Web Services Gets SPML 2.0 Boost

New standard specifies XML framework for identity management and provisioning

How do businesses securely tie together systems with business partners using Web Services technology or service-oriented architectures?

Today, such business-to-business (B2B) efforts typically require business partners to standardize on identical identity-management software or code laborious workarounds.

A new standard should help. The international standards consortium OASIS announced it has ratified Service Provisioning Markup Language (SPML) version 2.0 (making it an official OASIS standard), which should facilitate easier out-of-the-box, B2B identity-management integration.

SPML is an XML-based framework for exchanging provisioning requests and responses between the system that asks for a resource and the system that owns it, whether the two sit inside one organization or at different business partners. Provisioning here means managing user accounts and access rights in a variety of environments, including access to systems, networks, and applications, as well as to such physical resources as mobile phones and credit cards.
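To make the framework concrete, the following added example (written for this page, not code from OASIS, CA, or the article) shows what an SPML 2.0 core exchange looks like: a client builds an addRequest to create one provisioning service object (PSO) on a target, then parses the provider's addResponse, checking that the reply is really an SPML addResponse and that it is correlated to the request it sent. The element and attribute names (addRequest, addResponse, executionMode, pso, psoID, status, error) follow the SPML 2.0 core schema; the target ID "hr-directory", the container, the Person element and its attributes, and the sample responses are constructed for illustration and are assumptions, not taken from the article.

```python
# Added example (not from the article or OASIS): one SPML 2.0 core exchange.
# Core element/attribute names follow the SPML 2.0 schema; the target
# "hr-directory", its Person schema and the sample responses are hypothetical.
import uuid
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
TARGET_NS = "urn:example:schema:hr-directory"   # assumed target-specific schema
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("hr", TARGET_NS)


def _q(tag):
    """Clark-notation name for an SPML core element."""
    return "{%s}%s" % (SPML_NS, tag)


def build_add_request(target_id, container_id, attrs, execution_mode="synchronous"):
    """Build an addRequest that creates one PSO under container_id on target_id.

    Returns (request_id, xml_text); the caller keeps request_id to correlate
    the provider's response with this request.
    """
    request_id = str(uuid.uuid4())
    req = ET.Element(_q("addRequest"), {
        "requestID": request_id,
        "executionMode": execution_mode,   # "synchronous" or "asynchronous"
        "targetID": target_id,
    })
    ET.SubElement(req, _q("containerID"), {"ID": container_id})
    data = ET.SubElement(req, _q("data"))
    # The payload inside <data> is in the target's own schema, not SPML's.
    ET.SubElement(data, "{%s}Person" % TARGET_NS, attrs)
    return request_id, ET.tostring(req, encoding="unicode")


def parse_add_response(xml_text, expected_request_id):
    """Parse an addResponse; return its status, error code and the new psoID.

    Raises ValueError for anything that is not a well-formed SPML addResponse
    correlated to the request we sent (wrong root, namespace or requestID).
    """
    # NB: xml.etree does not defend against entity-expansion attacks; parse
    # untrusted provisioning traffic with defusedxml in production.
    root = ET.fromstring(xml_text)
    if root.tag != _q("addResponse"):
        raise ValueError("unexpected root element %r" % root.tag)
    if root.get("requestID") != expected_request_id:
        raise ValueError("response requestID does not match the request")
    result = {"status": root.get("status"), "error": root.get("error"),
              "pso_id": None, "target_id": None}
    if result["status"] == "success":
        pso_id = root.find("./%s/%s" % (_q("pso"), _q("psoID")))
        if pso_id is None:
            raise ValueError("success response without a psoID")
        result["pso_id"] = pso_id.get("ID")
        result["target_id"] = pso_id.get("targetID")
    elif result["status"] not in ("failure", "pending"):
        raise ValueError("unknown status %r" % result["status"])
    return result


# Constructed sample responses, shaped as a provisioning service provider
# would return them; {rid} is filled with the request's requestID.
SAMPLE_SUCCESS = """<spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0"
    requestID="{rid}" status="success">
  <spml:pso>
    <spml:psoID ID="uid=jdoe,ou=Engineering,o=example" targetID="hr-directory"/>
    <spml:data>
      <hr:Person xmlns:hr="urn:example:schema:hr-directory" cn="jdoe" lastName="Doe"/>
    </spml:data>
  </spml:pso>
</spml:addResponse>"""

SAMPLE_FAILURE = """<spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0"
    requestID="{rid}" status="failure" error="malformedRequest">
  <spml:errorMessage>containerID does not exist on target</spml:errorMessage>
</spml:addResponse>"""


def demo():
    """Run the exchange against both constructed responses."""
    rid, _xml = build_add_request("hr-directory", "ou=Engineering,o=example",
                                  {"cn": "jdoe", "lastName": "Doe"})
    ok = parse_add_response(SAMPLE_SUCCESS.format(rid=rid), rid)
    failed = parse_add_response(SAMPLE_FAILURE.format(rid=rid), rid)
    return ok, failed


if __name__ == "__main__":
    print(demo())
```

The requestID check matters in a B2B setting: a provider that answers over a shared channel can return responses for several outstanding requests, and an unchecked reply could be taken as confirmation that an account was created when it was not. A "pending" status means the provider accepted an asynchronous request and the client must poll for the outcome before treating the account as provisioned.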

Moving Past “Barebones” 1.0 Spec

What’s changed in the updated standard? “SPML version 1.0 was really a barebones spec,” says Gavenraj Sodhi, the director of product management for security information management solutions at CA Inc. (formerly Computer Associates), and a co-chair of the SPML technical committee. “It was really, we can only accomplish so much in SPML version 1.0,” which made it “a vision of where do you want to go?”

With version 2.0, however, SPML can become “a major component of the identity management stack,” he says. In essence, “this will allow vendors to build hooks into their applications,” to create easier out-of-the-box interoperability between applications, which should better facilitate B2B Web Services integration.

That’s because a growing requirement in Web services rollouts, as well as in the implementation of service-oriented architectures, is sharing user information across businesses—and not just identities, but also permissions, groups, and access rights. Yet provisioning in a large, distributed environment can be difficult, since each identity management product typically handles things its own way. Indeed, “one of the hardest parts of provisioning is interoperability,” notes Burton Group analyst Mark Diodati.

Provisioning Competition

Of course, whether SPML 2.0 will be used remains to be seen. “Now the question is, the question has always been, adoption rates,” says Sodhi. Even so, a number of high-profile companies participated in developing the standard, including BEA Systems, BMC Software, CA, Hewlett-Packard, IBM, Microsoft, Oracle, RSA Security, and Sun Microsystems, which should give it a fighting chance.

SPML 2.0 also competes with WS-Provisioning, created by IBM and Microsoft. Interestingly, SPML 2.0 did incorporate some WS-Provisioning functionality. “SPML was developed alongside other key security specifications, including the Security Assertion Markup Language (SAML) and WS-Security, both of which are also OASIS Standards,” notes Patrick Gannon, the president and CEO of OASIS. “Our security committees work together to exploit the benefits of reuse and coordination to the greatest extent possible.”

Why not just use WS-Provisioning? Sodhi says it’s a question of which camp you’re in. “WS-Provisioning was designed by IBM and Microsoft to be really specific to their solutions, as part of the whole WS stack. There wasn’t a clear vision between their specs, and the Liberty specs and the SAML specs. So we as a group had to pick our war: which group do we want to go with, and eventually we’ll see some convergence.”

As he suggests, at some future point, most identity management and provisioning applications may interoperate, but we’re not there yet.

Products that take advantage of the SPML 2.0 specification will hit the market in 12-18 months, predicts Sodhi. Not coincidentally, that should be about when users actually need the functionality it enables. “We just have customers rolling out SPML version 1.0,” he says, and while “they’re starting to ask about” SPML 2.0, there’s been no push for it yet.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
