange." By Darran Rolls (Waveset Technologies, Inc). In Network World (June 30, 2003). "Provisioning is the process of managing the allocation of system resources to employees, partners and contractors as part of identity management... Service Provisioning Markup Language (SPML) is an XML-based framework for exchanging user, resource and service provisioning information between organizations. The framework is expected to establish an open, standard protocol for the integration and interoperability of service provisioning requests. Developed by the OASIS Provisioning Technical Service Committee (PTSC), SPML 1.0 is slated for ratification in summer [2003]. PTSC interprets provisioning to mean the upfront preparation of IT system materials or supplies required to carry out pre-defined business activities. The committee goes beyond the initial contingency of providing resources to encompass the entire life-cycle management of these resources. This includes provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as the provisioning of non-digital or physical resources such as cell phones and credit cards. The sole purpose of a provisioning service in a network is to execute and manage provisioning requests. A given requesting authority, or client, sends the provisioning service a set of requests via a well-formed SPML document (an XML document that conforms to the SPML standard). Based on a pre-defined service execution model, the provisioning service takes the operations specified within the SPML document and executes provisioning actions on a pre-defined set of service targets or resources. The general model for SPML is one in which clients perform protocol operations on servers. In this model, a client issues an SPML request describing the operation to be performed at a given service point or endpoint. 
The service point is then responsible for performing the necessary operations to implement the request. Once the operation is complete, the service point sends the client an SPML response detailing results or errors... As more infrastructure becomes identity-centric and companies start to build and deploy Web services, SPML will be a critical element of an end-to-end standards-based identity management strategy..."

  • [June 27, 2003]   OASIS Member Companies Host SPML Identity Management Interoperability Event.    OASIS has announced a first public demonstration of the Service Provisioning Markup Language Specification (SPML) Version 1.0 in an interoperability event to be held on July 9, 2003 at the Burton Catalyst Conference in San Francisco. "SPML is an XML-based framework for exchanging and administering user access rights and resource information across heterogeneous environments. Ten members of the OASIS standards consortium will come together at Catalyst to prove the stability of the new specification and demonstrate interoperability between SPML-conformant security software products. SPML lets organizations automate, centralize, and manage the process of provisioning user access to internal and external corporate systems and data. SPML has been designed to work with the World Wide Web Consortium's SOAP, the OASIS Standard SAML, the OASIS WS-Security specification, and other open standards that allow companies to securely leverage Web services. The SPML specification is currently in a public review period which occurs prior to being submitted to the OASIS membership at-large for consideration as an OASIS Standard. SPML is one of several security standards being developed at OASIS. Other standards and specifications include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data, and SAML for exchanging authentication and authorization information."

  • [June 16, 2003] "OASIS Provisioning Services Technical Committee SPML V1.0 Interoperability Event." Technical and Operations Plan. Edited by Darran Rolls (Waveset Technologies) for the OASIS SPTC. Committee Working Draft. 06-June-2003. 20 pages. "This document describes the message exchanges to be tested during the Burton Catalyst interoperability event in San Francisco, July 9-11, 2003. This interoperability test is designed to show the interoperation of service subscription and provisioning based on the draft SPML V1.0 specification. This interop event is based around a defined scenario intended to test the interoperability of different implementations performing a common set of SPML operations, to test the soundness of the specification and clarify the mutual understanding of its meaning and application in a given business scenario. Note the scenario and context of this interop is not intended to represent a definitive implementation of the SPML V1.0 specification... The interop scenario is based on interactive attendee participation. Interop Users (IUs) will be directed through a defined scenario, in which they input 'New Hire' user data into a PeopleSoft HRMS system. This action will cause a set of SPML protocol exchanges to create service subscriptions at each vendor station participating at the interop. The business scenario is based around a fictional company SPML Contractors Inc. When a new employee starts at SPML Contractors, an SPML enabled system is used to manage account subscriptions with a defined set of SPML Contracts' customers. New employees are added to the SPML Contractors PeopleSoft HRMS using the standard PeopleSoft web based interface. The creation of records within HRMS is used to trigger SPML service subscription requests to be sent to each PV at the interop. In this scenario PeopleSoft HRMS will be acting in the role of SPML Contractors Inc. and will be functioning as an SPML Requesting Authority (RA).
Mycroft will be providing an integration 'SPML multiplexer' module that takes the SPML request from PeopleSoft and creates individual SPML service requests for each of the PVs. Each of the PVs will be modeled as SPML Contractors Inc customers and will receive, process and respond to their own service requests in accordance with their own systems models and PSP/PST implementations... The SPML Contractors Inc PeopleSoft HRMS installation will be running a centralized server, accessible and available to all of the PVs. By employing the PeopleSoft HRMS web based user access model, new SPML Contractors Inc employees will be able to be added from any of the workstations at the interop event room. This will prevent a bottleneck from forming at the PeopleSoft workstation and allow an IU to approach the scenario from any PV, thus making more staff available to help IUs with questions and generally spread the traffic more evenly across the event..."

  • [April 14, 2003] "Business Layers and Netegrity Partner on Industry's First Demonstration of SPML at RSA Conference. Vendors Present First XML Specification to Leverage Web Services for Secure Federated Resource Allocation." - "Business Layers, the eProvisioning Company and Netegrity, Inc., a leading provider of identity and access management solutions, will today demonstrate the industry's first XML-based solution for identity management at the RSA User Conference in San Francisco, Calif. As a pioneer of industry standards, Business Layers is responsible for submitting the original provisioning specification to the Organization for the Advancement of Structured Information (OASIS). Business Layers and Netegrity are committed to driving the development of SPML to provide the enterprise with the first XML specification designed to leverage the reuse of Web services to achieve secure, federated user resource allocation to maximize existing IT resources, reduce administrative costs and enhance security. Business Layers and Netegrity will demonstrate the industry's first identity management solution using the current SPML specification, with Simple Object Access Protocol (SOAP) and Security Assertions Markup Language (SAML), which will allow companies to securely leverage Web services to automate, centralize and manage the process of provisioning user access to internal and external corporate systems and data. Led by Business Layers' Gavenraj Sodhi and Netegrity's Amit Jasuja, the presentation will illustrate how SPML allows for businesses, via a common language, to more securely manage the identity lifecycle of a user including the dynamic allocation of their associated resources, across a trusted boundary. 
'One of the biggest obstacles impeding the rapid adoption of Web services technologies is the enterprise's concern about the security holes that exist when sharing sensitive information in an open IT environment,' said Pete Lindstrom, Research Director of Spire Security. 'Business Layers and Netegrity are addressing this issue head-on with an interoperable SPML/SAML environment, offering users an open standard in which businesses can leverage Web services to achieve secure, federated resource provisioning with their trusted business partners.' Today's SPML demonstration will address the challenges associated with complex resource provisioning for inter-organizational business transactions. As businesses move towards service-oriented architectures, internal and external users require secure access to applications and corporate systems that often contain sensitive data. To illustrate SPML in this setting, Netegrity and Business Layers will provide real-world examples of Web services-enabled identity management and provisioning scenarios. For example, a large manufacturing company may work with several suppliers and business partners to provide a complete set of product lines. To help ensure that its supply chain is managed most effectively, the manufacturer must grant each set of users -employees, customers and partners- the appropriate access to information and applications. Using SPML, the manufacturer is able to automatically register, authenticate, and accommodate the provisioned information requests in a secure environment to protect each of these business relationships. This standards-based offering utilizes the SPML specification in conjunction with Web services technologies to create a secure, dynamic workflow..."

  • [February 11, 2003] "Netegrity and Business Layers to Demonstrate Support for Service Provisioning Markup Language (SPML). Vendors Are First to Exhibit XML Based Solution for Identity Management." - "Netegrity, Inc., a leading provider of identity and access management solutions, and Business Layers, the eProvisioning Company, today announced the development of the first identity management solution to support the Service Provisioning Markup Language (SPML) standard. SPML provides companies with a standard way to automate, centralize, and manage the process of provisioning user access to corporate systems and data in order to maximize existing IT resources, reduce administrative costs, and enhance security. The OASIS Provisioning Services Technical Committee is meeting today to finalize the SPML specification. 'Creating a standard way in which to communicate user provisioning information between enterprises will greatly improve corporate efficiency, contribute to cost reduction and increase productivity,' said Roberta Witty, Research Director of Gartner, Inc. 'The adoption of open standards such as SPML provides market assurance that customers do not need to be dependent on their user provisioning solution vendor for proprietary customization which only adds to the cost of the user provisioning implementation.' The challenge of resource provisioning only becomes more complex as companies reach beyond organizational boundaries to conduct business. The move towards service-oriented architectures adds yet another layer of complexity as not only users, but also pieces of applications require access to corporate systems. For example, a large auto manufacturer may have multiple warehouses across the country, some of which are owned by the auto manufacturer and others owned by partners. In order to provide the appropriate parts to the manufacturing plant at the appropriate time, employees at the warehouse must have access to various applications. 
In order to provision these users to the appropriate applications in a cost effective and timely manner, the company could deploy a provisioning Web service that supports SPML. Using standards based solutions from Netegrity and Business Layers, the auto manufacturer could seamlessly authenticate and authorize the issuer of the provisioning request and perform the appropriate provisioning tasks..."

  • See: "Information Technology Markup Language (ITML)" - Main reference page.

  • See: "XRPM Working Group for Extensible Resource Provisioning Management (XRPM)" - Main reference page.

  • See: "Active Digital Profile (ADPr)" - Main reference page.

  • See: Extensible Provisioning Protocol (EPP) - Main reference page.

  • Background documents from the XRPM Working Group:

    • Brainstorming Document. From PSTC F2F (9/10/2001)
    • "Peer-to-Peer Provisioning: Problem Statement" "Provisioning systems are currently designed with a master-slave relationship between themselves and the resources that they provision. Traditionally, the only true peer-to-peer relationship between the provisioning system and another system is with the provisioning system's relationship with an identity management (human resources) system. In this relationship, the identity management system will notify the provisioning system of identity changes, which may then trigger provisioning actions to take place against its managed resources."
    • Draft of Preliminary [PSTC] Charter, [cache]
    • XRPM Working Document. By Jeff Bohren, Tony Gullotta, Gavenraj Sodhi, and John Aisien. August 2, 2001. Supplies an initial set of use cases for XRPM. "This document describes the requirements and use cases for eXtensible Resource Provisioning Management (XRPM). It provides an initial set of use cases for the eXtensible Resource Provisioning Management, XRPM, Working Group. XRPM's objective is to provide an XML standard for the open interoperability between provisioning systems and resources in order for access rights to be provisioned... This section contains a set of primary use cases for XRPM. Each use case consists of a description, actors involved, pre-conditions, steps involved, post-conditions, and finally, many use cases contain a diagram depicting the actions occurring. We have attempted to address a good majority of use cases that would cover the workings of the group and it is understood that there are other use cases which XRPM may have not yet addressed (e.g., Modify, Suspend, Restore), which may be added to future use case list as stated in this draft." [cache]
    • "Resource Provisioning, Interoperability, and XML." Invitational Industry Discussion. By Phil Schacter (Director, Network Strategy Service, The Burton Group). September 10, 2001. See the original .PPT file.



Document URI: http://xml.coverpages.org/provisioningServices.html
Robin Cover, Editor: robin@oasis-open.org