...

The Authorizing User (AU) takes an active part during the UMA protecting a resource phase (http://docs.kantarainitiative.org/uma/draft-uma-core.html#protecting-a-resource). For this reason, this is the most critical trust aspect (bootstrapping trust) of the whole process: here the AU builds his mental state of trust towards the other agents (Host, AM) by evaluating the possible trustworthiness factors. Conversely, the agents must trust the identity of the subject involved in the process.
Parts of this fundamental process are:

...

The Trusted Claims aspect describes the AM-Requester (acting on behalf of the Requesting Party) relationship.
UMA is designed to support claims-based access control, by which the decision to grant access to the Authorizing User's resource (the Protected Resource at the Host) is made based on information about the Requesting Party, such as the subject's name, age (or date of birth), email address, role, location, credit score, etc.
In general, in the UMA authorization system there is no relationship between a Requester and the Authorization Manager (AM) prior to a request. Because the AM does not know the Requester directly, in order to satisfy the access policy it has to ask for information (Trusted Claims) from third parties who know the Requester better.
The UMA trust model leverages a Trust Framework in order to trust identity claims issued by Identity Service Providers.
For this specific purpose, the UMA protocol provides an OpenID Connect claim profile (http://tools.ietf.org/html/draft-hardjono-oauth-umacore-04#section-3.5.1.1) based on the OpenID Connect specification (http://openid.net/connect/).
OpenID Connect provides authentication, authorization, and attribute transmission capability. It allows third-party attested claims from distributed sources.
The OpenID Connect specification refers to the Authentication Context, which is information that the Relying Party (here the AM) may require before it makes an entitlement decision with respect to an authentication response. Such context may include, but is not limited to, the actual authentication method used or the level of assurance, such as the ITU-T X.1254 / ISO/IEC 29115 entity authentication assurance level (http://openid.net/specs/openid-connect-messages-1_0.html#ISO29115). In OpenID Connect this context reaches the Relying Party inside the ID Token, as the acr (Authentication Context Class Reference) and amr (Authentication Methods References) claims, so the AM can check it together with the other claims before deciding.
The picture below shows a high-level diagram of the UMA and OpenID Connect interoperability model, based on the following steps:

...

  • The AM is a Relying Party of the Identity Service Providers (for the AU registration and for the Trusted Claims scopes).
  • The AM maintains the list of certified IdPs, including their cryptographic material (i.e. public keys), and uses it to verify the signature of the claims (ID Tokens) they issue; a claim whose issuer is not on that list, or whose signature does not verify, must not be used for the access decision.
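The following is an added example (not code from the UMA specification, the OpenID Connect specification, or any UMA implementation) of the AM side of the two steps above: the AM first checks that an ID Token comes from an issuer on its certified-IdP list and verifies its signature with the key registered for that issuer, and only then evaluates a claims-based policy (minimum age from the birthdate claim, a verified email address, and an acceptable acr level) over the Trusted Claims. The issuer URLs, keys, audience, policy and claim values are constructed for the demonstration. For brevity the ID Token is a JWS signed with HS256, i.e. a per-IdP shared secret standing in for the IdP's public key; with RS256 or ES256 only the signature step changes.

```python
"""Claims-based access decision at an UMA Authorization Manager (AM).

Added example; issuers, keys, policy and claims are constructed.
HS256 (shared secret) stands in for the IdP public key of a real deployment.
"""
import base64
import hashlib
import hmac
import json
from datetime import date
from typing import Tuple

AM_AUDIENCE = "https://am.example"  # the AM's client_id at the IdPs (constructed)

# Certified IdP list: issuer -> key material and the ONLY algorithm the AM
# accepts from that issuer (constructed).
TRUSTED_IDPS = {
    "https://idp-a.example": {"alg": "HS256", "key": b"idp-a-shared-secret"},
}

# Policy protecting the AU's health record (constructed): adult requester,
# verified e-mail, authentication context at an acceptable acr level.
HEALTH_RECORD_POLICY = {
    "min_age": 18,
    "require_email_verified": True,
    "allowed_acr": {"urn:example:loa2", "urn:example:loa3"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_id_token(issuer: str, key: bytes, claims: dict, now: int, alg: str = "HS256") -> str:
    """IdP side (test helper): mint an ID Token carrying the requester's claims."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = {"iss": issuer, "aud": AM_AUDIENCE, "iat": now, "exp": now + 300, **claims}
    payload = _b64url_encode(json.dumps(body).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input.encode(), key))}"


class TokenRejected(Exception):
    pass


def verify_id_token(token: str, now: int) -> dict:
    """AM side: accept claims only from a certified IdP with a valid signature."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise TokenRejected("malformed token")
    # 1. The issuer must be on the certified list before anything else is trusted.
    idp = TRUSTED_IDPS.get(payload.get("iss"))
    if idp is None:
        raise TokenRejected("issuer not in certified IdP list")
    # 2. The algorithm comes from the trust list, never from the token header
    #    (defeats alg=none and algorithm-confusion tricks).
    if header.get("alg") != idp["alg"]:
        raise TokenRejected("algorithm not permitted for this issuer")
    # 3. Verify the signature with the key registered for that issuer.
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), idp["key"])
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    # 4. The token must be addressed to this AM and still valid.
    if payload.get("aud") != AM_AUDIENCE:
        raise TokenRejected("audience mismatch")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenRejected("token expired")
    return payload


def _age_on(birthdate: str, today: date) -> int:
    born = date.fromisoformat(birthdate)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def evaluate_policy(claims: dict, policy: dict, today: date) -> Tuple[bool, str]:
    """Claims-based decision: every policy condition must be met by a verified claim."""
    if "birthdate" not in claims or _age_on(claims["birthdate"], today) < policy["min_age"]:
        return False, "requester below minimum age"
    if policy["require_email_verified"] and claims.get("email_verified") is not True:
        return False, "e-mail address not verified by IdP"
    if claims.get("acr") not in policy["allowed_acr"]:
        return False, "authentication context too weak"
    return True, "granted"


def decide(token: str, now: int, today: date) -> Tuple[bool, str]:
    """Full AM flow: Trusted Claims verification first, then policy evaluation."""
    try:
        claims = verify_id_token(token, now)
    except TokenRejected as err:
        return False, f"rejected: {err}"
    return evaluate_policy(claims, HEALTH_RECORD_POLICY, today)
```

The order matters: the issuer lookup and the algorithm check use the AM's own trust list, so a token from an unknown issuer, or one whose header advertises a different algorithm, is discarded before any claim value is read; policy evaluation only ever sees claims that a certified IdP has attested.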


Applying UMA Trust aspects to a Business case

Healthcare scenario

...