
The State of UMA, 2014-11-03



  1. The State of User-Managed Access, November 2014. Eve Maler, chair @UMAWG. 3 November 2014
  2. Agenda
     • Quick summary of UMA in context
     • Specification progress in context
     • Implementation news
     • Standardization progress and next steps
     • Use case domains
     • Other major news items
     • Thoughts on UMA contributions to the larger conversation
  3. The new Venn of access control and consent [Venn diagram: OpenID Connect, UMA, OAuth 2.0]
  4. The marvelous spiral of controlled personal data/access sharing
  5. Interoperable, RESTful authorization-as-a-service
     • Has standardized APIs for privacy and “selective sharing”
     • Outsources protection to a centralizable authorization server
     [Diagram labels: “authz provider” (AzP), “authz relying party” (AzRP), identity provider (IdP), SSO relying party (RP)]
  6. Specification progress in context [Timeline figure, years 08 through 15. Labels: Protect Serve; UMA Core, Resource Set Registration; OAuth 1.0, 1.0a; WRAP; OpenID AB/Connect; Open ID; OpenID Connect; OAuth 2.0; Dynamic Client Reg…; Claims, Obs…]
  7. Implementation news
     • Interop testing has begun on the “V0.9” specs, mostly against Roland Hedberg’s suite
       – Four participants, four full solutions (including an authorization server) and two partial solutions (resource server and client only)
       – Several other implementations in the wings
     • A few implementations in deployment
       – One product for a personal data use case
       – One product for several enterprise use cases
     • Cross-matrix testing coming in 2015
  8. Standardization progress and next steps [Roadmap figure. Labels: UMA “Core” (Profile of OAuth), Resource Set Registration, Claim Profiles Framework Binding Obligations. Quarters shown: Q1-2, Q1-2, Q3-4, Q3-4?]
  9. Use-case domains: Health, Financial, Education, Personal, Government, Media, Behavioral, Web, Mobile, API, IoT
  10. Other major news items
      • EIC award
      • HEART WG
      • New open-source community
  11. UMA contributions to the larger privacy and consent conversation
      • UMA authorization grants (and consent directives) as asynchronous consent
      • The relationship between proactive, directed sharing and privacy-as-runtime-consent
  12. UMA contributions to the larger access control conversation
      • Opportunities for declarative policy to be the “rocket fuel” of IoT authorization
      • Opportunities for UMA along with simplified XACML in the health space
      • UMA extensions for full ABAC
  13. Big thanks!
      • To Kantara
      • To the UMA WG
      • To the implementers
      • To the IRM community
  14. Questions? Thank you! Eve Maler, chair @UMAWG. 3 November 2014