SPML (Services Provisioning Markup Language)

What is Services Provisioning Markup Language (SPML)?

Services Provisioning Markup Language is an Open Source XML-based standard that facilitates the exchange of account provisioning information among applications, services and organizations. SPML allows organizations to securely create, update and delete end-user accounts for many web services and applications using a single request from a central point.

Provisioning, as defined in the standard, is "the automation of all the steps required to manage (set up, amend and revoke) user or system access entitlements or data relative to electronically published services." SPML primarily focuses on user accounts, but can also be relevant for service or automated account objects.

A technical working group within the Organization for the Advancement of Structured Information Standards (OASIS) first released SPML in 2003. SPML Version 1 is built on the OASIS Directory Services Markup Language (DSML). SPML version 2, released in 2006, is an XML representation of the Lightweight Directory Access Protocol (LDAP).

Why use SPML?

As organizations use more web services and microservices, the need to create and maintain single user accounts across these systems becomes more complex. Service oriented architecture (SOA) defines many small web services instead of a single large service. Enterprise application integration (EAI) initiatives also try in integrate these disparate services together.

SPML is part of a family of standards designed to ease the implementation of web services and to establish interoperability among provisioning systems. SPML can be used in conjunction with Security Assertion Markup Language (SAML) to manage identity for web services. Middleware may use SPML to orchestrate accounts among many services.

As an example of how an organization could use SPML, imagine a new person is hired. A single new account request is entered into the service orchestration software. It creates a SPML request that creates new accounts in the company internal workflow system, the company Wi-Fi manager and the public web-based storage platform the company uses.

When the employee sets an initial password, the service orchestration software using SPML sends it to each service. When the employee leaves it can delete each of these accounts, increasing security and reducing the likelihood of paying for a service for an employee that no longer works for the organization.

middleware architecture
Middleware can use orchestrate accounts among different services with SPML.

What are SPML capabilities?

SPML provides the capability to manage the entire account lifecycle. This includes creating, finding, updating and deleting objects or accounts on the target service.

Add: Creates a new object.

Delete: Removes an existing object.

Lookup: Requests information that represents the object. It can also search, list and iterate objects.

Modify: Changes the attributes of an object.

Passwords: Sets, resets and expires passwords associated with an object.

Bulk operations: Runs bulk operations to modify or delete objects.

SAML protocol messaging for SSO login
Security Assertion Markup Language can work with Services Provisioning Markup to manage identity access and management for web services.

What are SPML profiles?

SPML v2 has two profiles that can be used to exchange information. The SPMLv2 XSD profile uses XML to exchange information. SPMLv2 DSMLv2 uses DSML v2.0, itself an XML standard, to exchange information.

Also see this guide to identity and access management, how to plan and execute a migration to microservices, the importance of orchestration platforms to  modern IT structures and top integration frameworks.

This was last updated in December 2021

Continue Reading About SPML (Services Provisioning Markup Language)

Dig Deeper on Enterprise architecture management

Software Quality
Cloud Computing