An Oracle blog about Openomics

  • sun
    November 19, 2009

Provision 1C user accounts thru SPML gateway

Guest Author

Service Provisioning Markup Language (SPML) is an XML-based standard, developed by the OASIS consortium, for exchanging user, resource and service provisioning information. SPML came in response to the need to unify and automate the management of user accounts and rights inside a corporation. Indeed, with the multiplication of IT systems --logistics, accounting, customer management, human resources, you name it-- inside the companies we work for, the old (manual) ways of dealing with users --Dear Admin, please create account for new employee... Dear Admin, please give me access right for the folder/document... who doesn't remember writing one of these emails?-- could not keep up and were responsible for too much incorrect data, leading to information leaks and productivity loss.

Today in its version 2.0 --version 1.0 had a limited number of operations, a limited schema for user information and was simpler to use and integrate--, SPML has enabled the software industry to develop interoperable identity management solutions, so that the various IT systems themselves can communicate and propagate changes in user information and rights. Examples of commercial solutions that are SPML-compliant include Sun Identity Manager and Oracle Identity Manager. We believe that it is essential that Enterprise Resource Management (ERM) applications today support advanced identity management operations beyond single sign-on --on that topic, check out this OpenSSO integration work.

Based in Moscow, 1C is a leading Russian software vendor, with 1M+ customers for their ERM software suite 1C:Enterprise and 18.7% market share in the Russian ERM market --making it the #2 vendor in 2008 per a recent IDC study. 1C is particularly known as the maker of 1C:Accounting, the most popular enterprise accounting system sold in the CIS region; just about every company in Russia runs a copy of that software, I have been told. With such a large installed base, 1C has evolved to become the center of a large ecosystem and network of 5000+ partner integrators, resellers and software vendors, some of which are Sun Microsystems partners as well.

To help our partners differentiate and add value in the legacy 1C ecosystem with Sun open technologies, the local ISV Engineering team engaged last year in the prototype development of an SPML interface for 1C:Enterprise, so it can integrate into the identity management frameworks deployed at large corporations. Because the 1C platform is fully based on Microsoft technologies and there were no external interfaces except Microsoft COM, our solution was to write a proxy gateway that translates SPML requests into COM API requests and exchanges provisioning information. The gateway embeds a web server for handling HTTP requests, so an administrator can simply install the SPML gateway along with the 1C client on a clean Windows machine. That done, the provisioning information inside the 1C database can be managed from any machine on the network.
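
The translation step described above, as an added Python example (not the 1C SPML Gateway's own code): it parses an SPML 2.0 addRequest, refuses DTDs and unmapped attributes, and maps the result to a backend call. The `create_user` function standing in for the COM API, the attribute allow-list, the requirement that the client supplies the psoID, and the sample request are assumptions.

```python
# Added example, not the gateway's code. create_user() is a hypothetical stand-in
# for the 1C COM call; ALLOWED_ATTRS is an assumed attribute allow-list.
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
ALLOWED_ATTRS = {"name", "fullName", "role"}

# Constructed sample request (SPML 2.0 core, DSML-style attributes).
SAMPLE = f"""<addRequest xmlns="{SPML}" xmlns:dsml="{DSML}" requestID="r1">
  <psoID ID="jdoe"/>
  <data><dsml:attr name="fullName"><dsml:value>John Doe</dsml:value></dsml:attr></data>
</addRequest>"""

def create_user(store, user_id, attrs):
    if user_id in store:
        raise KeyError(user_id)
    store[user_id] = attrs

def respond(req_id, status, error=None):
    resp = ET.Element(f"{{{SPML}}}addResponse", status=status, requestID=req_id)
    if error:
        resp.set("error", error)
    return ET.tostring(resp, encoding="unicode")

def handle_add(xml_text, store):
    try:
        if "<!DOCTYPE" in xml_text:  # refuse DTDs, so no entity declarations
            raise ET.ParseError("DTD not allowed")
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return respond("", "failure", "malformedRequest")
    req_id = root.get("requestID", "")
    if root.tag != f"{{{SPML}}}addRequest":
        return respond(req_id, "failure", "unsupportedOperation")
    pso, data = root.find(f"{{{SPML}}}psoID"), root.find(f"{{{SPML}}}data")
    if pso is None or not pso.get("ID") or data is None:
        return respond(req_id, "failure", "malformedRequest")
    attrs = {}
    for attr in data.findall(f"{{{DSML}}}attr"):
        if attr.get("name") not in ALLOWED_ATTRS:  # unmapped attribute: reject
            return respond(req_id, "failure", "malformedRequest")
        attrs[attr.get("name")] = [v.text or "" for v in attr.findall(f"{{{DSML}}}value")]
    try:
        create_user(store, pso.get("ID"), attrs)  # the COM call would go here
    except KeyError:
        return respond(req_id, "failure", "alreadyExists")
    return respond(req_id, "success")
```

Because the gateway's HTTP listener is reachable from any machine on the network, the handler fails closed: anything it cannot map to a known backend operation is answered with an SPML failure status and never reaches the user store.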

We have had very good feedback from our partners about this solution so far. It has proven to save a lot of time --and money too!-- at deployment time and in managing 1C:Enterprise, because the service could literally be managed as an appliance and the solution did not require installing a 1C client on the machine where the Identity Management server sits. We encourage all of the 1C:Franchising network to leverage our work and put it to good use for their 1C customers. The code for the 1C SPML Gateway has been shared under an open-source license for that purpose and is available for free download.

As a general solution --I'm talking outside of the 1C ecosystem now, I'm thinking of any ISV out there needing to have its application exchange user information with identity management systems--, there is a lot one can learn from this particular project. The gateway approach makes it possible to plug legacy applications into a customer's identity infrastructure with no modification to the application --provided it exposes some kind of interface, of course. In addition, the open SPML protocol ensures maximum interoperability with modern identity management frameworks.

To conclude, anyone really is welcome to leverage our work as is, extend it --please join the community and share back-- or use it as a stub for another application --why not use Project Kenai to host and share your project as well? Most of the documentation for the 1C SPML Gateway is currently in Russian, but we will soon be posting an English summary of it to make life easier. In any case, you can right away post questions in English in the issue tracker and/or mailing list.
