
SPML Connectors

Softerra Adaxes can be integrated with SPML-enabled provisioning systems to exchange provisioning data with SPML services. Acting as an SPML client, Softerra Adaxes sends SPML requests when certain operations are performed in Active Directory. SPML Connectors are used for this purpose. An SPML Connector stores the connection settings for an SPML service and the parameters that govern how SPML requests are generated. For every SPML service, the SPML Connector establishes the correspondence between AD and SPML object types and properties; this correspondence is defined in the schema mapping.

Association between AD and SPML Objects

Every SPML request must carry the PSO ID (Provisioning Service Object Identifier) of the SPML object it refers to. The PSO ID uniquely identifies the object within the SPML target. The SPML provider generates the PSO ID when an object is created; Softerra Adaxes then stores it in a specific property of the corresponding AD object. The property in which the PSO ID is stored is specified in the schema mapping. When an SPML request changes the PSO ID, the SPML Connector updates this property in AD. If the property is not specified in the schema mapping, or its value is empty, no requests are sent for this object.

Operations that Trigger SPML Requests

Adaxes SPML Connectors send SPML requests when the following operations are performed in Active Directory:

  • Create Object. When a new object is created in Active Directory, the SPML Connector sends an Add Request to its SPML provider. The object type (objectclass) to create in the SPML provider target is determined from the schema mapping. The schema mapping specifies the SPML object type associated with a given type of AD object and establishes the correspondence between the properties of the AD and SPML object types. SPML requests are sent only for those AD objects for which a schema mapping exists. In the response to the Add Request, the SPML provider returns the PSO ID of the new object, and Adaxes stores it in a specific property of the created AD object. This PSO ID identifies the SPML object in the SPML provider target whenever further SPML requests are sent for it.
  • Modify Object. When an object is modified in Active Directory, the SPML Connector sends a Modify Request to its SPML provider. To identify the object to modify in the SPML provider target, the Modify Request includes the PSO ID stored in the modified AD object. The SPML object properties that correspond to the modified AD properties are determined from the schema mapping.
  • Delete Object. When an object is deleted in Active Directory, the SPML Connector sends a Delete Request to its SPML provider. To identify the object to delete in the SPML target, the Delete Request includes the PSO ID stored in the AD object being deleted.
    Tip
    If the executed operation is Delete Subtree, and the SPML object for which the request is sent is marked as Container in the schema of the SPML service, the recursive attribute of the request is set to true.
  • Enable/Disable Account. When an account is enabled or disabled in Active Directory, the SPML Connector sends a Resume or Suspend Request to its SPML provider. To identify the object to enable or disable, the request includes the PSO ID stored in the AD object. The Resume/Suspend Request is sent only if the SPML provider supports the Suspend Capability for the SPML object type that corresponds to the enabled or disabled AD object. The correspondence between SPML and AD object types is established in the schema mapping.
  • Reset/Change Password. When a user password is reset or changed in Active Directory, the SPML Connector sends a Set Password Request to its SPML provider. To identify the object whose password is modified, the Set Password Request includes the PSO ID stored in the AD object. The Set Password Request is sent only if the SPML provider supports the Password Capability for the SPML object type that corresponds to the type of the AD object whose password is reset or changed. The correspondence between SPML and AD object types is established in the schema mapping.
    Tip
    When the Reset Password operation is performed in Active Directory, only the new password is specified in the Set Password Request; when the Change Password operation is performed, both the new and the old password are specified.

You can specify the operations for which an SPML Connector sends SPML requests. For information on how to do so, see Specifying Operations to Send SPML Requests for.

SPML Connector Parameters

SPML Connectors allow you to manage the parameters of SPML connections and of SPML request generation:

  • Connection to SPML Service

    SPML Connectors store the SPML provider URI, the target, and the credentials used to authenticate to the SPML provider. SPML Connectors can connect to any SPML service that supports the SPML v2.0 protocol (DSML profile).

    Though the format of SPML requests is fixed by the SPML standard, the specifics of their delivery and authentication are not. SPML requests are sent in SOAP messages whose structure can vary between SPML providers. To generate SOAP messages that account for the specifics of the SPML provider they are sent to, Softerra Adaxes implements SPML Provider Adapters. An SPML Provider Adapter governs the generation of SOAP messages and the delivery of authentication parameters for a specific provider. By default, Adaxes supplies adapters for well-known SPML providers. The Adaxes service also allows you to add custom SPML Provider Adapters, or configure the existing ones, for the SPML providers you need.

    Note
    All adapters are registered in the section configuration\softerra.adaxes\spmlConnectors of Softerra.Adaxes.Service.exe.config.

  • Activity Scope

    You can configure an SPML Connector to send SPML requests only when operations are executed in specific AD domains. In other words, the SPML Connector is effective for the specified AD domains only.

    For information on how to modify the activity scope, see Modifying SPML Connector Activity Scope.

  • Schema Mapping

    The schema mapping is the correspondence between SPML and AD object types and properties. It specifies which provisioning service object types and properties are affected by an SPML request. The schema mapping also specifies the AD property that stores the PSO ID of the SPML object corresponding to the AD object; the value of this property is included in SPML requests to identify the SPML object for which the request is sent. If no schema mapping exists for a certain AD object type, no SPML requests are sent for operations on AD objects of this type.

    For information on how to modify the schema mapping, see Modifying SPML Schema Mapping.
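The rules in "Operations that Trigger SPML Requests" and "Schema Mapping" above, modelled as an added example (not Adaxes code): given an AD operation and a constructed schema mapping, it decides which SPML v2.0 request (if any) a connector would send, applies the PSO ID, Container, Suspend Capability and Password Capability conditions, and stores the PSO ID returned by an Add Request. The mapping layout, capability names and AD property names are assumptions.

```python
# Added example, not Adaxes code. MAPPING/CAPABILITIES are constructed;
# the AD class names and extensionAttribute1 as PSO ID store are assumptions.
MAPPING = {
    "user": {"spml_type": "Account", "pso_id_attr": "extensionAttribute1",
             "attrs": {"sAMAccountName": "login", "mail": "email"}},
    "organizationalUnit": {"spml_type": "Org", "pso_id_attr": "extensionAttribute1",
                           "attrs": {"ou": "name"}, "container": True},
}
# Capabilities the (constructed) SPML provider advertises per SPML object type
CAPABILITIES = {"Account": {"suspend", "password"}, "Org": set()}

def build_request(op, ad_class, ad_attrs, changed=None,
                  new_pw=None, old_pw=None, subtree=False):
    """Return a description of the SPML request to send, or None if none is sent."""
    m = MAPPING.get(ad_class)
    if m is None:                       # no schema mapping -> nothing is sent
        return None
    if op == "create":                  # Add Request: map AD attrs to SPML attrs
        data = {m["attrs"][k]: v for k, v in ad_attrs.items() if k in m["attrs"]}
        return {"request": "addRequest", "objectclass": m["spml_type"], "data": data}
    pso_id = ad_attrs.get(m["pso_id_attr"])
    if not pso_id:                      # PSO ID missing or empty -> nothing is sent
        return None
    caps = CAPABILITIES.get(m["spml_type"], set())
    if op == "modify":                  # only mapped properties are carried over
        mods = {m["attrs"][k]: v for k, v in (changed or {}).items() if k in m["attrs"]}
        return {"request": "modifyRequest", "psoID": pso_id, "modifications": mods}
    if op == "delete":                  # recursive only for Delete Subtree on a Container
        return {"request": "deleteRequest", "psoID": pso_id,
                "recursive": bool(subtree and m.get("container"))}
    if op in ("enable", "disable"):     # requires the Suspend Capability
        if "suspend" not in caps:
            return None
        name = "resumeRequest" if op == "enable" else "suspendRequest"
        return {"request": name, "psoID": pso_id}
    if op in ("reset_password", "change_password"):  # requires the Password Capability
        if "password" not in caps:
            return None
        req = {"request": "setPasswordRequest", "psoID": pso_id, "password": new_pw}
        if op == "change_password":     # Change Password also carries the old password
            req["currentPassword"] = old_pw
        return req
    raise ValueError(f"unsupported operation: {op}")

def store_pso_id(ad_class, ad_attrs, add_response):
    """After an Add Request, keep the provider-returned PSO ID in the mapped AD property."""
    ad_attrs[MAPPING[ad_class]["pso_id_attr"]] = add_response["psoID"]
    return ad_attrs
```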
