SOA Feature - Service Provisioning via SPML in SOA

Simplifying identity and resource management for distributed services

Mass Federated Identity
Federated Identity is the practice of trusting an authentication performed in one system across several autonomous systems. Identity data held in separate identity management systems is linked through a shared identifier, or a mapping between each system's local identifiers, which acts as the common identity. In a Federated Identity system the participating service providers establish agreements, typically expressed as policy, that govern what each will trust and share.

Mass Federated Identity describes the technologies and use cases that make identity information portable across autonomous domains. A typical Mass Federated Identity use case is cross-domain user provisioning.

Suppose there are three different systems, System A, System B, and System C, as represented in Figure 2. Each of the three is a service provider. Because together they form a virtual identity domain, a user authenticated by one service provider is accepted as authenticated by all of them.

The federation of isolated identifier domains gives the client the impression that there is a single identifier domain. The user may still hold a separate identity with each service provider, but he does not need to know or possess all of them: a single identifier and credential is sufficient to access every service in the federated domain. The local accounts behind that single identifier still have to be created and kept in step, and an SPML-based approach streamlines that basic task of user identity provisioning in such federations.

Partner Credential Provisioning
Partner credential provisioning involves sharing identity information among business partners. Take the auto industry as an example domain: geographically dispersed dealers sell the cars and trucks a manufacturer builds, and each dealer typically runs its own credential verification mechanism.

Now suppose there are two dealers, Dealer 1 and Dealer 2, as represented in Figure 3. Dealer 1 has a system to create, delete, and update user information; Dealer 2 has a different user identity system. The data in both systems is confidential and access to it is restricted. Using SPML, a user provisioned in one dealer's system can be reflected in the other's, so the two systems stay in step. But Dealer 1 may hold data it does not want Dealer 2 to see, and Dealer 2 likewise holds data it must protect, so a provisioning request should carry only the attributes the receiving partner is entitled to. To govern that, both dealers can use Security Assertion Markup Language (SAML) alongside SPML.

SAML carries the authentication and authorization decision assertions; SPML carries the requests that create, modify, and delete the identity records those assertions refer to. Using SAML, each dealer can convey the policy decisions that grant its partner specific access rights, while enforcement of those decisions stays with the system that receives and acts on the provisioning request.
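To make the federation and dealer scenarios above concrete, here is an added example, not code from the article, of a single SPML 2.0 add round trip using the DSML profile. A requesting authority builds an spml:addRequest for a new user, strips the attributes it is not willing to release to a given partner target, and a toy in-memory provisioning service provider answers with an spml:addResponse. The target names, the release policy, the attribute names, and the provisioned user are all constructed for the example. Transport (SOAP), and the authentication and authorization of the request itself, which the text assigns to SAML, are deliberately left out.

```python
"""SPML 2.0 (DSML profile) addRequest/addResponse round trip.

Added example, not code from the article. The namespaces and the element
and attribute names follow the OASIS SPML 2.0 core schema and its DSML
profile; everything else (targets, release policy, user data) is made up.
"""
import uuid
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return f"{{{ns}}}{tag}"


# Constructed release policy: which attributes each partner target may receive.
# Dealer 1's creditLimit is confidential and is never sent to Dealer 2.
RELEASE_POLICY = {
    "dealer1-ldap": {"uid", "cn", "mail", "creditLimit"},
    "dealer2-ldap": {"uid", "cn", "mail"},
}


def build_add_request(target_id, container_id, attrs, request_id=None):
    """Return an spml:addRequest carrying only the attributes the release
    policy allows for target_id."""
    allowed = RELEASE_POLICY[target_id]
    req = ET.Element(q(SPML, "addRequest"), {
        "requestID": request_id or str(uuid.uuid4()),
        "executionMode": "synchronous",
        "targetID": target_id,
    })
    ET.SubElement(req, q(SPML, "containerID"), {"ID": container_id})
    data = ET.SubElement(req, q(SPML, "data"))
    for name, value in sorted(attrs.items()):
        if name not in allowed:
            continue  # filtered out by the release policy for this partner
        attr = ET.SubElement(data, q(DSML, "attr"), {"name": name})
        ET.SubElement(attr, q(DSML, "value")).text = value
    return req


class InMemoryPSP:
    """Toy Provisioning Service Provider: one dict of PSOs per target."""

    def __init__(self, target_ids):
        self.targets = {t: {} for t in target_ids}

    def handle(self, request_xml):
        """Parse one SPML request (bytes) and return the response element."""
        req = ET.fromstring(request_xml)
        if req.tag != q(SPML, "addRequest"):
            return self._response(req, "failure", "unsupportedOperation")
        target = req.get("targetID")
        if target not in self.targets:
            return self._response(req, "failure", "noSuchIdentifier")
        data = req.find(q(SPML, "data"))
        container = req.find(q(SPML, "containerID"))
        if data is None or container is None:
            return self._response(req, "failure", "malformedRequest")
        attrs = {a.get("name"): a.find(q(DSML, "value")).text
                 for a in data.iter(q(DSML, "attr"))}
        if "uid" not in attrs:
            return self._response(req, "failure", "malformedRequest")
        pso_id = f"uid={attrs['uid']},{container.get('ID')}"
        if pso_id in self.targets[target]:
            return self._response(req, "failure", "alreadyExists")
        self.targets[target][pso_id] = attrs
        resp = self._response(req, "success")
        pso = ET.SubElement(resp, q(SPML, "pso"))
        ET.SubElement(pso, q(SPML, "psoID"), {"ID": pso_id, "targetID": target})
        return resp

    @staticmethod
    def _response(req, status, error=None):
        attrib = {"requestID": req.get("requestID"), "status": status}
        if error:
            attrib["error"] = error  # SPML 2.0 ErrorCode value
        return ET.Element(q(SPML, "addResponse"), attrib)


def provision_everywhere(psp, attrs, container_id="ou=Sales,o=Example"):
    """Provision one user into every target; return {target: (status, psoID or error)}."""
    results = {}
    for target in psp.targets:
        req = build_add_request(target, container_id, attrs)
        resp = psp.handle(ET.tostring(req))
        pso = resp.find(f"{q(SPML, 'pso')}/{q(SPML, 'psoID')}")
        detail = pso.get("ID") if pso is not None else resp.get("error")
        results[target] = (resp.get("status"), detail)
    return results


if __name__ == "__main__":
    psp = InMemoryPSP(RELEASE_POLICY)
    user = {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com",
            "creditLimit": "25000"}
    print(provision_everywhere(psp, user))
    print(psp.targets["dealer2-ldap"])  # no creditLimit reaches Dealer 2
```

The point of the release policy is the practitioner's check for the dealer scenario: the same user is provisioned into both systems through identical SPML operations, but the request sent to the partner never contains the attributes the originating dealer classes as confidential. A real PSP would additionally refuse any request whose caller has not been authenticated and authorized, and re-running the same add is answered with the SPML alreadyExists error rather than silently overwriting the record.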

Related Standards
While SPML is a standard meant to simplify the provisioning of user credentials, it is related to standards-based approaches from neighbouring domains. We explore a few of them here.

WS-Federation Provisioning Component
A WS-Federation provisioning component is a federated identity management component intended to cut the cost and complexity of passing identity credentials across organizational boundaries. Several companies, including Microsoft and IBM, developed the WS-Federation specification as part of the WS-Security family of specifications; it builds on WS-Security and WS-Trust.

A Federated Identity infrastructure provides cross-company identity sharing, cross-boundary single sign-on, and dynamic user provisioning. WS-Federation gives architects options for building new Web Services architectures on those capabilities.

The benefit of a WS-Federation provisioning component lies in its security model. It supports automated de-provisioning of external user access, and the user authenticates locally first: his own company issues him a valid security token, and it is that token, rather than a separately held partner credential, that he presents when accessing the partner.

Liberty ID-WSF Provisioning Component
The Liberty Alliance provisioning component is meant to enable networked applications, based on open standards, in which consumers and companies can transact online while the privacy and security of identity information are protected. Today devices and identities of all kinds are being linked by federation and protected by authentication, built on Liberty's open identity standards, business and deployment guidelines, and best practices for managing privacy.

The Liberty ID-WSF Provisioning Service (ProvS) is the entity that distributes data, and potentially executable code, to client platforms. ProvS also provides a control point for lifecycle management of provisioned modules (PMs), supporting operations such as update, delete, activate, and deactivate.

Project Concordia
The Concordia Project aims to provide interoperability among identity management systems. It is an organizationally independent global initiative with representatives from the CardSpace, Liberty Alliance, OpenID, openLiberty.org, open source, SAML 2.0, and WS-Federation communities.

Conclusion
SPML can be used to provision identity and other service-related information in a variety of use cases. User information provisioning, partner credential provisioning, and device provisioning are typical SOA use cases that benefit from SPML. The role of SPML in SOA is to provide a provisioning layer for identity and related information between the different SOA participants; authenticating and authorizing the provisioning requests themselves is handled through SAML. SPML is the OASIS standard for interoperable provisioning in SOA, though some related industry efforts are working along similar lines. A concerted effort should be made to increase the adoption of SPML and reduce duplicated work.

About the Author

Manivannan Gopalan specializes in legacy systems, legacy migration to SOA, and Web services. He currently works with the Web Services Centre of Excellence in SETLabs, the technology research division at Infosys Technologies, India. He has published papers in international conferences such as the IEEE International Conference of Web Services.
