Gluu Blog

Follow us:
Back to Blog

Enterprise UMA: Access Management with OAuth2

Michael Schwartz July 8, 2013

The proposed IETF User Managed Access (UMA) protocol, in the works for years, is finally ready for prime time. UMA has the potential to make all the “app security” constituents happy: the people who use them, the web developers who write them and the organizations that host them.

In the late 90’s and early 2000’s, 100% proprietary Web Access Management (WAM) protocols were developed to enable organizations to centrally authenticate people, and to authorize who had access to what URLs. In the mid 2000’s, the Security Assertion Markup Language (SAML) standard emerged, but most implementations were limited to authentication and attribute exchange–not authorization.

For the first time, the IETF OAuth2 standard has enabled the consolidation of business logic for both authentication and authorization, for both internal and external websites. Two important profiles of OAuth2 have emerged:

(1) OpenID Connect provides authentication, including the endpoints that enable a website to bootstrap authentication with a previously unknown domain.

(2) UMA introduces an OAuth2 “policy decision point,” which enables a website to query a central point to find out if a person is authorized for a certain “scope,” which can map to an organizational policy.

Many mobile development environments lack the capability to use either WAM or SAML infrastructures for centralized authorization. This has left organizations searching for solutions. UMA and OpenID Connect are of course delivered via web and mobile developer friendly JSON-REST web services, and there is open source software available to facilitate adoption.


Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.

Reader Interactions