February 22, 2010

SPML: Life Support Redux

Blogger: Mark Diodati

Two weeks ago, Burton Group published a blog post on the viability of using SPML to build viable, interoperable provisioning services. Many thanks to those who have contributed to the discussion. In particular, Jeff Bohren, Anil John, Nishant Kaushik, and Jackson Shaw shared some sound insights about SPML. I have great respect for these gentlemen. If you are interested in the topic, I recommend that you read their blog posts. I’d like to comment on several topics from these blog posts. First, a thought from Nishant:


 “Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported.”


The assertion—that customers are asking for SPML in their RFPs—is true. The conclusion—that SPML is not on life support—is incorrect. Our position is based upon speaking to many organizations with deployed provisioning systems, as well as organizations that are considering the purchase of a provisioning product. For many customers, standards support is a “checklist” item. For other customers, leveraging SPML to build provisioning services is a long-term goal. Provisioning RFPs which specify SPML support is expected. But very few organizations have created provisioning services based upon SPML. The request for SPML support is based upon a key assumption—

SPML can be used to build viable provisioning services with interoperability among the components. As we discussed in our blog post, that just ain’t so.


A second thought from Nishant’s blog post:


 “I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.”

This is good news. For SPML to become viable, it will require a benefactor to lead the process of improving the standard. It will also require that the vendor community work together. Oracle’s position in the identity management market means that it has the muscle to lead this effort, if it sincerely commits to it.

From Jackson Shaw’s blog:

 “My experience so far with SPML has been good. Quest Software supports SPML V2 in our ActiveRoles Server product. We have a number of customers who have used Sun’s Identity Manager to provision and manage Active Directory, Exchange and SharePoint by via ARS and its SPML provider. When SPML works it really works and the benefit is quite clear to the customer.”

Quest is to be applauded for building one of the few commercial SPML provisioning service points. Last month, we spoke to a leader of the Quest Active Roles Server development team. The conversation focused specifically on interoperability between ARS and the different provisioning products via SPML. To accommodate the different vendor implementations, Quest must customize the ARS SPML interface for each provisioning product. The customization includes using different operations supported by each provisioning vendor. A future reference implementation for SPML v2 (that is, Core operations and optional Capabilities) would help facilitate interoperability between provisioning components.

The recent show of vendor interest in SPML v2 is a great sign. Let's hope it leads to real work to improve the standard in the coming months.

Posted by at 05:01 PM in interoperability, SPML | | Comments (4) | TrackBack (0)

|

February 01, 2010

SPML Is On Life Support ….

Blogger: Mark Diodati

But it (or something like it) is desperately needed.

 

At Burton Group, we closely watch emerging identity standards. In particular, we pay close attention to the development and adoption of the Service Provisioning Markup Language. We have hosted two interoperability events at our Catalyst conference. We issued our first research document on SPML in early 2006—coincident with the release of the SPML v2 standard. The publishing of our second document is imminent, and it is based upon some “hands-on” work with the standard, as well as ongoing discussions with vendors, end-user organizations, and OASIS Provisioning Service Technical Committee members (past and present).

 

The primary goal of SPML is provisioning without the use of proprietary connectors. The reality is that SPML is not currently viable for building useful, standards-based provisioning services because it is too complex and places too much of a performance burden on the connector. For example, the SPML Search capability is required for most viable provisioning services, and its support is infeasible due to complexity and performance concerns. I’ll talk more about these issues (including the Search capability) in my next blog.

 

The SPML standard—like all emerging standards—requires more work. More work is required to harmonize SPML with SAML. An optional “inetorgperson-like” user schema is required to promote greater SPML adoption (the OASIS Provisioning Services Technical Committee tried to create a standard user schema when developing SPML v2, but the members could not agree on one). A simpler “real world” search capability is needed, with a limitation on the number of attributes and filter expressions. The latter two requirements should be combined into a future “SPML Simple” profile.

 

Unfortunately, there appears to be little industry support for SPML enhancements. A vicious cycle exists. Few people are using the standard, so there’s less momentum to enhance it. The IdM vendors’ participation in the OASIS Provisioning Services Technical Committee has been minimal at best since the 2006 approval of the SPML v2 standard. The last meeting of the Committee was in early 2008. None of the major provisioning vendors have developed an SPML v2-conformant product. Many of the vendors who have created commercial SPML connectors tell us that they must create specific SPML implementations for each of the major provisioning products. An SPML reference implementation does not exist, but would surely help.

 

What is the future of standards-based provisioning?

 

SPML may prevail if the industry simplifies the standard and supports it in commercial products. It may be too late to pull it out of the fire, though. Another alternative is a “pull” model—LDAP-based directory services supported by virtual directories. For example, both salesforce.com and Google provide a pull capability via LDAP. The applications query existing enterprise directories for authentication and identity information. Many organizations express concern about exposing a directory (especially Active Directory) to cloud-based applications. Burton group believes that virtual directories can mitigate these concerns. It is worth noting that neither vendor supports SPML. Both salesforce.com and Google expose a relatively simple (compared to SPML) SOAP interface for provisioning. Another path to standards-based provisioning may be SAML.

 

My colleague Bob Blakely will be speaking more about standards-based provisioning in the IdPS Telebriefing “The Future of Identity Management is Pull”.

Posted by at 12:38 PM in federation, identity services, interoperability, provisioning, SPML | | Comments (1) | TrackBack (0)

|

January 15, 2009

Kerberos interop event hosted by Microsoft!

Blogger: Gerry Gebel

At Burton Group we are big fans of interoperability events so it was great to see that the MIT Kerberos Consortium announced it will host an interoperability event this March 30 to April 3 at Microsoft's offices in Redmond. Kerberos is a key element to many organizations' single sign-on strategy, providing standards-based mechanisms that are supported by many platforms and applications. It will be very interesting to see who participates, what the testing scenarios are, and how the results turn out.

Posted by at 02:31 PM in authentication, Gerry Gebel, interoperability | | Comments (0) | TrackBack (0)

|

  • Burton Group Free Resources Stay Connected Stay Connected Stay Connected Stay Connected

Categories



Read more Burton Group blogs

Blog Roll

Archives

More...

About

Blog powered by TypePad