5 reasons you need OpenID Connect and UMA in your IAM stack
Over the last 15 years there have been many standards for digital authentication and authorization. Some have seen more adoption than others, but none have provided a “silver bullet” solution to enable secure, universal resource federation at Internet scale.
There is still no “one protocol fits all” solution, however OpenID Connect and UMA succeed in standardizing solutions for today’s distributed authentication and authorization challenges.
Authentication & authorization with OAuth 2.0
On its own, OAuth 2.0 is a framework and does not specify how to implement a particular use case. OAuth 2.0 defines several flows for person and device authorization, but does not specify token formats (JSON or XML?), encryption formats, or other implementation specific details.
To do this you need a “profile” of OAuth 2.0, and the two most notable profiles are:
- OpenID Connect, which defines person authentication, client authentication, client registration;
- The User Managed Access (UMA) protocol, which defines RESTful, JSON-based, standardized flows and constructs for coordinating the protection of any API or web resource.
Why OpenID Connect and UMA?
Older web protocols may still provide tactical value, but here are five compelling reasons why OpenID Connect and UMA should be a top priority for modern identity and access management (IAM) deployments:
- Alignment with OAuth 2.0 standards is critical for mobile, IOT and Web security. By aligning with OAuth 2.0, organizations can support existing and future access management challenges, including mobile single sign-on (SSO), multi-factor adaptive authentication, and federated access to third-party cloud resources.
- OpenID Connect levels the playing field for identity providers and developers. By supporting OpenID Connect, organizations can run the same federation infrastructure as the worlds most trusted identity provider (IDP)–Google.
- OpenID Connect includes discovery which enables a client to find out what URI’s the domain uses to publish the OpenID Connect APIs for registration and requesting user claims. Discovery offers a scalable solution for autonomous domains to share personal identity information (PII).
- UMA enables organizations to launch new, more secure APIs that provide a top-line opportunity, not just a cost. If you can’t control who or what can access an API, and when, then you can’t charge for its use. UMA provides a standard way for API owners to protect and control access to APIs in a distributed, scalable way.
- UMA enables trust elevation by enabling organizations to set policies for certain API’s that require certain credentials, for instance two-factor authentication (2FA). A single authorization point is no longer sufficient for serious website security. To limit the damage done by hackers, domains need to use a multi-layered security approach where authorization is continually checked for depending on what resource is accessed, by which person, on which device, from where, and when.
A strong, central, and modern identity and access management infrastructure is one of the most important security tools available today. According to recent research from Verizon, more than 80% of breaches are due to compromised credentials. Aligning with modern standards that support today’s requirements for authentication and authorization can greatly reduce your organization’s exposure to fraud.
Deploy the Gluu Server today to launch your own OpenID Connect & UMA service.