Vendors complete prototype of provisioning interface for Web services

Apr 02, 2003
Access Control, Enterprise Applications

* Prototype addresses secure deployment of Web services

Identity services, provisioning management, OASIS – been there, done that, but there are some new developments you should know about.

First though, a digression. Sometimes inspiration comes in odd ways. Odd, at least, for me. I tell marketing and press relations people that I much prefer e-mail to any other communication method. I’ll talk to them on the phone if I have to, read their faxes if I must and put their snailmail press releases directly into the trash can. The nice thing about e-mail (compared to the phone) is that I can read it when I’m ready, I don’t have to take notes (which I never have done very well) and it’s still there for reference when I get around to writing the story.

But this time I was conversing (via e-mail) with Waveset’s PR lady, Jennifer Lake (from the excellent Lois Paul agency) about two different events that are coming up – an announcement concerning OASIS, and another announcement about a new technology partnership.

I asked her to send an e-mail outlining the OASIS development and was planning on writing it up for this newsletter. So I’m sitting at my desk this morning, casting about for a subject for this newsletter (I knew I’d planned one, just couldn’t remember what it was!) when the phone rang. It was Ms. Lake who wanted to talk about the technology partnership, but she did remind me that she’d already sent the OASIS information I requested and which I’d simply misfiled. Moral: sometimes it is necessary to use the telephone; or make notes; or change the way you do things – or even keep discussions to a single topic.

But on to the announcement: Waveset, along with BEA Systems, Entrust, and Sun, has completed the first open, broad-based prototype implementation of an XML-based provisioning interface for secure deployment of Web services. The prototype is based on the draft Service Provisioning Markup Language (SPML) from OASIS’ Provisioning Services Technical Committee (PSTC), which intends to submit its SPML 1.0 specification to the OASIS board for review in May 2003.

The intent of the prototype implementation is to demonstrate a standards-based framework for exchanging user, resource and service provisioning information between cooperating organizations. But more than just a demonstration of technology, this prototype will actually be put into use by brokerage firm Merrill Lynch for its customer and partner portals to facilitate quick and easy setup and maintenance of user interaction with Web services and applications.

The SPML-based prototype provides a Web services-based framework that enterprise platforms such as Web portals, application servers, and service centers can use to generate provisioning requests within and across organizations. This can lead to automation of user or system access and entitlement rights to electronic services across diverse IT infrastructures, so that customers are not locked into proprietary solutions.

For example, a supply partner (Company A) goes to the supply chain portal of its partner (Company B) and requests access to Company B’s inventory data, which is stored in a back-office system. In response, Company B initiates a request using SPML to communicate with SPML-enabled identity management software. After automatically acquiring the appropriate permissions, Company B grants Company A the access levels it needs to reach that data. This process takes place without the need for the portal environment to have an intimate understanding of the back-office environment. In other words, it’s all automatic. The prototype encompasses all of the provisions of the proposed SPML standard while also leveraging the benefits of the Security Assertion Markup Language (SAML) that we’ve mentioned on more than one occasion.

You can find out more at the Waveset Web site as well as through the proceedings of the PSTC (see links below). Provisioning, especially when coupled with security, is still the “killer app” for identity services.