Service Provisioning Markup Language

Last updated November 11, 2022

Service Provisioning Markup Language (SPML) is an XML-based framework, being developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations.

The Service Provisioning Markup language is the open standard for the integration and interoperation of service provisioning requests. SPML is an OASIS standard based on the concepts of Directory Service Markup Language. SPML version 1.0 was approved in October 2003. SPML version 2.0 was approved in April 2006. Security Assertion Markup Language exchanges the authorization data.

Definition

The OASIS Provisioning Services Technical Committee uses the following definition of "provisioning":^[1]

Provisioning is the automation of all the steps required to manage (setup, amend and revoke) user or system access entitlements or data relative to electronically published services.

Goal of SPML

The goal of SPML is to allow organizations to securely and quickly set up user interfaces for Web services and applications, by letting enterprise platforms such as Web portals, application servers, and service centers generate provisioning requests within and across organizations. This can lead to automation of user or system access and entitlement rights to electronic services across diverse IT infrastructures, so that customers are not locked into proprietary solutions.

SPML Functionality

SPML version 2.0 ^[2] defines the following functionality:

Core functions

listTargets - Enables a requestor to determine the set of targets that a provider makes available for provisioning.
add - The add operation enables a requestor to create a new object on a target.
lookup - The lookup operation enables a requestor to obtain the XML that represents an object on a target.
modify - The modify operation enables a requestor to change an object on a target.
delete - The delete operation enables a requestor to remove an object from a target.

Async capability

cancel - The cancel operation enables a requestor to stop the execution of an asynchronous operation.
status - The status operation enables a requestor to determine whether an asynchronous operation has completed successfully or has failed or is still executing.

Batch capability

batch - Supports batch execution of requested operations.

Bulk capability

bulkModify - Allows multiple modify requests to be run together.
bulkDelete - Allows multiple delete requests to be run together.

Password capability

setPassword - Enables a requestor to specify a new password for an object.
expirePassword - Marks as invalid the current password for an object.
resetPassword - Enables a requestor to change (to an unspecified value) the password for an object and to obtain that newly generated password value.
validatePassword - Enables a requestor to determine whether a specified value would be valid as the password for a specified object.

Reference capability

Search capability

search - The search operation obtains every object that matches a specified query.
iterate - The iterate operation obtains the next set of objects from the result set that the provider selected for a search operation.
closeIterator - The closeIterator operation tells the provider that the requestor has no further need for the search result that a specific <iterator> represents.

Suspend capability

suspend - The suspend operation enables a requestor to disable an object.
resume - The resume operation enables a requestor to re-enable an object that has been suspended.
active - The active operation enables a requestor to determine whether a specified object has been suspended.

Updates capability

updates - The updates operation obtains records of changes to objects.
iterate - The iterate operation obtains the next set of objects from the result set that the provider selected for an updates operation.
closeIterator - The closeIterator operation tells the provider that the requestor has no further need for the updates result set that a specific <iterator> represents.

Custom capabilities

An individual provider (or any third party) can define a custom capability that integrates with SPMLv2.

Features

Provisioning Service Object (PSO)

The key identifier in SPML is a PSO.

A Provisioning Service Object (PSO), sometimes simply called an object, represents a data entity or an information object on a target. For example, a provider would represent as an object each account that the provider manages.

Every object is contained by exactly one target. Each object has a unique identifier (PSO-ID).

Profile

SPMLv2 defines two “profiles” in which a requestor and provider may exchange SPML protocol:

XML Schema as defined in the “SPMLv2 XSD Profile” [SPMLv2-Profile-XSD].
DSMLv2 as defined in the “SPMLv2 DSMLv2 Profile” [SPMLv2-Profile-DSML].

A requestor and a provider may exchange SPML protocol in any profile to which they agree.

The DSMLv2 Profile may be more convenient for applications that access mainly targets that are LDAP or X500 directory services. The XSD Profile may be more convenient for applications that access mainly targets that are web services.

Related Research Articles

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing arbitrary data. It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The World Wide Web Consortium's XML 1.0 Specification of 1998 and several other related specifications—all of them free open standards—define XML.

The Organization for the Advancement of Structured Information Standards is a nonprofit consortium that works on the development, convergence, and adoption of open standards for cybersecurity, blockchain, Internet of things (IoT), emergency management, cloud computing, legal data exchange, energy, content technologies, and other areas.

XSD, a recommendation of the World Wide Web Consortium (W3C), specifies how to formally describe the elements in an Extensible Markup Language (XML) document. It can be used by programmers to verify each piece of item content in a document, to assure it adheres to the description of the element it is placed in.

The Geography Markup Language (GML) is the XML grammar defined by the Open Geospatial Consortium (OGC) to express geographical features. GML serves as a modeling language for geographic systems as well as an open interchange format for geographic transactions on the Internet. Key to GML's utility is its ability to integrate all forms of geographic information, including not only conventional "vector" or discrete objects, but coverages and sensor data.

Directory Services Markup Language (DSML) is a representation of directory service information in an XML syntax.

Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. SAML is also:

Office Open XML is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations and word processing documents. Ecma International standardized the initial version as ECMA-376. ISO and IEC standardized later versions as ISO/IEC 29500.

Catalogue Service for the Web (CSW), sometimes seen as Catalogue Service - Web, is a standard for exposing a catalogue of geospatial records in XML on the Internet. The catalogue is made up of records that describe geospatial data, geospatial services, and related resources.

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. SAML is a product of the OASIS (organization) Security Services Technical Committee.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

Information cards are personal digital identities that people can use online, and the key component of an identity metasystem. Visually, each i-card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The information card metaphor is implemented by identity selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.

Election Markup Language (EML) is an XML-based standard to support end to end management of election processes.

Content Assembly Mechanism (CAM) is an XML-based standard for creating and managing information exchanges that are interoperable and deterministic descriptions of machine-processable information content flows into and out of XML structures. CAM is a product of the OASIS Content Assembly Technical Committee.

The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also allows for clients to ask a server to encrypt or decrypt data, without needing direct access to the key.

The Office Open XML file formats are a set of file formats that can be used to represent electronic office documents. There are formats for word processing documents, spreadsheets and presentations as well as specific formats for material such as mathematical formulae, graphics, bibliographies etc.

The SAML metadata standard belongs to the family of XML-based standards known as the Security Assertion Markup Language (SAML) published by OASIS in 2005. A SAML metadata document describes a SAML deployment such as a SAML identity provider or a SAML service provider. Deployments share metadata to establish a baseline of trust and interoperability.

A 'SAML identity provider' is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).

References

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Open SPML FAQ

[2] SPML Version 2

[1]

[2]