...
These are questions we have fielded while giving UMA presentations and demos. If you want us to answer one of the empty questions you see appearing here, or have other questions, tweet us!
UMA-related short links:
- tinyurl.com/umawg: wiki home page
- tinyurl.com/umafaq: this FAQ
- tinyurl.com/umav1: UMA Core home page (with list of breaking/notable changes in drafts)
- tinyurl.com/umatrust: Binding Obligations home page
- tinyurl.com/umacore: latest Core spec
- tinyurl.com/oauthrsr: latest Resource Set Registration spec
- tinyurl.com/umacase: UMA case studies page
- tinyurl.com/umaam20: Access Management 2.0 case study
- tinyurl.com/umaiiot: industrial IoT case study
- tinyurl.com/uma1iop: interop home page
Table of Contents | ||||
---|---|---|---|---|
|
General Questions
What is UMA?
User-Managed Access (UMA, pronounced
Table of Contents | ||||
---|---|---|---|---|
|
...
General Questions
What is UMA?
User-Managed Access (UMA, pronounced "OOH-mah" like the given name) is an OAuth-based protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates), no matter where all those things live on the web.
UMA allows a user to make demands of the requesting side in order to test their suitability for receiving authorization. These demands can include requests for information (such as “Who are you?” or “Are you over 18?”) and promises (such as “Do you agree to these non-disclosure terms?” or “Can you confirm that your privacy and data portability policies match my requirements?”).
UMA has enterprise implications as well as "user-centric" implications. At least one company has begun using it for coordinating the protection of enterprise APIs in much the way that today's Web Access Management (WAM) systems protect corporate web apps. As well, since it is a system for distributing authorization responsibilities, UMA has contractual and legal implications.
UMA has the following actors and basic architecture, with entities that closely align with core OAuth entities:
A number of historical articles and other materials about UMA are available:
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- A ReadWriteWeb article, Identity Management and Networks: The Enterprise Considers the Social Way from 23 Sep 2010, discusses UMA's potential impact.
- Group chair Eve Maler has written about UMA and its predecessor, ProtectServe, here.
- Some older historical materials (may be out of date) explain the original thinking behind UMA and its predecessor, ProtectServe, and a poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) was presented at the IEEE Security and Privacy symposium poster session.
For UMA information in other languages, see:
- Domenico Catalano's UMA introduction in Italian
- Cordny Nederkoorn's article on UMA in a Dutch publication
- Tatsuo Kudo's SlideShare deck covering UMA in Japanese
- Wikipedia information in Italian and Spanish, thanks to Riccardo Abeti and Domenico Catalano
For external information and thoughts on UMA, see:
...
requirements?”).
UMA has enterprise implications as well as "user-centric" implications. At least one company has begun using it for coordinating the protection of enterprise APIs in much the way that today's Web Access Management (WAM) systems protect corporate web apps. As well, since it is a system for distributing authorization responsibilities, UMA has contractual and legal implications.
UMA has the following actors and basic architecture, with entities that closely align with core OAuth entities:
A number of historical articles and other materials about UMA are available:
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- A ReadWriteWeb article, Identity Management and Networks: The Enterprise Considers the Social Way from 23 Sep 2010, discusses UMA's potential impact.
- Group chair Eve Maler has written about UMA and its predecessor, ProtectServe, here.
- Some older historical materials (may be out of date) explain the original thinking behind UMA and its predecessor, ProtectServe, and a poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) was presented at the IEEE Security and Privacy symposium poster session.
For UMA information in other languages, see:
- Domenico Catalano's UMA introduction in Italian
- Cordny Nederkoorn's article on UMA in a Dutch publication
- Tatsuo Kudo's SlideShare deck covering UMA in Japanese
- Wikipedia information in Italian and Spanish, thanks to Riccardo Abeti and Domenico Catalano
For external information and thoughts on UMA, see:
- Wikipedia entry for "User-Managed Access" (English)
- WholeChainCom blog entry on selective sharing
- UnboundID blog entry on attribute management and white paper (registration required) on the "identity economy"
- Phil Windley white paper in the Live Web series: From Personal Computers to Personal Clouds
- Oliver Pfaff's "New Trends in Web Security" SlideShare
UMA-related short links:
- tinyurl.com/umawg: wiki home page
- tinyurl.com/umafaq: this FAQ
- tinyurl.com/umav1: UMA Core home page (with list of breaking/notable changes in drafts)
- tinyurl.com/umatrust: Binding Obligations home page
- tinyurl.com/umacore: latest Core spec
- tinyurl.com/oauthrsr: latest Resource Set Registration spec
- tinyurl.com/umacase: UMA case studies page
- tinyurl.com/umaam20: Access Management 2.0 case study
- tinyurl.com/umaiiot: industrial IoT case study
- tinyurl.com/uma1iop: interop home page
Further reading:
- UMA Case Studies
- Latest specification of the UMA profile of OAuth
- UMA's binding obligations specification for dealing with contractual obligations
...