UMA Explained
User-Managed Access (UMA) involves four entities: the authorizing user, the requester, the host, and the authorization manager.
For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a "personal data store" service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager). The host stores the resource but does not decide who may read it; it defers that decision to the authorization manager, where the user's policy lives.
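The division of labour in that scenario, as an added illustration that is not part of this wiki page or of any UMA implementation: the class and method names, the token format, the policy store and the sample address are assumptions made for this example, not UMA's wire protocol. What the toy shows is that the host never decides access on its own, that a one-time grant is spent after one use while an ongoing grant keeps working until the user revokes it, and that a token issued to one requester is useless to another.

```python
"""Toy model of the four UMA roles (authorizing user, requester, host,
authorization manager).  Added illustration only: names, token format and
policy store are assumptions for this example, not UMA protocol messages."""
import secrets


class AuthorizationManager:
    """Authorization manager: holds the user's policies and makes every decision."""

    def __init__(self):
        # (user, resource, requester) -> remaining uses (None means ongoing access)
        self._policies = {}
        # token -> (user, resource, requester) the token was issued for
        self._grants = {}

    def set_policy(self, user, resource, requester, uses=None):
        """Authorizing user allows `requester` to reach `resource`.
        uses=None grants ongoing access; an integer grants that many uses."""
        self._policies[(user, resource, requester)] = uses

    def revoke(self, user, resource, requester):
        """Authorizing user withdraws the policy; outstanding tokens stop working."""
        self._policies.pop((user, resource, requester), None)

    def request_access(self, requester, user, resource):
        """Requester asks for access; a token is issued only if a policy allows it."""
        if (user, resource, requester) not in self._policies:
            return None
        token = secrets.token_urlsafe(16)
        self._grants[token] = (user, resource, requester)
        return token

    def decide(self, token, requester, user, resource):
        """Host asks whether `token` permits this request.  Each call is a fresh
        decision: the token must match the requester and resource it was issued
        for, the policy must still exist, and one-time grants are consumed here."""
        key = (user, resource, requester)
        if self._grants.get(token) != key:
            return False                      # unknown, stolen or misdirected token
        remaining = self._policies.get(key, 0)  # revoked policy -> 0 -> deny
        if remaining is None:
            return True                       # ongoing access
        if remaining <= 0:
            return False                      # one-time grant already spent
        self._policies[key] = remaining - 1
        return True


class Host:
    """Host (personal data store): keeps the resource, defers decisions to the AM."""

    def __init__(self, am):
        self._am = am
        self._resources = {}  # (user, resource) -> data

    def store(self, user, resource, data):
        self._resources[(user, resource)] = data

    def fetch(self, requester, user, resource, token):
        # The host does not inspect the token itself; the AM is the decision point.
        if not self._am.decide(token, requester, user, resource):
            raise PermissionError(f"{requester} denied access to {user}/{resource}")
        return self._resources[(user, resource)]


def run_scenario():
    """Walk the scenario above: one-time access for one app, ongoing for another."""
    am = AuthorizationManager()
    host = Host(am)
    host.store("alice", "home-address", "12 Sample Street")  # constructed sample data

    am.set_policy("alice", "home-address", "mapapp", uses=1)  # one-time access
    am.set_policy("alice", "home-address", "shipper")         # ongoing access

    def attempt(requester, token):
        try:
            return host.fetch(requester, "alice", "home-address", token)
        except PermissionError:
            return None

    map_token = am.request_access("mapapp", "alice", "home-address")
    ship_token = am.request_access("shipper", "alice", "home-address")
    results = {
        "mapapp_first": attempt("mapapp", map_token),
        "mapapp_second": attempt("mapapp", map_token),      # one-time grant spent
        "shipper_first": attempt("shipper", ship_token),
        "shipper_second": attempt("shipper", ship_token),
        "stranger_token": am.request_access("stranger", "alice", "home-address"),
        "stolen_token": attempt("stranger", ship_token),    # token bound to shipper
    }
    am.revoke("alice", "home-address", "shipper")
    results["shipper_after_revoke"] = attempt("shipper", ship_token)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The point a deployer should take from the toy is where the checks sit: the host's `fetch` contains no policy logic at all, and both the one-time limit and the revocation take effect without the host being told, because every access is referred back to the authorization manager.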
See the following sections for suggested reading. Be sure to read the documents in the Working Drafts area of this wiki for the official definition of UMA.
General Interest
- Poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) presented at the IEEE Security and Privacy symposium poster session.
- Slides from a half-day workshop held at the European Identity Conference in Munich on 4 May 2010.
- The overview slides and recordings (slides without builds, audio, Flash, WMV for PC users, and an ARF file that requires the PC or Mac WebEx player) from the webinar held on 29 Jan 2010 explain the problem UMA is trying to solve and the general shape of the solution, including a walkthrough of a simplified scenario.
- The User Experience page collects wireframes exploring user interactions with UMA-enabled services. This includes a set of wireframes that matches the webinar scenario.
- We have a working lexicon that explores the relationship between the party who authorizes access and the party who ultimately gets access. Lawyerly types might be especially interested in this.
- Group chair Eve Maler writes about UMA and its predecessor, ProtectServe, here.
- Some historical materials (may be out of date) explaining the original thinking behind UMA and its predecessor, ProtectServe, are available.
Implementers and Deployers
Following is a condensed summary of the draft UMA protocol:
See also the following:
- Christian Scholz has done a very simple prototype of the UMA protocol in Python.
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- The Protocol Flow page has swimlane diagrams that show the core protocol at a high level.
- The Technology Matrix compares UMA with various other technologies and explores potential synergies between them.
- Writings by our implementation coordinator Maciej Machulak are at his user-managed access control site.