The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: November 19, 2010
Service Provisioning Markup Language (SPML)


The OASIS Provisioning Services Technical Committee (PSTC) was chartered "to define an XML-based framework for exchanging user, resource, and service provisioning information. The Service Provisioning Markup Language (SPML) was motivated by a desire to address one of the biggest challenges in provisioning: adapting to a disparate set of protocols and methodologies. This poses a challenge to both provisioning vendors and implementers of custom provisioning systems. The industry would benefit if some level of standardization could be brought to bear on this problem..."

OASIS Service Provisioning Markup Language (SPML) Version 2.0 defines the concepts and operations of an XML-based provisioning request-and-response protocol. A requestor (client) asks a provider (server) to perform an operation. A requestor asks a provider to perform an operation by sending to the provider an SPML request that describes the operation. The provider examines the request and, if the provider determines that the request is valid, the provider does whatever is necessary to implement the requested operation. The provider also returns to the requestor an SPML response that details any status or error that pertains to the request...

In SPML, a Requesting Authority (RA) or requestor is a software component that issues well-formed SPML requests to a Provisioning Service Provider. Examples of requestors include: portal applications that broker the subscription of client requests to system resources, and service subscription interfaces within an Application Service Provider. A Provisioning Service Provider (PSP) or provider is a software component that listens for, processes, and returns the results for well-formed SPML requests from a known requestor. For example, an installation of an Identity Management system could serve as a provider. A Provisioning Service Target (PST) or target represents a destination or endpoint that a provider makes available for provisioning actions. A Provisioning Service Object (PSO), sometimes simply called an object, represents a data entity or an information object on a target. For example, a provider would represent as an object each account that the provider manages.

The SPMLv2 Core XSD defines basic operations (such as add, lookup, modify and delete), basic and extensible data types and elements, and a means to expose individual targets and optional operations. The SPMLv2 Core XSD also defines modal mechanisms that allow a requestor to: (a) specify that a requested operation must be executed asynchronously, or specify that a requested operation must be executed synchronously; (b) recognize that a provider has chosen to execute an operation asynchronously; (c) obtain the status (and any result) of an asynchronous request; (d) stop execution of an asynchronous request. SPMLv2 also defines two profiles in which a requestor and provider may exchange SPML protocol; a requestor and a provider may exchange SPML protocol in any profile to which they agree: the SPMLv2 XSD Profile and the SPMLv2 DSMLv2 Profile...
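The request-and-response pattern and the asynchronous modal mechanisms (a) to (d) described above, as an added worked example in Python. This is the editor's illustration, not code from OASIS or from any vendor's SPML implementation. It models a Requesting Authority that builds SPML requests and a Provisioning Service Provider that validates each request before acting: an unknown target or object identifier is refused with an error status, an add requested asynchronously is deferred and reported as pending, and a later statusRequest or cancelRequest completes or stops the deferred work. The element and attribute names (addRequest, psoID, executionMode, asyncRequestID, the status values and the namespace URN) are written from memory of the SPMLv2 core schema and should be checked against the published XSD; the target name, the object IDs, the "req-NN" identifiers and the practice of carrying attributes as plain child elements of data are constructed simplifications of what the XSD and DSMLv2 profiles actually define.

```python
"""SPMLv2 requestor/provider exchange: a constructed example, not OASIS or any vendor's code.
Element and attribute names follow the SPMLv2 core schema as this editor recalls it;
check them against the published XSD before relying on them."""
import itertools
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"            # SPMLv2 core namespace (assumed)
ET.register_namespace("spml", SPML)

def el(tag, parent=None, **attrs):
    """Create a namespaced SPML element, attached to parent when one is given."""
    name = f"{{{SPML}}}{tag}"
    return ET.Element(name, attrs) if parent is None else ET.SubElement(parent, name, attrs)

def child(e, tag):
    return e.find(f"{{{SPML}}}{tag}")

def pso_data(pso):
    """Read a <pso>'s <data> back into a dict. Plain child elements under <data>
    are a simplification of the XSD/DSMLv2 profiles the spec defines."""
    return {c.tag: c.text for c in child(pso, "data")}

class Provider:
    """Minimal PSP: known targets, objects and deferred async requests held in memory."""

    def __init__(self, targets):
        self.targets = set(targets)
        self.objects = {}      # (targetID, ID) -> {attribute: value}
        self.pending = {}      # requestID of a deferred async request -> request element
        self._seq = itertools.count(1)

    def handle(self, xml_text):
        """Parse one request, validate it, and return the SPML response element.
        Caveat: a real provider parses untrusted XML with entity-expansion limits."""
        req = ET.fromstring(xml_text)
        op = req.tag.rsplit("}", 1)[-1]
        handler = getattr(self, "_" + op, None)
        if handler is None:
            return el(op.replace("Request", "Response"), status="failure", error="unsupportedOperation")
        return handler(req)

    def _addRequest(self, req):
        if req.get("targetID") not in self.targets:          # reject unknown targets first
            return el("addResponse", status="failure", error="noSuchIdentifier")
        if child(req, "data") is None:
            return el("addResponse", status="failure", error="malformedRequest")
        if req.get("executionMode") == "asynchronous":
            # (a)/(b): requestor asked for async execution; provider defers and reports "pending"
            rid = req.get("requestID") or f"req-{next(self._seq)}"
            self.pending[rid] = req
            return el("addResponse", status="pending", requestID=rid)
        return self._do_add(req)

    def _do_add(self, req):
        attrs = {c.tag: c.text for c in child(req, "data")}
        oid = attrs.pop("ID", None) or f"pso-{next(self._seq)}"   # hypothetical ID scheme
        self.objects[(req.get("targetID"), oid)] = attrs
        return self._with_pso(el("addResponse", status="success"), req.get("targetID"), oid, attrs)

    def _with_pso(self, resp, target, oid, attrs):
        pso = el("pso", resp)
        el("psoID", pso, ID=oid, targetID=target)
        data = el("data", pso)
        for k, v in attrs.items():
            ET.SubElement(data, k).text = v
        return resp

    def _statusRequest(self, req):
        # (c): requestor asks for status and result; the deferred op runs on this poll (simplification)
        rid = req.get("asyncRequestID")
        deferred = self.pending.pop(rid, None)
        if deferred is None:
            return el("statusResponse", status="failure", error="noSuchIdentifier")
        resp = el("statusResponse", status="success", asyncRequestID=rid)
        resp.append(self._do_add(deferred))
        return resp

    def _cancelRequest(self, req):
        # (d): stop an asynchronous request that has not yet executed
        rid = req.get("asyncRequestID")
        if self.pending.pop(rid, None) is None:
            return el("cancelResponse", status="failure", error="noSuchIdentifier")
        return el("cancelResponse", status="success", asyncRequestID=rid)

    def _lookupRequest(self, req):
        pid = child(req, "psoID")
        key = (pid.get("targetID"), pid.get("ID")) if pid is not None else None
        attrs = self.objects.get(key)
        if attrs is None:
            return el("lookupResponse", status="failure", error="noSuchIdentifier")
        return self._with_pso(el("lookupResponse", status="success"), key[0], key[1], attrs)

# Requesting Authority side: build the request documents as wire text.
def add_request(target, attrs, mode="synchronous", request_id=None):
    a = {"targetID": target, "executionMode": mode, **({"requestID": request_id} if request_id else {})}
    req = el("addRequest", **a)
    data = el("data", req)
    for k, v in attrs.items():
        ET.SubElement(data, k).text = v
    return ET.tostring(req, encoding="unicode")

def lookup_request(target, oid):
    req = el("lookupRequest")
    el("psoID", req, ID=oid, targetID=target)
    return ET.tostring(req, encoding="unicode")

def async_control(op, request_id):
    """Build a statusRequest or cancelRequest referring to an earlier async request."""
    return ET.tostring(el(op, asyncRequestID=request_id), encoding="unicode")

def demo():
    """Run the exchange against one constructed target and return what each step yielded."""
    psp, out = Provider(targets=["hr-directory"]), {}
    sync = psp.handle(add_request("hr-directory", {"ID": "jsmith", "cn": "Jane Smith"}))
    out["sync_add"] = (sync.get("status"), sync.get("error"))
    out["lookup"] = pso_data(child(psp.handle(lookup_request("hr-directory", "jsmith")), "pso"))
    asy = psp.handle(add_request("hr-directory", {"ID": "rlee"}, "asynchronous", "req-42"))
    out["async_add"] = (asy.get("status"), asy.get("requestID"))
    out["lookup_before_status"] = psp.handle(lookup_request("hr-directory", "rlee")).get("error")
    st = psp.handle(async_control("statusRequest", "req-42"))
    out["status"] = (st.get("status"), child(st, "addResponse").get("status"))
    psp.handle(add_request("hr-directory", {"ID": "tmp"}, "asynchronous", "req-43"))
    out["cancel_pending"] = psp.handle(async_control("cancelRequest", "req-43")).get("status")
    out["bad_target"] = psp.handle(add_request("payroll", {"ID": "x"})).get("error")
    return out
```

Running demo() walks one requestor through a synchronous add, a lookup, an asynchronous add that comes back pending, the statusRequest that completes it, a cancelRequest against a still-pending request, and an add against a target the provider does not expose. The design point worth keeping from the page's own description is that the provider acts only after it has decided a request is valid and comes from a known requestor: the validation branches here return an SPML error status rather than touching any object, and a production provider would add requestor authentication and a hardened XML parser in front of handle().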

Specification Publication History

In April 2006, OASIS announced that its members had "approved the Service Provisioning Markup Language (SPML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SPML provides an XML-based framework for managing the allocation of system resources within and between organizations. Encompassing the entire life-cycle management of resources, SPML defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as non-digital or physical resources such as cell phones and credit cards." Subsequently, an approved Errata document was published.

[October 16, 2003]   SPML Provisioning and Identity Management Specification Balloted for Approval.    The Service Provisioning Markup Language (SPML) Version 1.0 has been released in Committee Draft for approval as an OASIS Standard. The OASIS Provisioning Services Technical Committee (PSTC) was formed in late 2001 "to define an XML-based framework for exchanging user, resource and service provisioning information. The resulting Version 1.0 specification defines the concepts, operations, deployment and XML schema, for an XML based request and response protocol for provisioning. SPML will be of interest to any organization that develops custom built provisioning solutions or is involved in identity management." The Core SPML document is accompanied by Bindings for the Service Provisioning Markup Language (SPML) Version 1.0 (defining protocol bindings and profiles for the use of SPML request-response elements in communications protocols and applications) and the Core XML Schema. The SPML 1.0 specification "supports identifying principals using the OASIS Security Assertion Markup Language (SAML) and Project Liberty standards. Additionally, the SPML 1.0 specification has been designed to accommodate the use of the OASIS Web Services Security (WSS) specification, XML Digital Signatures, and XML Encryption." Implementation code for SPML is provided on the web site, dedicated to "the promotion and distribution of an open source client code that supports SPML; OpenSPML is a cooperative initiative by independent software vendors and implementers of the SPML version 1.0 specification. Initially developed in Java, the OpenSPML client code is expected to be available in other languages." In November 2003, OASIS announced the release of Service Provisioning Markup Language (SPML) as an approved OASIS Standard.

[June 05, 2003]   OASIS TC Releases Committee Specifications for Service Provisioning Markup Language (SPML).    A posting from Darran Rolls (OASIS PSTC Chair) announces the adoption of three documents as a Committee Specification set for the Service Provisioning Markup Language (SPML). "Provisioning" in the context of this TC activity is "the automation of all the steps required to manage (setup, amend, and revoke) user or system access entitlements or data relative to electronically published services." The OASIS Provisioning Services Technical Committee (PSTC) was chartered to "define an XML-based framework for exchanging user, resource, and service provisioning information. The resulting Committee Specification defines the concepts, operations, deployment and XML schema for an XML based request and response protocol for provisioning." The specification set includes Service Provisioning Markup Language (SPML) Version 1.0 (Core), Bindings for the Service Provisioning Markup Language (SPML) Version 1.0, and SPML Core XML Schema. Waveset Technologies, Business Layers, and OpenNetwork Technologies have certified their use of the SPML V1.0 specification. The SPML specification is being advanced for public review under the OASIS process toward approval as an OASIS Open Standard. The public review period for SPML (CS) begins June 05, 2003 and closes July 05, 2003.

[October 03, 2001] OASIS Technical Committee Proposed for Provisioning Services (PSTC). A new OASIS technical committee for Provisioning Services has been proposed by company representatives from Access360, Business Layers, Jamcracker, Novell, Oblix, OpenNetwork, Sena Consulting, Thor Technologies, VeriSign, and Waveset. Initially, the TC Chair is Darran Rolls (Waveset). The purpose of the proposed OASIS Provisioning Services Technical Committee (PSTC) is "to define an XML-based framework for exchanging user, resource, and service provisioning information. The TC will develop an end-to-end, open, provisioning specification developed from existing provisioning specifications which are of public knowledge, accessible, and freely distributed. [Specifically,] the work proposes to take into consideration the Active Digital Profile (ADPr), the Extensible Resource Provisioning Management (XRPM), and the Information Technology Markup Language (ITML) Provisioning specifications, along with any other relevant and timely submissions. The PSTC will produce a set of one or more Committee Specifications that will cover use cases and requirements, information model, protocol(s), bindings, and conformance; all of the aforementioned are to be examined with respect to security considerations. The goal [subject to revision] is to submit a Committee Specification to the OASIS membership for its approval by September 2002."

"An Introduction to the Provisioning Services Technical Committee." Draft 10/16/2001 or later. "The purpose of the OASIS Provisioning Services Technical Committee (PSTC) is to define an XML-based framework for exchanging user, resource, and service provisioning information. The Technical Committee will develop an end-to-end, open, provisioning specification developed from several supporting XML specifications... This document is intended to precede the formal standards definition process within the PSTC and set the stage for the initial discussions of the committee, compiling pre-existing XRPM and ADPR efforts into a single, high level outline. It is intentionally devoid of much of the detail already defined and discussed in supporting materials. It aims to provide a high level definition of provisioning within the context of the PSTC, an overview of the proposed scope, and a suggested road map for the first committee meeting... In our context, provisioning refers to the 'preparation beforehand' of IT systems' 'materials or supplies' required to carry out some defined activity. In general, it goes further than the initial 'contingency' to the onward management lifecycle of the managed items. This could include the provisioning of purely digital services like user accounts and access privileges on systems, networks and applications. It could also include the provisioning of non-digital or 'physical' resources like the requesting of office space, cell phones and credit cards..."

Representatives from twelve companies met to discuss XML provisioning in a F2F meeting on September 10, 2001 in San Jose, producing a provisional/draft working committee charter and a brainstorming document. Background materials may be found on the XRPM web site or on the XRPM main reference page.

[November 06, 2001] "OASIS Forms Provisioning Services Technical Committee to Standardize Automated Provisioning for Enterprise Resources. Access360, Business Layers, Jamcracker, Novell, Oblix, OpenNetwork Technologies, and Others Unite to Develop Provisioning Specification." - "OASIS, the XML interoperability consortium, announced that its members have formed the OASIS Provisioning Services Technical Committee to define an XML-based framework for exchanging user, resource, and service provisioning information. The new OASIS Technical Committee will collaborate to develop the Provisioning Services Markup Language (PSML), an end-to-end specification for the automation of user or system access and entitlement rights to electronic services. 'Provisioning is a key component of Web services,' noted Patrick Gannon, president and CEO of OASIS. 'Whether you're talking about provisioning accounts into a partners' extranet, an outsourced application, an Application Service Provider (ASP), or a trading exchange, ultimately all these areas are going to be offered as Web services. Without a standardized approach, provisioning will add a significant administrative burden to Web services. The OASIS Provisioning Services Technical Committee will provide a fundamental benefit to enable Web services as a practical business tool.' In keeping with the consortium's mission to promote convergence and unite disparate efforts, the OASIS Provisioning Services Technical Committee will consider contributions of related work from other groups and companies. The XRPM (eXtensible Resource Provisioning Management) Working Group, the Active Digital Profile (ADpr) Initiative and developers of the Information Technology Markup Language (ITML) all plan to submit specifications to the new OASIS technical committee."

Principal References

General: Articles, Papers, Presentations, News, Drafts

  • [November 18, 2010] "Provisioning: The Shifting Sands of a Hell-Raising Technology." Ping Talk Blog. Posted by John Fontana. "Provisioning, born of promise but raising hell ever since, is in a transition phase that hopefully accentuates the good, incorporates the new and leaves behind the bad... At the Gartner Identity and Access Management Summit in San Diego, Lori Rowland picked at nagging provisioning legacies, detailed changes brought by regulations such as Sarbanes Oxley, explained evolutions such as identity and access governance (IAG) and looked ahead to the cloud. The cloud is where provisioning, federated to cloud-based apps, should be playing a significant role in adoption, but today provisioning is a work in transition. In fact, IT's sore chapters in provisioning's history (namely connectors) are being recreated in the cloud, a development Rowland calls 'frightening': 'Stop the connector madness whenever possible; especially out to the cloud', Rowland said; 'right now cloud vendors have their own APIs and we are again building proprietary connectors.' She admitted connectors will not go away completely then outlined how provisioning has changed and what the alternatives are now. Rowland says the 'push' model, which provisions users accounts to an application, must be replaced by transaction-based authorizations that 'pull' data from systems like virtual repositories (such as those from UnboundID or Radiant Logic) and deliver it to applications... The pull model is a popular idea, however, it is not universally accepted. In the pull model, which is contextual and operates in real-time, data delivery can be accomplished using established federation protocols such as SAML, along with authorization and policy tools based on XACML from vendors such as Axiomatics, which this week inked a major deal with PayPal. Other standard pieces that might get a look include the Security Provisioning Markup Language (SPML). The standards group OASIS recently rescued the spec from death, but the group has yet to make any meaningful changes. Rowland heaped much of the blame for SPML's churn on vendors, but added that the technology is not well suited for federated provisioning..."

  • [August 24, 2010] "Provisioning Searching for Door Out of No Man's Land." By John Fontana. Ping Talk Blog. "Standards-based provisioning, which is lining up to be the next major evolution of cloud computing, is facing some significant gyrations in the near future. Major players staking major bets on the cloud want to see something get done given that SPML 2 has not garnered any takers. Cloud providers need a standard specification that speaks squarely to their particular use cases. Large enterprises need reliable, standards-based tools for deploying users in mass to cloud applications in order to preserve cost and agility benefits. Will the solution eventually be an evolution of SPML, the OASIS Provisioning Services Technical Committee is going again after a near death experience, or will something different come to pass? [...] Some of the big cloud vendors are not yet convinced that SPML can meet their requirements. One vendor told me that there is also concern that SPML comes with a lot of baggage. But there is agreement that provisioning is a sore spot for cloud providers who need an answer to customer questions about on-boarding users in an efficient and relatively painless manner. SPML 2 failed at passing the acid test on those requirements. Does a provisioning standard need to be hashed out among an independent group of motivated participants who can set a framework and then move it into a more formalized standards body for critique and refinement? That is how it worked with many of the early SOA standards that Microsoft and IBM developed. Not all survived scrutiny, but many are still around today after going through the wash at standards bodies. The notion of an independent group framing a provisioning specification is a 180-degree turn from the path SPML has taken... [Richard Sand] said he would like to simplify some of the use cases and add some higher level ones. In addition, he favors REST over SOAP. But what he needs is support for a majority of the major cloud vendors — including Microsoft, Google and Amazon. None of those companies were part of the Catalyst meeting nor are they currently part of the OASIS TC..."

  • [August 24, 2010] "A New SPML? A Provisioning Problem." By Jonathan Sander (Quest). "Mark Diodati of Gartner [...] has published the results of the SPML SIG held at #cat10. I think it captures the feeling of those present very well. At about the same time the minutes of the first meeting of the SPML PSTC for a long while were published. It seems there's a much different split there than there was at the SIG. The split is basically between folks who want to see a 'clean start' with a version 3 and those who want to see version 2 revved so it's more realistic. I'm on the latter side, and so are the folks at Quest that I've spoken to. In fact, both at Quest and at customers, everyone I've spoken to about this outside a tight circle of 'identity gurus' has agreed that SPML would best serve the larger community as a means to have systems communicate. Anything beyond that is overkill. At least for now. If all the different solutions had a standard way to do CRUD operations between one another, that would go a long way to solving many practical issues in heterogeneous IT environments... I'd like to get more involved and I'm working with Quest to see if that can happen. This is something I'd like to see done from start to end..."

  • [August 24, 2010] "Pushing Forward on Standards-based Provisioning." By Nishant Kaushik (Oracle). Blog. "Lest all the recent posts about 'pull'-based identity make you think that I have completely forgotten about good old 'push'-based identity provisioning, here is some news on that. As I have discussed here in the past, SPML has been under a cloud in recent years, with low adoption and a litany of issues being documented. At the same time, the need for a standards-based approach has never been clearer. So something needs to be done. This was the topic of discussion at a SIG on Standards-based Provisioning organized by Gartner's Mark Diodati at the recent Catalyst conference. The meeting was attended by some really smart folks in the community, and engendered a lively discussion on the future of SPML and the direction it should take.... The path to success in the standards world is based on a focused approach to solving specific use cases. No standard can be all things to all people, and with provisioning in particular, we need to recognize that there are different approaches that solve the challenge in optimal ways for their use cases (my recent assertion regarding IGF as underlying pull-based provisioning is an example). So there needs to be an effort to continue refinement of SPML 2.0, making it simpler to implement and based on specific use-cases that are of interest to the community. If you have such use-cases, please consider joining the discussion within the PSTC and submitting them there. There is much that needs to be done..."

  • [August 20, 2010] "Consensus on the Future of Standards-Based Provisioning and SPML." By Mark Diodati (Gartner Research Director). Gartner Blog Network. "I had the honor of facilitating the Standards-Based Provisioning Special Interest Group at this year's Catalyst conference. The participants believe that standards-based provisioning is at a crossroads and wish to publish the following statement. The statement is based upon our conversation; all of the participants have reviewed it. I hope that the perspectives of these industry luminaries push the industry (and especially the newly-reformed OASIS Provisioning Services Technical Committee) towards a viable provisioning standard... On Tuesday, July 27, 2010 a group met at the annual Burton Group North America Conference in San Diego to discuss the future of standardized provisioning and Service Provisioning Markup Language (SPML). The group readily achieved a consensus about two things: the need for standards-based provisioning and the qualities required for a successful provisioning standard... The participants [list] have firsthand experience with the difficulties of proprietary provisioning from the perspective of both vendor and end-user organizations. The SIG meeting was particularly timely, as OASIS is evaluating the need for an SPML v3 standard. Additionally, the SaaS market is at a critical juncture as vendors look for standards-based solutions to the provisioning problem... The second iteration of the SPML standard was approved in the spring of 2006 and included additional capabilities and operational modes. In trying to address every possible use case, interoperable provisioning services leveraging the SPML v2 standard became impractical. Since the approval, few (if any) conformant implementations exist due to the complexity of the v2 standard. Organizations wishing to use SPML must write provisioning services specifically for each vendor's SPML implementation (if the vendor supports SPML at all). The difficulty in building a single, interoperable provisioning service has made the adoption of SPML by application developers a non-starter. Without adoption by enterprise and cloud application developers, SPML will not be adopted. In conclusion, the SPML v2 standard is broken... The next iteration of SPML should focus on solving 'the connector problem' and provisioning use cases for cloud-based applications. That is, the next version of SPML should readily enable the development of simple, standards-conformant provisioning services for both enterprise and cloud applications. The participants agree that a standards-based provisioning protocol is needed... It is up to vendor and end-user organizations to move the SPML standard forward so that the industry can begin to build interoperable provisioning services..."

  • [August 16, 2010] [Draft Proposal for] SPML3 Charter. Posted to the OASIS PSTC List by Richard Sand. With comments in the thread. See similarly from June 27, 2010. Note that this is just one proposal: "I've written here my draft proposal for an SPML 3 charter. It basically hints at the shortfallings of SPML 2 and gives general guidelines from a methodology standpoint how we plan to address those shortfalls, and then gives some details on the various additions we'd like to see added to the specification to give it more relevance, solve real problems, and provide ease of deployment. This is not an official document...

    SPML 3.0 Charter: The purpose of the OASIS Provisioning Services Technical Committee (PSTC) is to define an XML-based framework for exchanging user, resource, and service provisioning event information. The Technical Committee will develop an end-to-end, open provisioning specification designed to handle cases both within an organization and federated cases, such as those encountered in B2B and service-based environments. The previous version of SPML, version 2.0, provided the basic semantics for expressing atomic provisioning operations and for batching multiple operations into single requests. SPML 3.0 will include all of this functionality, and will build upon it to provide higher level complex operations required by identity management systems for managing the full lifecycle of user identities both within the enterprise and between enterprises. It will also put forth simple yet extensible standard templates for identity schema, role models, and organizational design for easing adoption of SPML 3.0 implementations. The focus will be on providing breadth of functionality but in a simple and straightforward fashion for the majority of cases. Some of the focus areas of SPML 3.0 will be: (1) Solving more business provisioning problems, such as bidirectional account flow and synchronization, which are even more prevalent in B2B or service provider scenarios; (2) Adding higher level IDM tasks, such as: an employee moving between departments, various forgotten password reset and recovery tasks, temporary delegation of rights, other self service requests such as for additional roles or access rights; (3) Adding support for common service provider models (such as multi-tenancy, delegation, registration and identification of organizations); (4) Defining multiple standard schema that can be used and extended upon for various use cases; (5) Some examples for these standard schema could be based upon LDAP InetOrgPerson, Active Directory User, industry specific schema for education, healthcare, government, retail; (6) Defining provisioning metadata for all operations that can be used for workflow, automation, audit & compliance purposes; (7) Defining one or more flexible, extensible role model(s) to serve common role-based access control use cases; (8) Creating an extensible set of templates which can be used to accelerate implementations for the common cases, and can be easily extended or even replaced as needed. Templates would include a bit of all of the facets of SPML, e.g. standard schema, supported operations, metadata definition, role and org structure, so that these can be selected as a starting point for the whole provisioning rollout for an organization and extended from there..."

  • [August 08, 2010] "Remote Invocation Of Core IDM Component Through SPML Gateway." By Pankaj Kumar Wahane. Blog. "Problem Statement: To design and develop an Identity Management Core Component for service provisioning in a distributed environment and to invoke the Identity Management Core Component remotely through SPML. The primary aim of our project is to create an Identity Management Solution for distributed environments in IT companies where a lot of IT administration overhead is due to service provisioning requests. The core functions of Identity Management Core Components will be as follows. (1) Give users control of identity service requests and apply rigor to identity related processes with integrated identity and service management. (2) Enterprise class password and user provisioning management. (3) Access policy definition and enforcement. Once the core component is tested against functionality we will design and develop the SPML (Service Provisioning Markup Language) Gateway that can invoke the IDM Core Component remotely and for processing SPML requests for the client..."

  • [August 04, 2010] "XML-based Additions To A Virtual Directory Infrastructure." By Fernando García Vegas. Blog. "Recent events and our desire to constantly advance the 'state of the industry' have converged to bring the subject of identity-related XML-based frameworks and webservices back into our focus. This has prompted some very interesting internal discussions about the various ways they can be supported in a virtual directory environment. We've already explored one, SPML or Service Provisioning Markup Language, in some detail as a result of customer interest. In fact, we currently have an active deployment with a very large client in the energy industry that is using SPML 2.0 as a protocol within Symlabs Virtual Directory Server. While we're pleased with how quick and relatively painless it was to accomplish, plus how successfully it's operating, this is not really something we've had any significant demand to do... Even though this hasn't yet become a core requirement in the market, we've been examining the implications. It's clear that the 'de facto' standard for exchanging XML-formatted information in modern infrastructures has settled on SOAP (or some less rigorous variation), with HTTP as the transport protocol. So, because Symlabs Virtual Directory Server has built-in HTTP support, we can already handle most, if not all, of these as web services..."

  • [August 03, 2010] "Future of Identity Management Is: Now!" By Anil John. Blog. "At the Gartner/Burton Group conference I spoke in my role as the Technical Lead for DHS Science & Technology Directorate's Identity Management Testbed about how we are taking the Federal ICAM Backend Attribute Exchange Interface and Architecture Specification from Profile to Usage. The biggest buzz in the Identity Management track, where I spent most of my time, was around the 'pull' based architecture that Bob Blakley and the rest of the Burton crew have been writing and speaking about for a while as being the future of Identity Management... Potential implementation technologies proposed include virtual directories as mechanisms that can consolidate and correlate across multiple sources of attributes, standards such as LDAP(S), SAML and SPML as the plumbing standards, and External Authorization Managers ('XACMLoids') as decision engines... My presentation was about how we are working an information sharing effort between two organizations who need to collaborate and share information in the event of a natural or man-made disaster where there is no way we could pre-provision users since we won't know who those users are until they try to access systems. Our end-to-end implementation architecture really reflects pretty much everything noted in the Burton vision of the future. Relevant bits from the abstract: 'The Backend Attribute Exchange (BAE) Interface and Architecture Specifications define capabilities that provide for both the real time exchange of user attributes across federated domains using SAML and for the batch exchange of user attributes using SPML'... All of this, BTW, is taking place using existing standards such as SAML and XACML and technologies such as Virtual Directories, XML Security Gateways, Externalized Access Management solutions etc. This works now using existing technology and standards and gets us away from the often proprietary, connector-driven, provisioning-dependent architectures and moves us to something that works very well in a federated world..."

  • [July 30, 2010] "Beyond SPML: Access Provisioning in a Services World." By Nishant Kaushik (Oracle). Blog. "Burton Group Catalyst conference... On Wednesday, I gave a talk entitled 'Beyond SPML: Access Provisioning in a Services World' which built on my Gluecon talk and work with Fusion architecture to provide a vision for the future of provisioning. The central thesis is that as we move from Push to Pull models in Identity, provisioning becomes a key component in making sure that policy and process controls are still enforced. But this requires a fundamental evolution in application and middleware architecture towards services-oriented security and externalized identity. [Feedback] fit in with the theme flowing through the presentations in the provisioning section, which was focused on moving to a more streamlined, manageable, scalable provisioning future. It also echoed sentiment that provisioning is a multi-faceted problem with different interaction points and flows and will therefore require a combination of standards rather than just one standard. This was really driven home by the extremely interactive SPML SIG meeting that I participated in (organized by Mark Diodati) where there was generally agreement that SPML needs to get really focused on specific use cases rather than trying to be all things to all possibilities..."

  • [July 26, 2010] "Radiant Logic's Provisioning Focus: Support for SPML 2.0." From the announcement "Radiant Logic Announces the Release of RadiantOne Virtual Directory Server Context Edition 5.3. Expanded Identity and Context Virtualization Delivers Contextual Security Via XACML, Data Management Support Via Full SQL, and Provisioning Benefits Via SPML 2.0" — "Provisioning Focus: Support for SPML 2.0: New support for SPML 2.0 also allows Radiant Logic to extend its Identity and Context Virtualization Platform beyond LDAP and SQL clients. SPML clients can now issue provisioning requests directly to the VDS 5.3, which routes them to the appropriate sources. VDS 5.3 also simplifies existing architectures by abstracting and connecting to multiple provisioning end-points. 'The incorporation of SPML capability is excellent news for us,' said Bob White, CEO, eB2Bcom, Radiant Logic's reseller in the Asia Pacific region. 'We are working with large identity management prospects who are adopting a service oriented architecture model for which SPML functionality is important. We believe that this market is growing rapidly in our region and this adds to our offering with RadiantOne.' For SPML clients, Radiant Logic's VDS 5.3 acts as a provisioning service provider that supports both DSML and XSD formats. This enables virtualized backend sources to become provisioning targets. VDS 5.3 can hook into existing provisioning solutions, such as SailPoint, providing the benefit of workflow and business logic with the added bonus of a one-stop connection to a virtual source. 'Radiant Logic's use of the SPML 2.0 standard helps make their VDS more lightweight to deploy. That allows our next-generation provisioning customers to benefit from flexible options to address provisioning's last mile,' said Darran Rolls, Chief Technology Officer, SailPoint. Radiant Logic is providing demos of RadiantOne VDS Context Edition 5.3 at the Burton Group Catalyst Conference taking place July 26-30, 2010..."

  • [June 10, 2010] "SPML and DSML Search Filters Not So Hard." By Jeff Bohren. Blog. "One issue that has been raised in regards to SPML is search filters. SPML allows searches that optionally specify a starting point (in terms of an SPML container), a subset of data to return, and a search filter. In the DSML Profile, the search filter is naturally a DSML filter. DSML filters can be arbitrarily complex, just like the LDAP filters they model. For instance a DSML filter could be something like 'get everyone with the last name of smith'... what if your back end data store doesn't support a query mechanism? What if the data is in a flat file, or a NOSQL DB? What if the data is only accessible through an API that doesn't allow for filtering? There are several ways to solve that problem, but the easiest is to recursively walk the DSML filter and create a decision tree where each node determines if a given instance passes the part of the filter it knows. The code for this is pretty simple in .NET and I posted an example here. Note that this example is just a partial implementation of the SPML search request for the purposes of demonstrating this concept. It is not a full featured implementation of SPML..."
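The filter walk Bohren describes, written here as an added Python example rather than his .NET code: a DSMLv2 filter is compiled into a tree of predicates and run over in-memory records that stand in for a flat file. Case-insensitive matching, string ordering for greaterOrEqual/lessOrEqual, the record layout and the sample data are all assumptions of this example, not the post's.

```python
"""DSMLv2 search filter evaluated as a decision tree over in-memory records.

Added example, not Jeff Bohren's .NET code: the filter XML is walked once
and compiled into a tree of predicates, each deciding only the part of the
filter it knows, so a flat file or NoSQL store with no query language can
still answer an SPML search. Assumptions: attribute matching is
case-insensitive (LDAP caseIgnoreMatch), ordering matches compare strings,
and an unsupported filter element raises instead of matching everything.
"""
import re
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _values(record, name):
    """Attribute values of a record, lower-cased; multi-valued aware."""
    raw = record.get(name)
    if raw is None:
        return []
    raw = raw if isinstance(raw, (list, tuple)) else [raw]
    return [str(v).lower() for v in raw]


def _child_text(elem, local_name):
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").lower()
    raise ValueError("missing <%s> in <%s>" % (local_name, _local(elem.tag)))


def compile_filter(elem):
    """Turn one DSML filter node into a predicate: record -> bool."""
    kind = _local(elem.tag)
    children = list(elem)
    if kind in ("filter", "not"):
        if len(children) != 1:
            raise ValueError("<%s> needs exactly one child" % kind)
        sub = compile_filter(children[0])
        return sub if kind == "filter" else (lambda r: not sub(r))
    if kind in ("and", "or"):
        subs = [compile_filter(c) for c in children]
        combine = all if kind == "and" else any
        return lambda r: combine(p(r) for p in subs)
    name = elem.get("name")
    if name is None:
        raise ValueError("<%s> lacks a name attribute" % kind)
    if kind == "present":
        return lambda r: bool(_values(r, name))
    if kind in ("equalityMatch", "approxMatch"):
        want = _child_text(elem, "value")
        return lambda r: want in _values(r, name)
    if kind in ("greaterOrEqual", "lessOrEqual"):
        want = _child_text(elem, "value")
        if kind == "greaterOrEqual":
            return lambda r: any(v >= want for v in _values(r, name))
        return lambda r: any(v <= want for v in _values(r, name))
    if kind == "substrings":
        # initial / any* / final become one anchored regular expression.
        pattern = ""
        for c in children:
            piece = re.escape((c.text or "").lower())
            tag = _local(c.tag)
            if tag == "initial":
                pattern = "^" + piece
            elif tag == "any":
                pattern += ".*" + piece
            elif tag == "final":
                pattern += ".*" + piece + "$"
        if not pattern:
            raise ValueError("<substrings> has no initial/any/final parts")
        matcher = re.compile(pattern)
        return lambda r: any(matcher.search(v) for v in _values(r, name))
    # Fail closed: an element this walker does not understand must not
    # silently widen the result set.
    raise ValueError("unsupported filter element <%s>" % kind)


def search(filter_xml, records, key="uid"):
    """Apply a DSML filter (XML text) to records; return matching key values."""
    predicate = compile_filter(ET.fromstring(filter_xml))
    return [r[key] for r in records if predicate(r)]


# Constructed sample data standing in for a flat file of accounts.
SAMPLE_RECORDS = [
    {"uid": "jsmith", "sn": "smith", "mail": "jsmith@example.test"},
    {"uid": "asmith", "sn": "Smith", "mail": ["a@example.test", "as@example.test"],
     "accountDisabled": "TRUE"},
    {"uid": "bjones", "sn": "Jones", "mail": "bjones@example.test"},
]

# "Everyone with the last name Smith" whose account is not disabled.
SMITH_FILTER = """<filter xmlns="%s">
  <and>
    <equalityMatch name="sn"><value>Smith</value></equalityMatch>
    <not><present name="accountDisabled"/></not>
  </and>
</filter>""" % DSML_NS

if __name__ == "__main__":
    print(search(SMITH_FILTER, SAMPLE_RECORDS))  # ['jsmith']
```
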

  • [June 21, 2010] "Three Ways to Implement SPML in your Environment." By Peter Gyurko. CIO Magazine. "If you look under the cover of your user provisioning system, chances are it supports several open standards. One in particular can be very powerful if used within your enterprise implementation. I am talking about Service Provisioning Markup Language or SPML. Leveraging this open standard can help expand your provisioning system's reach into the enterprise while integrating disparate systems — custom built or commoditized... SPML is an XML-based framework, for exchanging user, resource and service provisioning information between systems or organizations. Its adoption dates back to 2003 with the emergence of v1.0 and its successor v2.0 in 2006. The goal was to provide a standard format for the exchange of identity information for the purpose of provisioning. The result was a specification calling for XML based documents within SOAP messages passed to provisioning endpoints for fulfillment. In large organizations where many disparate repositories of identity information exist, SPML is a powerful tool that can help automate user provisioning amongst those systems... Hey, my IDM system includes adapters and/or agents for different systems; why shouldn't I just use them? Well, usage of connectors based on proprietary APIs results in tight coupling of those systems as well as versions of system software. More often than not an upgrade to one of the connected systems requires some update and testing of the IDM system. By utilizing open standards, upgrades do not result in these dependencies and overhead. Three ways: (1) Access Request Front End: Many organizations already have systems that allow users to make requests. Naturally, it would make sense for those organizations to leverage these applications to create and submit requests for system access. SPML can allow these front-end systems to initiate these provisioning events. There is a readily available JAVA API that allows you to quickly build in SPML client functionality. (2) System of Record trigger for provisioning: Many organizations leverage an HR system as the system of record for Employees. Typical implementations involve using specific 'adapters' or 'agents' to communicate between the provisioning system and the HR system. As discussed earlier, this type of implementation tightly couples the two platforms and often requires a substantial effort when upgrading one or both of the products. A simple implementation could be to have the HR system submit SPML provisioning requests to the identity management system on demand. (3) Geographically Connected Provisioning Services: One of the challenges of user provisioning systems comes into play with geographically dispersed provisioning endpoints. Network latency can play havoc with a provisioning implementation when remote systems are involved. One solution could be to implement local instances of the provisioning engines and transfer provisioning requests across those provisioning endpoints..."

  • [June 07, 2010] "Fed-Prov and the Cloud: JIT Provisioning.Next." By Nishant Kaushik. Blog. Part 4 of 4 parts. "Just-In-Time Provisioning [faces] challenges in addressing enterprise needs related to cloud computing. In this post, I will propose some possible enhancements to the basic architecture that could address those challenges. Each of these solutions could be viable, though each seems to have its pros and cons that make them optimal for different situations. (1) Option 1: OpenID Attribute Exchange: Some view provisioning as being little more than an attribute exchange. So it is natural to consider OpenID Attribute Exchange, which allows the federation service to request additional attributes from the OpenID Provider during the authentication flow... Since the federation service can no longer just work off a static list of attributes that it should always query for, this adds the need for the federation service to be able to ask the provisioning service for the list of attributes it needs, in the context of the specific service being provisioned. While the SchemaRequest operation in SPML could be used here, there needs to be a way to differentiate (in a standard way) the complete schema supported for the target by the provisioning system from that subset needed to create an account... (2) Option 2: SAML Attribute Query. (3) Option 3: OAuth + ArisID (IGF)... These models obviously need to be explored and poked at in depth... there is a lot of other standards work happening (in particular in the OpenID and OAuth arenas) that could supplant these options completely..."

  • [June 03, 2010] "Fed-Prov and the Cloud: JIT Provisioning to the Rescue?" By Nishant Kaushik. Blog. Part 3 of 4 parts. "Advance Provisioning [is] problematic in the cloud world because of the integration work and pre-defined business relationships (at an IT level) it requires. A lot of the appeal in using and delivering cloud-based services is the ability to enable short-lived and limited-use business relationships, and advance provisioning is just not suited for this. So, can Just-In-Time Provisioning help here? [...] Enterprises that have tackled JIT Provisioning have been forced to build custom integrations between those two services, something that becomes a real challenge and burden. It creates vendor lock-in, and blocks the ability to upgrade or enhance the services. So what is really needed is an effort to standardize the channel between the federation service and the provisioning service. One approach would be to allow the federation service to use a SAML token as the data element within an SPML request. I know work was started (but never completed) on a SAML Profile for SPML, but as Jeff points out, the design center for that was actually Advance Provisioning, not JIT Provisioning. Another possibility would be for the provisioning service to accept SAML tokens directly, but then there would be a need to enhance SAML to introduce provisioning operations into it... How can we support discovery, data retrieval and policy enforcement while still keeping the JIT Provisioning model (relatively) simple? Well, there are a few architectural options that I would like to throw out there in the next post..."

  • [June 02, 2010] "Federated Provisioning." By Jeff Bohren. Blog. "Nishant Kaushik has a great (and funny) slide deck on federated provisioning on his blog. He discusses some distinctions between two flavors of federated provisioning, the Just-in-time (JIT) and what he terms advanced provisioning (often referred to as bulk provisioning). I would like to clarify a couple of points in his presentation, however. He talks about a possible SAML profile of SPML for JIT provisioning. There was already an effort (which I led) to define a SAML profile of SPML in Project Liberty (most of the work has already been done if anyone wants to revive it). But this was not for JIT provisioning as there is really no need for SPML when doing JIT provisioning. JIT provisioning can be done by SAML alone (or OpenID+other stuff). Rather the SAML profile of SPML was intended for advanced (bulk) provisioning. While the DSML profile could be used for advanced provisioning the Liberty TEG felt that using the SAML attribute assertions as the provisioning data structure was a better fit for advance provisioning accounts that would later be used in a SAML sign-on..."

  • [June 02, 2010] "Advance (Federated) Provisioning and the Cloud." By Nishant Kaushik. Blog. Part 2 of 4 parts. "In my last post, I laid out the case for why federated provisioning is important for the cloud. Now let's take a deeper look at Advance Provisioning and its suitability for the cloud. Advance Provisioning is pretty much the same as our classic understanding of user provisioning. It usually involves user accounts getting managed in batch mode through data file (XLS, LDIF or CSV) exchange or via connectors. I do want to point out that it is not just bulk provisioning, as Jeff Bohren suggests, since it supports ad-hoc individual account creation in response to requests for access users make in their Helpdesk, Ticketing or Provisioning system or triggered by policy events like hiring, promotions, etc [...] So, one of the possible solutions here would be to develop a way for these small cloud-based SPs to deploy a lightweight SPML-based provisioning service in front of their offerings, essentially providing an API abstraction for provisioning to these services. The SP could quickly integrate this service with their business service's underlying identity infrastructure, and their enterprise customers can quickly enable connectivity to this service in their provisioning environments..."

  • [June 01, 2010] "My GlueCon Talk on 'Federated Provisioning and the Cloud'." By Nishant Kaushik. Blog. Part 1 of 4 parts. "[GlueCon 2010 was a 2-day developer-oriented conference focusing on the technologies that make/will make the cloud go...] A lot of the talk in the new architecture of identity management is about externalizing identity from applications and services. There are going to be a ton of services in the cloud that have their own little identity silos that will need to be managed; in other words, provisioned. Also, provisioning tools are at the heart of any Enterprise's identity GRC solution. Enterprises have spent a lot of time and money defining policy and workflow based controls that provide them both security and regulatory compliance. And they don't have the ability to just throw all that out. So being able to continue to leverage those investments in their incremental move to the cloud is also important... This is where federated provisioning comes in. Because in order to leverage the cloud for these services, the user provisioning of these services has to mimic the dynamic, highly automated nature of the cloud. It has to be built on standards, be light-touch and loosely coupled, and it has to just work (at scale)... There are two kinds of federated provisioning: Advance Provisioning and Just-In-Time Provisioning..."

  • [May 18, 2010] "Thoughts on SPML 3.0." By James McGovern. Blog. "Much of the discussion around identity provisioning is centered on employees where the authoritative source of data is usually an HR system. As the conversation moves away from the employee-demographic to business partners, several additional things need to be considered. I am glad to see that SPML is not on life support and that the identity community is committed to improving the OASIS SPML specification... (1) Metadata: Currently, the SPML specification describes the operations that can occur against a given user schema but does not define either a model for any particular user nor even provides a mechanism to discover supported models. If companies wanted to expose their SPML services to their business partners, they would need to first manually define what the user model looks like and then duplicate the information within each implementation. This approach is fragile and error-prone. (2) Virtualization: There is an implied coupling between SPML operations and the underlying data store. For example, if you wanted to store a person and an organization, you would need to potentially invoke this as two separate operations. More importantly, one of the general principles of a service-oriented architecture is to avoid coupling; it would be bad form for you to describe your internal data structure externally and therefore a virtualization layer is needed. (3) Entitlements: Imagine a scenario where exposes an SPML gateway to allow its clients to support provisioning and de-provisioning activities. This raises several questions related to entitlements such as can Client A provision an account that allows access to Client B's data? We all know the contractual answer, but in terms of how this is enforced within current SPML solutions is all over the place. Since SPML only defines the operations but doesn't define a common way to even understand who is making the request nor having any understanding of the target resource, an entitlements model is left up to the discretion of the implementer and may introduce additional security risks... (4) Attestation: The requirement for an organization to provide attestation capabilities for whomever accesses their IT ecosystem is at the center of many organizational SoX controls. While enterprises can be enterprisey in their thinking and insular in their focus, shouldn't they also be thinking about how their business partners attest to access to their systems as well?... Attestation standards usually specify standards of reporting. Each business will have their own take on what needs to be audited but we need a general way to record the obligations of different parties in a federated provisioning scenario. This all should be driven by standards..."

  • [May 11, 2010] "Service Provisioning Markup Language (SPML) Special Interest Group at Catalyst." By Bob Blakley. Blog. "As you may recall, Burton Group has been closely tracking the SPML v2 standard and its adoption by the industry and the enterprise prior to its approval in early 2006. We have called the standard's viability into question via our recent blog entries... We are very pleased to have Anil and Nishant speaking at our Catalyst NA conference in San Diego this summer as part of our New Identity Architecture track. In the spirit of our conference name (and the fact that the conference is the most important identity conference on the planet, where the identerati converge for a week), we will be hosting an SPML special interest group (SIG) on July 27 (Tuesday) for a few hours in the early afternoon. Anil, Nishant, Patrick Harding (Ping Identity), Nick Nikols (Novell) and other additional industry luminaries will be participating. I will be hosting the SIG. We want to conclude the meeting with the answers to at least several questions: (1) What is wrong with SPML v2 today? (2) What should the next version or profile of SPML look like? (3) If deficiencies are corrected, will people use the next version of SPML? We're looking for a few more people to participate in the SIG, especially from the enterprise. Are you interested? If so, please send me a few sentences about your background, your experience with provisioning services, and why you would like to participate..."

  • [May 04, 2010] "SPML 3.0 in 3D." Jeff Bohren. Blog. "I am starting to hear from various identity folks that it's time to start thinking about SPML 3.0. The latest is John Fontana's post on that... While I don't think that there are any technical reasons SPML 2.0 can't be used for interoperable provisioning, the market has clearly not embraced it yet. There are some SPML enabled products out there, but not nearly enough to reach the critical mass that is needed. So would an SPML 3.0 effort succeed where SPML 2.0 has so far not succeeded? I honestly can't say, but I feel it's worth giving it a go. The industry really needs this. My employer's products need it..."

  • [May 03, 2010] "SPML 3.0. Coming Next Week to a TC Near You?" By John Fontana. "Here's a sad statement on standards-based provisioning: 'likely unachievable'. That is the conclusion from Mark Diodati, a senior analyst in the identity and privacy practice at the Burton Group, who last week published his new report on the topic. The report concludes that complexity, performance and lack of vendor support for SPML v2 is a crippler for seamless interoperability between provisioning systems and target applications. But it is not the final word. I spoke today to Richard Sand, CEO for Skyworth TTG, a global systems integrator, who said he is working to revive the OASIS SPML TC, dormant for nearly two years, and work toward an SPML 3.0 focused more on needs for the cloud. Sand said we should hear news on the new or revised TC this week or next. He is talking to a number of companies about joining in... Sand says he is looking at simplification of some of the use cases: 'I also want to put in some higher level use cases; one problem with SPML is that adoption is a low-level thing. I want to give it some higher level function so it solves more of the integration challenges'. He says he would like to spec out a REST specification and minimize the focus on SOAP: 'I think this can make adoption a bit easier and make it more appealing to existing products. I want to get ahead of the curve for use cases around cloud enablement and what products will need to support.' And Sand wants to attack the standard schema issue that was never really finished by the SPML TC: 'I want to put a stake in the ground. There can be more than one common schema. There could be one SPML recognizes out of the box so to speak. In the long term that could facilitate adoption because there would be a basic pre-fab schema that end points can translate into.' Sand has a heavy rock to push up a steep hill, but he hopes SPML has a Chapter 3. This time with some tangible results..."

  • [April 29, 2010] "OASIS or Mirage: Standards-Based Provisioning." By Mark Diodati (Research Director, Gartner's IT Professionals Research Service). Burton/Gartner Research Report Number G00203925. "In this technical case study, Identity and Privacy Strategies Senior Analyst Mark Diodati reveals the results of Burton Group's hands-on experience with Service Provisioning Markup Language (SPML) and his multiple-month discussions with vendors and user organizations about standards-based provisioning. The goal of the case study is to gain insight into the low adoption rate of SPML, the possibility of building SPML-conformant provisioning services, and the likelihood of interoperability between provisioning components that use SPML. In addition, he makes recommendations for those enterprises interested in standards-based provisioning."

  • [April 28, 2010] "Softerra Releases Open Source SPML Library for .NET." Softerra Product Announcement. Softerra announced that it has developed an open source SPML (Service Provisioning Markup Language) library that allows any interested party to enable SPML interchange between its corporate applications and management platforms. The "OASIS Service Provisioning Markup Language (SPML) Version 2" specification, ratified as an OASIS Standard in April 2006, "defines the concepts and operations of an XML-based provisioning request-and-response protocol. In the SPML model, a Requesting Authority (RA) or requestor is a software component that issues well-formed SPML requests to a Provisioning Service Provider (for example, portal applications that broker the subscription of client requests to system resources, or service subscription interfaces within an Application Service Provider). In an end-to-end integrated provisioning scenario, any component that issues an SPML request is said to be operating as a requestor. This description assumes that the requestor and its provider have established a trust relationship between them... A Provisioning Service Provider (PSP) or provider is a software component that listens for, processes, and returns the results for well-formed SPML requests from a known requestor. For example, an installation of an Identity Management system could serve as a provider..." The Softerra SPML2 Library "is written in C# for creating SPML-enabled applications using Microsoft's .NET development framework. It supports the SPML version 2.0 specification based on DSML v2 Profile. However, it is flexible enough to be extended for use with any custom capabilities and profiles," according to Eugene Pavlov, Softerra Product Manager...

  • [February 22, 2010] "SPML: Life Support Redux." By Mark Diodati (Burton). Blog. "Two weeks ago, Burton Group published a blog post on the viability of using SPML to build viable, interoperable provisioning services. Many thanks to those who have contributed to the discussion. In particular, Jeff Bohren, Anil John, Nishant Kaushik, and Jackson Shaw shared some sound insights about SPML. I have great respect for these gentlemen. If you are interested in the topic, I recommend that you read their blog posts. I'd like to comment on several topics from these blog posts... Our [Burton] position is based upon speaking to many organizations with deployed provisioning systems, as well as organizations that are considering the purchase of a provisioning product. For many customers, standards support is a 'checklist' item. For other customers, leveraging SPML to build provisioning services is a long-term goal. Provisioning RFPs which specify SPML support is expected. But very few organizations have created provisioning services based upon SPML... Quest Software is to be applauded for building one of the few commercial SPML provisioning service points. Last month, we spoke to a leader of the Quest Active Roles Server development team. The conversation focused specifically on interoperability between ARS and the different provisioning products via SPML. To accommodate the different vendor implementations, Quest must customize the ARS SPML interface for each provisioning product. The customization includes using different operations supported by each provisioning vendor. A future reference implementation for SPML v2 (that is, Core operations and optional Capabilities) would help facilitate interoperability between provisioning components..."

  • [February 21, 2010] "SPML Use Cases and Profiling Choices." By Anil John. Blog. "To be conformant to SPML v2 means that the SPML interface (Provisioning Service Provider / PSP) MUST: (1) Support the set of Core operations [a discovery operation {listTargets} on the provider; basic operations {add, lookup, modify, delete} that apply to objects on a target]; (2) Support basic operations for every schema entity that a target supports; (3) Support modal mechanisms for asynchronous operations... The clear thing to keep in mind is that each operation adds a data management burden onto the provider, so the choice of whether or not to implement them should be considered very carefully. From the perspective of deployment topologies, the PSP could be deployed separately from the Target or could very well be integrated tightly with the Target, e.g., an SPML compliant web service interface on a target system. One of the frustrating items for me when enquiring about SPML support in products has been the lack of clarity and visibility around exactly what has been implemented. All too often, vendors seem to have cherry picked a chosen set of operations (whether from the Core or from the Standard list) and used that to claim SPML support. I would be very curious to see if anyone can claim full SPML v2 compliance..."

  • [February 16, 2010] "SPML: Not Dead Yet!" Blog by Jackson Shaw. "Lots of commentary over the last few weeks on SPML. Each of these is worth reading [Mark Diodati; Ingrid Melve; Nishant Kaushik; Jeff Bohren]. Mark Diodati kicked this all off with his post on SPML. Mark makes some pretty good points in his article: 'None of the major provisioning vendors have developed an SPML v2-conformant product. Many of the vendors who have created commercial SPML connectors tell us that they must create specific SPML implementations for each of the major provisioning products. An SPML reference implementation does not exist, but would surely help.' Many of us in the industry waited around for the SPML v2 standard. It really was a V2 of the standard adding things like "modify" and "password" capabilities which actually made SPML useful. It's really unfortunate that many of the vendors haven't adopted it. I dearly want to see SPML as the enabler of loosely-coupled identity architectures. Unfortunately, software vendors usually equate loosely-coupled with 'easily replaceable' and the best way to prevent that is to either not support the standard or use custom capabilities that require a specific implementation like Mark refers to above... My experience so far with SPML has been good. Quest Software supports SPML V2 in our ActiveRoles Server product. We have a number of customers who have used Sun's Identity Manager to provision and manage Active Directory, Exchange and SharePoint via ARS and its SPML provider. When SPML works it really works and the benefit is quite clear to the customer..."

  • [February 12, 2010] "Whither SPML or wither SPML?" By Jeff Bohren. Blog. "Whither SPML or wither SPML? This is the question Mark Diodati asks in his post SPML on Life Support. Ingrid Melve and Nishant Kaushik have follow ups... The problem with SPML is still the same more than ten years after the effort was started. Right now the choice is between home grown provisioning or bringing in a provisioning vendor. In the latter case the provisioning vendors are forced to absorb the pain of integrating to all the disparate provisioning targets (a pain I know all too well). Since the provisioning vendors make it all work, the customers don't force the enterprise system vendors to add SPML interfaces... We can talk about the standards or 'pull models' all we want, but it takes two to Tango. Until the enterprise systems support a common interface of some kind, provisioning will still be as problematic as it was 10 years ago..."

  • [February 11, 2010] "Provisioning: Will SPML Emerge?" By Ingrid Melve (Federation Manager, Feide). "Some interesting thoughts on SPML were presented in the Burton Group posting SPML is on life support. Everyone involved in identity management, at least all those trying to do a good job, spends way too much time on provisioning. Some of the Too Much Time is spent on non-standard integration, because every single integration has to be hand made. Hand made integration is: expensive and consultant-intensive; not even close to scaling, since every integration is between two individual systems; error prone, since hand tailoring is by definition one shot wonders; tailored to the needs of the team specifying the integration, usually not the needs of the organization as a whole, unless there is a clear architecture... The two main alternatives to provisioning both involve exposing information from the distributed infrastructure..."

  • [February 01, 2010] "SPML Is On Life Support..." By Mark Diodati (Burton). Blog. "At Burton Group, we closely watch emerging identity standards. In particular, we pay close attention to the development and adoption of the Service Provisioning Markup Language. We have hosted two interoperability events at our Catalyst conference. We issued our first research document on SPML in early 2006 — coincident with the release of the SPML v2 standard. The publishing of our second document is imminent, and it is based upon some 'hands-on' work with the standard, as well as ongoing discussions with vendors, end-user organizations, and OASIS Provisioning Service Technical Committee members (past and present). The primary goal of SPML is provisioning without the use of proprietary connectors. The reality is that SPML is not currently viable for building useful, standards-based provisioning services because it is too complex and places too much of a performance burden on the connector... SPML may prevail if the industry simplifies the standard and supports it in commercial products. It may be too late to pull it out of the fire, though. Another alternative is a 'pull' model — LDAP-based directory services supported by virtual directories. For example, both and Google provide a pull capability via LDAP. The applications query existing enterprise directories for authentication and identity information. Many organizations express concern about exposing a directory (especially Active Directory) to cloud-based applications. Burton Group believes that virtual directories can mitigate these concerns. It is worth noting that neither vendor supports SPML. Both and Google expose a relatively simple (compared to SPML) SOAP interface for provisioning. Another path to standards-based provisioning may be SAML..."

  • [August 18, 2009] "SPML: Exploiting the New Lingua Franca of Provisioning Identity and Access Management." By Jackson Shaw. Blog. "If you have any interest in SPML here's an opportunity for education [...] Webinar Thursday, August 20 at 11:00 a.m. EDT. During this informative webcast, Randy Franklin Smith explains how Service Provisioning Markup Language (SPML) can help you easily integrate self-service portals, provisioning systems and target applications in your heterogeneous environment. You will learn where to find support for SPML in a Microsoft-centric network now and in the future, as well as see a live demonstration of SPML in action..."

  • [January 20, 2009] "The Value of SPML Gateways." By Mark Diodati. Blog. "A grateful thank you goes out to James McGovern, who steered me to Project Keychain and Jerry Waldorf's associated blog. Project Keychain is an SPML gateway which leverages Sun's open source enterprise service bus (fittingly called OpenESB). You can find Project Keychain's list of supported target platforms (including LDAP, RACF, and [online]. Recently, I was asked if there is any value to using an SPML gateway. I believe there is. A picture is worth a thousand words (a cliché to be sure, but a good one), so here are a few thousand words. This picture describes the provisioning world, pre-SPML. I think we'd all agree that the world would be a better place if provisioning systems did not require connectors or the use of a proprietary API to manage users... So, what are the benefits of the SPML gateway (as personified by Project Keychain)? One benefit is the ability to insulate the complexity of the target platform's proprietary API from the provisioning system. This insulation means that the creation of a custom provisioning connector is not required, and any changes to the target platform's API will not break the provisioning process (though it does place the burden on the SPML gateway). Another benefit is a smooth transition once the target platform natively supports SPML in future releases, because the provisioning system can speak directly to the target platform without the gateway... SPML may fix the plumbing issues with provisioning, but the user attribute schema issue remains. The provisioning system (that is, the SPML requesting authority) and target application (in the simplest architecture, this would be the combined SPML provisioning service point and provisioning service target) must use an agreed-upon set of attributes. The provisioning system must then map the SPML attribute schema to its internal schema. The provisioning system must do this for every target application, as it is likely that each target application will require a separate attribute schema..."

  • [January 07, 2009] "Let's Talk More about SPML (Service Provisioning Markup Language)." By Mark Diodati. Burton Group Blog. "Jackson Shaw and James McGovern have been blogging recently about one of my favorite topics: Service Provisioning Markup Language (SPML). I'd like to contribute to the discussion... One thing that organizations using SPML should do is to secure the service from an authentication, authorization, and encryption perspective. In most instances, because the number of SPML requestors and providers (this is terminology specific to SPML) are small, most organizations are opting to manually configure the requesting authority and the provisioning service provider with static passwords or certificate lists to establish trust between the provisioning services components. These authentication techniques don't provide authorization services in any meaningful sense. A large SPML implementation requires authorization services to determine the rights of the requesting authority to manage the specific user on the respective provisioning service target. In our opinion, the multi-tenancy (call it cloud-based if you like) use case is an example of a large SPML implementation — one must build the requisite authorization and authentication services to support the provisioning service. SPML's lack of authentication and authorization capabilities highlights the broader issues we see with the emergence of identity services. An authorization service requires authentication services in order to have any utility whatsoever. The authorization and authentication services may be consolidated (one big authorization and authentication service) or discrete (two separate services). One example of a discrete authorization service is a XACML authorization service that leverages the user's SiteMinder SMSESSION ticket for authentication... As for federation and federated provisioning, the lack of provisioning capabilities remains an operational impediment. Several years ago, a Liberty Alliance Technical Expert Group began working on a way to 'harmonize' SPML and SAML. While the services would remain separate 'pipes', the TEG was working on a way to harmonize the user attribute schema across the two services..."

  • [January 07, 2009] "Down with Federated Provisioning." By Ian Glazer. Blog. "There's been a bit of recent blogging activity about federated provisioning and SPML... there really ought not to be a concept of federated provisioning. Provisioning an application in the data center must be the same as provisioning an application in the cloud. However, in the course of the conversation between James, Jackson, and Mark, it seemed SaaS applications and in-house applications were different from a provisioning perspective. SaaS applications may be harder to provision and de-provision than non-SaaS applications, but that doesn't make them fundamentally different animals. The point was made that SaaS apps lack a standards-based provisioning interface, an SPML interface. The fact is the vast majority of applications, SaaS or not, lack a standards-based provisioning interface and this makes dealing with them very much the same... Provisioning vendors spent lots of time and money to build connectivity to traditional applications. Lots. And in doing so provided a bit of absolution for application vendors from their failing to provide a standards-based provisioning interface. Having gone through all that pain and suffering, vendors are not eager to go through it again with SaaS applications, coding connectors to each one's different web service. Customers aren't too keen on the idea either..." See also "Will the 'Real' Federated Provisioning Please Stand Up?"

  • [September 2008] spml-gateway-1c. Google Code Project. By: abashev. "What is it? The main target of this project is to provide SPML communication for 1C:Enterprise platform. The Service Provisioning Markup language (SPML) is the open standard protocol for the integration and interoperation of service provisioning requests. SPML version 1.0 is a draft OASIS standard due for ratification in Summer 2003. More detailed information you can get here. Why? Right now 1C:Enterprise is not supporting any protocols for exchanging provision information. That is why many companies can't do fully automated identity management for internal resources. As a user you can use this gateway for integrating different systems with one identity management product. As a developer you can use 1C for storing user accounts and manage them with SPML requests..." Available for download: SPML gateway for 1C version 1.0 (binaries).

  • [August 07, 2008] "Introduction to Project Keychain." By Julie Knight (Sun). Blog. "Project Keychain brings together several technologies to allow user provisioning of multiple external systems. The backbone of Project Keychain is the OASIS Service Provisioning Markup Language (SPML) Version 2 standard. Using Open ESB we have created the SPML Gateway which takes SPML requests to provision external systems. Currently we have solutions to provision LDAP, RACF and external systems. However these are just initial examples to get users started. Any system available to Open ESB can be provisioned. For example, provisioning information can be just as easily stored in an Oracle table using the Oracle Binding Component. Open ESB allows the user the flexibility to perform modifications to the provisioning messages as well as message routing. For example one SPML request can be sent to multiple systems. If modifications need to be made to the SPML message, such as converting state names to state codes, such transformations can be easily done in Open ESB. If you would like to see how the SPML Gateway works, there are Netbeans solution projects..." And see: Project Keychain. The goal of Project Keychain is to manage user access provisioning to multiple types of external applications by implementing an SPML Gateway... Solutions are simply any piece of code that can take SPML-based messages and transform them to invoke appropriate APIs on the provisioning system. Since our runtime is based on Open ESB, we can support a wide-range of "code" to do this transformation. Our standard set of solutions, released as part of TPR1, is based on Netbeans SOA Projects, although even that may change in the future. Details in Getting Started With the SPML Gateway.

  • [February 21, 2008] "Oracle Unveils New Release of Oracle Identity Manager." By Hasan Rizvi (VP Security and Identity Management, Oracle). From Sarbanes Oxley Compliance Journal. "Oracle has announced the immediate availability of a new release of Oracle Identity Manager. The latest release of Oracle Identity Manager addresses the growing concerns organizations have regarding compliance and the time it takes to complete an audit with the following new features... WS-SPML 2.0 Inbound Gateway — industry standard based interface that enables rapid integration across heterogeneous environments, helping to accelerate deployment... Oracle Identity Management was the market's fastest growing suite of Identity Management products in 2006, based on total software revenues worldwide. Oracle Identity Management's support of industry standards such as WS*, XACML, SAML and SPML helps enable customers and partners to more easily integrate applications with the framework..." (Earlier: WS-SPML Inbound Interface. From Datasheet, Oracle Identity Manager Release 9.1.0. "OIM 9.1.0 provides an SPML 2.0 Web Service inbound interface to key OIM administration functions. The service supports creation, modification, deletion and lookup of OIM users, groups and organizations. It also provides management of references (such as assignment and revocation of group memberships, group administrator and user's manager), reset of user passwords, and suspension and resumption of users...")

  • [December 05, 2007] WSDL for SPMLv2. Draft 0.01. December 5, 2007. Edited by James Hu. 13 pages. "SPMLv20 provides a specification that defines concept and operations of version 2 of service provisioning markup language. SPML is an XML-based provisioning operation protocol, and defines request-and-response message structure in a set of .XSD schema files. It provides a core operation xsd schema to define a set of core operation messages. It also provides a set of capability xsd schemas, each of which defines optional operations. Provisioning service providers must support all the operations in the core xsd schema and may support part of operations defined in optional capability xsd schemas. SPML service providers typically host SPML service requests through Web service SOAP protocol, and use WSDL to describe the supported SPML operations. The service clients can use the published WSDL along with ListTarget operation to introspect meta data for the supported service operations to construct and send request messages. The SPMLv2 specification does not include WSDL interface. In SPMLv1, a SPML/WSDL white paper document was published to demonstrate how to map operations in SPML schema to WSDL interface. This document provides a container based SPMLv2/WSDL component model and a set of SPMLv2/WSDL components that can be possibly standardized in the SPML space..." [source PDF]

  • [October 01, 2007] "Service Provisioning via SPML in SOA." By Manivannan Gopalan. From SOA World Magazine. "The Provisioning Services Technical Committee (PSTC) at OASIS defined an XML-based framework named Service Provisioning Markup Language (SPML) for exchanging user information, resource information, and service provisioning information in systems. In this article, we explore the role of SPML in managing identity and resource information in SOA environments. SPML is an XML-based request response protocol that is used to integrate and interoperate service provisioning requests. The use of SPML is to enable organizations to set up interfaces for Web Services and applications quickly and securely. This is done by letting portals, application servers, and service centers generate provisioning requests in and across organizations. If you take a typical SOA security stack, SPML satisfies a complementary requirement for authentication, authorization and fine-grained access control. SPML is used for service provisioning whereas the authentication and authorization of data is done through SAML. Fine-grained XML access control is done through XACML. Managing user identity is challenging in today's environment given the increasing diversity and complexity of systems. Identity management refers to the management of the entire lifecycle of one or more identities, from creation to destruction, and managing privileges. SPML deals with provisioning identities in enterprise ecosystems. It brings standardization in preparing system infrastructure to accomplish business activities. A typical SPML use case scenario in organizations is the situation of hiring a new employee, which involves lots of procedures that can be included in a provisioning workflow. Provisioning involves both digital as well as physical activities. A physical activity involves procuring a PC or laptop and a digital activity involves creating a user account in various applications..."

  • [September 2007] "Managing Identities Efficiently Using SPMLv2." By Manish Verma (Oracle). September 2007. Abstract: "Service Provisioning Markup Language (SPML) deals with user, resource, and service provisioning. It is an extension to the identity management solution space. When identities (mostly users) are created, they need access to the digital and physical assets of the organization in order to become productive. In addition, as soon as identities become invalid, they need to be stripped of their access to the resources and services. SPML promises to effectively, efficiently, and in a standard and structured way, address these mundane tasks. My earlier article on this topic, Manage Identities More Effectively with SPML, was based on SPMLv1. In April 2006, the Organization for the Advancement of Structured Information Standards (OASIS) released SPMLv2, which includes many changes. This vastly improved specification makes it worthwhile for user organizations to take a serious look at adopting SPMLv2 for their provisioning tasks. In this article I will take you through the SPMLv2 specification and explain the features it offers. Finally, I'll provide a small application to demonstrate how some mundane provisioning tasks can be delegated to machines..."

  • [July 18, 2007] "Service Provisioning Markup Language (SPML): Where We Are, How We Got Here, and Where We Are Going." OASIS Webinar Presentation delivered July 09, 2007. By Kent Spaulding (CTO, Tripod Technology Group) and Jeff Bohren (Software Architect, BMC Software). See also the presentation from the OASIS Events site, per the posting. As announced: "Beginning 9 July, the OASIS international open standards consortium will present six free webinars covering everything from access control to provisioning, from authentication to encryption, from biometrics to digital signatures. Each webinar will be hosted by a different OASIS Technical Committee and cover established standards including SAML, XACML, SPML, and DSS, as well as exciting new work... The OASIS Provisioning Services Technical Committee was chartered to create an industry standard web service provisioning protocol. This Webinar will give the history of SPML, starting with the effort to consolidate three vendor standards (ADPr, ITML, and XRPM) to the more recent drafting of the SPML 2.0 specification. An overview of the SPML 2.0 standard will be provided with examples of how it is used in different provisioning scenarios. Additional topics that will be covered include Federated Provisioning and Standard Provisioning Schemas. SPML is a milestone in the development of a standards-based approach for the management of user identities across heterogeneous applications. Products that leverage SPML can help organizations provide user access to resources without custom provisioning connectors..." [source PDF]

  • [June 01, 2007] SAML 2.0 Profile of SPML 2.0 Submission. Contributed to the OASIS PSTC by (contributing authors / submitting organizations): AOL, BMC Software, HP, Intel, Neustar, Sun Microsystems, and Tripod Technology Group. Posted to the PSTC Discussion List on June 04, 2007 by Jeff Bohren (BMC Software). See the Word .doc format and the ZIP archive which contains excerpts from a related mailing list discussion thread [file: spml-saml-profile.txt]. From the 'Introduction': "This document describes a submission to the OASIS Security Services Technical Committee for a new SAML 2.0 Profile of SPML 2.0 for federated provisioning. The Federated Provisioning Profile is designed to support the 'Bulk Provisioning' use case where an Identity Management Lifecycle exists between the IdP and SP. The proposed profile will use the OASIS Service Provisioning Markup Language (SPML) 2.0 standard as the provisioning protocol with elements from the SAML 2.0 Assertion schema as the provisioning data. For the purposes of this submission, the examples are given in terms of the IdP making provisioning requests to the SP. There are valid use cases for the SP to make provisioning requests to the IdP, but there are no examples of this in this submission, as they would be redundant and would add no additional insight... Object Identifiers: All objects used in SPML 2.0 must have an identifier that is unique within the namespace of the provisioning service. This is known as the Provisioning Service Object ID (PSO ID). The format of the PSO ID is profile-specific. For the SAML 2.0 Federated Provisioning Profile, the SAML 2.0 NameIdentifier element is used... Object Data: Each Provisioning Service Object (PSO) contains an identifier and data. For the SAML 2.0 Federated Provisioning Profile, the PSO Data consists of a set of SAML 2.0 Attribute elements... Schema: SPML 2.0 supports a provisioning schema (metadata) that allows for a provisioning service to publish definitions of supported object types. The schema definition language is profile-specific. As SAML 2.0 defines no such schema definition language, this proposed Federated Provisioning Profile defines one..."

  • [June 14, 2006] "Companies Demonstrate Interoperability of Service Provisioning Markup Language (SPML) 2.0 Standard." By OASIS Staff, Consortium Announcement. "OASIS announced that six international companies joined together at the Burton Catalyst 06 conference in San Francisco to demonstrate interoperability of the Service Provisioning Markup Language (SPML) version 2.0. Developed by the OASIS Provisioning Services Technical Committee, SPML is an approved OASIS Standard that lets companies manage the provisioning and allocation of identity information and system resources within and between organizations. The Catalyst demonstration scenarios involve a group of companies that outsource various services to application service providers (ASPs). Each ASP publishes a SPML interface for provisioning accounts. Each company uses a SPML client that makes provisioning requests to the ASPs as needed. The roles of company and ASP are interchangeable among all six Interop participants. Members of the OASIS Provisioning Services TC include representatives of BEA Systems, BMC Software, CA, Capgemini, Hewlett-Packard, IBM, Microsoft, Oracle, SAP, SOA Software, Sun Microsystems, and others..." [Source HTML]

  • [May 02, 2006] "Web Services Gets SPML 2.0 Boost." By Mathew Schwartz. From Enterprise Systems (May 02, 2006). "How do businesses securely tie together systems with business partners using Web Services technology or service-oriented architectures? Today, such business-to-business (B2B) efforts typically require business partners to standardize on identical identity-management software or code laborious workarounds. A new standard should help. The international standards consortium OASIS announced it has ratified Service Provisioning Markup Language (SPML) version 2.0, which should facilitate easier out-of-the-box, B2B identity-management integration. The new OASIS Standard specifies an XML framework for identity management and provisioning. An XML-based framework, SPML defines how resources should be allocated between systems and organizations. It also handles provisioning — managing user accounts and access rights — in a variety of environments, including access to systems, networks, and applications, as well as to such physical resources as mobile phones and credit cards. According to Gavenraj Sodhi, the director of product management for security information management solutions at CA Inc. (formerly Computer Associates), and a co-chair of the SPML technical committee: 'SPML can become a major component of the identity management stack... this will allow vendors to build hooks into their applications,' to create easier out-of-the-box interoperability between applications, which should better facilitate B2B Web Services integration. That's because a growing requirement in Web services rollouts, as well as in the implementation of service-oriented architectures, is sharing user information across businesses — and not just identities, but also permissions, groups, and access rights. [...] SPML 2.0 also competes with WS-Provisioning, created by IBM and Microsoft. Interestingly, SPML did adapt some WS-Provisioning functionality. 'SPML was developed alongside other key security specifications, including the Security Assertion Markup Language (SAML) and WS-Security, both of which are also OASIS Standards,' notes Patrick Gannon, the president and CEO of OASIS. 'Our security committees work together to exploit the benefits of reuse and coordination to the greatest extent possible'..."

  • [April 18, 2006] "Domain Model for Identity Management." By Gary P. Cole (Sun). Posted to the PSTC Discussion List on April 18, 2006. "Jeff Bohren asked me to provide an Entity-Relationship Diagram (ERD) for the entities we've been discussing as part of the standard schema for SPML. I'm really glad that he did, because re-thinking those entities and relationships was a good exercise. I found that I went further than before, and I'm very interested to see whether we agree (and the extent to which we can agree) on this domain model... Most of this domain model is the same as it was before, although it is perhaps clearer when properly articulated as an ERD with ordinality, cardinality, direction and so forth. Person and Account are the same; Group, Organization and Role are the same. The area that is new has to do with Role and Type-of-Account. A Role may imply any number of types of account for a host. Each type of account may confer privileges on that host..." [Source PDF and ODT]

  • [April 11, 2006] "Service Provisioning Markup Language (SPML) v2.0 Ratified as OASIS Standard. BEA Systems, BMC Software, Capgemini, CA, Hewlett-Packard, IBM, Microsoft, Oracle, RSA Security, SAP, SOA Software, Sun Microsystems, and Others Develop OASIS Standard for Exchanging User, Resource, and Service Provisioning Information." -- "The OASIS international standards consortium today announced that its members have approved the Service Provisioning Markup Language (SPML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SPML provides an XML-based framework for managing the allocation of system resources within and between organizations. Encompassing the entire life-cycle management of resources, SPML defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as non-digital or physical resources such as cell phones and credit cards. 'One of the hardest parts of provisioning is interoperability,' noted analyst, Mark Diodati of Burton Group's Identity and Privacy Strategies. 'SPML provides a standards-based approach, and version 2.0 adds important functionality that is required for robust provisioning services.' 'SPML v2.0 will further facilitate the seamless application of identity management solutions to the day-to-day challenges of provisioning and de-provisioning business services,' said Gavenraj Sodhi of CA, co-chair of the OASIS Provisioning Services Technical Committee. 'The result will be more efficient IT administration, improved security, and easier extension of services beyond organizational boundaries.' 'SPML 2.0 provides a service-oriented identity protocol that goes far beyond just enterprise provisioning while enabling customers to spend less time connecting systems and applications, and more time focusing on the technology issues and implementations most important to their business needs and services,' said Jeff Bohren, of BMC Software, co-chair of the OASIS Provisioning Services Technical Committee. The SPML v2.0 OASIS Standard offers enhanced functionality as well as a new profile that lets users and other objects be manipulated more easily. Additional features include improved password management, user suspension capabilities, and user attribute schema discovery..."

  • [April 04, 2006] "Standard Schema Input (SAP)." By Martin Raepple (SAP). File: 'SAPStandardSchema.xls'. Posted to the OASIS Provisioning Services TC document repository on April 04, 2006. Martin Raepple's note: "Please find [here] SAP's input for the standard schema. It contains two entities: Person and Organisation. The first worksheet is a list of all elements with a description, the other worksheets provide a graphical overview of the node structure." [Source .XLS file]

  • [April 04, 2006] "SIMPLEST Schema Entities and Relationships." By Gary P. Cole (Sun). Posted to the PSTC List on April 04, 2006. See an update. "[...] next revision of the SIMPLEST Profile doc would address references between entities, address the case of attribute names, and contain an updated list of attributes... The Person and Account schema entities are fundamental to Identity Management. An instance of Person normally represents a human being independent of any computer system or application. An instance of Account normally represents a person within the scope of a particular computer system or application. A person may own (i.e., be responsible for) any number of accounts. An inverse relationship also exists: an account may be owned by a person. SIMPLEST models these relationships by using attributes. An instance of Person may expose an 'ownsAccount' attribute that may have multiple values. Each value of the 'ownsAccount' attribute identifies an instance of Account for which the person is responsible... The Organization schema entity is ubiquitous in directory services (and is therefore common in identity management systems). An instance of Organization usually represents a corporate entity — that is, a structured entity that consists of more than one person. The most common structure is a hierarchy: an instance of organization may contain any number of sub-organizations. Each organization (except the topmost) is contained by exactly one organization (its 'parent'). (The topmost has no parent.) SIMPLEST represents these hierarchical relationships using the 'parentOrg' and 'childOrgs' attributes of Organization... The Group schema entity also represents an entity that consists of more than one person. (A group need not contain persons, but typically does.) Classically (as derived from Unix groups) a group cannot contain other groups, but many modern systems and applications allow this. Thus, modern groups may form a hierarchical structure. (SIMPLEST allows group nesting using the 'parentGroup' and 'childGroups' attributes of Group.) The primary difference between Group and Organization is semantic: Group structure is assumed to be orthogonal to (i.e., a dimension independent of) any organizational hierarchy. The syntactic difference between Group and Organization is that, while a person should belong to at most one organization, a person may belong to any number of groups... The Role schema entity represents something similar to a Group — a container for persons. Like Group, Roles may form a hierarchical structure. (SIMPLEST allows role nesting using the 'parentRole' and 'childRoles' attributes of Role.) Also like Group, Role membership is not exclusive: a person may have more than one role. (The 'roles' attribute of Person allows a person to refer to any number of roles..."

  • [March 06, 2006] "OASIS Service Provisioning Markup Language (SPML) v2 — Federated Provisioning." Draft Version 0.6. 2006-March-06. Edited by Jeff Bohren (BMC). With contributions by Richard Sand (Tripod Technology Group, Inc). Submitted to the Kavi Repository on 03-April-2006. "This specification defines usage of SPML v2 for federated provisioning... In some federation environments an account needs to exist prior to the SSO event (which may never occur). Examples of this include vendor services such as 401K, paycheck services, and outsourced HR apps... Bulk Provisioning of Accounts: In some federation environments an account needs to exist prior to the SSO event (which may never occur). Examples of this include vendor services such as 401K, paycheck services, and outsourced HR apps. There are cases where multiple users must be granted accounts at the same time, such as when there is a merger or acquisition. When a user is no longer entitled to an account on the SP it should be de-provisioned. This may be required for a large set of users when they are no longer entitled to an account. For example there could be a lay-off or an ending of contractual relationships between two parties... Provisioning Federated Relationships: A user may already have unrelated accounts on both the IdP and SP. A federated relationship may be established between those two accounts for future SSO... Provisioning Related Accounts: A third party may need to provision accounts to multiple service providers that should initially have a federated relationship, and that relationship may have important privacy aspects. For instance when a new hire joins a company, he may need to be provisioned with a new 401K account and a new medical insurance account. The 401K provider should not have any knowledge of the medical insurance provider and vice-versa, but a federated relationship should be established in order for a SSO session to be possible..." [See the Kavi reference page and Word /.doc source]

  • [January 06, 2005] "XML Security: Manage Identities More Effectively with SPML. The Objectives, Architecture, and Basic Concepts of Service Provisioning Markup Language." By Manish Verma (Center Head & VP Delivery, Second Foundation). From IBM developerWorks (January 05, 2005). "The past couple of years have seen an increased interest in identity management. Managing identities effectively and efficiently is a critical issue for businesses, and various standards have been proposed to handle different aspects of identity management. One such standard is Service Provisioning Markup Language (SPML), which deals with resource provisioning for these identities. It brings standardization to the mundane but error prone job of preparing IT and support infrastructure to accomplish business activity. For example, with SPML it is possible to automate the provisioning workflow that results when an organization hires a new employee. Provisioning workflow can include activities that are either digital or physical. As an example, when a new employee is hired, digital activities can include the creation of a user account in various systems and applications, while physical activities can include procurement of a new laptop for that individual. In this article the author explores the objectives and importance of the SPML standard, providing some sample programs that demonstrate how the standard helps you automate provisioning activities. The sample code uses openSPML, an open source implementation of SPML... With the ever-increasing number and complexity of systems and networks, managing digital identities is now a major challenge. Identity management refers to the management of the entire lifecycle of one or more identities, from creation to destruction, and the things that happen in between — such as managing permissions, privileges, and modifications..."

  • [January 23, 2004] "SAML Tops Federation Projects Survey." By Dave Kearns. In Network World (January 09, 2004). Ping Identity, sponsor of the SourceID Web site, recently surveyed folks who downloaded its open-source Liberty Alliance tool kit. "When asked about the priority of federation protocols, it wasn't surprising that the Liberty Alliance protocols out-polled the WS-Federation protocol (favored by IBM and Microsoft) since the respondents were specifically those who downloaded a Liberty Alliance tool kit. But even adding together those who preferred Liberty phase II with those who preferred Liberty phase I (a total of 42% of the respondents) they were still outweighed (at 49%) by those who favored Versions 1.0, 1.1 and 2.0 of the Security Assertion Markup Language (SAML). SAML is the transport mechanism for the Liberty Alliance proposals, and one of the allowed transports for WS-Federation, but it appears that a number of projects are working directly with SAML and by-passing the 'higher' layers of the two competing standards. It might be that the projects being talked about are all early stage developments, with the SAML parts being worked on now while the developers look to see which of the two competing standards will emerge with an edge -- or, perhaps, a consolidation or merger might occur with one standard being created from the two we currently have. If you think that's a likely scenario, then it would be wise to put off any development at that upper level until the parameters of the eventual standard begin to take shape. Another of the survey questions asked downloaders what additional protocols were 'of interest' to them vis-à-vis federation. The big winner there was OASIS' Extensible Access Control Markup Language (XACML), with 49%, followed by Service Provisioning Markup Language (SPML) at 29%, and eXtensible Resource Identifier (XRI) with 14%. A scattering of other protocols took 8% of the responses. XRI could be considered a competitor to Universal Description, Discovery and Integration..." See also: "Security Assertion Markup Language (SAML)."

  • [November 19, 2003] "Service Provisioning Markup Language (SPML) Ratified as OASIS Standard. Abridean, BEA Systems, BMC Software, Business Layers, Computer Associates, Entrust, Netegrity, OpenNetwork, Waveset, and Others Develop OASIS Standard for Exchanging User, Resource, and Service Provisioning Information." - "The OASIS standards consortium today announced that its members have approved the Service Provisioning Markup Language (SPML) version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. SPML provides an XML-based framework for managing the allocation of system resources within and between organizations. Encompassing the entire life-cycle management of resources, SPML defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as non-digital or physical resources such as cell phones and credit cards. 'As provisioning becomes a more widely available network service, the need for an open standard to support the integration of account and service management in identity infrastructures is clear,' says Darran Rolls of Waveset, chair of the OASIS Provisioning Services Technical Committee. 'By fostering interoperability across business units or with business partners, SPML frees companies to focus on the business rules for provisioning user accounts and not on the technology to wire everything together.' 'Enterprise architects should consider SPML real and deployable,' said Patrick Gannon, president and CEO of OASIS. 'It provides a much needed starting point for a long-term user access provisioning strategy that can be implemented today within the enterprise and will work in the future for integrating with Web services implementations. We congratulate the developers of SPML 1.0 and invite additional participation from the community on advancing SPML 2.0 to achieve full Web services compatibility.' 
Members of the OASIS Provisioning Services Technical Committee include Abridean, BEA Systems, BMC Software, Business Layers, Computer Associates, Entrust, Netegrity, OpenNetwork, Waveset, and other users and providers of identity management software. SPML relates closely to another OASIS Standard, the Security Assertion Markup Language (SAML). Together, SPML and SAML provide a standard way to create user accounts and validate users as part of an identity management infrastructure. The two offer the basis for integrating single sign-on and provisioning software for Web services..."

  • [October 07, 2003] IBM Releases Web Services Provisioning (WS-Provisioning) Specification. A draft version of Web Services Provisioning (WS-Provisioning) has been presented by IBM/Tivoli as a submission for consideration by the OASIS Provisioning Services TC. The contribution is provided as input to technical work on SPML Version 2, as Service Provisioning Markup Language (SPML) Version 1.0 is currently up for review and ballot as an OASIS Standard. The WS-Provisioning specification "describes the APIs and schemas necessary to facilitate interoperability between provisioning systems and to allow software vendors to provide provisioning facilities in a consistent way. The specification addresses many of the problems faced by provisioning vendors in their use of existing protocols, commonly based on directory concepts, and confronts the challenges involved in provisioning Web Services described using WSDL and XML Schema. WS-Provisioning defines a model for the primary entities and operations common to provisioning systems including the provisioning and de-provisioning of resources, retrieval of target data and target schema information, and provides a mechanism to describe and control the lifecycle of provisioned state." The WS-Provisioning authors envision that the technical work of the OASIS PSTC may at some point converge with the IBM specification.

  • [September 24, 2003] "CA's eTrust Admin Identity Management Solution to Support OASIS SPML. CA Demonstrates Interoperability With Emerging Web Services Standard at Recent PeopleSoft Conference." - "Computer Associates International, Inc. (CA) announced today that its eTrust Admin identity management solution will support the new OASIS Service Provisioning Markup Language (SPML) 1.0 specification, an emerging industry standard designed to streamline and automate the provisioning of systems and Web services across organizations. eTrust Admin increases user account management security while reducing administration costs. SPML is intended to provide a standards-based approach to removing user accounts across heterogeneous systems. This common administration can significantly reduce IT workloads, help ensure compliance with security policies, and provide employees with immediate access to critical resources. Changes in human resource systems can be propagated automatically to IT applications without human intervention. CA has tested eTrust Admin's SPML capabilities with PeopleSoft's leading human resources platform, and demonstrated interoperability with SPML at the recent PeopleSoft Connect 2003 Conference in Anaheim, California. 'CA's adoption of SPML enables a flexible and portable approach to leveraging HR information when managing and enforcing identity-based security policies,' said Phil Schacter, vice president and service director at Burton Group, a leading enterprise IT research and advisory services firm. 'Standards-based identity solutions, driven by authoritative HR information, improve overall security and substantially reduce the risk of exposing valuable business systems and information assets.' SPML has been approved by the OASIS Provisioning Services Technical Committee prior to submission to the consortium's membership at-large for voting as an OASIS Standard. 
As an XML-based framework, SPML allows eTrust Admin's capabilities to be extended to any enterprise system or Web service with the necessary compliant interface. 'The use of standards is essential as the number of applications and services proliferates,' said Karl Best, vice president of OASIS. 'CA's embrace of SPML is a welcome contribution to the advancement of efficient, open standards-based IT management architectures.' 'As organizations integrate business processes with their partners, they need to dynamically manage the authorization and de-authorization of access rights for users,' said Gavenraj Sodhi, CA product manager for eTrust Admin. 'By leveraging both the SPML specification and existing investments in PeopleSoft technology, eTrust Admin provides an ideal means of achieving these objectives'..."

  • [September 08, 2003] "Proposed Provisioning Technology Set to Go: IBM, Microsoft and OASIS Debate SPML." By John Fontana. From Network World. "A forthcoming XML-based standard is living a double life. It is expected to foster integration of current provisioning and identity management software now and will evolve to support Web service in the future. The proposed standard is the Service Provisioning Markup Language (SPML) 1.0, which is set for ratification on October 31 [2003] by OASIS. The 1.0 specification is designed to help network executives break the logjam that holds back interoperability among current provisioning systems. These systems let companies automatically set up and deactivate user accounts across corporate networks and applications. But critics, namely IBM and Microsoft, say SPML in its 1.0 form lacks features beyond simple addition and deletion of users... The two companies are working with OASIS to correct those shortcomings. The protocol, therefore, appears to satisfy short-term corporate needs while creating a starting point for developing a long-term solution that will work within Web services deployments..."

  • [September 04, 2003] "Proposed Provisioning Technology Set to Go." By John Fontana. In ComputerWorld (September 04, 2003). "A forthcoming XML-based standard is living a double life. It is expected to foster integration of current provisioning and identity management software now and will evolve to support Web service in the future. The proposed standard is the Service Provisioning Markup Language (SPML) 1.0, which is set for ratification October 31, 2003 by the Organization for the Advancement of Structured Information Standards (OASIS). The 1.0 specification is designed to help network executives break the logjam that holds back interoperability among current provisioning systems. These systems let companies automatically set up and deactivate user accounts across corporate networks and applications. But critics, namely IBM Corp. and Microsoft Corp., say SPML in its 1.0 form lacks features beyond simple addition and deletion of users. They say it's not flexible enough to integrate into the palette of Web services standards they are developing, known as WS-* (pronounced WS-Star), which includes WS-Security and WS-Federation. The two companies are working with OASIS to correct those shortcomings. The protocol, therefore, appears to satisfy short-term corporate needs while creating a starting point for developing a long-term solution that will work within Web services deployments. 'What this means is that SPML 1.0 will not become the be-all and end-all provisioning standard,' says Daniel Blum, an analyst with Burton Group. 'Something else will come along.' He says Microsoft and Web services standards partner IBM, which last year acquired provisioning vendor and SPML co-creator Access360, have valid points on the long-term viability of SPML... 
The interoperability SPML fosters was demonstrated in July when 10 vendors - BMC Software Inc., Business Layers Inc., Critical Path Inc., Entrust Inc., MyCroft, OpenNetwork Technologies Inc., PeopleSoft Inc., Sun Microsystems Inc., Thor Technologies Inc. and Waveset Technologies Inc. - held an interoperability test to show the addition and creation of users across their provisioning systems. 'Enterprise architects should start to consider SPML as real, deployable and valuable,' says Darran Rolls, chairman of the Provisioning Services Technical Committee (PSTC) at OASIS and director of technology for Waveset. What's also becoming real is the relationship between SPML and the Security Assertion Markup Language (SAML), an XML-based standard for exchanging user authentication and authorization data across corporate systems that OASIS ratified in October 2002. Together, SAML and SPML provide a standard way to create user accounts and then validate these users as part of an identity management infrastructure. The two are the glue for integrating Web single sign-on and provisioning software. SPML can use a SAML credential as one way to identify users to be provisioned to corporate systems..."

  • [September 02, 2003] "SPML: An Integration Framework for Enterprise Resource Provisioning as a Network Service." By Darran Rolls (Waveset Technologies). In DIM Report (September 02, 2003). "This article introduces the Secure Provisioning Markup Language (SPML), an XML standard from OASIS that addresses the interoperability issues around service provisioning... Provisioning and de-provisioning user access may sound simple. However, when one considers this in the context of complex, inter-related systems with potentially thousands of users needing full life-cycle user and account management, the process of establishing a common, well-understood framework for provisioning these rights can become very challenging... By supporting widespread deployment of applications that can issue standardized service provisioning requests, SPML minimizes the complexity of the client interface. SPML provides a simple set of core operations for add, modify, delete and search functions, and an open model for the definition and discovery of service schema (the data required to subscribe to a service). The general model for SPML enables a client to issue an SPML request describing the operation to be performed at a given service point or endpoint. The service point is then responsible for performing the necessary operations to implement the request. Once the operation is complete, the service point sends the client an SPML response detailing results or errors. SPML version 1.0 provides an operations extension model and a synchronous and asynchronous batch request/response processing model. This lets a requesting authority batch sets of provisioning actions and control the execution semantics for individual requests as well as for the batch as a whole. 
For organizations extending identity management to portal and extranet projects, SPML provides a logical and easily understood operating model to allow standardization in the service request and subscription process flow between the end-user and the back-end security service. This allows de-centralized 'business driven' initiatives to make full re-use of centralized corporate provisioning policies and help to drive consolidated management of accounts and subscriptions to help drive the increasing audit and security requirements for the extended enterprise..."

  • [July 11, 2003] Sun and Waveset Provide Identity Management Solution for PeopleSoft Using SPML. Sun Microsystems, Waveset Technologies, and PeopleSoft have announced an "expansion of the companies' strategic alliance to deliver an integrated, standards-based identity management solution for use with PeopleSoft applications. The integrated solution is expected to provide users with the ability to initiate and manage the lifecycle of workforce identity information from a single portal interface, spanning Human Resource, IT and facilities resources." Featuring automated provisioning processes based upon the Service Provisioning Markup Language (SPML), this innovative identity management solution "is designed to combine the functionality of the Liberty Alliance-enabled Sun ONE Identity Server, Sun ONE Directory Server, and Waveset Lighthouse to reduce the time it takes to establish or change access rights, privileges and profile data across multiple applications. The first iteration of the solution is designed to enable business process integration between Human Capital Management and IT security/identity management, that will help drive down costs in the on-boarding and off-boarding of employees and to increase workforce productivity."

  • [July 09, 2003] "BMC Software Enhances Provisioning Solution. Marked By Industry First, Enhancements Ease Provisioning Management Challenges." - "BMC Software, Inc., a leader in enterprise management, today announced key enhancements to its user provisioning solution, CONTROL-SA. Dedicated to promoting open standards, CONTROL-SA will offer Service Provisioning Markup Language (SPML) based provisioning. SPML is an open standard defined by the Organization for the Advancement of Structured Information Standards (OASIS) that allows supply chain partners to provision employees on each others' systems even when using different provisioning solutions. Additional enhancements to CONTROL-SA include the product's integration with Remedy, a leading provider of service management software, and a new interface that enables CONTROL-SA to leverage Lightweight Directory Access Protocol (LDAP) connectivity... This new capability makes CONTROL-SA the only provisioning solution in the marketplace that allows multiple workflows to interact with the provisioning solution thereby providing customers with provisioning options to select the best workflow to meet their requirements. CONTROL-SA enables users today to seamlessly integrate into workflow environments from other leading vendors such as Business Layers, Oblix, PeopleSoft, and Remedy. In addition to affording customers the freedom of choosing the right workflow for their environment, CONTROL-SA's open provisioning initiative enhances the usability of their provisioning solution, and provides a foundation for ensuring secure identity management. BMC Software will be demonstrating the open provisioning capabilities of CONTROL-SA at the Catalyst Conference in San Francisco on July 9, 2003. This demo will feature integration between CONTROL-SA and PeopleSoft's human resource (HR) provisioning component using the OASIS Service Provisioning Markup Language (SPML) standard. 
The SPML standard allows technologies to securely manage the identity lifecycle of a user -- including the dynamic allocation of their associated resources -- across a trusted boundary using a common language. The demonstration will also show CONTROL-SA's ability to engage with PeopleSoft's HR provisioning component while using SPML standards. These capabilities answer the need for integration and interoperability of disparate provisioning components..."

  • [June 30, 2003] "SPML Eases Information Exchange." By Darran Rolls (Waveset Technologies, Inc). In Network World (June 30, 2003). "Provisioning is the process of managing the allocation of system resources to employees, partners and contractors as part of identity management... Service Provisioning Markup Language (SPML) is an XML-based framework for exchanging user, resource and service provisioning information between organizations. The framework is expected to establish an open, standard protocol for the integration and interoperability of service provisioning requests. Developed by the OASIS Provisioning Technical Service Committee (PTSC), SPML 1.0 is slated for ratification in summer [2003]. PTSC interprets provisioning to mean the upfront preparation of IT system materials or supplies required to carry out pre-defined business activities. The committee goes beyond the initial contingency of providing resources to encompass the entire life-cycle management of these resources. This includes provisioning of digital services such as user accounts and access privileges on systems, networks and applications, as well as the provisioning of non-digital or physical resources such as cell phones and credit cards. The sole purpose of a provisioning service in a network is to execute and manage provisioning requests. A given requesting authority, or client, sends the provisioning service a set of requests via a well-formed SPML document (an XML document that conforms to the SPML standard). Based on a pre-defined service execution model, the provisioning service takes the operations specified within the SPML document and executes provisioning actions on a pre-defined set of service targets or resources. The general model for SPML is one in which clients perform protocol operations on servers. In this model, a client issues an SPML request describing the operation to be performed at a given service point or endpoint. 
The service point is then responsible for performing the necessary operations to implement the request. Once the operation is complete, the service point sends the client an SPML response detailing results or errors... As more infrastructure becomes identity-centric and companies start to build and deploy Web services, SPML will be a critical element of an end-to-end standards-based identity management strategy..."

  • [June 27, 2003] OASIS Member Companies Host SPML Identity Management Interoperability Event. OASIS has announced a first public demonstration of the Service Provisioning Markup Language Specification (SPML) Version 1.0 in an interoperability event to be held on July 9, 2003 at the Burton Catalyst Conference in San Francisco. "SPML is an XML-based framework for exchanging and administering user access rights and resource information across heterogeneous environments. Ten members of the OASIS standards consortium will come together at Catalyst to prove the stability of the new specification and demonstrate interoperability between SPML-conformant security software products. SPML lets organizations automate, centralize, and manage the process of provisioning user access to internal and external corporate systems and data. SPML has been designed to work with the World Wide Web Consortium's SOAP, the OASIS Standard SAML, the OASIS WS-Security specification, and other open standards that allow companies to securely leverage Web services. The SPML specification is currently in a public review period which occurs prior to being submitted to the OASIS membership at-large for consideration as an OASIS Standard. SPML is one of several security standards being developed at OASIS. Other standards and specifications include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data, and SAML for exchanging authentication and authorization information."

  • [June 16, 2003] "OASIS Provisioning Services Technical Committee SPML V1.0 Interoperability Event." Technical and Operations Plan. Edited by Darran Rolls (Waveset Technologies) for the OASIS PSTC. Committee Working Draft. 06-June-2003. 20 pages. "This document describes the message exchanges to be tested during the Burton Catalyst interoperability event in San Francisco, July 9-11, 2003. This interoperability test is designed to show the interoperation of service subscription and provisioning based on the draft SPML V1.0 specification. This interop event is based around a defined scenario intended to test the interoperability of different implementations performing a common set of SPML operations, to test the soundness of the specification and clarify the mutual understanding of its meaning and application in a given business scenario. Note the scenario and context of this interop is not intended to represent a definitive implementation of the SPML V1.0 specification... The interop scenario is based on interactive attendee participation. Interop Users (IUs) will be directed through a defined scenario, in which they input 'New Hire' user data into a PeopleSoft HRMS system. This action will cause a set of SPML protocol exchanges to create service subscriptions at each vendor station participating at the interop. The business scenario is based around a fictional company SPML Contractors Inc. When a new employee starts at SPML Contractors, an SPML enabled system is used to manage account subscriptions with a defined set of SPML Contractors' customers. New employees are added to the SPML Contractors PeopleSoft HRMS using the standard PeopleSoft web based interface. The creation of records within HRMS is used to trigger SPML service subscription requests to be sent to each PV at the interop. In this scenario PeopleSoft HRMS will be acting in the role of SPML Contractors Inc. and will be functioning as an SPML Requesting Authority (RA). 
Mycroft will be providing an integration 'SPML multiplexer' module that takes the SPML request from PeopleSoft and creates individual SPML service requests for each of the PVs. Each of the PVs will be modeled as SPML Contractors Inc customers and will receive, process and respond to their own service requests in accordance with their own systems models and PSP/PST implementations... The SPML Contractors Inc PeopleSoft HRMS installation will be running a centralized server, accessible and available to all of the PVs. By employing the PeopleSoft HRMS web based user access model, new SPML Contractors Inc employees will be able to be added from any of the workstations at the interop event room. This will prevent a bottleneck from forming at the PeopleSoft workstation and allow an IU to approach the scenario from any PV, thus making more staff available to help IUs with questions and generally spread the traffic more evenly across the event..."

  • [April 14, 2003] "Business Layers and Netegrity Partner on Industry's First Demonstration of SPML at RSA Conference. Vendors Present First XML Specification to Leverage Web Services for Secure Federated Resource Allocation." - "Business Layers, the eProvisioning Company and Netegrity, Inc., a leading provider of identity and access management solutions, will today demonstrate the industry's first XML-based solution for identity management at the RSA User Conference in San Francisco, Calif. As a pioneer of industry standards, Business Layers is responsible for submitting the original provisioning specification to the Organization for the Advancement of Structured Information (OASIS). Business Layers and Netegrity are committed to driving the development of SPML to provide the enterprise with the first XML specification designed to leverage the reuse of Web services to achieve secure, federated user resource allocation to maximize existing IT resources, reduce administrative costs and enhance security. Business Layers and Netegrity will demonstrate the industry's first identity management solution using the current SPML specification, with Simple Object Access Protocol (SOAP) and Security Assertions Markup Language (SAML), which will allow companies to securely leverage Web services to automate, centralize and manage the process of provisioning user access to internal and external corporate systems and data. Led by Business Layers' Gavenraj Sodhi and Netegrity's Amit Jasuja, the presentation will illustrate how SPML allows for businesses, via a common language, to more securely manage the identity lifecycle of a user including the dynamic allocation of their associated resources, across a trusted boundary. 
'One of the biggest obstacles impeding the rapid adoption of Web services technologies is the enterprise's concern about the security holes that exist when sharing sensitive information in an open IT environment,' said Pete Lindstrom, Research Director of Spire Security. 'Business Layers and Netegrity are addressing this issue head-on with an interoperable SPML/SAML environment, offering users an open standard in which businesses can leverage Web services to achieve secure, federated resource provisioning with their trusted business partners.' Today's SPML demonstration will address the challenges associated with complex resource provisioning for inter-organizational business transactions. As businesses move towards service-oriented architectures, internal and external users require secure access to applications and corporate systems that often contain sensitive data. To illustrate SPML in this setting, Netegrity and Business Layers will provide real-world examples of Web services-enabled identity management and provisioning scenarios. For example, a large manufacturing company may work with several suppliers and business partners to provide a complete set of product lines. To help ensure that its supply chain is managed most effectively, the manufacturer must grant each set of users -employees, customers and partners- the appropriate access to information and applications. Using SPML, the manufacturer is able to automatically register, authenticate, and accommodate the provisioned information requests in a secure environment to protect each of these business relationships. This standards-based offering utilizes the SPML specification in conjunction with Web services technologies to create a secure, dynamic workflow..."

  • [February 11, 2003] "Netegrity and Business Layers to Demonstrate Support for Service Provisioning Markup Language (SPML). Vendors Are First to Exhibit XML Based Solution for Identity Management." - "Netegrity, Inc., a leading provider of identity and access management solutions, and Business Layers, the eProvisioning Company, today announced the development of the first identity management solution to support the Service Provisioning Markup Language (SPML) standard. SPML provides companies with a standard way to automate, centralize, and manage the process of provisioning user access to corporate systems and data in order to maximize existing IT resources, reduce administrative costs, and enhance security. The OASIS Provisioning Services Technical Committee is meeting today to finalize the SPML specification. 'Creating a standard way in which to communicate user provisioning information between enterprises will greatly improve corporate efficiency, contribute to cost reduction and increase productivity,' said Roberta Witty, Research Director of Gartner, Inc. 'The adoption of open standards such as SPML provides market assurance that customers do not need to be dependent on their user provisioning solution vendor for proprietary customization which only adds to the cost of the user provisioning implementation.' The challenge of resource provisioning only becomes more complex as companies reach beyond organizational boundaries to conduct business. The move towards service-oriented architectures adds yet another layer of complexity as not only users, but also pieces of applications require access to corporate systems. For example, a large auto manufacturer may have multiple warehouses across the country, some of which are owned by the auto manufacturer and others owned by partners. In order to provide the appropriate parts to the manufacturing plant at the appropriate time, employees at the warehouse must have access to various applications. 
In order to provision these users to the appropriate applications in a cost effective and timely manner, the company could deploy a provisioning Web service that supports SPML. Using standards based solutions from Netegrity and Business Layers, the auto manufacturer could seamlessly authenticate and authorize the issuer of the provisioning request and perform the appropriate provisioning tasks..."

  • See: "Information Technology Markup Language (ITML)" - Main reference page.

  • See: "XRPM Working Group for Extensible Resource Provisioning Management (XRPM)" - Main reference page.

  • See: "Active Digital Profile (ADPr)" - Main reference page.

  • See: "Extensible Provisioning Protocol (EPP)" - Main reference page.

  • Background documents from the XRPM Working Group:

    • Brainstorming Document. From PSTC F2F (9/10/2001)
    • "Peer-to-Peer Provisioning: Problem Statement" "Provisioning systems are currently designed with a master-slave relationship between themselves and the resources that they provision. Traditionally, the only true peer-to-peer relationship between the provisioning system and another system is with the provisioning systems relationship with an identity management (human resources) system. In this relationship, the identity management system will notify the provisioning system of identity changes, which may then trigger provisioning actions to take place against its managed resources."
    • Draft of Preliminary [PSTC] Charter, [cache]
    • XRPM Working Document. By Jeff Bohren, Tony Gullotta, Gavenraj Sodhi, and John Aisien. August 2, 2001. Supplies an initial set of use cases for XRPM. "This document describes the requirements and use cases for eXtensible Resource Provisioning Management (XRPM). It provides an initial set of use cases for the eXtensible Resource Provisioning Management, XRPM, Working Group. XRPM's objective is to provide an XML standard for the open interoperability between provisioning systems and resources in order for access rights to be provisioned... This section contains a set of primary use cases for XRPM. Each use case consists of a description, actors involved, pre-conditions, steps involved, post-conditions, and finally, many use cases contain a diagram depicting the actions occurring. We have attempted to address a good majority of use cases that would cover the workings of the group and it is understood that there are other use cases which XRPM may have not yet addressed (e.g., Modify, Suspend, Restore), which may be added to future use case list as stated in this draft." [cache]
    • "Resource Provisioning, Interoperability, and XML." Invitational Industry Discussion. By Phil Schacter (Director, Network Strategy Service, The Burton Group). September 10, 2001. See the original .PPT file.
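The request/response model described in the two Darran Rolls entries above (June 30, 2003 and September 02, 2003): a requesting authority sends a well-formed SPML request, and the provider checks it and answers with a response carrying results or errors. The following Python is an added example, not code from the Cover Pages entries, from Rolls's articles, or from the openSPML toolkit mentioned in the developerWorks entry. It builds an SPML 1.0 addRequest on the requestor side and runs it through a toy provider that refuses to touch its target until it has established that the caller is a known requestor and that the request is well-formed and uses an identifier type it supports. The namespace URN and the result, error and identifier-type URNs are those of the SPML 1.0 core schema as recalled here; the requestor names, identifier values and in-memory target are constructed for the example, and all of these should be treated as assumptions to verify against the published XSD. Transport (the SOAP binding) and caller authentication are out of scope and are represented by a caller-supplied requestor id.

```python
"""Added example: minimal SPML 1.0 addRequest/addResponse exchange.

Not the page's or openSPML's code. URNs follow the SPML 1.0 core schema as
recalled by the editor (assumption); names and data below are constructed.
"""
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:1:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)

RESULT_SUCCESS = SPML + "#success"
RESULT_FAILURE = SPML + "#failure"
ERR_MALFORMED = SPML + "#malformedRequest"
ERR_UNSUPPORTED_OP = SPML + "#unsupportedOperation"
ERR_UNSUPPORTED_ID = SPML + "#unsupportedIdentifierType"
ERR_CUSTOM = SPML + "#customError"
ID_EMAIL = SPML + "#EMailAddress"


def tag(ns, local):
    return "{%s}%s" % (ns, local)


def build_add_request(request_id, email, attrs):
    """Requesting Authority (RA) side: one addRequest for an account keyed by e-mail."""
    req = ET.Element(tag(SPML, "addRequest"), requestID=request_id)
    ident = ET.SubElement(req, tag(SPML, "identifier"), type=ID_EMAIL)
    ET.SubElement(ident, tag(SPML, "id")).text = email
    attrs_el = ET.SubElement(req, tag(SPML, "attributes"))
    for name, value in attrs.items():
        attr = ET.SubElement(attrs_el, tag(DSML, "attr"), name=name)
        ET.SubElement(attr, tag(DSML, "value")).text = value
    return ET.tostring(req, encoding="unicode")


def parse_response(xml_text):
    """Pull result, errorCode and error text out of an SPML response."""
    resp = ET.fromstring(xml_text)
    msg = resp.find(tag(SPML, "errorMessage"))
    return {
        "requestID": resp.get("requestID"),
        "result": resp.get("result"),
        "errorCode": resp.get("errorCode"),
        "errorMessage": None if msg is None else msg.text,
    }


class Provider:
    """Provisioning Service Provider (PSP) with one in-memory target (the PST).

    `known_requestors` stands in for what the transport layer established
    about the caller (WS-Security / a SAML assertion on the SOAP binding);
    that check runs before the XML body is trusted for anything.
    """

    def __init__(self, known_requestors):
        self.known = set(known_requestors)
        self.accounts = {}  # identifier -> {attribute name: [values]}

    def _response(self, request_id, result, error=None, message=None):
        resp = ET.Element(tag(SPML, "addResponse"), result=result)
        if request_id is not None:
            resp.set("requestID", request_id)
        if error is not None:
            resp.set("errorCode", error)
        if message is not None:
            ET.SubElement(resp, tag(SPML, "errorMessage")).text = message
        return ET.tostring(resp, encoding="unicode")

    def handle(self, requestor, xml_text):
        """Validate first; only a valid request from a known requestor changes the target."""
        if requestor not in self.known:
            # SPML 1.0 has no dedicated authorisation error code; customError is
            # the provider-specific escape hatch (assumption, see lead-in).
            return self._response(None, RESULT_FAILURE, ERR_CUSTOM,
                                  "requestor not known to this provider")
        try:
            # Attacker-reachable input: production code should parse with
            # defusedxml rather than the stdlib parser used here for brevity.
            req = ET.fromstring(xml_text)
        except ET.ParseError:
            return self._response(None, RESULT_FAILURE, ERR_MALFORMED,
                                  "request is not well-formed XML")
        request_id = req.get("requestID")
        if req.tag != tag(SPML, "addRequest"):
            return self._response(request_id, RESULT_FAILURE, ERR_UNSUPPORTED_OP,
                                  "this provider only implements addRequest")
        ident = req.find(tag(SPML, "identifier"))
        id_el = None if ident is None else ident.find(tag(SPML, "id"))
        if ident is None or id_el is None or not (id_el.text or "").strip():
            return self._response(request_id, RESULT_FAILURE, ERR_MALFORMED,
                                  "addRequest needs an identifier with an id")
        if ident.get("type") != ID_EMAIL:
            return self._response(request_id, RESULT_FAILURE, ERR_UNSUPPORTED_ID,
                                  "only EMailAddress identifiers are accepted")
        key = id_el.text.strip().lower()
        if key in self.accounts:
            return self._response(request_id, RESULT_FAILURE, ERR_CUSTOM,
                                  "an object with that identifier already exists")
        # Collect DSMLv2 attributes and create the object on the target.
        attrs = {a.get("name"): [v.text for v in a.findall(tag(DSML, "value"))]
                 for a in req.iter(tag(DSML, "attr")) if a.get("name")}
        self.accounts[key] = attrs
        return self._response(request_id, RESULT_SUCCESS)
```

The order of the checks is the point: the requestor is rejected before the body is parsed, a parse failure is answered without a requestID (none could be read), and every later failure echoes the requestID so the requesting authority can correlate it with its batch. A real provider would add the schema, modify, delete and search operations, wire the batch and asynchronous execution modes, and hand the parsing to a hardened XML library.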

Robin Cover, Editor: