Gluu Publishes Open Source “Enterprise UMA” Software to enable OAuth 2.0 Access Management for Web and Mobile
Gluu’s open source software for UMA, the proposed IETF standard for “User Managed Access”, makes it easier for organizations to publish an authorization API to centralize enforcement of application security policies.
Austin, TX, May 15, 2013 — Gluu announced today that the newest software release from OX, Gluu’s open source authorization and authentication project, implements UMA, a new profile of OAuth 2.0 for access management. As a profile of OAuth 2.0 that is complementary to OpenID Connect, UMA defines RESTful, JSON-based, standardized flows and constructs for coordinating the protection of any API or web resource. UMA defines interfaces between “authorization servers” and “resource servers” that enable centralized policy decision-making for improved policy administration, auditing, and responsiveness to security threats.
According to the UMA Working Group’s case study on enterprise access management, “although UMA’s primary use cases have centered on individual people, more specifically the “users” who manage access to their own online resources, the UMA notion of authorization as a service also has relevance to modern enterprises that must secure APIs and other web resources in a developer-friendly way.”
The UMA Working Group observes the utility of the protocol for multiple scenarios, noting that “Enterprise UMA has a number of use cases, including managing client access to APIs, defining logic for Stepped-Up Authentication, and providing the foundation for standards-based interoperable web access management.”
With UMA, developers can handle authorization tasks by calling simple JSON/REST endpoints. Administrators no longer have to deploy a web server plugin module or a web “reverse proxy” to enable centralized web authorization. This new paradigm can also be leveraged by “native applications”, for example mobile or cloud applications.
“Integrating UMA into OX, our open source authorization and authentication platform, has opened the door for new enterprise authorization capabilities only partially solved by previous commercial access management suites,” said Gluu CEO Michael Schwartz. “UMA is a major milestone for the Internet. Right now authorization logic is managed in each application, and it is hard for large organizations to centralize policies. Previous attempts to centralize authorization policies have been proprietary, and are not Internet scale. By defining an IETF standard for a developer-friendly access management protocol, UMA reverses this trend, and ultimately will make the Internet a safer place for both people and companies.”
The OX UMA Authorization Server implements all of the UMA-defined endpoints. It also provides a web tool that lets administrators at the domain view the server's resource sets and define the policies for access management. Policies are written as Java or Python code and can be highly customized to meet exact authorization requirements, including calls to external systems or data sources. OX also provides all of the OpenID Connect endpoints, which handle client registration, authentication, and attribute release policies; these supply the identity information that the UMA policy decision point, required by the UMA endpoints, relies on.
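As an added illustration (not Gluu or OX code, and not the OX policy-script interface), the following Python model walks through the flow the preceding paragraphs describe: a resource server registers a resource set with the authorization server, a request without a token yields a permission ticket, the client redeems the ticket together with its claims, the authorization server evaluates a policy written as Python code (here a plain callable) and issues an RPT, and the resource server introspects that token before serving. Method names only loosely follow the UMA draft endpoints; the payroll resource, the user claims, and the stepped-up-authentication policy are constructed for the example, and the protection API token (PAT) is modelled as a shared random value rather than obtained through OAuth.

```python
# Added example (not Gluu/OX code): in-process model of the UMA flow; all data is constructed.
import secrets
import time

class AuthorizationServer:  # central policy decision point
    def __init__(self):
        self.pats = set()         # protection API tokens held by resource servers
        self.resource_sets = {}   # rs_id -> {"name", "scopes", "pat"}
        self.tickets = {}         # permission ticket -> (rs_id, scopes); single-use
        self.rpts = {}            # RPT -> [(rs_id, scopes, expires_at)]
        self.policies = {}        # rs_id -> callable(claims, scope) -> bool

    def _require_pat(self, pat):
        if pat not in self.pats:
            raise PermissionError("protection API requires a valid PAT")

    def register_resource_set(self, pat, name, scopes):
        self._require_pat(pat)
        rs_id = secrets.token_hex(8)
        self.resource_sets[rs_id] = {"name": name, "scopes": frozenset(scopes), "pat": pat}
        return rs_id

    def register_permission(self, pat, rs_id, scopes):
        # RS reports the attempted access; AS returns a ticket the client redeems.
        self._require_pat(pat)
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rs_id, frozenset(scopes))
        return ticket

    def request_rpt(self, ticket, claims):
        # Client trades ticket + claims for an RPT if policy allows every scope.
        entry = self.tickets.pop(ticket, None)   # single-use: a replayed ticket fails
        if entry is None:
            return {"error": "invalid_ticket"}
        rs_id, scopes = entry
        policy = self.policies.get(rs_id, lambda claims, scope: False)   # default deny
        denied = [s for s in sorted(scopes) if not policy(claims, s)]
        if denied:
            return {"error": "not_authorized", "denied_scopes": denied}
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = [(rs_id, scopes, time.time() + 300)]
        return {"rpt": rpt}

    def introspect(self, pat, rpt):
        # RS asks whether an RPT is live and what it permits on that RS's own resources.
        self._require_pat(pat)
        live = [(r, s) for r, s, exp in self.rpts.get(rpt, [])
                if exp > time.time() and self.resource_sets[r]["pat"] == pat]
        return {"active": bool(live),
                "permissions": [{"resource_set_id": r, "scopes": sorted(s)} for r, s in live]}

class ResourceServer:  # policy enforcement point: decides nothing, asks the AS
    def __init__(self, authz):
        self.authz, self.resources, self.pat = authz, {}, secrets.token_urlsafe(16)
        authz.pats.add(self.pat)   # a real RS would obtain its PAT via OAuth

    def handle(self, path, scope, rpt=None):
        rs_id, content = self.resources[path]
        info = self.authz.introspect(self.pat, rpt)
        if info["active"] and any(p["resource_set_id"] == rs_id and scope in p["scopes"]
                                  for p in info["permissions"]):
            return {"status": 200, "body": content}
        # No, expired, forged or insufficient RPT: register a permission, return a ticket.
        return {"status": 403, "ticket": self.authz.register_permission(self.pat, rs_id, [scope])}

def client_access(rs, authz, path, scope, claims):
    # Client side: try once; on 403 redeem the ticket at the AS for an RPT and retry.
    resp = rs.handle(path, scope)
    if resp["status"] == 200:
        return resp
    result = authz.request_rpt(resp["ticket"], claims)
    if "rpt" not in result:
        return {"status": 403, "error": result}
    return rs.handle(path, scope, result["rpt"])

def payroll_policy(claims, scope):
    # Constructed policy: any employee may read; writing needs the payroll role AND
    # step-up authentication (acr >= 2), the "stepped-up" case the text mentions.
    if scope == "read":
        return claims.get("role") in ("employee", "payroll")
    return scope == "write" and claims.get("role") == "payroll" and claims.get("acr", 0) >= 2

def demo():
    authz, path = AuthorizationServer(), "/payroll/2013-05"
    rs = ResourceServer(authz)
    rs_id = authz.register_resource_set(rs.pat, path, ["read", "write"])   # RS registers its resource
    rs.resources[path] = (rs_id, "salary table (constructed)")
    authz.policies[rs_id] = payroll_policy   # policy-as-code attached at the AS, not in the app
    alice, bob = {"sub": "alice", "role": "employee", "acr": 1}, {"sub": "bob", "role": "payroll", "acr": 1}
    cases = [("employee_read", "read", alice), ("employee_write", "write", alice),
             ("payroll_write_acr1", "write", bob), ("payroll_write_acr2", "write", dict(bob, acr=2))]
    out = {name: client_access(rs, authz, path, scope, who)["status"] for name, scope, who in cases}
    out["forged_rpt"] = rs.handle(path, "read", "not-a-real-rpt")["status"]
    ticket = rs.handle(path, "read")["ticket"]   # ticket issued once...
    authz.request_rpt(ticket, alice)              # ...redeemed once...
    out["ticket_replay"] = authz.request_rpt(ticket, alice)["error"]   # ...replay rejected
    return out
```

Calling demo() exercises the cases a practitioner would want to see: an employee can read but not write, a payroll user can write only after stepping up to acr 2, a forged token fails introspection and earns only a fresh ticket, and a permission ticket cannot be redeemed twice. The resource server contains no authorization logic of its own; every decision comes from the policy registered at the authorization server.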
For more information on Gluu’s implementation of UMA visit http://gluu.org/uma-access-management
Gluu provides an open source authentication and authorization platform for organizations that want to leverage open standards such as OpenID Connect, SAML 2.0, and UMA to enable strong authentication, single sign-on (SSO), and access management. Deployed quickly on the customer's IaaS platform of choice, Gluu's technology stack improves the quality and drives down the cost of an increasingly complex and mission-critical IT service: authentication and authorization (AA).
User-Managed Access (UMA, pronounced “OOH-mah”) is an OAuth-based protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates), no matter where all those things live on the web.