Service Provisioning Markup Language
Service Provisioning Markup Language (SPML) is an XML-based framework, being developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations.
The Service Provisioning Markup language is the open standard for the integration and interoperation of service provisioning requests. SPML is an OASIS standard based on the concepts of Directory Service Markup Language. SPML version 1.0 was approved in October 2003. SPML version 2.0 was approved in April 2006. Security Assertion Markup Language exchanges the authorization data.
Definition
The OASIS Provisioning Services Technical Committee uses the following definition of "provisioning":[1]
Provisioning is the automation of all the steps required to manage (setup, amend and revoke) user or system access entitlements or data relative to electronically published services.
Goal of SPML
The goal of SPML is to allow organizations to securely and quickly set up user interfaces for Web services and applications, by letting enterprise platforms such as Web portals, application servers, and service centers generate provisioning requests within and across organizations. This can lead to automation of user or system access and entitlement rights to electronic services across diverse IT infrastructures, so that customers are not locked into proprietary solutions.
SPML Functionality
SPML version 2.0 [2] defines the following functionality:
Core functions
- listTargets - Enables a requestor to determine the set of targets that a provider makes available for provisioning.
- add - The add operation enables a requestor to create a new object on a target.
- lookup - The lookup operation enables a requestor to obtain the XML that represents an object on a target.
- modify - The modify operation enables a requestor to change an object on a target.
- delete - The delete operation enables a requestor to remove an object from a target.
Async capability
- cancel - The cancel operation enables a requestor to stop the execution of an asynchronous operation.
- status - The status operation enables a requestor to determine whether an asynchronous operation has completed successfully or has failed or is still executing.
Batch capability
- batch - Supports batch execution of requested operations.
Bulk capability
- bulkModify - Allows multiple modify requests to be run together.
- bulkDelete - Allows multiple delete requests to be run together.
Password capability
- setPassword - Enables a requestor to specify a new password for an object.
- expirePassword - Marks as invalid the current password for an object.
- resetPassword - Enables a requestor to change (to an unspecified value) the password for an object and to obtain that newly generated password value.
- validatePassword - Enables a requestor to determine whether a specified value would be valid as the password for a specified object.
Search capability
- search - The search operation obtains every object that matches a specified query.
- iterate - The iterate operation obtains the next set of objects from the result set that the provider selected for a search operation.
- closeIterator - The closeIterator operation tells the provider that the requestor has no further need for the search result that a specific <iterator> represents.
Suspend capability
- suspend - The suspend operation enables a requestor to disable an object.
- resume - The resume operation enables a requestor to re-enable an object that has been suspended.
- active - The active operation enables a requestor to determine whether a specified object has been suspended.
Updates capability
- updates - The updates operation obtains records of changes to objects.
- iterate - The iterate operation obtains the next set of objects from the result set that the provider selected for an updates operation.
- closeIterator - The closeIterator operation tells the provider that the requestor has no further need for the updates result set that a specific <iterator> represents.
Custom capabilities
- An individual provider (or any third party) can define a custom capability that integrates with SPMLv2.
Features
Provisioning Service Object (PSO)
The key identifier in SPML is a PSO.
A Provisioning Service Object (PSO), sometimes simply called an object, represents a data entity or an information object on a target. For example, a provider would represent as an object each account that the provider manages.
Every object is contained by exactly one target. Each object has a unique identifier (PSO-ID).
Profile
SPMLv2 defines two “profiles” in which a requestor and provider may exchange SPML protocol:
- XML Schema as defined in the “SPMLv2 XSD Profile” [SPMLv2-Profile-XSD].
- DSMLv2 as defined in the “SPMLv2 DSMLv2 Profile” [SPMLv2-Profile-DSML].
A requestor and a provider may exchange SPML protocol in any profile to which they agree.
The DSMLv2 Profile may be more convenient for applications that access mainly targets that are LDAP or X500 directory services. The XSD Profile may be more convenient for applications that access mainly targets that are web services.