SPML is dead … long live “SPML envelope” ?

I just got a demo from our engineers of an integration they completed for a higher-ed customer. The customer is using a prominent ERP for higher ed and needed to send onboarding and deactivation requests, in real time, to our identity manager. This was to be done using an SPML gateway.

The demo went great – the web services gateway does, indeed, send messages to our system to provision and deactivate students, faculty and staff in real time. Everything works nicely, especially once our guys and the customer’s team worked through crashes in the J2EE app server hosting the software that sends messages to our system.

Did I mention that J2EE sucks and major J2EE servers are crashy junk? Lets leave that for another day.

Just one hitch: when I had a look at the message format, I discovered that while the message envelope was indeed SPML, the message body was not. Indeed, the message body was clear and human-legible, something nobody would accuse SPML of. There are plenty of sample SPML messages out there (google for SPML example if you’re curious) but the key point is that they are nasty, overburdened XML not suitable for human eyes.

Our friendly higher-ed ERP vendor clearly wanted (a) to be seen as a leader adopting standard protocols, such as SPML and (b) to deliver a developer-friendly, legible web service. (a) and (b) are not compatible, so they seem to have found a sneaky way to do both – use the header from SPML but send nice content in the body.


We had to write a bit of custom code to parse the message body, but hey – it wasn’t anything like the spaghetti required to parse real SPML, so no complaints.

This is the first time we’ve ever had an actual, honest-to-goodness use case for SPML at a living customer – not a demo for an analyst firm or trade show, so I thought we’d get to exercise more of the standard. I guessed wrong.

SPML *could* be used to manage security in an app, but I’ve yet to meet an app that supports inbound SPML instead of a proprietary API.

SPML *could* be used to notify a user provisioning system of events in a system of record (as happened in our deployment here), in real time, but I’ve yet to meet an application that does that using actual SPML message bodies.

I guess SPML is so ugly that a bunch of cloud vendors invented a simpler alternative – SCIM (simplecloud.info/). I don’t think there is anything particularly “cloud” about SCIM – it’s just that the people pushing it are SaaS vendors and the word “cloud” is sexy these days.

Hopefully SCIM succeeds where SPML failed – perhaps by having a clear schema and simple syntax that humans can read unaided.

Here’s to hoping.

— Idan

Comments are closed.