Standards


Back to Resources

Enterprise UMA (user managed access)


As a profile of OAuth 2.0 that is complementary to OpenID Connect, the user managed access, or “UMA”, specification defines RESTful, JSON-based, standardized flows and constructs for coordinating the protection of APIs and web resources in a way that will be familiar to any developer already acquainted with OAuth.

Read the UMA specification document

Read the Gluu Server UMA Documentation

UMA’s machine-readable resource sets and scope descriptions creates an access control mechanism that enables control over specific API scopes (customizable buckets of API functionality) and website domains. With UMA, client app developers can handle authorization tasks by calling simple JSON/REST endpoints; administrators don’t have to deploy a web server agent or reverse proxy to enable centralized policy enforcement.

UMA defines interfaces between authorization servers and resource servers that, by default, enable centralized policy decision-making for improved service delivery, auditing, policy administration, and accountability, even in a very loosely coupled “public API” environment. Custom profiles enable flexibility to move the decision-making line outward to distributed applications, to account for local preferences in API ecosystems. UMA does not standardize a policy expression language, enabling flexibility in policy expression and evaluation through XACML, other declarative policy languages, or procedural code as warranted by conditions.

UMA inherits authentication agnosticism from OAuth. It concentrates on authorization, not on authentication. It has been profiled to work with OpenID Connect to gather identity claims from whoever (or whatever device) is attempting access, and enables true claims-based authorization (with simple group or role based policies a natural subset).

The best way to learn more is by reviewing the UMA specification document. Note that as of April 25, 2017, UMA 2.0 is nearing completion and will have breaking changes with v 1.0.1. However, the core principals apply and the existing specification document will provide a good foundation for better understanding how the technology works.

In addition, Kantara has published an Enterprise UMA Solution Scenario that provides tangible examples and use cases for UMA in a distributed enterprise setting.

And finally, read our UMA documentation to better understand how to use UMA in the Gluu Server.

Get News and Product Updates