Identity Blogger

Talking SPML

January 8, 2009

Oddly enough, the New Year has seen a spate of SPML discussions. James McGovern gets the whole thing kicked off here. Jackson Shaw adds his thoughts here, and makes the point that SaaS really needs federation and provisioning to work well.

Mark Diodati (who has been following SPML for a long time) has some interesting thoughts about it here. Mark points out that SPML lacks built-in authn and authz capabilities. This was an intentional design decision in both SPML 1.0 and 2.0, as it was felt at the time that authn and authz should be part of the web services infrastructure, not the provisioning standard. In retrospect, that decision put too much faith in how well authn and authz standards would be adopted. This also points out the unique position that identity web services are in: they must be secured, yet they must drive the security as well. It’s a real chicken-and-egg dilemma. Or, to use the WSDM nomenclature, a real MUWS-MOWS dilemma.

Ian Glazer (a former colleague of mine at Access360 who also served with me on the PSTC) wants to stop talking about federated provisioning. Ian makes the point that federated provisioning is not really any different from enterprise provisioning. Ian is correct in that they are basically the same, although there are some subtle differences in how they play out in deployment.

I really hope that these discussions lead to some real movement around leveraging SPML to enable SaaS services. I am always up for an SPML conversation. If you want to discuss SPML (or identity or change management), my work email is my first initial and last name at sunviewsoftware.com and my personal email is the same at yahoo.com.

Categories: Change Management · Identity · Identity Management · Provisioning · SPML · SaaS · Standards