A forthcoming XML-based standard is living a double life. It is expected to foster integration of current provisioning and identity management software now and to evolve to support Web services in the future.
The proposed standard is the Service Provisioning Markup Language (SPML) 1.0, which is set for ratification Oct. 31 by the Organization for the Advancement of Structured Information Standards (OASIS).
The 1.0 specification is designed to help network executives break the logjam that holds back interoperability among current provisioning systems. These systems let companies automatically set up and deactivate user accounts across corporate networks and applications.
But critics, namely IBM Corp. and Microsoft Corp., say SPML in its 1.0 form lacks features beyond simple addition and deletion of users. They say it's not flexible enough to integrate into the palette of Web services standards they are developing, known as WS-* (pronounced WS-Star), which includes WS-Security and WS-Federation.
The two companies are working with OASIS to correct those shortcomings.
The protocol, therefore, appears to satisfy short-term corporate needs while creating a starting point for developing a long-term solution that will work within Web services deployments.
"What this means is that SPML 1.0 will not become the be-all and end-all provisioning standard," says Daniel Blum, an analyst with Burton Group. "Something else will come along." He says Microsoft and Web services standards partner IBM, which last year acquired provisioning vendor and SPML co-creator Access360, have valid points on the long-term viability of SPML.
"But provisioning could take years to work out in the Web services framework, so why wait for interoperability between traditional provisioning systems and applications," he says. "We should not let 'best' be the enemy of 'good.' Companies need something now, so SPML 1.0 is a good first step."
It's a good first step because today different provisioning systems can't talk to each other. That fact makes it difficult to link multiple provisioning systems across business units or with business partners, a nagging issue in large corporations, according to Burton Group.
Provisioning systems also use proprietary technology to talk to the target systems on which they want to set up or deactivate accounts, which forces companies to use custom connectors from each target system to the provisioning system.
SPML 1.0 will foster interoperability on both fronts and let companies focus on the business rules for provisioning user accounts and not on the technology to wire everything together.
The interoperability SPML fosters was demonstrated in July when 10 vendors - BMC Software Inc., Business Layers Inc., Critical Path Inc., Entrust Inc., MyCroft, OpenNetwork Technologies Inc., PeopleSoft Inc., Sun Microsystems Inc., Thor Technologies Inc. and Waveset Technologies Inc. - held an interoperability test demonstrating the creation of user accounts across their provisioning systems.
"Enterprise architects should start to consider SPML as real, deployable and valuable," says Darran Rolls, chairman of the Provisioning Services Technical Committee (PSTC) at OASIS and director of technology for Waveset.
What's also becoming real is the relationship between SPML and the Security Assertion Markup Language (SAML), an XML-based standard for exchanging user authentication and authorization data across corporate systems that OASIS ratified in October 2002.
Together, SAML and SPML provide a standard way to create user accounts and then validate these users as part of an identity management infrastructure. The two are the glue for integrating Web single sign-on and provisioning software. SPML can use a SAML credential as one way to identify users to be provisioned to corporate systems.
Corporate end users say this first step toward integration needs to be taken now to ease the deployment of provisioning systems, which are wanted as much for the security benefit of automated account deactivation as for automated account creation.
"Standards are definitely the No. 1 need," says Pete Narmita, director of global IT for a leading pharmaceutical company. "Any system that requires an ID and password needs to have a provisioning module, and it should be based on standards."
Narmita, who helped build a provisioning system for 65,000 users, says every time a new application is added, his company has to work with the vendor to tie it into the provisioning system.
"It's a very time-consuming and expensive process," he says. He has eased the process by converting to Business Layers' eProvision Suite, which provides some application connectors and plans to support SPML.
Narmita says he is evaluating SPML and hopes every vendor embraces it.
"We are waiting for the big guys - Microsoft, IBM, Oracle - to make a commitment," Narmita says. "The only commitment that I have seen them make is to SAML. But SPML is the real key. It's not one or the other, they work together."
Working together describes what is happening now among IBM, Microsoft and OASIS. For its part, Microsoft says it won't support SPML 1.0 because its features are too narrow.
"The specification does not have higher-level provisioning support," says Jackson Shaw, technical product manager for directory services at Microsoft. The protocol supports adding and deleting users but not suspending or moving accounts, he says.
IBM also will not support SPML 1.0, says Jeff Curie, program director for Tivoli identity management. In April, IBM asked the PSTC to modify SPML to make it more flexible and align it with the WS-* family of Web services standards. The PSTC refused, and IBM abandoned the 1.0 specification, which uses as its foundation the Directory Services Markup Language (DSML) 2.0, an XML representation of the Lightweight Directory Access Protocol (LDAP).
"What that brings with it is the limitations of LDAP," Curie says. He says those limitations include the fact that SPML is not a self-describing protocol like other WS-* specifications. For example, SPML cannot say that the data in a field is a date: Provisioning systems must already understand the SPML format of a date, he says.
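To make the "not self-describing" point concrete, here is an added Python example (not code from the article, OASIS or any vendor named here) that builds and parses SPML 1.0-style addRequest and deleteRequest messages using the DSML attr/value model the article describes. The SPML and DSML namespace URIs and the identifier type URI are written from memory of the published specifications and should be treated as assumptions; the attribute names, the sample user, and the ISO 8601 date convention are constructed for the example. The message carries each value as a bare string with no type metadata, so whether "startDate" is a date is knowledge the receiving provisioning system must hold in advance.

```python
"""Constructed illustration of SPML 1.0's DSML/LDAP-derived message model.

Assumptions (not taken from the article): the namespace URIs and identifier
type URI below are recalled from the SPML 1.0 / DSML 2.0 specifications;
attribute names, the sample user and the date convention are made up.
"""
import xml.etree.ElementTree as ET
from datetime import date

SPML_NS = "urn:oasis:names:tc:SPML:1:0"        # assumed SPML 1.0 namespace
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"   # assumed DSML 2.0 core namespace
ID_TYPE = SPML_NS + "#UserIDAndOrDomainName"   # assumed identifier type URI

ET.register_namespace("spml", SPML_NS)
ET.register_namespace("dsml", DSML_NS)


def _identifier(parent: ET.Element, user_id: str) -> None:
    ident = ET.SubElement(parent, f"{{{SPML_NS}}}identifier", {"type": ID_TYPE})
    ET.SubElement(ident, f"{{{SPML_NS}}}id").text = user_id


def build_add_request(user_id: str, attrs: dict, request_id: str) -> str:
    """Serialise an addRequest. Every attribute value is a bare string,
    exactly as the LDAP-derived DSML model carries it: no type is declared."""
    req = ET.Element(f"{{{SPML_NS}}}addRequest", {"requestID": request_id})
    _identifier(req, user_id)
    holder = ET.SubElement(req, f"{{{SPML_NS}}}attributes")
    for name, value in attrs.items():
        attr = ET.SubElement(holder, f"{{{DSML_NS}}}attr", {"name": name})
        ET.SubElement(attr, f"{{{DSML_NS}}}value").text = value
    return ET.tostring(req, encoding="unicode")


def build_delete_request(user_id: str, request_id: str) -> str:
    """Serialise a deleteRequest: only the identifier is needed."""
    req = ET.Element(f"{{{SPML_NS}}}deleteRequest", {"requestID": request_id})
    _identifier(req, user_id)
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text: str) -> dict:
    """Return the operation, the user identifier and attributes as raw strings."""
    root = ET.fromstring(xml_text)
    operation = root.tag.split("}")[1]
    user_id = root.findtext(f"{{{SPML_NS}}}identifier/{{{SPML_NS}}}id")
    attrs = {}
    for attr in root.findall(f"{{{SPML_NS}}}attributes/{{{DSML_NS}}}attr"):
        attrs[attr.get("name")] = [v.text for v in attr.findall(f"{{{DSML_NS}}}value")]
    return {"operation": operation, "id": user_id, "attributes": attrs}


def type_annotations(xml_text: str) -> dict:
    """Collect any XML attribute other than 'name' found on attr/value elements.
    SPML 1.0 messages built as above carry none, so this is always empty."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{DSML_NS}}}attr"):
        extra = {k: v for k, v in attr.attrib.items() if k != "name"}
        for val in attr.findall(f"{{{DSML_NS}}}value"):
            extra.update(val.attrib)
        if extra:
            found[attr.get("name")] = extra
    return found


# Out-of-band agreement each endpoint must already share (constructed):
# which attributes are dates and in what format. Without such an entry the
# receiver can only keep the value as a string.
ATTRIBUTE_CONVENTIONS = {"startDate": date.fromisoformat}


def interpret(parsed: dict, conventions: dict) -> dict:
    """Apply the receiver's prior knowledge of attribute formats."""
    out = {}
    for name, values in parsed["attributes"].items():
        convert = conventions.get(name, lambda s: s)
        out[name] = [convert(v) for v in values]
    return out


if __name__ == "__main__":
    add_xml = build_add_request("jsmith", {"cn": "Jane Smith", "startDate": "2003-11-03"}, "req-1")
    print(add_xml)
    parsed = parse_request(add_xml)
    print("type metadata in message:", type_annotations(add_xml))
    print("receiver with convention:", interpret(parsed, ATTRIBUTE_CONVENTIONS))
    print("receiver without convention:", interpret(parsed, {}))
    print(parse_request(build_delete_request("jsmith", "req-2")))
```

Running the script prints the serialised addRequest, shows that no type information is present in the message, and contrasts a receiver that knows the date convention (it gets a date object) with one that does not (it gets the unchanged string), which is the interoperability gap Curie describes.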
IBM and OASIS say they are working to address the issue, but IBM does not rule out creating its own specification under the WS-* framework.
PSTC's Rolls says IBM, Microsoft and OASIS are working on making SPML a unified effort that incorporates requirements from both vendors.