Mark Diodati

A member of the Gartner Blog Network

Mark Diodati
Research VP
6 years at Gartner
21 years IT industry

Mark Diodati is a Research Vice President with Gartner's IT Professionals research and advisory service. His focus topics include mobility, authentication, cloud idenitity, federation, directory services, provisioning, identity services, Active Directory interoperability, Web access management…Read Full Bio

Coverage Areas:

SCIM and the Future of Standards-Based Provisioning

by Mark Diodati  |  May 6, 2011  |  1 Comment

Here at Gartner/Burton Group, we have been closely tracking identity standards—including Service Provisioning Markup Language (SPML)—since 2003. The standard has some serious flaws, which we have articulated in our research documents and blog posts. In the summer of 2010, the participants at the Gartner Catalyst Conference Standards-Based Provisioning Special Interest Group issued a consensus statement that stated that SPML was at a crossroads due to its complexity, lack of conformant implementations, and nearly non-existent support by application vendors. Nothing has changed since last summer; the OASIS Provisioning Services Technical Committee (PSTC) has not taken any steps to remediate these issues.

Several weeks ago, a specification for provisioning was released—Simple Cloud Identity Management (SCIM). It is an important step forward in the important goal of standards-based provisioning. Representatives from Google, salesforce.com, Ping Identity, VMware, UnboundID, Okta, Sailpoint, and other organizations are working on the initiative.

SCIM comes with four important benefits. SCIM is simple; it leverages REST and JSON, not SOAP and XML. SCIM focuses on essential CRUD (create, read, update, and delete) operations. It avoids the complexity of the LDAP object class inheritance model. Second, it doesn’t place an undue burden on the target application like SPML does (check out our research for the details). Third, SCIM has an extensible user schema (think LDAP’s inetOrgPerson), something that was sorely lacking in SPML. Lastly, SCIM comes with support from the major Cloud application vendors (e.g., salesforce.com and Google).

Some folks in the identity community state that SCIM needs to support the functionality provided by the SPML Capabilities (e.g., Reference, Batch, etc.). Based upon our research, these capabilities are rarely (if ever) used in the wild. The functionality provided by these Capabilities can exist outside SCIM, with the added benefit of not overburdening the target application. Let’s have that debate; please provide a comment to get it going.

Several identerati have advocated rolling SCIM into the PSTC work for the next release of SPML. Until last fall, the OASIS PSTC was largely dormant for nearly four years. With all apologies to the really smart people who are on the committee, a harmonization effort will take years and delay the release of a viable provisioning standard. What is the point of harmonizing SCIM to a largely unadopted, broken standard?

Others have stated that SCIM is suited only for Cloud applications. I disagree. If SCIM works for cloud applications, then it will work for on-premises applications.

SPML may still live on for specific use cases. For example, some organizations have utilized SPML to connect disparate provisioning systems (despite the fact that none of the major provisioning systems have a conformant SPML service). This is still a valid use case; if it ain’t broke, don’t fix it.

My unsolicited guidance for the folks working the SCIM specification: be disciplined. Keep the specification as simple as possible. Avoid the “everything but the kitchen sink” philosophy that sunk SPML v2. Focus on the end goal of providing a viable provisioning standard; don’t bother trying to harmonize SCIM with SPML—few organizations are using SPML today. Implement the standard as quickly as possible in your company’s products and services to spur adoption.

Gartner/Burton Group Recommended Reading

Directory Services, Federation, and the Cloud  (2010 Assessment Document – subscription required)

Consensus on the Future of Standards-Based Provisioning and SPML (2010 blog)

OASIS or Mirage: Standards-Based Provisioning (2010 Technical Case Study – subscription required)

SPML: Life Support Redux (2010 blog)

SPML Is On Life Support …. (2010 blog)

The Value of SPML Gateways (2009 blog)

New Year’s Resolution: Let’s Talk More about SPML (2009 blog)

The Latticework of Identity Services (2007 blog)

SPML: Gaining Maturity (2006 Technology and Standards Document – subscription required)

Recommended Reading from Wicked Smaaht People

Patrick Harding: Why SCIM over SPML? Why not?

John Fontana: From SPML churn rises new crack at provisioning standard

Nishant Kaushik: SCIMming the Surface of User Provisioning

Dave Kearns: SCIMing the provisioning landscape

Martin Kuppinger: SCIM – will SPML shortcomings be reinvented?

SCIM Specification

1 Comment »

Category: Uncategorized     Tags:

1 response so far ↓

  • 1 Anders Rundgren   May 7, 2011 at 11:49 am

    Mark,
    If you take a peek at:

    http://webpki.org/auth-token-4-the-cloud.html

    you will an entirely different approach to Cloud IDM. I do not see this as a standard effort but an attempt to create a de-facto standard. Why? SDOs only take a small thing and hope that somebody else will fix the rest. I don’t think that leads anywhere.