Identity Provisioning
SAML addresses the problem of how to exchange identity information between systems. That begs the question: how do these various systems set up the accounts and services that are being accessed? We learned in Chapter 5 that this happens in the provisioning and propagation phases of the digital identity lifecycle. Because a single identity may need to be used in multiple systems, automated provisioning is necessary. Automated provisioning is supported through the use of provisioning standards.
SPML , or Service Provisioning Markup Language, is an XML-based language for exchanging provisioning requests and responses. As mentioned at the beginning of this chapter, SPML is rather new and supported only by a few vendors, but it, or something like it, will be necessary to create automated identity systems. The goal of the SPML specification is to support the automation of all aspects of managing an identity throughout its entire lifecycle, including creating, amending, or revoking the identity. This section will discuss SPML and its use in automated provisioning.
SPML is defined in terms of three primary roles:
- Requesting Authority (RA)
The entity making the provisioning request.
- Provisioning Service Provider (PSP)
A SPML-enabled software service that responds to SPML requests from the RA.
- Provisioning Service Target (PST)
The entity that performs the provisioning. Sometimes the PSP and PST are the same software agent, but they needn't be. The crucial difference is ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access