Using SAML w/ SPML – A potential reality !


I have had multiple opportunities to work on SPML-based user provisioning with Sun Java System Identity Manager. I found SPML a very compelling standard; it worked like a piece of cake on Sun IDM and certainly simplified my efforts in representing provisioning requests intended for creating, modifying, cancelling, deleting, enabling, disabling and searching user accounts and their associated access-control privileges across multiple resources. Naturally I had the passion to dig deeper into SPML 2.0! I was briefly involved with the OASIS SPML TC forums and their discussions… Unlike other standards efforts, I am quite convinced that SPML will gain strong adoption as a de-facto standard in the user-provisioning industry, and sooner rather than later it is also expected to play a vital role in enabling identity federation (yes, seriously!). We know well that SPML helps to initiate XML-based provisioning/de-provisioning processes from the identity provider to its target service providers. This means SPML allows users to bypass out-of-band account creation by using provisioning/synchronization mechanisms from LDAP, database and other user repositories. By working together with SAML, SPML can make use of SAML assertions to facilitate a trust model in which the senders and receivers of SPML messages agree on the context of a predefined unique user identifier represented by a SAML assertion. To be more precise, the SAML assertion allows the sender to qualify the subject against which a provisioning request is targeted.

Lately a supporting profile effort, the “Federated Provisioning Profile” (SAML 2.0 Profile for SPML), has been in progress within the OASIS Security Services (SAML) TC; it addresses the use of SAML within SPML messages. The Federated Provisioning Profile focuses on the use-case requirements for SPML provisioning in identity federation, where SPML messages can carry SAML assertions as provisioning data, and on on-demand/just-in-time bulk user provisioning between an identity provider (IdP) and a service provider (SP). It is promising, but I am not sure where this effort stands now!
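To make the "SAML assertion qualifies the subject of an SPML request" idea concrete, here is an added example (mine, not code from the post, from Sun IDM, or from the OASIS profile drafts) of what a provisioning service provider would check before acting on an SPML 2.0 `addRequest` that carries a SAML 2.0 assertion. The placement of the assertion directly under `<spml:data>`, the sample message, the issuer, target and audience values are all my assumptions; the profile itself may prescribe a different wrapper. The example only checks trust in the issuer, the assertion's validity window and audience, and the presence of a subject `NameID`; verifying the assertion's XML signature is deliberately left out, so on its own this proves structure, not authenticity.

```python
"""Evaluate an SPML 2.0 addRequest whose provisioning data is a SAML 2.0 assertion.

The SPML and SAML namespaces are the real OASIS ones; everything else
(message layout, identifiers, endpoints) is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SPML = "urn:oasis:names:tc:SPML:2:0"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"spml": SPML, "saml": SAML}

# Constructed sample request (assumption: the assertion travels under spml:data).
SAMPLE_REQUEST = f"""<spml:addRequest xmlns:spml="{SPML}" xmlns:saml="{SAML}"
    requestID="req-0001" executionMode="synchronous" targetID="hr-app">
  <spml:containerID ID="ou=people" targetID="hr-app"/>
  <spml:data>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-01T10:00:00Z">
      <saml:Issuer>https://idp.example.org</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-4711</saml:NameID>
      </saml:Subject>
      <saml:Conditions NotBefore="2010-03-01T09:55:00Z" NotOnOrAfter="2010-03-01T10:05:00Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com/spml</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute Name="mail"><saml:AttributeValue>u4711@example.org</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="role"><saml:AttributeValue>employee</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </spml:data>
</spml:addRequest>"""


def _ts(value):
    """Parse a SAML xs:dateTime in the common 'Z' form into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_request(xml_text, trusted_issuers, my_audience, now):
    """Return (accepted, reason, account).

    account is the provisioning data the SP would act on: the SAML NameID is
    used as the PSO identifier and the attribute statement supplies the
    account attributes. It is None whenever the request is rejected.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SPML}}}addRequest":
        return False, "not an SPML addRequest", None

    assertion = root.find("spml:data/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in provisioning data", None

    # Only assertions from an identity provider we federate with are acceptable.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}", None

    # Validity window and audience restriction: a stale or misdirected assertion
    # must not drive account creation.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions", None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now >= _ts(not_on_or_after):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        return False, "audience mismatch", None

    # The subject NameID is the unique identifier the sender and receiver agreed on.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return False, "no subject NameID", None

    attrs = {
        a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    container = root.find("spml:containerID", NS)
    account = {
        "psoID": name_id.text.strip(),
        "nameIDFormat": name_id.get("Format"),
        "target": root.get("targetID"),
        "container": container.get("ID") if container is not None else None,
        "attributes": attrs,
    }
    return True, "ok", account


if __name__ == "__main__":
    when = datetime(2010, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    print(evaluate_request(SAMPLE_REQUEST, {"https://idp.example.org"},
                           "https://sp.example.com/spml", when))
```

The function takes the evaluation time as a parameter so the window checks are testable; in a real SP you would pass the current UTC time and allow a small clock skew, and you would verify the assertion signature against the IdP's metadata before any of these checks are trusted.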
