Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
OASIS Provisioning WG work after SPMLv2 (20070709)
During the week of OASIS security standards WG webinars, Kent Spaulding of Tripod and Jeff Bohren of BMC presented on the status and directions of the OASIS Provisioning Services TC, which standardized SPMLv1 in 2003 and SPML 2.0 in 2006.
SPML 2.0 was designed to address limitations of, and complaints about, the original SPML. Even though the SPML 2.0 specification is complete, the working group lives on. The presenters' slides mentioned that post-2.0 the working group has been considering:
- SPML 2.0 specification corrections
(As of May 2007, there were approx. 10 errata).
- Federated provisioning
(A submission has been made to the OASIS Security Services TC, the home of the SAML specification, to develop a SAML 2.0 Profile of SPML 2.0 for linking identities across domains.)
"The Federated Provisioning Profile is designed to support the 'Bulk Provisioning' use case where an Identity Management Lifecycle exists between the IdP and SP. The proposed profile will use the ... (SPML) 2.0 standard as the provisioning protocol with elements from the SAML 2.0 Assertion schema as the provisioning data."
- Optional standard schema
(A set of attributes for the representation of operational state for people, accounts, groups, roles, organizations, entitlements, and their relationships.)
- Asynchronous notifications
(This would be addressed after the standard schema, and would be based on the OASIS specs WS-BaseNotification, WS-BrokeredNotification and WS-Topics.)
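To make the federated provisioning idea above concrete, here is an added illustration (not code from the presenters, the TC, or the proposed profile) of the shape such a message could take: an SPML 2.0 addRequest whose data element carries SAML 2.0 assertion-schema elements (Issuer, Subject, AttributeStatement) as the provisioning payload, plus the receiving side's parse-and-check step. The two namespaces are the real SPML 2.0 and SAML 2.0 ones; the exact placement of the SAML elements inside spml:data, the attribute names, the issuer URL and the nameID are assumptions constructed for this example, since the profile was only a proposal at the time.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs for SPML 2.0 and the SAML 2.0 assertion schema.
SPML_NS = "urn:oasis:names:tc:SPML:2:0"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("saml", SAML_NS)


def _q(ns, local):
    """Clark-notation qualified tag, e.g. {urn:...}addRequest."""
    return "{%s}%s" % (ns, local)


def build_add_request(request_id, target_id, issuer, name_id, attributes):
    """IdP side: build an SPML 2.0 addRequest whose <spml:data> carries
    SAML 2.0 assertion-schema elements describing the identity to provision.
    The layout inside <spml:data> is an assumption made for this example."""
    req = ET.Element(_q(SPML_NS, "addRequest"), {
        "requestID": request_id,
        "targetID": target_id,
        "executionMode": "synchronous",
    })
    data = ET.SubElement(req, _q(SPML_NS, "data"))
    ET.SubElement(data, _q(SAML_NS, "Issuer")).text = issuer
    subject = ET.SubElement(data, _q(SAML_NS, "Subject"))
    ET.SubElement(subject, _q(SAML_NS, "NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }).text = name_id
    stmt = ET.SubElement(data, _q(SAML_NS, "AttributeStatement"))
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, _q(SAML_NS, "Attribute"), {"Name": name})
        for value in values:
            ET.SubElement(attr, _q(SAML_NS, "AttributeValue")).text = value
    return ET.tostring(req, encoding="unicode")


def parse_add_request(xml_text, trusted_issuers):
    """SP side: accept the request only if it is an SPML addRequest whose SAML
    Issuer is one the provisioning service trusts, then extract the identity
    data. In a real deployment the SAML data would also be signed and the
    XML signature verified; the issuer allow-list here stands in for that."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(SPML_NS, "addRequest"):
        raise ValueError("not an SPML 2.0 addRequest")
    data = root.find(_q(SPML_NS, "data"))
    if data is None:
        raise ValueError("addRequest carries no data element")
    issuer = data.findtext(_q(SAML_NS, "Issuer"))
    if issuer not in trusted_issuers:
        raise PermissionError("untrusted issuer %r" % issuer)
    name_id = data.findtext(_q(SAML_NS, "Subject") + "/" + _q(SAML_NS, "NameID"))
    attrs = {}
    for attr in data.iterfind(_q(SAML_NS, "AttributeStatement") + "/" + _q(SAML_NS, "Attribute")):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind(_q(SAML_NS, "AttributeValue"))]
    return {
        "requestID": root.get("requestID"),
        "targetID": root.get("targetID"),
        "issuer": issuer,
        "nameID": name_id,
        "attributes": attrs,
    }


if __name__ == "__main__":
    # Constructed sample values; the issuer URL and target name are placeholders.
    msg = build_add_request(
        "req-1", "hr-directory", "https://idp.example.com",
        "alice@example.com", {"urn:example:role": ["auditor", "reader"]},
    )
    print(msg)
    print(parse_add_request(msg, {"https://idp.example.com"}))
```

The receiving side rejects a request whose Issuer is not on its allow-list before it touches any attribute data, so a bulk-provisioning endpoint never creates accounts on the word of an unknown IdP; in production the same check would be backed by verifying the SAML signature against the IdP's metadata.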