Active Roles 7.3.3 - SPML Provider Administration Guide

How SPML Provider works

With SPML Provider, applications can use SPML documents to look up, retrieve and update directory data in Active Directory, Azure AD, and AD LDS. SPML Provider converts XML elements and attributes into commands used to make changes to Active Directory and retrieve data from Active Directory. SPML Provider can also convert the response received from Active Roles or Active Directory to XML format. These conversions are based on and are in compliance with the OASIS SPML v2 - DSML v2 Profile specification.

SPML Provider runs as a Web application on a Web server running Microsoft Internet Information Services (IIS), and uses SOAP over HTTP to transmit and receive directory requests from client computers.

The SPML Provider environment includes the following components:

  • Clients that use SPML v2: These clients are applications that manage directory objects (for example, user accounts). A client issues SPML requests that describe operations to be performed on the directory object and sends these requests to SPML Provider.
  • SPML Provider: Receives and processes client requests, and returns a response to the client.
  • Active Roles: In proxy mode, this is the endpoint for provisioning requests and the actual software that manages directory objects.
  • Active Directory, Azure AD, or AD LDS: In proxy mode, SPML Provider can access Active Directory or Azure AD domains and AD LDS instances that are registered with Active Roles as managed domains, Azure AD tenants, and managed AD LDS instances, respectively. In direct access mode, SPML Provider can access the domain controller or the AD LDS instance defined in the SPML.Config file. For more information, see “Configuring SPML Provider” later in this document.

The following diagram illustrates the flow of requests and responses through the SPML Provider environment components:

Figure 1: Flow of requests and responses through the SPML Provider environment components

As shown in the diagram, communication between the client and SPML Provider follows a simple request/response protocol.

In proxy mode, SPML Provider works in the following way:

  1. A client issues a well-formed SPML request using the SOAP over HTTP protocol. This request goes to a server running IIS, where it is routed to SPML Provider.
  2. SPML Provider examines the request for conformance to the SPML format.
  3. If the request complies with the SPML format, the SPML Provider submits the request to Active Roles. Based on the client request, Active Roles retrieves or modifies data in Active Directory, Azure AD, or in AD LDS.
  4. After performing the requested operation, Active Roles sends the result of the operation back to SPML Provider.
  5. SPML Provider then processes this result data and sends the result of the performed operation back to the client in the form of an SPML response.

In direct access mode, SPML Provider works in the following way:

  1. A client issues a well-formed SPML request using the SOAP over HTTP protocol. This request goes to a server running IIS, where it is routed to SPML Provider.
  2. SPML Provider examines the request for conformance to the SPML format.
  3. If the request conforms to the SPML format, SPML Provider retrieves or modifies the relevant data in Active Directory or in AD LDS (ADAM).
  4. SPML Provider sends the result of the performed operation back to the client in the form of an SPML response.

If the client request does not conform to the SPML format, the client receives an SPML response that describes the encountered error.
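
The client side of the exchange described above, as an added example that is not part of the original guide or of Active Roles: it builds an SPML v2 lookupRequest inside a SOAP envelope and reads the status and error code from a response. The namespaces and the status and error attributes follow the OASIS SPML v2 schema; the DN, the request ID and the sample response are constructed, not captured from SPML Provider.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
SPML = "urn:oasis:names:tc:SPML:2:0"                # SPML v2 core

def build_lookup_request(pso_id, request_id):
    """Return a SOAP envelope carrying an SPML v2 lookupRequest."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SPML}}}lookupRequest", {"requestID": request_id})
    # The serializer escapes attribute values, so a DN containing quotes or
    # angle brackets cannot break out of the ID attribute.
    ET.SubElement(req, f"{{{SPML}}}psoID", {"ID": pso_id})
    return ET.tostring(env, encoding="unicode")

def parse_spml_response(soap_text):
    """Return operation, status, error code and messages of an SPML response."""
    # SOAP messages must not carry a DTD; refuse before parsing.
    if "<!DOCTYPE" in soap_text or "<!ENTITY" in soap_text:
        raise ValueError("DTD not allowed in a SOAP message")
    body = ET.fromstring(soap_text).find(f"{{{SOAP}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one element in the SOAP Body")
    resp = body[0]
    if not (resp.tag.startswith(f"{{{SPML}}}") and resp.tag.endswith("Response")):
        raise ValueError("not an SPML response element")
    return {
        "operation": resp.tag.split("}", 1)[1],
        "status": resp.get("status"),        # success | failure | pending
        "requestID": resp.get("requestID"),
        "error": resp.get("error"),          # e.g. malformedRequest
        "messages": [m.text for m in resp.findall(f"{{{SPML}}}errorMessage")],
    }

# Constructed sample of an error response for a non-conforming request.
SAMPLE_FAILURE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Body>
    <lookupResponse xmlns="{SPML}" status="failure" requestID="req-1"
                    error="malformedRequest">
      <errorMessage>Constructed example: psoID element is missing.</errorMessage>
    </lookupResponse>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_lookup_request('CN=Ann "AJ" Lee,OU=Staff,DC=example,DC=com', "req-1"))
    print(parse_spml_response(SAMPLE_FAILURE))
```

A client that logs the returned status, error and requestID for every call gives operations staff a record of rejected provisioning requests to review.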

System requirements

Before installing the Active Roles SPML Provider, ensure your system meets the following minimum hardware and software requirements.

Hardware requirements

Ensure that the following hardware requirements are met:

  • 1 GHz or higher Intel Pentium-compatible CPU.
  • At least 1 GB of RAM.
  • At least 100 MB of free disk space.

Software requirements

Ensure that the following software requirements are met:

  • Microsoft Windows Server 2008 R2 SP 1, Microsoft Windows Server 2012, Microsoft Windows Server 2012 R2, or Microsoft Windows Server 2016 operating system.
  • Microsoft .NET Framework 4.6.2.
  • Microsoft Internet Information Services (IIS). For proxy mode, the IIS server must be part of an Active Directory forest where Active Roles is deployed.
  • For proxy mode, Active Roles Administration Service 7.3 is required.

TIP: If you choose the proxy mode, for performance reasons, we recommend that you install the Active Roles SPML Provider on the computer running the Active Roles Administration Service.