Here at Gartner/Burton Group, we have been closely tracking identity standards—including Service Provisioning Markup Language (SPML)—since 2003. The standard has some serious flaws, which we have articulated in our research documents and blog posts. In the summer of 2010, the participants at the Gartner Catalyst Conference Standards-Based Provisioning Special Interest Group issued a consensus statement that stated that SPML was at a crossroads due to its complexity, lack of conformant implementations, and nearly non-existent support by application vendors. Nothing has changed since last summer; the OASIS Provisioning Services Technical Committee (PSTC) has not taken any steps to remediate these issues.
Several weeks ago, a specification for provisioning was released—Simple Cloud Identity Management (SCIM). It is an important step forward in the important goal of standards-based provisioning. Representatives from Google, salesforce.com, Ping Identity, VMware, UnboundID, Okta, Sailpoint, and other organizations are working on the initiative.
SCIM comes with four important benefits. SCIM is simple; it leverages REST and JSON, not SOAP and XML. SCIM focuses on essential CRUD (create, read, update, and delete) operations. It avoids the complexity of the LDAP object class inheritance model. Second, it doesn’t place an undue burden on the target application like SPML does (check out our research for the details). Third, SCIM has an extensible user schema (think LDAP’s inetOrgPerson), something that was sorely lacking in SPML. Lastly, SCIM comes with support from the major Cloud application vendors (e.g., salesforce.com and Google).
Some folks in the identity community state that SCIM needs to support the functionality provided by the SPML Capabilities (e.g., Reference, Batch, etc.). Based upon our research, these capabilities are rarely (if ever) used in the wild. The functionality provided by these Capabilities can exist outside SCIM, with the added benefit of not overburdening the target application. Let’s have that debate; please provide a comment to get it going.
Several identerati have advocated rolling SCIM into the PSTC work for the next release of SPML. Until last fall, the OASIS PSTC was largely dormant for nearly four years. With all apologies to the really smart people who are on the committee, a harmonization effort will take years and delay the release of a viable provisioning standard. What is the point of harmonizing SCIM to a largely unadopted, broken standard?
Others have stated that SCIM is suited only for Cloud applications. I disagree. If SCIM works for cloud applications, then it will work for on-premises applications.
SPML may still live on for specific use cases. For example, some organizations have utilized SPML to connect disparate provisioning systems (despite the fact that none of the major provisioning systems have a conformant SPML service). This is still a valid use case; if it ain’t broke, don’t fix it.
My unsolicited guidance for the folks working the SCIM specification: be disciplined. Keep the specification as simple as possible. Avoid the “everything but the kitchen sink” philosophy that sunk SPML v2. Focus on the end goal of providing a viable provisioning standard; don’t bother trying to harmonize SCIM with SPML—few organizations are using SPML today. Implement the standard as quickly as possible in your company’s products and services to spur adoption.
Gartner/Burton Group Recommended Reading
Directory Services, Federation, and the Cloud (2010 Assessment Document – subscription required)
OASIS or Mirage: Standards-Based Provisioning (2010 Technical Case Study – subscription required)
SPML: Life Support Redux (2010 blog)
SPML Is On Life Support …. (2010 blog)
The Value of SPML Gateways (2009 blog)
The Latticework of Identity Services (2007 blog)
SPML: Gaining Maturity (2006 Technology and Standards Document – subscription required)
Recommended Reading from Wicked Smaaht People
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.