Gluu Publishes Open Source “Enterprise UMA” Software to Enable OAuth 2.0 Access
Gluu announced today that the newest software release from OX, Gluu’s open
source authorization and authentication project, implements UMA, a new
profile of OAuth 2.0 for access management. As a profile of OAuth 2.0 that is
complementary to OpenID Connect, UMA defines RESTful, JSON-based,
standardized flows and constructs for coordinating the protection of any API or
web resource. UMA defines interfaces between “authorization servers” and
“resource servers” that enable centralized policy decision-making for improved
policy administration, auditing, and responsiveness to security threats.
According to the UMA Working Group’s case study on enterprise access
management, “although UMA’s primary use cases have centered on individual
people, more specifically the “users” who manage access to their own online
resources, the UMA notion of authorization as a service also has relevance to
modern enterprises that must secure APIs and other web resources in a
developer-friendly way.”
The UMA Working Group observes the utility of the protocol for multiple scenarios,
noting that “Enterprise UMA” has a number of use cases, including managing client
access to APIs, defining logic for Stepped-Up Authentication, and providing the
foundation for standards-based interoperable web access management.
With UMA, developers can handle authorization tasks by calling simple JSON/REST
endpoints. Administrators no longer have to deploy a web server plugin module or a
web “reverse proxy” to enable centralized web authorization. This new paradigm can
also be leveraged by “native applications”, for example mobile or cloud applications.
“Integrating UMA into OX, our open source authorization and authentication
platform, has opened the door for new enterprise authorization capabilities only
partially solved by previous commercial access management suites,” said Gluu CEO
Michael Schwartz. “UMA is a major milestone for the Internet. Right now
authorization logic is managed in each application, and it is hard for large
organizations to centralize policies. Previous attempts to centralize authorization
policies have been proprietary, and are not Internet scale. By defining an IETF
standard for a developer-friendly access management protocol, UMA reverses this
trend, and ultimately will make the Internet a safer place for both people and
companies.”
The OX UMA Authorization Server implements all the UMA-defined endpoints. It
also provides a web tool to enable administrators at the domain to view the server's
resource sets and to define the policies for access management. These are written
using Java or Python code, and can be highly customized to meet the exact authorization
requirements, including calls to external systems or data sources. OX
also provides all OpenID Connect endpoints, which provide client registration,
authentication, and attribute release policies to support an UMA policy decision
point, which is required by the UMA endpoints.
For more information on Gluu’s implementation of UMA visit
http://gluu.org/uma-access-management
About Gluu:
Gluu provides an open source authentication and authorization platform for
organizations that want to leverage open standards such as OpenID Connect, SAML
2.0, and UMA to enable strong authentication, Active Directory single sign-on, and
access management. Deployed quickly on the customer's IaaS platform of choice,
Gluu’s technology stack improves the quality and drives down the cost of an
increasingly complex and mission-critical IT service: authentication and
authorization (AA).
About UMA:
User-Managed Access (UMA, pronounced “OOH-mah”) is an OAuth-based
protocol designed to give a web user a unified control point for authorizing who
and what can get access to their online personal data (such as identity attributes),
content (such as photos), and services (such as viewing and creating status
updates), no matter where all those things live on the web.