Case Study: Access Management 2.0 for the Enterprise

Introduction

Although UMA's primary use cases have centered on individual people, the "users" who managed access to their own online resources, the UMA notion of authorization as a service also has relevance to modern enterprises that must secure APIs and other web resources in a developer-friendly way.

Problem Scenario

Where once web access management (WAM) and single sign-on (SSO) were sufficient for many purposes in the enterprise context, a new requirement has surfaced: managing access to an enterprise's web APIs, not just web apps. Today's systems for managing this type of access have a number of challenges.

...

APIs by their nature are subdivisions of functionality exposed at a single domain, and would map well to arbitrarily fine-grained policy, for example, at the call or even parameter level. However, outside the use of XACML, authorization policy granularity is coarse in traditional solutions: group filtering or URL regular expression matching at most.

Proposed Improvements

UMA makes the following solutions possible.

...

UMA inherits authentication-agnosticism from OAuth. It concentrates on authorization, not on authentication. It has been profiled to work with OpenID Connect to gather identity claims from whoever is attempting access, and enables true claims-based authorization.

Solution Scenario

In UMA trust model terminology, this scenario falls into the category of non-person entity (NPE)-to-person sharing. An organization, say BusinessCo, is the resource owner (the technical term) and the Authorization Party (the contractual term), acting on its own behalf. A human "resource owner agent" acts as a policy administrator, overseeing the rules that govern resource access.

...

Client web or mobile applications, wielded by enterprise resource users such as employees and partners, are UMA clients. Web service clients that operate autonomously, without human intervention, may also be UMA clients.

Solution Flow

This scenario uses ordinary UMA flows, noting that it is a human resource server agent, not BusinessCo, that sets policy and possibly performs any policy-dictated manual intervention to enable access requests to go through. The company Gluu has produced a swimlane diagram to illustrate.
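To make the flow concrete, here is an added toy simulation of the client, resource server and authorization server exchange in this scenario; it is illustrative code written for this page, not Gluu's implementation or the swimlane diagram. It assumes a hypothetical "rs-payroll" API resource set, scope-level claims-based policy set by BusinessCo's policy administrator, and claims taken from an OpenID Connect ID token; all names, scopes and claim values are constructed, and the HTTP status codes are simplified.

```python
import secrets

# Constructed sample policy: BusinessCo's policy administrator protects the
# "rs-payroll" API resource set with claims-based rules per scope (hypothetical).
POLICIES = {  # (resource set, scope) -> claim name -> allowed values
    ("rs-payroll", "payroll:read"): {"role": {"hr", "finance"}, "email_verified": {True}},
    ("rs-payroll", "payroll:write"): {"role": {"finance"}, "email_verified": {True}},
}

class AuthorizationServer:
    """Toy UMA AS: hands out permission tickets and RPTs, answers introspection."""
    def __init__(self):
        self.tickets, self.rpts = {}, {}
    def register_permission(self, resource_set_id, scopes):
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource_set_id, tuple(scopes))
        return ticket
    def issue_rpt(self, ticket, claims):
        # Claims are assumed to come from an OpenID Connect ID token for the
        # requesting party; each requested scope is checked against policy.
        rs_id, scopes = self.tickets.pop(ticket)  # tickets are single-use
        granted = [s for s in scopes if (rule := POLICIES.get((rs_id, s)))
                   and all(claims.get(k) in ok for k, ok in rule.items())]
        if not granted:
            return None
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = (rs_id, tuple(granted))
        return rpt
    def introspect(self, rpt):
        return self.rpts.get(rpt)

class ResourceServer:
    """Toy enterprise API that delegates every authorization decision to the AS."""
    def __init__(self, az):
        self.az = az
    def call_api(self, resource_set_id, scope, rpt=None):
        perm = self.az.introspect(rpt) if rpt else None
        if perm and perm[0] == resource_set_id and scope in perm[1]:
            return {"status": 200}
        # No usable RPT: register the needed permission and hand back the ticket
        # (status code simplified; the real challenge also names the AS).
        return {"status": 401, "ticket": self.az.register_permission(resource_set_id, [scope])}

def uma_flow(az, rs, resource_set_id, scope, claims):
    """Client side: try the call, take the ticket to the AS with claims, retry."""
    first = rs.call_api(resource_set_id, scope)
    if first["status"] == 200:
        return 200
    rpt = az.issue_rpt(first["ticket"], claims)
    return 403 if rpt is None else rs.call_api(resource_set_id, scope, rpt)["status"]
```

Because the policy is keyed per scope, the same requesting party can be granted the read call and refused the write call on one API, which is the call-level granularity the problem scenario asks for.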

Solution Demo

Gluu gave a demo of an enterprise UMA scenario at a UMA WG meeting on Jan 10, 2013; see the meeting notes.

...