1. Introduction

During the last half of the decade, the economy has been going through a cyclic process: businesses have been encouraged to cut spending, encouraging layoffs of all sizes; mergers and acquisitions of great proportions have been occurring; and employee dissatisfaction has at times led to corporate negligence, espionage, and identity fraud. Corporations have learned that to succeed in this type of environment, they must be versatile, lean, and economically diligent. This often does not sit well with their employees, as it is often the case that they must go through lay-off procedures. Another major initiative in curbing spending has been to develop and further enhance business practices.

All the concepts I have just talked about have one common theme: managing identities and securely provisioning and de-provisioning identities effectively, to resources inside and outside of your organisation. This may sound easy, but with new technologies come the hurdles of developing and incorporating business practices, privacy policies and corporate goals, because often the technologies are immature, and these technologies may have raised visibility with management, especially given the great cost of purchasing and implementing them. I thought it may be interesting to talk about where the technology has gone and how standards like Service Provisioning Mark-up Language (SPML) are being developed to ensure the longevity of the technologies a company has invested in, and so sustain the investments it has made. Investments have been so great that companies are determined to ensure the technologies facilitate efficiency within their organisations, but provisioning is a difficult tool to implement from a business process point of view and from a deployment point of view.

Throughout this paper, I will be discussing the concept of identities, defining provisioning, and how SPML, Service Provisioning Mark-up Language, can make a difference, especially as businesses mature. In defining the technologies that are being developed to make provisioning an easier solution to deploy and manage, understanding the concept of identities, how provisioning came about and why technologies like SPML are important is essential to make provisioning customer deployments successful. I will start off by defining what an identity is and why identities need to be managed, then move into the technology of provisioning, provide a business scenario, and explain why SPML is such an important technology among all the XML standards there are.

1.1. What are identities?

Users' identities are pieces of information that identify your association of existence at work, at home, with your friends, on the phone, on the Internet, everywhere. In the scope of this paper, identities are really at the core of your business. To allow users to utilize and benefit from the many applications and services offered today, organisations of all types assign identifiers, or unique codes, to individuals in order to represent their uniqueness to the organisation and to map easily to applications and services. Individuals may take on multiple roles throughout their lifetime with their employer, using these identifiers as their digital identities when they move through the organisational structure. These identifiers may morph as they adapt from business to business or supplier to manufacturer, but the uniqueness maps back to the original identifier. Identities are required for all users, including employees, business partners and customers. As online operations become the standard of today's business model, identity is also becoming a key asset to all levels of business operations.
86 1363-4127/04/© 2004, Elsevier Ltd

User provisioning with SPML
Gavenraj Sodhi, Computer Associates, Irvine, California, 92694, USA

Gavenraj Sodhi is Product Manager eTrust at Computer Associates International, Inc. (CA). In this role, Gavenraj is responsible for defining and evangelizing the product and marketing strategy for the eTrust Admin product line and contributes to the overall Identity and Access Management security solution strategy within CA's eTrust brand unit. Gavenraj is co-founder and current secretary of the Provisioning Services Technical Committee (PSTC), creators of the Service Provisioning Mark-up Language (SPML) Standard, and chairs the Mobile & Directory Challenge as well as serving on a number of industry consortia groups including the Identity Management Steering Committee within the Open Group.

Gavenraj holds a degree in Chemical Engineering from Illinois Institute of Technology with a Masters in Business Administration from the University of Phoenix. Previously, Gavenraj served in a variety of positions in the Provisioning and Identity & Access Management space for a number of years at Business Layers (Netegrity) and Access360 (IBM).
1.2. The management of identities for provisioning

Multiple, parallel approaches to managing identities have often appeared – even within a single company. However, identities cannot be securely and cost-effectively managed in silos. A consistent, efficient and secure method is needed to manage identities both internally and externally. Managing identities and identifiers across this complex landscape is now a core organisational survival skill that requires consistent, cost-effective administration and enforcement of access privileges with end-to-end auditing of all identity-related activity.

The proliferation of identities has also increased the need to manage access to business assets. An organisation's success depends on the integrity, confidentiality and privacy of its information and processes, with the ability to audit governance, compliance and use. Because today's business systems are all too accessible, organisations need fine-grained, policy-based protection to protect their mission-critical data and services.
2. Business and technology trends

Organisations want to leverage the 24/7 availability of the Web to provide their customers with access to information. In many cases, this also includes the ability to place orders, track shipments and delivery dates, ask questions and contact customer service representatives. However, we are also living in a time concerned with identity theft and the security of personal data as well as financial and other business-confidential data. Additional concerns are posed by super users, who can gain unrestricted access to virtually all of your files and commands – regardless of their permissions – and 'ghost' users – where some access points are not revoked after an employee leaves a company. Today, organisations need to provide auditable proof that only appropriate access is granted to critical data.
2.1. Dimensions of identity and access management

Organisations need to manage relationships with multiple and distinct populations of 'identities.' These may include employees, customers and business partners. Every type of population requires identity and access management, but has its own unique requirements:

• Employee populations need a traditional, inward-facing security management solution that focuses on users' access to physical resources and IT systems, and protects internal systems. In addition, it must reduce costs and improve auditing while supporting tens or hundreds of thousands of users. Key to its success is the integration of the solution itself, as well as with business processes.

• Customer populations need an outward-facing security management solution that enables provisioning of secure web access to customer services. From the business perspective, its focus is on customer acquisition and enabling new customer services. From the customer's perspective, its focus is on ease of use, and providing confidentiality of personal data and transactions. Additionally, this solution must be scalable to support tens of millions of customers.

• Business-oriented identity and access management, also known as B2B (business to business), is focused on cross-organisational transactions. It depends upon legal frameworks, which allow transactions to securely occur between independent entities. It supplies a secure Web services infrastructure to address the issues associated with cross-company authorization and provides implementations of applicable standards, including: Universal Description, Discovery and Integration (UDDI), Security Assertion Mark-up Language (SAML), Service Provisioning Mark-up Language (SPML) and Public Key Infrastructure (PKI).
3. What is Provisioning and how is it becoming the centerstage in identity management?

The automation of business-oriented workflow of systems, resources, services, and devices to employees, partners, contractors, suppliers, and temporary workers is defined as Provisioning. Provisioning of user objects, monitoring of all activities, reporting of all transactions, and de-provisioning of user objects is a fundamental concept of user lifecycle management and of how your business operates day to day.

Employees, contractors, temporary workers, partners, and suppliers are all granted access to a wide range of corporate assets, from office building access to access to computer systems, files, directories, databases, mail systems, and financial systems. In addition, they may be assigned laptops, calling cards and corporate credit cards. Provisioning is no longer limited to IT practices. Organisations need to manage the digital identity across entire organisations, provisioning all IT systems, Web services, devices and entrance badges and securing access to files, directories and databases while monitoring all these activities with an end-to-end audit. Where Provisioning differentiates from standard manual business practices is that when employees, contractors, temporary workers, partners, and suppliers are terminated, access rights to all systems, devices, files, etc. are all terminated. In effect, this helps reduce the probability of any former employee, contractor, or other affiliate illegally using corporate assets.

Figure: Typical Enterprise Provisioning Architecture

The idea of provisioning evolved in the late 1990s, from the economic troubles that slowly evolved and as corporate America needed to become more lean and efficient. Provisioning started out, as is often the case, as just a manual process within one's organisation when a new employee joined an organisation, moved from one position to another, left or was terminated from their position. The manager of the employee would generally fill out an employee form or request, providing the form to Human Resources and kicking off a number of tasks (all manual and heavily paper driven), from purchasing a computer for that employee, to allocating accounts for that user, and/or the assignment of physical security devices to them. Essentially these provisioning activities took days or even weeks to complete, inefficiency at its best.

Provisioning encapsulates the art of applying workflow and business automation, derived from how businesses operate deep within their business logic, how they operate at the individual business unit level and at grand scales, and how they operate with their partners and suppliers. Thanks to the Internet, business relationships have become virtually worldwide, conceptually conceived via the generation of the computer. Business is no longer confined within one's enterprise; the relationships are now being mapped out to cross-domain federated models and exiting the closed corporate boundaries. With this come new challenges and an even greater importance of open standards.
Figure: Example of a Provisioning Process: Provisioning Work Flow for a New User joining the company for his First Day at Work.

A feed process or some sort of identity processing system will notify the provisioning system of identity changes, which may then trigger provisioning actions to take place against managed resources. The triggering will encounter identity updates from an identity repository such as an X.500 LDAP directory.

The graphic on page 89 shows a new user, Joe Newguy, being added to an organisation in a VP of Finance role, also his title in this case, and receiving a number of subset roles, which will enable translation to business logic based on these roles. With these subset roles, work flow is generated and processed and approval requests are sent out.

The Provisioning system will take these business requests and translate them to business and IT activities for resources and services; for example, the new user will need a Laptop with a number of office tools, an email account, access to the financial system, a telephone extension with a speakerphone, and business cards. Once approvals are received, updates are made to the respective systems where Joe Newguy will be performing his job function.

In the process of obtaining these approvals, certain manual activities may need to take place, including buying the Laptop, installing the software on the laptop, and setting up the user accounts and database access. In parallel, the telephone must be installed and set up on the provisioned desk, and the business cards need to be ordered. A robust notification and escalation mechanism needs to be in place for the provisioning activities to address certain workflow activities, including buying the Laptop and ordering business cards.

The provisioned user, Joe Newguy, must be maintained over his lifecycle as an employee with the company, so that on the day Joe leaves, the system would be able to get him 'out of the system' immediately.
3.1. Provisioning – parties involved

Many groups have interests in the provisioning and de-provisioning of users in one's organisation. Different groups have different needs that need to be met with a Provisioning solution.

Groups that would be directly involved with a Provisioning Solution:

• Line of Business Managers – how comprehensive and modular is the solution? Does it address all of my critical needs? How easy is it to use? Can I integrate it within my existing infrastructure?

• Senior Executives – what is the timeline for deployment and implementation? Can it keep up with the business as it changes? Is it going to make the company operate more efficiently and effectively, while providing new business opportunities and allowing us to save money?

• Network Administrators – is the Provisioning solution reliable, scalable and secure? Is the system easily configurable and manageable? Does it track changes, keep audit logs, and provide the ability to build reports? Is there support for developing custom connectors to our existing systems? Does it support open standards to 'plug-n-play?'
3.2. Provisioning and security

Provisioning and Security Management fit hand in hand. Communication between the provisioning server(s) and the managed endpoints (target systems) must be secure and encrypted, but so must the fundamental business process for which workflow is dynamically being generated to support the security policies and business practices of the organisation for which the provisioning of users is being conducted.

The user information can be used to create a profile of a person/role that indicates exactly what resources should be allocated to that person/role. Changes to the profile can automatically trigger provisioning or de-provisioning activities. This means that when an employee moves to another business unit, for example, all of the necessary workflow items would start and proceed to the reassignment of provisioned items, of course based on approvals received and on external systems like those from HR.

Security for the organisation is improved when you can automate the process of managing access to managed endpoints. You can also essentially roll back the provisioning process, clearing all access rights for any terminated employees via a single process while maintaining a complete audit of all changes.
3.2.1. Auditing

The provisioning system's auditing system should help ensure that all events and activities associated with identities or resources are tracked. Auditors can see when an identity was created, by whom, where the identity went, what it accessed, what it touched, what it morphed into, when it was suspended, by whom, and when it was terminated. It tracks all provisioning activity across the entire enterprise and extended enterprise, monitoring, collecting and filtering events, providing centralized management of organisation-specific audit policies, and triggering alarms and alerts.
3.3. Employee provisioning or employee lifecycle management drivers

3.3.1. Cost containment/productivity enablement

The need to react to business priorities has never been greater. A focus on operational procedures drives requirements around efficiency, while the continued evolution of on-demand computing – the next level in automated systems management – drives an urgency factor unseen to this point. Organisations (particularly IT departments) are also being asked to 'do more with less.' At a time when the number of identities involved in daily transactions is exploding, the requirements from auditors have multiplied. The rate of mergers and acquisitions may have slowed, but it has not stopped – leaving IT departments with larger user populations, more consolidation and decreasing budgets.

Productivity loss – due to the need to sign on to multiple applications – represents a considerable cost overhead to many organisations. Lost credentials and account lockouts due to sign-on errors further increase these costs. Manual user provisioning and administration are inefficient and expensive.
3.3.2. Regulatory environment

The amount of personal and financial information existing in distributed databases, coupled with the demand for open access, has increased demand for protection and highlighted the need for regulations against unauthorized access to information and for comprehensive auditing of information accessed by any type of identity. Regulations focus on data in two ways: personal privacy and financial validity. Governments and industry regulatory bodies worldwide are responding with regulations and directives for the privacy and confidentiality of health care records – the Health Insurance Portability and Accountability Act (HIPAA) – as well as financial data – the Gramm-Leach-Bliley Act (GLBA) and the EU Data Protection Directive (95/46/EC) – and with new controls on accounting practices (Sarbanes-Oxley Act).
3.3.3. Standards as protection of technology investment

IT departments leverage standards to protect their investment in new technology. Standards come with the promise that current products will continue to interoperate with products from other vendors as technologies evolve and that these technologies can be deployed securely. Today, organisations need to adopt strategies for technology and standards adoption to position themselves for participation in the new web economy.
4. Provisioning standards support and what is SPML?

As the co-founder and current secretary of SPML, I recognized in 2000 that Employee Provisioning solutions needed to interchange with other solutions, repositories, applications and services, including interoperability at some level with other provisioning and meta-directory solutions. SPML started as a group of technology companies that eventually evolved from three competing specifications, which transitioned as one agreed-upon specification and technical committee into OASIS and finally as a version 1.0 standard, with the mediation and dedication of the Burton Group, specifically the amount of time and effort contributed by Mr. Phil Schacter and the continued motivation provided by Mr. Jamie Lewis and Mr. Gerry Gebel.

Figure: SPML v1.0 architecture (web browser and administrative directory, web server, provisioning server, SPML bus carrying identities and credentials, connectors/agents to security and network OS, groupware applications, HR/ERP, databases and directories, web interfaces and devices; universal feeds from HR/ERP/SCM; self admin, delegated admin, password reset, end-to-end reporting)

I realized through the years of operating and implementing business process management systems, creating connectors and connectors for systems, services, and devices, and finally came to the understanding that each unique system has its own concept of workflow and that SPML would not be an easy process to standardize. It would prove to be difficult and political. Most important to the vendors involved was that we knew that organisations have one or more identity-based provisioning, employee lifecycle management tools, meta-directory systems, or applications and devices that are based on identity information within their internal or external enterprise. Technologies may have been acquired via mergers and acquisitions, and over the years certain technologies become legacy to a degree.
Service Provisioning Mark-up Language, SPML, is a provisioning standard developed and ratified within OASIS, the Organisation for the Advancement of Structured Information Standards, and is intended to provide standard methods for provisioning and de-provisioning, querying, modifying, suspending, and restoring user accounts across heterogeneous systems, devices, and non-computing resources (e.g. credit cards, laptop computers, phones) which require a manual activity to be kicked off via the system's workflow, with notifications automated to the respective approvers. This common administration can significantly reduce IT workloads, help ensure compliance with security policies, and provide employees with immediate access to critical resources. Changes in human resource systems can be propagated automatically to IT applications without human intervention.

Based on an XML-based framework, SPML allows a provisioning system's capabilities to be extended to any enterprise system or Web service adopting the necessary compliant interface. SPML would allow businesses deploying and using web services, via a common language, to more securely manage the identity of a user, including the dynamic allocation of their associated resources/web services, across trusted boundaries.

Figure: Sample Business Scenario - Externalization of Provisioning Activities using SPML (i)

i Note: I am only addressing SPML and how it interacts with calling web services based on correct provisioning. Concepts of SAML, Liberty Alliance, and other standards may be derivatives of the concepts that are discussed in the Business Case model.
4.1. SPML v1.0

Version 1.0 of SPML was ratified within OASIS in November of 2003. SPML v1.0 provides the first step in the development of a standardized interface for exchanging provisioning requests. To enable truly secure access control for resource allocation and system and web service allocation, SPML is designed as a standard to be the protocol that allows the automation of access control for system and user access to these systems, devices, and web services.

In a sample business scenario, I wanted to represent how SPML may operate when provisioning users and web services around a business activity. I am going to address Business-to-Business (B2B) interactions and the lifecycle management of the provisioning actions conducted on these interactions, built on top of existing and emerging standards technologies.

This paper presents a business scenario showing how standards in a web services-oriented environment are used to solve problems in a business situation. Service Provisioning Markup Language, or SPML, is a standard that addresses the required semantics for Provisioning Service Points to exchange requests relating to the managed Provisioning Service Targets. SPML requests will facilitate the creation, modification, activation, suspension, enablement and deletion of data on managed Provisioning Service Targets.

Publication of a service is really any action by the service provider that makes the WSDL document available to a potential service requester. E-mailing the WSDL (or a URL pointer to the WSDL) to a developer is publishing. So is advertising the WSDL in a UDDI registry for many developers or executing services to find (ii). So when a person or entity wants to consume a service, that person or entity must meet some qualification to be assigned a status or a role. The trusted parties in a B2B environment may have a pre-established mechanism in place to map a person's or entity's qualification to a role.

The provisioning or subscribing function of the web services will be assigned to the Service Provisioning Mark-up Language (SPML) to specify. SPML may dictate the provisioning (Add/Create, Delete, Modify, Query) of Provisioning Service Points (PSP) and Provisioning Service Targets (PST) based on a formal submittal from the Requesting Authority (RA). In some cases the PST may be an RA requesting access to a service on another PSP, a true cross-federation model.
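As an added example that is not from the paper or from any SPML implementation, the following Python sketch models the roles just described: a Requesting Authority (RA) submits requests against Provisioning Service Targets (PSTs), the Provisioning Service Point (PSP) checks the RA's authority for that target, applies the verb and writes an audit record, a single termination de-provisions every account of a Provisioning Service User (PSU), and a check reports the 'ghost' accounts of Section 2. The request element names and namespace follow SPML v1.0, but the RA and target are assumed to come from the transport, the identifier layout is approximated, and the parser is illustrative rather than conformant.

```python
# Added example (not the paper's or any vendor's code): a toy PSP in the
# paper's vocabulary. Element names/namespace mirror SPML v1.0 requests but
# are used only to recognise the verb; this is not a conformant SPML parser.
from dataclasses import dataclass, field
from typing import Dict, List, Set
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:1:0"          # SPML v1.0 namespace
VERBS = {"addRequest": "add", "modifyRequest": "modify",
         "deleteRequest": "delete", "searchRequest": "search"}

@dataclass
class Request:
    ra: str        # Requesting Authority that submitted the request
    verb: str      # add | modify | delete | search | suspend | restore
    target: str    # Provisioning Service Target, e.g. "finance-db" (assumed)
    psu_id: str    # Provisioning Service User identifier

@dataclass
class PSP:
    authority: Dict[str, Set[str]]                  # RA -> targets it may address
    accounts: Dict[str, Dict[str, str]] = field(default_factory=dict)  # target -> {psu: state}
    audit: List[dict] = field(default_factory=list)  # end-to-end audit trail

    def _record(self, req: Request, result: str) -> str:
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                           "ra": req.ra, "verb": req.verb, "target": req.target,
                           "psu": req.psu_id, "result": result})
        return result

    def handle(self, req: Request) -> str:
        """Apply one request; returns 'success' or 'failure'. Every request,
        including a refused one, leaves an audit record (who, what, where)."""
        if req.target not in self.authority.get(req.ra, set()):
            return self._record(req, "failure")      # RA has no authority here
        accts = self.accounts.setdefault(req.target, {})
        if req.verb == "add":
            if req.psu_id in accts:
                return self._record(req, "failure")
            accts[req.psu_id] = "active"
        elif req.verb == "delete":
            if accts.pop(req.psu_id, None) is None:
                return self._record(req, "failure")
        elif req.verb in ("suspend", "restore", "modify", "search"):
            if req.psu_id not in accts:
                return self._record(req, "failure")
            if req.verb in ("suspend", "restore"):
                accts[req.psu_id] = "suspended" if req.verb == "suspend" else "active"
        else:
            return self._record(req, "failure")      # unknown verb
        return self._record(req, "success")

    def terminate(self, ra: str, psu_id: str) -> List[str]:
        """Roll back provisioning for one PSU in a single step: delete the
        account on every target the RA controls. Returns cleared targets."""
        cleared = []
        for target in sorted(self.authority.get(ra, set())):
            if psu_id in self.accounts.get(target, {}):
                if self.handle(Request(ra, "delete", target, psu_id)) == "success":
                    cleared.append(target)
        return cleared

    def ghost_accounts(self, active_psus: Set[str]) -> List[tuple]:
        """Accounts on any target whose PSU is no longer in the identity feed."""
        return sorted((t, u) for t, accts in self.accounts.items()
                      for u in accts if u not in active_psus)

def parse_spml_request(xml_text: str, ra: str, target: str) -> Request:
    """Extract verb and PSU id from an SPML-1.0-shaped request; RA and target
    are supplied by the caller (assumed to come from the authenticated transport)."""
    root = ET.fromstring(xml_text)
    ns, _, local = root.tag.rpartition("}")
    if ns != "{" + SPML_NS or local not in VERBS:
        raise ValueError("not a recognised SPML v1.0 request: " + root.tag)
    ident = root.find(f"{{{SPML_NS}}}identifier/{{{SPML_NS}}}id")
    if ident is None or not ident.text:
        raise ValueError("request carries no identifier")
    return Request(ra, VERBS[local], target, ident.text.strip())

# Constructed sample request: the HR feed provisions Joe Newguy.
SAMPLE_ADD = f"""<spml:addRequest xmlns:spml="{SPML_NS}" requestID="r1">
  <spml:identifier type="{SPML_NS}#UserIDAndOrDomainName">
    <spml:id>joe.newguy</spml:id>
  </spml:identifier>
</spml:addRequest>"""

def demo() -> dict:
    """Joe joins (two targets), a foreign RA is refused, Joe is suspended,
    then leaves: termination clears both accounts and no ghosts remain."""
    psp = PSP(authority={"hr-feed": {"email", "finance-db"}, "dealer-a": {"parts-catalog"}})
    psp.handle(parse_spml_request(SAMPLE_ADD, "hr-feed", "email"))
    psp.handle(parse_spml_request(SAMPLE_ADD, "hr-feed", "finance-db"))
    refused = psp.handle(Request("dealer-a", "add", "finance-db", "mallory"))
    psp.handle(Request("hr-feed", "suspend", "finance-db", "joe.newguy"))
    ghosts_before = psp.ghost_accounts(active_psus=set())   # Joe has left HR's feed
    cleared = psp.terminate("hr-feed", "joe.newguy")
    return {"refused": refused, "ghosts_before": ghosts_before, "cleared": cleared,
            "ghosts_after": psp.ghost_accounts(set()), "audit_events": len(psp.audit)}
```

A suspended account still counts as a ghost until it is deleted, which is why the termination step, not suspension alone, is what closes the access points the paper warns about.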
4.1.1. Complex business relationship analyzed using concepts of provisioning and SPML

1. Supplier 2 visits a Supplier Network System and signs up to sell vehicle parts.

2. Response comes back that the Distributor of the Supplier Network System would be happy to have Supplier 2 join pending it meets certain requirements, as stated in the web service query.
   a. Distributor (PSP) requests specified business profile information from Supplier 2 to fulfill the request to be able to sell as part of the Network.

3. Supplier 2 (acting as an RA) responds to Distributor (PSP) with the completed requirements to list its services, via the Supplier Network System.
   a. Suppliers requesting to list and supply parts are credentialed by the Distributor of the Supplier Network System. The distributor has the authority to accept/decline and allocate credentials and mediate for services.

4. Upon meeting all requirements as specified by Distributor (PSP), Supplier 2 (RA) is assigned a Provisioning Service User Identifier (PSU-ID) as a Provisioning Service User (PSU) of the Supplier Network System.

5. Dealer A (an RA) wants to order parts for a vehicle it sells via the Supplier Network System. Dealer A's procurement manager sets up user profiles for each of his company's buyers, establishing purchase areas and purchase limits for each user.

6. Once each buyer's profile, from the dealership (RA), has been set up, he or she can access the Supplier Network System of parts suppliers.

7. The buyer, from that dealership (RA), can then search through the list of items and their prices that the supplier has available.

8. The Dealer A and Dealer B dealerships (RA) each may or may not have access to the same set of suppliers on the Supplier Network System. This may be based on the query written in the request to the Supplier Network System.

9. When an order is processed, the Supplier Network System kicks off a business process, validating the purchase against the company policies defined by the procurement manager, submitting appropriate orders to the individual suppliers, updating order status and finally reporting the status back to the dealer (RA).

ii The UDDI project is a cross-industry initiative to create an open framework for describing, discovering, and integrating web services across the Internet. For more information on UDDI, see http://www.uddi.org

4.1.2. Analysis of the scenario

• Correct account setup (provisioning) for each person at each layer
• Suppliers can only choose from options assigned by their Distributors, as assigned by their credentials.
• Hierarchy of delegation
4.2. SPML v2.0

During January 2004, the PSTC met to discuss requirements for version 2.0 of SPML, really still an early work in progress. I did want to bring out some key points and allow you, the reader, to see where the group is going, and hopefully generate some ideas that you may bring to the PSTC if you are interested in participating within the PSTC working group in OASIS.

As SPML version 1.0 defined a standard protocol, defining standard XML schemas was recommended to be part of version 2.0. Furthermore, complex data modelling, standard verbs and operation extensions, and the idea of standardizing standard requests were other requests. Even further, the use and support of WSDL definitions, handling of complex data objects and enhanced/custom verbs, support for opaque identifiers, and backwards compatibility to version 1.0 were necessities. A new draft for vote is due to come out in the next several weeks that will set the direction for SPML version 2.0, and unification with agreement is key for success.
5. Conclusion and what can I do?

Get involved. Identity and Access Management, of which provisioning is a key technology, is here to stay, and the market grows substantially annually while the technology evolves. The PSTC is not only a standards body made up of software vendors but of customers, customers, and customers. More customers need to get more involved and state their needs and problems; in turn, SPML will enable deployments and integrations to be made much easier for them, thus reducing overall costs for the customers and providing for a quicker realisable ROI.

Provisioning and Identity Management are key technologies for enhancing operations and increasing the efficiency level, but more importantly they are important technologies for managing one's identity securely wherever it may travel. Standards are key and necessary for solutions to interoperate with existing solutions, new solutions, and mergers/acquisitions where one or many organizations may already have Identity or Provisioning-based solutions and need to integrate them.

Vendors need to get engaged on a worldwide basis, because building a standard interface to Identity Management systems is a competitive advantage for each of them. It is as important to encourage a larger audience of users, that they may purchase SPML standards-compliant solutions because they 'can' interoperate using technologies like SPML that have standardized interfaces to those Identity Management systems.

In this paper, a business scenario, specifically a Supply-Chain model, illustrated how evolving standards like SPML may be applied to solve a real business problem. SPML is only one component of the pyramid that will allow this scenario to come to completion seamlessly. Many standards that are needed to build this scenario are still in development, one of these being Web Services. Web Services have not presented themselves as a real B2B corporate solution, but developing real-life scenarios to show how the functions may occur can help commercialize the effort. Standard working groups like the Provisioning Service Technical Committee (PSTC) have vendors working together to achieve the business scenario described and to make it a reality.

For more information about SPML and how to join the PSTC, please visit: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision
6. References

[1] HTTP: http://www.w3.org/Protocols/
[2] SOAP: http://www.w3.org/TR/SOAP/
[3] WSDL: http://www.w3.org/TR/wsdl
[4] Organisation for the Advancement of Structured Information Standards, SAML Standard Set. See http://www.oasis-open.org/
[5] Liberty Alliance, www.projectliberty.org
[6] Organisation for the Advancement of Structured Information Standards, SPML 1.0 Standard Set and SPML 2.0 minutes. See http://www.oasis-open.org/
[7] Gottschalk, Karl; Graham, Steve; Kreger, Heather; and Snell, James. 'Introduction to Web Services Architecture.' http://www.research.ibm.com/journal/sj/412/gottschalk.html. Emerging Technologies. IBM Software Group. November 2001
[8] Organisation for the Advancement of Structured Information Standards, UDDI, http://www.oasis-open.org/
[9] Organisation for the Advancement of Structured Information Standards, PKI, http://www.oasis-open.org/