UMA Explained
User-Managed Access (UMA) involves four entities: an authorizing user, a requester, a host, and an authorization manager.
For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a "personal data store" service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).
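The example above separates three responsibilities: the authorizing user sets policy, the authorization manager makes each access decision, and the host merely stores the resource and enforces whatever the manager decides. The following Python sketch is an added illustration of that division of labour and of the one-time versus ongoing grant; it is not the UMA protocol (which is defined in the Working Drafts linked below) and not code from the UMA project. The class names, the policy shape, and the sample resource and requester names are all assumptions made for the illustration.

```python
"""Toy model of the UMA roles: authorizing user, requester, host,
authorization manager. Illustration only; not the UMA wire protocol.
All names and the policy structure are assumptions for this example."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Policy:
    """One access grant configured by the authorizing user.

    ongoing=True  -> standing grant, may be used repeatedly
    ongoing=False -> single-use grant, consumed by the first access
    """
    requester: str
    resource: str
    ongoing: bool
    used: bool = False


class AuthorizationManager:
    """Makes access decisions on the authorizing user's behalf.

    The authorizing user configures policy here; the host never sees
    the policy, it only asks for a yes/no decision per request.
    """

    def __init__(self) -> None:
        self._policies: Dict[Tuple[str, str], Policy] = {}

    def set_policy(self, requester: str, resource: str, ongoing: bool) -> None:
        # Called by (or for) the authorizing user, not by the host.
        self._policies[(requester, resource)] = Policy(requester, resource, ongoing)

    def decide(self, requester: str, resource: str) -> bool:
        policy = self._policies.get((requester, resource))
        if policy is None:
            return False            # no grant at all: deny by default
        if policy.ongoing:
            return True             # standing grant
        if policy.used:
            return False            # one-time grant already consumed
        policy.used = True          # consume the one-time grant
        return True


class Host:
    """Stores the user's resources and enforces decisions it did not make."""

    def __init__(self, manager: AuthorizationManager) -> None:
        self._manager = manager
        self._store: Dict[str, str] = {}

    def put(self, resource: str, data: str) -> None:
        self._store[resource] = data

    def get(self, requester: str, resource: str) -> Optional[str]:
        # The host delegates the decision; it applies no policy of its own.
        if not self._manager.decide(requester, resource):
            return None
        return self._store.get(resource)


def demo() -> Dict[str, Optional[str]]:
    """Run the home-address scenario; values here are constructed sample data."""
    manager = AuthorizationManager()
    host = Host(manager)
    host.put("home_address", "1 Example Street")      # constructed sample resource

    # Authorizing user: one-time grant for one app, ongoing grant for another.
    manager.set_policy("maps_app", "home_address", ongoing=False)
    manager.set_policy("delivery_app", "home_address", ongoing=True)

    return {
        "maps_first": host.get("maps_app", "home_address"),
        "maps_second": host.get("maps_app", "home_address"),      # consumed
        "delivery_first": host.get("delivery_app", "home_address"),
        "delivery_second": host.get("delivery_app", "home_address"),
        "stranger": host.get("unknown_app", "home_address"),      # no grant
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point worth noticing is that `Host` contains no policy logic at all: swapping in a different `AuthorizationManager` changes every access decision without touching the host, which is the property the scenario above relies on when the user "tells the host to act on access decisions made by" a service of the user's choosing.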
Following is suggested reading.
The basics
- Poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) presented at the IEEE Security and Privacy symposium poster session.
- UMA overview slides meant for a half-hour presentation (slides with builds and slides with speaker's notes). Adjunct draft slides explaining UMA's resource protection method are also available.
- The User Experience page collects wireframes exploring user interactions with UMA-enabled services. This includes a set of wireframes that matches the webinar scenario.
- The emerging set of UMA user stories attempts to capture the desired benefits to all the parties involved.
Technical perspective
- The Working Drafts area of this wiki contains the official definition of the UMA protocol.
- The OAuth leeloo open-source project is a UMA-friendly Java-based OAuth 2.0 implementation.
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- The Technology Matrix compares UMA with various other technologies and explores potential synergies between them.
- Writings by our implementation coordinator Maciej Machulak are at his user-managed access control site.
Discussions and ruminations
- ReadWriteWeb article Identity Management and Networks: The Enterprise Considers the Social Way from 23 Sep 2010, discussing UMA's potential impact.
- Group chair Eve Maler writes about UMA and its predecessor, ProtectServe, here.
- Some historical materials (may be out of date) explaining the original thinking behind UMA and its predecessor, ProtectServe, are available.
- If you're a German speaker, check out Christian Scholz's appearance on German radio (mp3), discussing privacy and UMA.