...
For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a "personal data store" service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).
See the following sections for suggested reading. Be sure to read the documents in the Working Drafts area of this wiki for the official definition of UMA.
...
Following is suggested reading.
The basics
- Poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) presented at the IEEE Security and Privacy symposium poster session.
- Slides from a half-day workshop held at the European Identity Conference in Munich on 4 May 2010.
- UMA overview slides meant for a half-hour presentation (slides with builds and slides with speaker's notes). (Adjunct draft slides that explain UMA's resource protection method here.)
- The User Experience page collects wireframes exploring user interactions with UMA-enabled services. This includes a set of wireframes that matches the webinar scenario.
- We have a working lexicon that explores the relationship between the party who authorizes access and the party who ultimately gets access. Lawyerly types might be especially interested in this.
- Group chair Eve Maler writes about UMA and its predecessor, ProtectServe, here.
- Some historical materials (may be out of date) explaining the original thinking behind UMA and its predecessor, ProtectServe, are available.
- If you're a German speaker, check out Christian Scholz's appearance on German radio (mp3), discussing privacy and UMA.
Implementers and Deployers
Following is a condensed summary of the draft UMA protocol:
See also the following:
- The Working Drafts page summarizes the state of play of all of the specs.
- Christian Scholz has done a very simple prototype of the UMA protocol in Python.
- These slides from IIW in May 2010 (and this blog post) explain how UMA compares to OAuth.
- The emerging set of UMA user stories attempts to capture the desired benefits to all the parties involved.
Technical perspective
- The Working Drafts area of this wiki contains the official definition of the UMA protocol.
- The OAuth leeloo open-source project is an UMA-friendly Java-based OAuth 2.0 implementation.
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- The Protocol Flow page has swimlane diagrams that show the core protocol at a high level.
- The Technology Matrix compares UMA with various other technologies and explores potential synergies between them.
- Writings by our implementation coordinator Maciej Machulak are at his user-managed access control site.
Discussions and ruminations
- ReadWriteWeb article Identity Management and Networks: The Enterprise Considers the Social Way from 23 Sep 2010, discussing UMA's potential impact.