Provision 1C user accounts thru SPML gateway
By Frederic Pariente on Nov 19, 2009
Service Provisioning Markup Language (SPML) is an XML-based standard, developed by the OASIS consortium, for exchanging user, resource and service provisioning information. SPML came in response to the need to unify and automate the management of user accounts and rights inside a corporation. Indeed, with the multiplication of IT systems --logistics, accounting, customer management, human resources, you name it-- inside the companies we work for, the old (manual) ways of dealing with users --Dear Admin, please create account for new employee... Dear Admin, please give me access right for the folder/document... who doesn't remember writing one of these emails?-- could not keep up and were responsible for too much incorrect data, leading to information leaks and productivity loss.
Today in its version 2.0 --version 1.0 had a limited number of operations, a limited schema for user information, and was simpler to use and integrate--, SPML has enabled the software industry to develop interoperable identity management solutions, so that the various IT systems themselves can communicate and propagate changes in user information and rights. Examples of commercial solutions that are SPML-compliant include Sun Identity Manager and Oracle Identity Manager. We believe that it is essential that Enterprise Resource Management (ERM) applications today support advanced identity management operations beyond single sign-on --on that topic, check out this OpenSSO integration work.
Based in Moscow, 1C is a leading Russian software vendor, with 1M+ customers for their ERM software suite 1C:Enterprise and 18.7% market share in the Russian ERM market --making it the #2 vendor in 2008 per a recent IDC study. 1C is particularly known as the maker of the most popular enterprise accounting system, 1C:Accounting, sold in the CIS region; about every company in Russia runs a copy of that software, I have been told. With such a large installed base, 1C has evolved to become the center of a large ecosystem and network of 5000+ partner integrators, resellers and software vendors, some of which are Sun Microsystems partners as well.
To help our partners differentiate and add value in the legacy 1C ecosystem with Sun open technologies, the local ISV Engineering team engaged last year in the prototype development of an SPML interface for 1C:Enterprise, so it can integrate into the identity management frameworks deployed at large corporations. Because the 1C platform is fully based on Microsoft technologies and there were no external interfaces except Microsoft COM, our solution was to write a proxy gateway that translates SPML requests into COM API requests and exchanges provisioning information. The gateway embeds a web server for handling HTTP requests, so an administrator can simply install the SPML gateway along with the 1C client on a clean Windows machine. That done, the provisioning information inside the 1C database can be managed from any machine on the network.
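The translation step described above, sketched as an added example (this is not the 1C SPML Gateway's own code): a Python function parses an SPML 2.0 addRequest or deleteRequest, calls a backend, and returns the matching SPML response. FakeBackend, handle and the sample request are hypothetical names and data; the in-memory backend stands in for the COM calls.

```python
import xml.etree.ElementTree as ET
SPML = "urn:oasis:names:tc:SPML:2:0"       # SPML 2.0 core namespace
DSML = "urn:oasis:names:tc:DSML:2:0:core"  # DSML profile carrying the attributes

class FakeBackend:
    """Hypothetical stand-in for the COM calls a real gateway would make."""
    def __init__(self):
        self.users = {}
    def create_user(self, login, attrs):
        if login in self.users:
            raise KeyError(login)
        self.users[login] = attrs
    def delete_user(self, login):
        del self.users[login]  # raises KeyError for an unknown account

def _reply(op, rid, error=None):
    attrs = {"xmlns": SPML, "requestID": rid, "status": "failure" if error else "success"}
    if error:
        attrs["error"] = error  # SPML error code
    return ET.tostring(ET.Element(op + "Response", attrs), encoding="unicode")

def handle(xml_text, backend):
    """Translate one SPML request into a backend call; return the response XML."""
    if "<!DOCTYPE" in xml_text:  # provisioning requests never need a DTD
        raise ValueError("DTD not allowed")
    root = ET.fromstring(xml_text)
    ns, _, name = root.tag[1:].partition("}")
    if ns != SPML or not name.endswith("Request"):
        raise ValueError("not an SPML 2.0 request")
    op, rid = name[:-len("Request")], root.get("requestID", "")
    if op not in ("add", "delete"):
        return _reply(op, rid, "unsupportedOperation")
    login = next((p.get("ID") for p in root.iterfind(f"{{{SPML}}}psoID")), None)
    if not login:
        return _reply(op, rid, "malformedRequest")
    try:
        if op == "add":
            backend.create_user(login, {
                a.get("name"): [v.text for v in a.findall(f"{{{DSML}}}value")]
                for a in root.iterfind(f"{{{SPML}}}data/{{{DSML}}}attr")})
        else:
            backend.delete_user(login)
    except KeyError:
        return _reply(op, rid, "alreadyExists" if op == "add" else "noSuchIdentifier")
    return _reply(op, rid)

ADD = (f'<addRequest xmlns="{SPML}" requestID="r1"><psoID ID="jdoe"/><data>'  # constructed sample
       f'<attr xmlns="{DSML}" name="fullName"><value>J. Doe</value></attr>'
       f'</data></addRequest>')
```

Because every operation passes through this one function, it is also the natural place to log each request against the account it changes.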
We have had very good feedback from our partners about this solution so far. It has proven to save a lot of time --and money too!-- at deployment time and in managing 1C:Enterprise, because the service could literally be managed as an appliance and the solution did not require installing a 1C client on the machine where the Identity Management server sits. We encourage all of the 1C:Franchising network to leverage our work and put it to good use with their 1C customers. The code for the 1C SPML Gateway has been shared under an open-source license for that purpose and is available for free download.
As a general solution --I'm talking outside of the 1C ecosystem now, I'm thinking of any ISV out there needing to have its application exchange user information with identity management systems--, there is a lot one can learn from this particular project. The gateway approach makes it possible to plug legacy applications into a customer's identity infrastructure with no modification to the application --provided you have some kind of interface, of course. In addition, the SPML open protocol ensures maximum interoperability with modern identity management frameworks.
To conclude, anyone really is welcome to leverage our work as is, extend it --please join the community and share back-- or use it as a stub for another application --why not use Project Kenai to host and share your project as well? Most of the documentation for the 1C SPML Gateway is currently in Russian, but we will soon be posting an English summary of it to make life easier. In any case, you can right away post questions in English in the issue tracker and/or mailing list.