Service Provisioning Markup Language (SPML) is an XML representation for creating service requests to provision user accounts or for processing service requests related to the management of user account services. As discussed earlier in this chapter, service provisioning is a loosely defined term. According to the OASIS SPML specification (refer to [SPML10], pp. 9-10), provisioning refers to "the automation of all the steps required to manage (set up, amend, and revoke) user or system access entitlements or data relative to electronically published services." The scope of service provisioning is primarily the management of user account services, not the underlying operating systems or application environment. OASIS's service provisioning introduces the SPML domain model, which uses a Requesting Authority (a client requester that creates service provisioning requests to a known service point) to send service provisioning requests to the Provisioning Service Point (a service provider that intercepts service provisioning requests and processes them). The Provisioning Service Point handles the service provisioning request and creates or modifies user account information in the Provisioning Service Targets (target application systems where the service provisioning requests are executed and implemented). SPML is different from SAML (refer to Chapter 12 for details). SPML defines the processes and steps that are required in order to prepare for user account services to be available, while SAML defines security assertions related to authentication or authorization after the user accounts are available. Directory Services Markup Language (DSML) is an XML specification for expressing directory queries, updates, and the results of directory operations. SPML is different from DSML in that SPML may use directory servers (using DSML) as one of the underlying data store mechanisms to implement some of the user account service requests. Like any SOAP-based messaging, SPML faces security threats such as message replay, message insertion, message deletion, and message modification. The security protection mechanisms discussed in Chapter 6, "Web Services SecurityStandards and Techniques," is also applicable here. Service Provisioning OperationsThe SPML version 1.0 specification allows security architects and developers to perform the following operations:
The SPML specification allows service provisioning products the flexibility to implement how to handle and process service provisioning requests. It defines the language semantics of add, delete, search, and extended operations. Nevertheless, it does not specify the underlying operations of how to create a user account in an application system. Features in SPMLThere are a few unique design features in the SPML version 1.0 specification that are worth discussing. They allow security architects and developers to build SPML-enabled interfaces or integrate SPML-enabled products with their existing architecture with more flexibility and extensibility. These unique design features include:
Example 13-1. Sample SPML message for custom error handling<addResponse request result="urn:oasis:names:tc:SPML:1.0#failure" error="urn:oasis:names:tc:SPML:1.0#customError" errorMessage="my custom error message"> <identifier type="urn:oasis:names:tc:SPML:1.0#EMailAddress"> <spml:id>raylai@namredips.com</id> </identifier> <attributes> <attr name="mailBoxLimit"> <value>1000MB</value> </attr> </attributes> </addResponse> Adopting a SAML ImplementationThere are a few SPML-compliant commercial service provisioning systems available, such as Sun Java System Identity Manager (previously known as Waveset Technologies' Lighthouse) and Thor's Xellerate. Refer to the "References" section for more vendor products. These service provisioning systems allow creating and managing user account information as well as synchronizing user passwords across systems. Some products come with an SPML API library that allows custom applications or legacy systems to intercept and process SPML service requests. If security architects and developers want to use an open source implementation, they can also download OpenSPML Toolkit from http://www.openspml.org as well. Example 13-2 provides a sample SPML client using OpenSPML Toolkit (supporting SPML version 0.5). The OpenSPML Toolkit can be installed on any Web container (such as Apache Tomcat Web container or J2EE System Application Server). Example 13-2. SPML client to add a userpackage com.csp.provisioning; import java.util.HashMap; import org.openspml.client.SpmlClient; import org.openspml.message.AddRequest; import org.openspml.message.AddResponse; public class AddUser { protected SpmlClient client = new SpmlClient(); protected AddRequest request = new AddRequest(); protected HashMap userAttr = new HashMap(); protected AddResponse response; protected final String url = "http://localhost:8080/lighthouse/servlet/ rpcrouter2"; protected final String firstName = "Mary"; protected final String lastName = "Parker"; protected final String fullName = "Mary Jane Parker"; protected final String password = "peterIsSpidey123"; protected final String email = "maryj@namredips.com"; protected final String identifier = "maryjane"; /** * Creates a new instance of AddUser */ public AddUser() { try { System.out.println ("Creating a SPML request to add user"); create(); System.out.println ("SPML request generation is complete."); } catch (Throwable addUser) { // add your exception handling System.out.println(addUser.toString()); } } /** * Create SPML request for add user * * @exception Exception ex */ private void create() throws Exception { this.client.setTrace(true); // Use a generic SPML client // Assumptions // 1. SOAPRouter and TestSpmlHandler are registered using this URL below // customize this URL for your local environment // 2. Lighthouse is a resource resembling your SPML server this.client.setUrl(this.url); this.request.setIdentifier(this.identifier); this.request.setObjectClass("user"); // define user attributes this.userAttr.put("password", this.password); this.userAttr.put("email", this.email); this.userAttr.put("firstname", this.firstName); this.userAttr.put("lastname", this.lastName); this.userAttr.put("fullname", this.fullName); this.request.setAttributes(userAttr); // generate SPML request to add user response = (AddResponse)this.client.request(request); this.client.throwErrors(response); } public static void main(String args[]) { new AddUser(); } } Executing the sample SPML client will create an SPML request, as depicted in Example 13-3. This is an add operation to create an e-mail user account for user Mary Jane Parker. Example 13-3. Output from the sample SPML clientC:\Dev\OpenSPML\src>java -classpath %SPML_LIB%\openspml.jar;%SPML_LIB%\soap.jar; %SPML_LIB%\j2ee.jar;%SPML_LIB%\xercesImpl.jar;%SPML_LIB%\xmlParserAPIs.jar com.csp.provisioning.AddUser SpmlClient: sending to http://localhost:82/lighthouse/servlet/rpcrouter2 <spml:addRequest xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis: names:tc:DSML:2:0:core'> <spml:identifier type='urn:oasis:names:tc:SPML:1:0#GUID'> <spml:id>maryjane</spml:id> </spml:identifier> <spml:attributes> <dsml:attr name='objectclass'> <dsml:value>user</dsml:value> </dsml:attr> <dsml:attr name='fullname'> <dsml:value>Mary Jane Parker</dsml:value> </dsml:attr> <dsml:attr name='email'> <dsml:value>maryj@namredips.com</dsml:value> </dsml:attr> <dsml:attr name='password'> <dsml:value>peterIsSpidey123</dsml:value> </dsml:attr> <dsml:attr name='lastname'> <dsml:value>Parker</dsml:value> </dsml:attr> <dsml:attr name='firstname'> <dsml:value>Mary</dsml:value> </dsml:attr> </spml:attributes> </spml:addRequest> |