Introduction

...

The Trusted Claims aspect describes the relationship between the AM and the Requester (acting on behalf of the Requesting Party).
UMA is designed to support claims-based access control, in which the decision to grant access to the Authorizing User's resource (the Protected Resource at the Host) is made on the basis of information about the Requesting Party, such as the Subject's name, age (or date of birth), email address, role, location, or credit score.
In general, in a UMA authorization system there is no relationship between a Requester and the Authorization Manager (AM) prior to a request. Because the AM does not know the Requester directly, in order to satisfy the access policy it has to ask for information (Trusted Claims) from third parties who know the Requester better.
The UMA trust model leverages a Trust Framework in order to trust identity claims issued by an Identity Service Provider.
For this specific purpose, the UMA protocol provides an OpenID Connect claim profile based on the OpenID Connect specification.
OpenID Connect provides authentication, authorization and attribute-transmission capability, and allows claims attested by third parties to be drawn from distributed sources.
The OpenID Connect specification refers to the Authentication Context, which is information that the Relying Party (here, the AM) may require before it makes an entitlements decision with respect to an authentication response. Such context may include, but is not limited to, the actual authentication method used or the level of assurance, such as the ITU-T X.1254 | ISO/IEC 29115 entity authentication assurance level.
The picture below shows a high-level diagram of the UMA and OpenID Connect interoperability model, based on the following steps:

...

  • The AM is a Relying Party of the Identity Service Providers (for Authorizing User registration and for the Trusted Claims scopes).
  • The AM maintains the list of certified IdPs, including their cryptographic material (i.e. public keys). A claim counts as a Trusted Claim only if the AM can verify it under the key registered for its issuer; a claim from an IdP outside this list, or one whose signature does not verify, must not be used in the access decision.


Applying UMA Trust aspects to a Business case

...

  • Alice visits the hospital for a health check-up.
  • She meets Bob, a doctor from the echography department.
  • Bob needs to access Alice's healthcare records online.
  • Bob uses a hospital web application to attempt to access Alice's healthcare records at HealthcareSystem.com (the Host).
  • CopMonkey.com (Alice's AM) applies Alice's policy, asking for Trusted Claims to verify Bob's role.
  • Bob gets access to Alice's healthcare record.
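The business case above, together with the AM-as-Relying-Party model from the Introduction, as an added, self-contained Go example (not code from this page, the UMA drafts or any Kantara implementation): a hospital IdP mints an OpenID Connect ID Token carrying Bob's role and authentication context as an ES256-signed JWT; the AM (CopMonkey.com in the scenario) looks the token's issuer up in its certified-IdP list, verifies the signature under the public key registered for that issuer, refuses an unpinned or "none" algorithm and an expired token, and only then applies Alice's policy (audience, required role, minimum assurance level). The issuer URL, the "copmonkey-am" client_id, the custom "role" claim, the urn:example:loa:N acr values and their mapping to ISO/IEC 29115-style levels are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IDClaims: iss/sub/aud/exp/acr are standard OpenID Connect ID Token claims; "role" is a constructed custom claim.
type IDClaims struct {
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Aud  string `json:"aud"`
	Exp  int64  `json:"exp"`
	Acr  string `json:"acr"`
	Role string `json:"role"`
}

// Constructed mapping from acr values to ISO/IEC 29115-style assurance levels (an unknown acr maps to 0).
var acrLevels = map[string]int{"urn:example:loa:1": 1, "urn:example:loa:2": 2, "urn:example:loa:3": 3, "urn:example:loa:4": 4}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken is the IdP side: the claims as an ES256-signed JWT (JWS compact serialization).
func MintIDToken(priv *ecdsa.PrivateKey, c IDClaims) string {
	body, _ := json.Marshal(c) // a plain struct always marshals
	input := b64([]byte(`{"alg":"ES256"}`)) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err) // system RNG failure; acceptable in a demo IdP
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig)
}

// VerifyIDToken is the AM side. trusted is the AM's certified-IdP list (issuer -> public key). The issuer
// is read from the still-unverified payload only to select the key; nothing else is used until the signature verifies.
func VerifyIDToken(token string, trusted map[string]*ecdsa.PublicKey, now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed JWT segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "ES256" { // pin the alg; never accept "none"
		return nil, fmt.Errorf("unsupported or missing alg")
	}
	c := new(IDClaims)
	if err := json.Unmarshal(body, c); err != nil {
		return nil, err
	}
	pub, ok := trusted[c.Iss]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not a certified IdP", c.Iss)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, fmt.Errorf("signature does not verify under the key registered for %q", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("ID Token expired")
	}
	return c, nil
}

// Authorize applies the Authorizing User's policy (audience = the AM's own client_id at the IdP) to verified claims.
func Authorize(c *IDClaims, audience, role string, minLoA int) error {
	switch {
	case c.Aud != audience:
		return fmt.Errorf("token was not issued to this AM")
	case c.Role != role:
		return fmt.Errorf("role %q does not satisfy the policy", c.Role)
	case acrLevels[c.Acr] < minLoA:
		return fmt.Errorf("authentication context %q is below the required assurance level", c.Acr)
	}
	return nil
}

func main() {
	// Constructed scenario: the hospital IdP vouches for Bob; Alice's policy requires "doctor" at assurance level 3+.
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := map[string]*ecdsa.PublicKey{"https://idp.hospital.example": &idpKey.PublicKey}
	tok := MintIDToken(idpKey, IDClaims{Iss: "https://idp.hospital.example", Sub: "bob", Aud: "copmonkey-am",
		Exp: time.Now().Add(time.Hour).Unix(), Acr: "urn:example:loa:3", Role: "doctor"})
	c, err := VerifyIDToken(tok, trusted, time.Now())
	if err == nil {
		err = Authorize(c, "copmonkey-am", "doctor", 3)
	}
	fmt.Println("decision for Bob (<nil> = access granted):", err)
}
```

Running it prints a nil decision for Bob; change Role to "nurse" or Acr to urn:example:loa:2 and Authorize refuses, while a token from an issuer absent from the certified list, or signed with any other key, never reaches the policy at all. The ordering is the point of the Trusted Claims model: the issuer named in the payload only selects which registered key to check, it is not believed on its own, and Alice's policy is evaluated exclusively over claims whose signature verified under that key.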


References

User-Managed Access (UMA) Core Protocol, http://tools.ietf.org/html/draft-hardjono-oauth-umacore-04
UMA Trust Model Spec., http://kantarainitiative.org/confluence/display/uma/UMA+Trust+Model
OpenID Connect Messages 1.0 Spec., http://openid.net/specs/openid-connect-messages-1_0.html
McCallister, E., "ITU-T Recommendation X.1254 | ISO/IEC DIS 29115 -- Information technology - Security techniques - Entity authentication assurance framework," ISO/IEC 29115, November 2011, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45138
Rainer Steffen, Rudi Knorr, "A trust based delegation system for managing access control", http://www.pervasive.ifi.lmu.de/adjunct-proceedings/poster/p001-005.pdf