UMA Explained

User-Managed Access (UMA) involves these entities:


For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a "personal data store" service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).

The requesting party might be an e-commerce company whose site is acting on behalf of the user himself to assist him in arranging for shipping a purchased item, or it might be his friend who is using an online address book service to collect addresses, or it might be a survey company that uses an online service to compile population demographics.

Following is suggested reading.

The basics

  • The User Experience page collects wireframes exploring user interactions with UMA-enabled services. This includes a set of wireframes that matches the webinar scenario.
  • The emerging set of UMA user stories attempts to capture the desired benefits to all the parties involved.

Technical perspective

  • The Working Drafts area of this wiki contains the official definition of the UMA protocol.
  • The OAuth leeloo open-source project is an UMA-friendly Java-based OAuth 2.0 implementation.
  • A high-level set of protocol swimlane flows is shown on this page.
  • A comprehensive technical report published under the auspices of Newcastle University, User-Managed Access to Web Resources (also available on the ncl.ac.uk site), explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
  • The Technology Matrix compares UMA with various other technologies and explores potential synergies between them.

Discussions and ruminations

  • Group chair Eve Maler writes about UMA and its predecessor, ProtectServe, here.
  • Some historical materials (may be out of date) explaining the original thinking behind UMA and its predecessor, ProtectServe, are available.
  • If you're a German speaker, check out Christian Scholz's appearance on German radio (mp3), discussing privacy and UMA.