SOA Feature - Service Provisioning via SPML in SOA
Simplifying identity and resource management for distributed services

Provisioning is the automation of all the steps required to manage user accounts or system access facilities or data relative to electronically published services.

The Provisioning Services Technical Committee (PSTC) at OASIS, the premier standards body for SOA-related standards, defined an XML-based framework named Service Provisioning Markup Language (SPML) for exchanging user information, resource information, and service provisioning information in systems. In this article, we'll explore the role of SPML in managing identity and resource information in SOA environments.

What Is SPML?
SPML is an XML-based request/response protocol used to integrate and interoperate service provisioning requests. Its purpose is to let organizations set up interfaces for Web Services and applications quickly and securely, by allowing portals, application servers, and service centers to generate provisioning requests within and across organizations.

In a typical SOA security stack, SPML satisfies a requirement complementary to authentication, authorization, and fine-grained access control. SPML is used for service provisioning, whereas the authentication and authorization of data is done through SAML. Fine-grained XML access control is done through XACML.

Identity Management and SPML's Role
Nowadays user credentials play an important role, be it a network-oriented system or a specific application. Managing user identity is challenging in today's environment given the increasing diversity and complexity of systems. Identity management refers to the management of the entire lifecycle of one or more identities, from creation to destruction, and managing privileges.

SPML deals with provisioning these identities in enterprise ecosystems. It brings standardization in preparing system infrastructure to accomplish business activities. A typical SPML use case scenario in organizations is the situation of hiring a new employee, which involves lots of procedures that can be included in a provisioning workflow. Provisioning involves both digital as well as physical activities. A physical activity involves procuring a PC or laptop and a digital activity involves creating a user account in various applications.

SPML in Enterprise Identity Management
The Different Components of an Enterprise Provisioning System

The typical provisioning system contains three essential components: a Requesting Authority (RA), a Provisioning Service Provider (PSP), and a Provisioning Service Target (PST). This is represented in Figure 1.

•  Requesting Authority (RA): In a typical provisioning system the RA is the client. Well-formed SPML documents are created by the RA and are sent to the SPML service point, which is basically a Provisioning Service Provider (PSP). These requests describe an operation to be performed at the PSP end. For an RA to issue a request to the PSP, a trust relationship must exist between the RA and PSP. Sometimes the PSP can act as the RA for another PSP.
•  Provisioning Service Point (PSP): This is the component that listens to the request from the RA, processes it, and returns a response to the RA. Any component that listens and processes well-formed SPML documents is called a Provisioning Service Point.
•  Provisioning Service Target (PST): The Target is basically actual software or an application on which action is taken. For example, it could be a directory that stores all of an organization's user accounts, or it could be an asset allocation system used to log requests for acquiring IT assets like laptops/PCs.

A typical provisioning system using SPML has one Requesting Authority, a PSP in the middle, and one or more PSTs. Suppose there are three systems. Without SPML, the user information would have to be keyed into all three systems using each system's portal. User information like name, address, contact number, date of birth, and SSN would have to be keyed in repeatedly across the three systems. By introducing a Provisioning Service Provider (PSP) layer and using SPML, the user information can be keyed into a single Requesting Authority and be reflected across multiple targets. So we avoid keying the same set of information into various systems.

Operations Supported by SPML
SPML 2.0 supports various core, search, batch, and async operations related to provisioning.

SPML Core Operations

  • listTargets: to find the list of existing target (PST) systems supported by PSP
  • add: to add an object to a given PST system
  • modify: to modify an object in a given PST system
  • delete: to remove an object from a given PST system
  • lookup: to obtain an XML representation of an object from a given PST system

SPML Search Operations

  • search: to get all the objects that match specified selection criteria (query)
  • iterate: to get the next set of objects from the result set that the provider selects for a search operation (using selection criteria)
  • closeIterator: to tell the provider that the requestor has no further need of the search result that a specific iterator represents

SPML Batch Operations

  • batch: to combine any number of individual requests into a single request

SPML Async Operations

  • cancel: to enable a requestor to stop the execution of an asynchronous operation
  • status (async capability): to enable a requestor to determine whether an asynchronous operation has successfully completed, has failed, or is still executing
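
The RA, PSP, and PST roles and the core add operation described above, as an added example (not code from the article or from OASIS): an in-memory PSP that accepts an SPML 2.0 addRequest only from an RA it trusts for the named target, and an RA that keys a user once and fans the request out to several targets. The trust table, target names, RA identity strings, and the use of customError for an untrusted RA are assumptions of this example.

```python
import xml.etree.ElementTree as ET
SPML = "urn:oasis:names:tc:SPML:2:0"             # SPML 2.0 core namespace
ET.register_namespace("spml", SPML)
# Hypothetical trust table: which authenticated RA may provision which target.
TRUSTED = {"hr-portal": {"ldap", "mail"}}
# In-memory stand-ins for the Provisioning Service Targets (PSTs).
TARGETS = {"ldap": {}, "mail": {}, "assets": {}}

def build_add_request(request_id, target_id, pso_id, attrs):
    """RA side: build an addRequest for one object on one target."""
    req = ET.Element(f"{{{SPML}}}addRequest", requestID=request_id, targetID=target_id)
    ET.SubElement(req, f"{{{SPML}}}psoID", ID=pso_id)
    data = ET.SubElement(req, f"{{{SPML}}}data")
    for name, value in attrs.items():
        ET.SubElement(data, name).text = value   # payload schema is target-defined
    return ET.tostring(req, encoding="unicode")

def _response(request_id, status, error=None):
    resp = ET.Element(f"{{{SPML}}}addResponse", requestID=request_id, status=status)
    if error:
        resp.set("error", error)
    return ET.tostring(resp, encoding="unicode")

def handle_add(ra_identity, xml_text):
    """PSP side: authorize the RA, apply the add, return an addResponse."""
    if "<!DOCTYPE" in xml_text:                  # refuse DTDs and entity definitions
        return _response("", "failure", "malformedRequest")
    req = ET.fromstring(xml_text)
    rid, target = req.get("requestID", ""), req.get("targetID", "")
    pso = req.find(f"{{{SPML}}}psoID")
    if req.tag != f"{{{SPML}}}addRequest" or pso is None:
        return _response(rid, "failure", "malformedRequest")
    if target not in TRUSTED.get(ra_identity, set()):
        return _response(rid, "failure", "customError")   # no RA-PSP trust for target
    if target not in TARGETS:
        return _response(rid, "failure", "noSuchIdentifier")
    if pso.get("ID") in TARGETS[target]:
        return _response(rid, "failure", "alreadyExists")
    data = req.find(f"{{{SPML}}}data")
    TARGETS[target][pso.get("ID")] = {e.tag: e.text for e in (data if data is not None else [])}
    return _response(rid, "success")

def provision_everywhere(ra, pso_id, attrs, targets):
    """Key the user once at the RA; send one addRequest per target via the PSP."""
    out = {}
    for i, t in enumerate(targets):
        resp = ET.fromstring(handle_add(ra, build_add_request(f"r{i}", t, pso_id, attrs)))
        out[t] = resp.get("error") or resp.get("status")
    return out
```

The trust check runs before the target lookup so that an RA without a trust relationship cannot use error codes to learn which targets the PSP serves.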

Problems with Provisioning
A typical provisioning system consists of requesting authorities, a provider, and a target. Before provisioning is introduced, a Requesting Authority might use its own portal to update user information. A typical problem is that such a system might already be in place, with a lot of user information already keyed in for a particular target. When a new provisioning system is then developed and put in place, that user information might not appear in the audit details of the provisioning system.

Provisioning can be done for different targets at the same time. But doing this makes it difficult to synchronize the data unless you pass the data through the provisioning service provider for the different Requesting Authorities and multiple targets.

Use Cases of SPML
Some typical use cases of SPML will be explored in the sections:

  1. A mass federated identity use case, and
  2. Partner credential provisioning

About Manivannan Gopalan
Manivannan Gopalan specializes in legacy systems, legacy migration to SOA, and Web services. He currently works with the Web Services Centre of Excellence in SETLabs, the technology research division at Infosys Technologies, India. He has published papers in international conferences such as the IEEE International Conference of Web Services.
