The proposed IETF User Managed Access (UMA) protocol, in the works for years, is finally ready for prime time. UMA has the potential to make all the “app security” constituents happy: the people who use them, the web developers who write them and the organizations that host them.
In the late 90’s and early 2000’s, 100% proprietary Web Access Management (WAM) protocols were developed to enable organizations to centrally authenticate people, and to authorize who had access to what URLs. In the mid 2000’s, the Security Assertion Markup Language (SAML) standard emerged, but most implementations were limited to authentication and attribute exchange–not authorization.
For the first time, the IETF OAuth2 standard has enabled the consolidation of business logic for both authentication and authorization, for both internal and external websites. Two important profiles of OAuth2 have emerged:
(1) OpenID Connect provides authentication, including the endpoints that enable a website to bootstrap authentication with a previously unknown domain.
(2) UMA introduces an OAuth2 “policy decision point,” which enables a website to query a central point to find out if a person is authorized for a certain “scope,” which can map to an organizational policy.
Many mobile development environments lack the capability to use either WAM or SAML infrastructures for centralized authorization. This has left organizations searching for solutions. UMA and OpenID Connect are of course delivered via web and mobile developer friendly JSON-REST web services, and there is open source software available to facilitate adoption.
Subscribe to Get News and Product Updates
our RSS Feed