The OASIS group will demonstrate the Service Provisioning Markup Language, or SPML, at the Burton Group's Catalyst Conference in July. According to OASIS, ten OASIS members will show the stability of the specification and demonstrate interoperability between SPML-conformant products. You might rightly ask: What is SPML?
The Security Assertion Markup Language, or SAML, has been around for a while. It's an XML-based markup language for exchanging assertions about authentication and authorization in a federated identity system. There's nothing in SAML about how security credentials get created, managed, or queried.
SPML is the other shoe. It's a markup language for provisioning credentials. Not surprisingly, its methods look just like those of any database: add, update, delete, query. When a SAML request is received from a partner in a federated identity network, the software receiving that request could use SPML to query the identity system for the correct tokens. These tokens would then be returned to the partner using SAML.
SPML is not designed, as far as I can see, for federated security provisioning, but rather for easy interoperability between different vendors' products. That doesn't mean it can't be used for that, but it would have to be tacked up by the players, who would have to take the IT and business concerns into account. SPML will probably find the most use behind the firewall, at least initially.
Here are a few resources on SAML and SPML that you might find interesting.
- CNET News article on SPML demonstration.
- Slides by Gavenraj Sodhi (PDF) on SPML and SAML. There's a good example using a supply chain. Sodhi is the secretary of the OASIS TC on SPML.
- OASIS TC Page on SPML. This is where the source documents live.
- OpenSPML.org. A Web site for the promotion and distribution of open source client code that supports SPML. There is a source code toolkit on the site.
- Sun has a good article on using SAML to provide SSO (single sign-on).