
SCIMing the provisioning landscape

Security Identity Management Alert By Dave Kearns, Network World
April 29, 2011 06:00 AM ET

I never thought I'd see the day when an XML standard was relegated to the trash heap as outdated. But that's exactly what appears to be happening to SPML, the Service Provisioning Markup Language.

Ping Identity's John Fontana (formerly my colleague at Network World) recently laid out the argument for replacing SPML with SCIM (Simple Cloud Identity Management). Fontana describes SCIM this way: "The new model is envisioned as a scalable standard mechanism for assigning cloud resources and privileges, and setting security policies for users, including employees, contractors and business partners. In short, a uniform way to plug user management into any cloud application."


The driving forces behind SCIM are Google, Salesforce.com and Ping Identity. While Ping Identity has participated in SPML meetings, the other two haven't.

What were they thinking?

The argument is made that SPML is not best suited for cloud-based applications. Well, some people say that. The SCIM folk put it this way:

"The Simple Cloud Identity Management (SCIM) specification is designed to make it easier for organizations and developers to quickly create and manage users in cloud based applications and services as well as provide portability of those users between cloud providers. Its intent is to reduce the cost and complexity of common user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration."

There's nothing uniquely different about provisioning cloud applications as opposed to data center applications -- except that the "data center" is at the end of a URL rather than a network path.

A provisioning system needs to be able to work with all applications and services no matter where they're located.

And as to that "providing a common user schema" thing -- we've had that for many, many years (beginning with X.500) -- no need to reinvent that wheel.

To my mind this is no different than many other supposed "standardization" movements -- a poorly disguised attempt by one or a handful of vendors to dictate protocols to the world.

Kuppinger-Cole's Martin Kuppinger said it best:

"Wouldn't it be better to join forces of SPML and SCIM to build a SPML version 3.0 which supports REST [Representational State Transfer] as well? If working on a new or improved standard, wouldn't it make sense to address all relevant use cases? SPML doesn't today and SCIM is not likely to do, when looking at the information provided today."

It's time to scrap the SCIM and pump up the SPML.


Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
