Introduction

This document provides a general description of the components and functions of the provisioning engine of an institutional-scale Identity and Access Management (IAM) suite. Requirements for the functionality and operation of a provisioning engine can be written using the terms and concepts presented in this model.

Overview

The function of a provisioning engine is to manage (create, modify, and delete) objects consisting of identifiers and attributes.

An object, consisting of identifiers and attributes, may be an identity registry entity. [OSIdM4HEteam:1]

The above sentence is a simplification of the formal definition of "provisioning" in the OASIS PSTC's SPML 1.0 specification [OSIdM4HEteam:2]. As the PSTC notes, the root of the word "provision" carries the notion of foresight, of "preparation beforehand".

For example, a provisioning engine may transform attributes describing a person from a database table

 | userName | firstName | lastName |

to an LDAP directory

 dn: cn=userName,ou=people,dc=edu
 cn: userName
 givenName: firstName
 sn: lastName

Enterprise, Federated, and Cloud Provisioning

It may be useful to think of provisioning in three domains: enterprise, federated, and cloud. Federated and cloud provisioning differ from enterprise provisioning in the degree of separation between the engine and its sources and targets, which limits the engine's ability to determine object state (for example, to enumerate every object held by a target).

Enterprise Provisioning

In an enterprise, sources and targets exist within the same authoritative domain; for example, within a single university.

Federated Provisioning

In federated provisioning, the source and target are in different domains within a federation; for example, two participants in InCommon [OSIdM4HEteam:3].

Cloud Provisioning

In cloud provisioning, a source or target exists in the cloud; for example, a university that routes student email to Gmail.

Just-In-Case and Just-In-Time Provisioning

Just-in-case provisioning is the "preparation beforehand" of objects in case they are used. Just-in-time provisioning prepares objects at the time of use, for example during SSO, when the target creates or updates the object from the attributes carried in the assertion. The SAML Change Notify protocol draft includes a mechanism for just-in-time provisioning. Because a just-in-time target only learns about objects that are actually used, it cannot by itself discover that an object should be removed; deprovisioning still requires a push from the source or a change notification.

Real-time Provisioning

Real-time provisioning propagates a change from a source to its targets quickly enough that, as perceived by a human, the target changes at the same time as the source.

Incremental Provisioning

Incremental provisioning is the provisioning of a small (possibly single) positive or negative change to the values of an attribute, that is, the addition or removal of a few values. Provisioning all attributes, or all values of an attribute, is "full" provisioning.

Resolving all values of an attribute may be expensive. For example, the Everyone group may be both an organization's largest group and the group that changes most frequently. Since enumerating every member of the Everyone group in both source and target systems is costly, it is likely more efficient to add and remove members incrementally as source membership changes. Incremental changes that are missed are not self-correcting, however, so a periodic full comparison is still needed to detect drift.
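The contrast between full and incremental provisioning of a multi-valued attribute, as an added example (not code from this page or from any IAM product). The Everyone group's source and target membership and the stream of change records are constructed for illustration; a real engine would obtain them from its source and target connectors.

```python
"""Full versus incremental provisioning of group membership.

Added example, not code from the OSIdM4HE page. SOURCE_MEMBERS,
TARGET_MEMBERS and CHANGES are constructed sample data.
"""

# Constructed state of the Everyone group on both sides. The target is
# missing carol and dave and still holds erin, who has left.
SOURCE_MEMBERS = {"alice", "bob", "carol", "dave"}
TARGET_MEMBERS = {"alice", "bob", "erin"}

# Constructed stream of change records from the source: ("+", member) is a
# positive change, ("-", member) a negative one. The duplicate add of carol
# stands in for a redelivered event and must be a no-op.
CHANGES = [("+", "carol"), ("+", "dave"), ("-", "erin"), ("+", "carol")]


def full_sync(source, target):
    """Full provisioning: enumerate every member on both sides and compute
    the complete set difference. Cost grows with the size of the group."""
    to_add = sorted(source - target)
    to_remove = sorted(target - source)
    return to_add, to_remove


def apply_full(target, to_add, to_remove):
    """Apply the result of full_sync to the target membership."""
    new = set(target)
    new.update(to_add)
    new.difference_update(to_remove)
    return new


def incremental_sync(target, changes):
    """Incremental provisioning: apply each change record without
    enumerating the group. Cost is proportional to the number of changes,
    not to the size of the group. Returns the new membership and the
    operations actually applied (duplicates and no-ops are skipped)."""
    new = set(target)
    applied = []
    for op, member in changes:
        if op == "+" and member not in new:
            new.add(member)
            applied.append(("add", member))
        elif op == "-" and member in new:
            new.remove(member)
            applied.append(("remove", member))
    return new, applied


if __name__ == "__main__":
    print("full diff:", full_sync(SOURCE_MEMBERS, TARGET_MEMBERS))
    after, ops = incremental_sync(TARGET_MEMBERS, CHANGES)
    print("incremental ops:", ops)
    # A full comparison after the incremental run doubles as the compliance
    # check: an empty diff means the target matches the source.
    print("drift remaining:", full_sync(SOURCE_MEMBERS, after))
    # If one change record is lost, only the full comparison finds the drift.
    partial, _ = incremental_sync(TARGET_MEMBERS, CHANGES[:2])
    print("drift after a lost record:", full_sync(SOURCE_MEMBERS, partial))
```

The full and incremental paths reach the same end state when every change record arrives; the last two lines show why the full path cannot be dropped entirely, since a lost record leaves drift that incremental processing will never notice.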

Provisioning Engine

A provisioning engine consists of connectors (to sources and targets) and mappers (of identifiers and attributes).

Provisioning Engine : Source and Target Connectors

Given an identifier, a connector determines whether an object exists in a source or target and retrieves its attributes (lookup).

Enterprise provisioning typically also requires enumerating the identifiers of all source and target objects (search). Federated and cloud targets may not permit this, which is the degree of separation noted above.

Provisioning Engine : Identifier Mapping

A provisioning engine maps identifiers between sources and targets; for example, a source userName to a target dn.

Provisioning Engine : Attribute Mapping

A provisioning engine maps attributes between sources and targets, including filtering (which attributes and values are provisioned to a given target) and rewriting (how values are transformed on the way).

Provisioning Engine : Calc, Lookup, Diff, Sync

To synchronize an object between a source and target, a provisioning engine:

- calculates how the target object should be provisioned (calc)

- determines how the target object is currently provisioned (lookup)

- computes the difference between how the target object should be provisioned and how it is provisioned (diff)

- modifies the target object to synchronize it with the source (sync).

Provisioning Engine : Compliance

A desirable feature of a provisioning engine is to verify and report that target objects are properly provisioned. This is the calc, lookup, and diff steps without the sync step: differences are reported rather than applied.
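The calc, lookup, diff, and sync steps, and the compliance report that runs the first three without the fourth, as an added example in Python (not code from this page or from any IAM product). It uses the document's own database-table-to-LDAP mapping; the row, the directory contents, the dn suffix ou=people,dc=edu, and the set of managed attributes are constructed for illustration, and plain dictionaries stand in for the connectors.

```python
"""Calc, lookup, diff and sync for one person object, plus a compliance report.

Added example; not code from the OSIdM4HE page or from any IAM product.
SOURCE_ROW, TARGET_DIRECTORY, the dn suffix and MANAGED_ATTRS are
constructed sample data; a real engine would read them through connectors.
"""

# Constructed source row, in the shape of the document's database table.
SOURCE_ROW = {"userName": "jdoe", "firstName": "Jane", "lastName": "Doe"}

# Constructed target: what the LDAP directory currently holds, keyed by dn.
TARGET_DIRECTORY = {
    "cn=jdoe,ou=people,dc=edu": {
        "cn": ["jdoe"],
        "givenName": ["Janet"],        # stale: the source now says "Jane"
        "sn": ["Doe"],
        "mail": ["jdoe@example.edu"],  # not part of this mapping; must be left alone
    },
}

# Attributes this mapping owns. Diff and sync never touch anything else, so
# attributes managed by some other process (here, mail) are not clobbered.
MANAGED_ATTRS = ("cn", "givenName", "sn")


def map_identifier(row):
    """Identifier mapping: source key userName -> target dn."""
    return f"cn={row['userName']},ou=people,dc=edu"


def calc(row):
    """Calc: how the target object should be provisioned (attribute mapping)."""
    return {
        "cn": [row["userName"]],
        "givenName": [row["firstName"]],
        "sn": [row["lastName"]],
    }


def lookup(directory, dn):
    """Lookup: how the target object is currently provisioned; None if absent."""
    return directory.get(dn)


def diff(desired, current):
    """Diff: LDAP-style (op, attribute, values) tuples turning current into desired."""
    if current is None:
        return [("add", attr, vals) for attr, vals in desired.items()]
    ops = []
    for attr in MANAGED_ATTRS:
        want = desired.get(attr, [])
        have = current.get(attr, [])
        if want and not have:
            ops.append(("add", attr, want))
        elif have and not want:
            ops.append(("delete", attr, have))
        elif sorted(want) != sorted(have):
            ops.append(("replace", attr, want))
    return ops


def sync(directory, dn, ops):
    """Sync: apply the operations to the target (in place, standing in for LDAP add/modify)."""
    entry = directory.setdefault(dn, {})
    for op, attr, vals in ops:
        if op == "delete":
            entry.pop(attr, None)
        else:
            entry[attr] = list(vals)
    return entry


def provision(row, directory):
    """Run the four steps for one source row; returns the dn and the ops applied."""
    dn = map_identifier(row)
    ops = diff(calc(row), lookup(directory, dn))
    if ops:
        sync(directory, dn, ops)
    return dn, ops


def compliance_report(rows, directory):
    """Compliance: calc, lookup and diff without sync. Returns {dn: pending ops}
    for every object that is not provisioned as it should be."""
    report = {}
    for row in rows:
        dn = map_identifier(row)
        ops = diff(calc(row), lookup(directory, dn))
        if ops:
            report[dn] = ops
    return report


if __name__ == "__main__":
    print("drift before:", compliance_report([SOURCE_ROW], TARGET_DIRECTORY))
    print("applied:", provision(SOURCE_ROW, TARGET_DIRECTORY))
    print("drift after:", compliance_report([SOURCE_ROW], TARGET_DIRECTORY))
```

Two properties are worth checking in any engine built along these lines: a second run over an already synchronized object must produce no operations (the compliance report is empty), and attributes outside the mapping must survive a sync untouched.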

Provisioning Engine : Standards

A provisioning engine should support standards, de facto or otherwise. Although SPML (either v1 or v2) has not seen widespread adoption, it is supported by Oracle as part of its IAM suite. Other applicable standards are SAML (for just-in-time provisioning) and SCIM.

Connectors

...

[OSIdM4HEteam:... to be continued...]

References

[OSIdM4HEteam:1] https://spaces.at.internet2.edu/display/OSIdM4HEteam/Identity+Registry+Functional+Model

[OSIdM4HEteam:2] http://www.oasis-open.org/committees/download.php/4137/os-pstc-spml-core-1.0.pdf

[OSIdM4HEteam:3] http://www.surfnet.nl/nl/Innovatieprogramma%27s/gigaport3/Documents/EDS-4%20Provisioning%20Scenarios%20in%20Federations%20Final.pdf