IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2

SOAP API for provisioning

Simple Object Access Protocol (SOAP) is a protocol for exchanging XML-based messages over a computer network, normally by using HTTP. SOAP forms the foundation layer of the Web services stack, providing a basic messaging framework that more abstract layers can build on.

SOAP services are defined by using Web Services Definition Language (WSDL) and are accessible by using a URL that is known as a SOAP endpoint.

IBM® Security Access Manager for Enterprise Single Sign-On provides a SOAP API for identity provisioning systems to communicate with the IMS Server for provisioning. With the SOAP API, the request interface is an object in the native programming language of your application. 

A third-party SOAP client can be used to generate business-object interfaces and network stubs from a WSDL document. The document specifies the IMS Server message schema, the service address, and other information.

The SOAP client handles the details of building the SOAP request and sending it to the IMS Server. Your application works with data in the form of object properties, and it sends and receives the data by calling object methods.

Identity provisioning for IBM Security Access Manager for Enterprise Single Sign-On requires the use of two sets of SOAP APIs:

A typical identity provisioning system contains provisioning agents for provisioning users and applications on third-party systems. The provisioning agent is assumed to use the SOAP API to integrate with the IMS Server.

The provisioning agent first sets up an IMS Server session by logging on to the IMS Server. It provisions IBM Security Access Manager for Enterprise Single Sign-On users by specifying their user names and initial passwords. It can also provision application credentials by specifying the application user names and passwords.

When necessary, the provisioning agent can also call the appropriate operations to reset application passwords, remove application credentials, and delete or revoke IBM Security Access Manager for Enterprise Single Sign-On users. Finally, the provisioning agent terminates the session by logging off the IMS Server.
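The session lifecycle described above (log on, provision, log off), as an added sketch that is not IBM code. The operation names, parameter names, the urn:example namespace and FakeImsServer are hypothetical stand-ins; the real ones come from the IMS Server WSDL. It shows two properties worth keeping in a provisioning agent: credentials are placed in the request through an XML API so they are escaped, and logoff runs even when a provisioning call fails.

```python
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
IMS_NS = "urn:example:ims-provisioning"  # placeholder; the real one comes from the WSDL

def envelope(operation, **params):
    """Build a request with an XML API so every value is escaped, never concatenated."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{IMS_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{IMS_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")

class FakeImsServer:
    """Constructed in-memory stand-in for the SOAP endpoint (hypothetical operations)."""
    def __init__(self):
        self.sessions, self.users, self.calls = set(), {}, []
    def post(self, xml_text):
        op = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")[0]
        name = op.tag.split("}")[1]
        args = {child.tag.split("}")[1]: child.text for child in op}
        self.calls.append(name)
        if name == "logon":
            self.sessions.add("session-1")
            return "session-1"
        if args.get("sessionKey") not in self.sessions:
            raise PermissionError("no active session")
        if name == "logoff":
            self.sessions.discard(args["sessionKey"])
        elif "userName" in args:
            self.users[args["userName"]] = name  # record the last operation per user

class ProvisioningSession:
    """Log on when the block is entered; log off on exit, even if a call fails."""
    def __init__(self, server, agent, secret):
        self.server, self.agent, self.secret = server, agent, secret
    def __enter__(self):
        self.key = self.server.post(envelope("logon", agent=self.agent, secret=self.secret))
        return self
    def call(self, operation, **params):
        return self.server.post(envelope(operation, sessionKey=self.key, **params))
    def __exit__(self, *exc_info):
        self.server.post(envelope("logoff", sessionKey=self.key))

def run_demo():
    server = FakeImsServer()
    with ProvisioningSession(server, "agent", "constructed-secret") as session:
        session.call("provisionUser", userName="alice", initialPassword="p<&>w")
        session.call("revokeUser", userName="alice")
    return server
```

With a client generated from the WSDL, the same pattern applies: wrap the generated logon and logoff calls in the context manager so no session is left open on the IMS Server.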


