Here’s a sad statement on standards-based provisioning: “likely unachievable.”

That is the conclusion from Mark Diodati, a senior analyst in the identity and privacy practice at the Burton Group, who last week published his new report on the topic.
(Note: the full report is available only to clients.)
The report concludes that the complexity, performance and lack of vendor support for SPML v2 are a crippler for seamless interoperability between provisioning systems and target applications.
But it is not the final word. I spoke today to Richard Sand, CEO for Skyworth TTG, a global systems integrator, who said he is working to revive the OASIS SPML TC, dormant for nearly two years, and work toward an SPML 3.0 focused more on needs for the cloud.
Sand said we should hear news on the new or revised TC this week or next. He is talking to a number of companies about joining in.
If that does not work out, Mary McRae, director of standards development at OASIS and a technical committee administrator, told me the current SPML TC would be laid to rest. She had been set to shut it down May 1, but has been actively working with Sand, who nominated himself to chair the TC.
Standards-based provisioning just isn’t getting the traction that Sand says it deserves as cloud computing evolves. He acknowledges the complexity as a major hurdle.
When I talked to Diodati a few weeks ago, he told me Burton took the step of writing its own SPML connector to get the 20-miles-of-bad-road view on what it takes. His conclusion: “[The industry is] at a crossroads now.” And Diodati wrote in his report that his "unachievable" conclusion is “a sad prognosis, as SPML (or something like it), is desperately needed for interoperable provisioning services associated with locally hosted and cloud-based applications.”
Cue Sand.
“I have a lot of ambition around what SPML 3.0 should be,” said Sand. Foremost on the list is that it won’t be backward compatible with 2.0, which for all intents and purposes has no takers. But he says an SPML 3.0 effort would take “building blocks” from the existing work.
Sand says he is looking at simplification of some of the use cases. “I also want to put in some higher level use cases,” he said. “One problem with SPML is that adoption is a low-level thing. I want to give it some higher level function so it solves more of the integration challenges.”
He says he would like to spec out a REST specification and minimize the focus on SOAP. “I think this can make adoption a bit easier and make it more appealing to existing products. I want to get ahead of the curve for use cases around cloud enablement and what products will need to support.”
And Sand wants to attack the standard schema issue that was never really finished by the SPML TC.
“I want to put a stake in the ground. There can be more than one common schema. There could be one SPML recognizes out of the box so to speak. In the long term that could facilitate adoption because there would be a basic pre-fab schema that end points can translate into.”
Sand has a heavy rock to push up a steep hill, but he hopes SPML has a Chapter 3. This time with some tangible results.
Follow John on Twitter and check out our Identity-Conversation Tweet list


Do you have any thoughts on why the market hasn't adopted SPML?

Frankly, in my opinion, I think the vendors don't see a business model around it, i.e., it is not in their best interest right now to support standards. The building-one-off-connectors model is a better one. There has not been activity in the SPML TC for two years if you want validation that interest has faded among those building the spec. It might take a user crowd with torches and pitchforks to move the needle. On the technology side, certainly SPML needs to be easier. Searching for a user is one area that causes so much pain vendors won't go near it. One-offing connectors will need to go away. In my blog, Richard hints at one other consideration - a simple, basic profile with a basic schema may help break the ice. Not suggesting the answers are easy. If the TC work for a 3.0 spec doesn't get going again, I think you have your answer on standards-based provisioning for the foreseeable future.


Is Ping Identity doing anything in the area of SPML?


And also, do you know of any OpenID providers that support SPML?

We are watching SPML, reacting to user needs. As our CEO has stated: a few years back we even wrote our own SPML engine, which was our first step towards full-blown support of SPML to facilitate federated provisioning. We postponed the project after doing deeper market research, and discovering that we were a bit too early to market, and that enterprises weren't quite ready for it.
Ping provides provisioning both expedited when the user’s identity is already well understood and in SaaS environments where a de-provisioning mechanism is available.
To your other question. I am unsure but will ask.

What is required from the enterprise perspective to be ready for SPML?

It's the chicken-and-egg vicious cycle: SPML-based products...

that's unfortunate :(

