SPML and SAML enhance application security in different ways

Access control is a major application security issue and OASIS standards SPML and SAML provide authentication and authorization benefits. Expert Ramesh Nagappan explains how these standards work.

Would you give some insights on SPML and its relationship with SAML?

Today's enterprises face unprecedented IT security risks and vulnerabilities in handling identity information about users, credentials, resources and their access control privileges. The OASIS standards Service Provisioning Markup Language (SPML) and Security Assertion Markup Language (SAML) play a crucial role in standards-based identity information management: SPML promotes automation of the user account management life cycle (identity provisioning), and SAML enables single sign-on (SSO) between heterogeneous systems and identity federation across networks.

The Role of SPML in identity provisioning 

SPML is an XML protocol for exchanging user and resource information and for controlling identity provisioning operations with heterogeneous systems and resources. It defines an XML-based framework for representing provisioning requests intended for creating, modifying, deleting, enabling/disabling and searching user accounts and their associated access control privileges on target resources. The SPML-based provisioning process may also involve business workflows and designated approval actions based on other user attributes such as roles, permissions and privileges. With SPML, it is a lot quicker to automate the provisioning of user accounts and associated access rights to multiple resources and to integrate different provisioning systems.

As a standard, SPML promotes integration and interoperability between SPML-aware identity provisioning systems and also allows exchanging identity information using standards-based protocols via XML Web services. The current specification, SPML 2.0, has been ratified as an OASIS standard for Identity provisioning.

The Role of SAML in SSO and identity federation 

SAML provides an XML-based framework for exchanging security-related information over networks, including the Internet. SAML does not define new mechanisms for authentication or authorization. Instead, it defines XML structures for representing information pertaining to authentication and authorization so that these structures can be marshaled across system boundaries and understood by the recipient's security systems, both within and across networks. SAML is emerging as a de facto standard for securely exchanging XML-based security information, for enabling single sign-on and identity federation regardless of the underlying security architectures, and for promoting security interoperability. The current specification, SAML 2.0, has been ratified as an OASIS standard.

SPML relationship to SAML 

SPML is expected to play a vital role in enabling identity federation. SPML helps to initiate XML-based provisioning/de-provisioning processes from the identity provider to its target service providers. This lets organizations avoid out-of-band account creation requirements, such as synchronization mechanisms fed from LDAP, database and other user repositories. In relation to SAML, SPML can make use of SAML assertions through a trust model in which the senders and receivers of SPML messages agree upon the context of a predefined unique user identifier represented by a SAML assertion. To be more precise, the SAML assertion qualifies the subject against which a provisioning request is targeted.

Lately a supporting profile effort, the "Federated Provisioning Profile" (SAML 2.0 Profile for SPML), has been in progress within the OASIS Security Services (SAML) TC; it addresses the use of SAML within SPML messages. The Federated Provisioning Profile focuses on the use-case requirements for SPML provisioning in identity federation, where SPML messages can carry SAML assertions as provisioning data, and on on-demand/just-in-time and bulk user provisioning between an identity provider (IdP) and a service provider (SP).
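As an added illustration of the trust model described above (this is example code, not from the article or from the OASIS specifications), the following builds an SPML 2.0 addRequest whose provisioning data carries a SAML 2.0 Subject, and shows the checks a service provider would apply before creating the account. The SPML and SAML namespace URNs and the NameID attributes are the real ones; the placement of the Subject inside `<spml:data>`, the target name `hr-app` and the IdP URL are assumptions, since the profile was still in progress.

```python
# Added example: SPML addRequest carrying a SAML Subject, plus provider-side validation.
# Embedding of the SAML Subject inside <spml:data> is assumed for illustration only.
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Out-of-band agreement between requester (IdP) and provider (SP): which targets
# exist and which IdP may assert subjects for each (constructed sample values).
TRUSTED = {"hr-app": {"https://idp.example.org"}}

def build_add_request(request_id, target_id, issuer, name_id, attrs):
    """Build an SPML addRequest whose <data> holds a SAML Subject and account attributes."""
    ET.register_namespace("spml", SPML)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SPML}}}addRequest",
                     {"requestID": request_id, "targetID": target_id,
                      "executionMode": "synchronous"})
    data = ET.SubElement(req, f"{{{SPML}}}data")
    subj = ET.SubElement(data, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  {"Format": PERSISTENT, "NameQualifier": issuer}).text = name_id
    for key, value in attrs.items():          # target-specific account data
        ET.SubElement(data, key).text = value
    return ET.tostring(req, encoding="unicode")

def validate_add_request(xml_text):
    """Provider-side checks before any account is created. Returns (ok, reason or account)."""
    # In production, parse untrusted XML with defusedxml (entity expansion, external entities).
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SPML}}}addRequest":
        return False, "not an SPML addRequest"
    target = req.get("targetID")
    if target not in TRUSTED:
        return False, f"unknown target {target!r}"
    nid = req.find(f"{{{SPML}}}data/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None or not (nid.text or "").strip():
        return False, "missing SAML NameID subject"
    if nid.get("Format") != PERSISTENT:
        return False, "subject format is not the agreed persistent identifier"
    if nid.get("NameQualifier") not in TRUSTED[target]:
        return False, "subject asserted by an identity provider not trusted for this target"
    account = {c.tag: c.text for c in req.find(f"{{{SPML}}}data")
               if c.tag != f"{{{SAML}}}Subject"}
    return True, {"target": target, "subject": nid.text.strip(), **account}
```

The validation refuses requests whose subject identifier is not in the agreed format or is qualified by an issuer the target does not trust, which is the provider's side of the sender/receiver agreement the text describes.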

For more detailed information, I would suggest taking a look at the following references: 

OASIS Provisioning Services (SPML) TC Public Documents 

OASIS Security Services (SAML) TC Public Documents
