OASIS Mailing List Archives

provision message



Subject: potential "federated" use cases


Potential use cases I am involved with are federated group
provisioning and privilege & access management provisioning. So far
these use cases do not seem to suggest changes to the SPMLv2
specification; rather, they may serve as example implementations
potentially of interest to other parties wishing to encourage SPML.

A potential issue with regard to federated group provisioning that we
see is how to manage the group namespace across enterprises. This is
not really an SPML issue, since lookup and search operations will
allow parties to resolve identifiers. A suggested "best practice" for
federated group naming may result.

Privilege & access management provisioning may use XACML as the SPML
payload, potentially requiring us to work out an XACML profile to
SPML.

Federated provisioning, whether of groups or privileges, requires
relationships between RAs and PSPs that in higher-ed should leverage
our existing SAML federations - perhaps something along the lines of
SAML "provisioning assertions", with SPML as payload of the SAML
protocol. SAML's Change Notify proposal is interesting because it
supports multiple profiles, including SPML. Further alignment of SPML
and SAML may result in greater adoption of SPML in higher-ed;
otherwise, there are those that think SPML will be rendered
unnecessary by extensions to SAML.

Tom

