The SAML web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

New Year’s Resolution: Let’s Talk More about SPML

Mark Diodati writes... Jackson Shaw and James McGovern have been blogging recently about one of my favorite topics: Service Provisioning Markup Language (SPML). I'd like to contribute to the discussion. You can find Jackson's blog entry from December 20 here, and James McGovern's blog entry from January 5 here.

One thing that organizations using SPML should do is to secure the service from an authentication, authorization, and encryption perspective. In most instances, because the number of SPML requestors and providers (this is terminology specific to SPML) is small, most organizations are opting to manually configure the requesting authority and the provisioning service provider with static passwords or certificate lists to establish trust between the provisioning services components. These authentication techniques don't provide authorization services in any meaningful sense. A large SPML implementation requires authorization services to determine the rights of the requesting authority to manage the specific user on the respective provisioning service target. In our opinion, the multi-tenancy (call it cloud-based if you like) use case is an example of a large SPML implementation: one must build the requisite authorization and authentication services to support the provisioning service.

SPML's lack of authentication and authorization capabilities highlights the broader issues we see with the emergence of identity services. An authorization service requires authentication services in order to have any utility whatsoever. The authorization and authentication services may be consolidated (one big authorization and authentication service) or discrete (two separate services). One example of a discrete authorization service is a XACML authorization service that leverages the user's SiteMinder SMSESSION ticket for authentication.

As for federation and federated provisioning, the lack of provisioning capabilities remains an operational impediment. Several years ago, a Liberty Alliance Technical Expert Group began working on a way to "harmonize" SPML and SAML. While the services would remain separate "pipes", the TEG was working on a way to harmonize the user attribute schema across the two services...
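The point Mark makes above about static passwords or certificate lists (authentication without authorization) can be made concrete on the provider side. The following is an added example, not code from the original post or from any SPML product: a provisioning service provider that has already authenticated the requesting authority (by mutual TLS or a pre-shared secret, assumed to have happened before this code runs) still has to decide whether that requesting authority may perform the requested operation against the named target. The policy table, the requesting-authority names, the target names and the sample SPML 2.0 requests are all constructed for illustration; the SPML 2.0 namespace and the `targetID`/`psoID` placement follow the SPML 2.0 core schema, but the request shapes are minimal rather than complete.

```python
"""Provider-side authorization check layered over an authenticated SPML requestor.

Added example (hypothetical). The PSP has authenticated the requesting authority
(RA) out of band; this module answers the separate question "may this RA run
this operation on this target?" Deny is the default.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SPML_NS = "urn:oasis:names:tc:SPML:2:0"  # SPML 2.0 core namespace

# Constructed policy table: authenticated RA -> target -> permitted operations.
# Anything not listed here is denied.
POLICY = {
    "cn=hr-provisioner,o=example": {
        "ldap-prod": {"add", "modify", "delete", "lookup"},
        "mail-prod": {"add", "modify", "lookup"},
    },
    "cn=helpdesk,o=example": {
        "ldap-prod": {"lookup", "modify"},
    },
}


@dataclass
class Decision:
    permitted: bool
    operation: str
    target: str
    reason: str


def _split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def parse_request(xml_text):
    """Return (operation, targetID) from a single SPML 2.0 request element.

    The operation is the element's local name minus the 'Request' suffix
    (addRequest -> add). targetID is taken from the request element itself
    (addRequest) or from its psoID child (modify/delete/lookup).
    """
    root = ET.fromstring(xml_text)
    ns, name = _split_tag(root.tag)
    if ns != SPML_NS:
        raise ValueError("not an SPML 2.0 request")
    if not name.endswith("Request"):
        raise ValueError("unexpected element %s" % name)
    op = name[: -len("Request")]
    target = root.get("targetID")
    if target is None:
        pso = root.find("{%s}psoID" % SPML_NS)
        if pso is not None:
            target = pso.get("targetID")
    if not target:
        raise ValueError("request names no targetID")
    return op, target


def authorize(requestor, xml_text):
    """Decide whether the already-authenticated requestor may send this request."""
    try:
        op, target = parse_request(xml_text)
    except (ET.ParseError, ValueError) as exc:
        # Malformed input is denied and logged as such, never treated as a lookup.
        return Decision(False, "", "", "malformed request: %s" % exc)
    allowed = POLICY.get(requestor, {}).get(target, set())
    if op in allowed:
        return Decision(True, op, target, "permitted by policy")
    return Decision(False, op, target, "no grant for %s on %s" % (op, target))


# Constructed sample requests (minimal SPML 2.0 shapes, not full messages).
ADD_REQ = (
    '<addRequest xmlns="urn:oasis:names:tc:SPML:2:0" requestID="r1" targetID="ldap-prod">'
    '<containerID ID="ou=people,dc=example,dc=com"/>'
    '<data><dsml:attr xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" name="uid">'
    "<dsml:value>jdoe</dsml:value></dsml:attr></data>"
    "</addRequest>"
)
DEL_REQ = (
    '<deleteRequest xmlns="urn:oasis:names:tc:SPML:2:0" requestID="r2">'
    '<psoID ID="uid=jdoe,ou=people,dc=example,dc=com" targetID="ldap-prod"/>'
    "</deleteRequest>"
)

if __name__ == "__main__":
    for ra in ("cn=hr-provisioner,o=example", "cn=helpdesk,o=example", "cn=unknown,o=example"):
        for req in (ADD_REQ, DEL_REQ):
            d = authorize(ra, req)
            print("%-30s %-7s %-10s %s" % (ra, d.operation, d.permitted, d.reason))
```

The design point is the separation Mark describes: the certificate or password only tells the provider who is calling; the policy lookup is what decides whether that caller may add, modify or delete a user on a given target. Keeping the two steps distinct also makes the deny-by-default path auditable, since every refused request carries the operation and target it attempted.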

Read Mark's complete blog at Burton Group.