UMA Explained
User-Managed Access (UMA) involves these entities:
For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a "personal data store" service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).
See the following sections for suggested reading. Be sure to read the documents in the Working Drafts area of this wiki for the official definition of UMA.
General Interest
- Poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) presented at the IEEE Security and Privacy symposium poster session.
- Slides from a half-day workshop held at the European Identity Conference in Munich on 4 May 2010.
- The User Experience page collects wireframes exploring user interactions with UMA-enabled services. This includes a set of wireframes that matches the webinar scenario.
- We have a working lexicon that explores the relationship between the party who authorizes access and the party who ultimately gets access. Lawyerly types might be especially interested in this.
- Group chair Eve Maler writes about UMA and its predecessor, ProtectServe, here.
- Some historical materials (may be out of date) explaining the original thinking behind UMA and its predecessor, ProtectServe, are available.
- If you're a German speaker, check out Christian Scholz's appearance on German radio (mp3), discussing privacy and UMA.
Implementers and Deployers
Following is a condensed summary of the draft UMA protocol:
See also the following:
- The Working Drafts page summarizes the state of play of all of the specs.
- Christian Scholz has done a very simple prototype of the UMA protocol in Python.
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on the ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- The Protocol Flow page has swimlane diagrams that show the core protocol at a high level.
- The Technology Matrix compares UMA with various other technologies and explores potential synergies between them.
- Writings by our implementation coordinator Maciej Machulak are at his user-managed access control site.