Presentation is loading. Please wait.

Presentation is loading. Please wait.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug 2013 1.

Published byHarry Whitney Modified over 9 years ago

Similar presentations

Presentation on theme: "User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug 2013 1."— Presentation transcript:

1 User-Managed Access UMA Work Group @UMAWG tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug 2013 1

2 The “data price” for online service is too high: typing… Provisioning by hand Provisioning by value Oversharing Lying! 2

3 The “data price” for online service is too high: connecting… Meaningless consent to unfavorable terms Painful, inconsistent, and messy access management Oblivious oversharing 3

4 The “data price” for online service is too high: private URLs… Handy but insecure Unsuitable for really sensitive data 4

5 5 Most data “sharing” today is back-channel and unconsented Image source: http://informationanswers.com/?p=283

6 Privacy is about context, control, choice and respect – so UMA enables a “digital footprint control console” Web 2.0 access control is inconsistent and unsophisticated To share with others, you have to list them literally You have to keep rebuilding your “circles” in new apps You can’t advertise content without giving it away You can’t get a global view of who accessed what You can unify access control under a single app Your access policies can test for claims like “over 18” You can reuse the same policies with multiple sites You can control access to stuff with public URLs You can manage and revoke access from one place 6

7 Enterprise use cases bring WAM into the API economy 7 You create and standardize machine- readable scope descriptions You can centralize scope mgmt at one AS and reuse policies Scopes are entirely proprietary and non- interoperable Access management and policies are done on a pairwise, per- service basis The RO is the enterprise itself The policy administrator is an “RO agent” The AS is a PAP and (pseudo) PDP that can serve as a PIP client

8 Protocol vs. value-add: the basics 8 Apps can outsource reusable high-quality access control Your access policies can test for claims like “over 18” You can delegate constrained access to autonomous others You can control access to stuff with public URLs You can manage and revoke access from one place You create and standardize machine-readable scope descriptions You can centralize scope mgmt at one AS and reuse policies Protocol + likely AS/RS agreements Protocol + policy/claim support in AS UX and functionality Protocol + “personal discovery” features AS UX and functionality Profiling Protocol ASSUMPTION: STILL HAS API-SPECIFIC SEMANTICS, JUST LIKE OAUTH

9 Potential ecosystem: “social access control” (à la social sign-in) 9 Most dynamic; Alice-to-Bob sharing is the key differentiator AS RS CCCCCC CC Few, large, IdP-assoc/PDS Some with onboard RS apps Few, large, IdP-assoc/PDS Some with onboard RS apps Work with popular AS+IdPs May outsource local authz Work with popular AS+IdPs May outsource local authz Third-party apps UMA-enabled Benefits High-quality, centralized consumer authz Benefits High-quality, centralized consumer authz Challenges Disruptive change to biz models Trust and assurance API interoperability Challenges Disruptive change to biz models Trust and assurance API interoperability RS

10 Potential ecosystem: “walled garden PDS’s” 10 Likely highly static partnerships; Alice-to-Alice/Bob/org sharing AS RS C CC NSTIC-ish banks and telcos In-house apps NSTIC-ish banks and telcos In-house apps Part of existing third-party ecosystem Few truly independent apps Benefits Today’s back-channel user data is put under user control/monitoring “Outward” trust growth Benefits Today’s back-channel user data is put under user control/monitoring “Outward” trust growth Challenges Tight binding to the owner of the garden Challenges Tight binding to the owner of the garden RS C

11 Potential ecosystem: “patient- centric health vaults” 11 Static partnering will center on payers as 900-lb gorillas; highly vertical AS RS CCCCCC CC Payers (insurance, governments) and HISPs Healthcare providers Quantified self apps Healthcare providers Quantified self apps “Mint for patients and caregivers” Benefits Proactive, trackable consent directives Blue Button-like delivery of data Benefits Proactive, trackable consent directives Blue Button-like delivery of data Challenges Sclerotic IT practices Serious security, privacy, and discoverability needs Challenges Sclerotic IT practices Serious security, privacy, and discoverability needs RS

12 Potential ecosystem: “distributed authz for business” (access management 2.0) 12 AliceCo-to-Employee/Contractor/PartnerBob sharing AS RS CCCCCC CC Firms have own AS, like IdP May have internal apps Firms have own AS, like IdP May have internal apps SaaS, PaaS, IaaS “Claims-based SSO” SaaS, PaaS, IaaS “Claims-based SSO” Third-party apps UMA- enabled Benefits Centralized scope mgmt across web, mobile Less dependent on a “big bang” Benefits Centralized scope mgmt across web, mobile Less dependent on a “big bang” Challenges Legacy apps and WAM practices Challenges Legacy apps and WAM practices AS RSASC

13 UMA turns online sharing into a privacy-by-design solution 13

14 UMA turns online sharing into a privacy-by-design solution Historical Municipal Financial Vocational Artistic Social Geolocation Computational Genealogical Biological Legal... Historical Municipal Financial Vocational Artistic Social Geolocation Computational Genealogical Biological Legal... 14

15 UMA turns online sharing into a privacy-by-design solution I want to share this stuff selectively Among my own apps With family and friends With organizations I want to share this stuff selectively Among my own apps With family and friends With organizations I want to protect this stuff from being seen by everyone in the world 15

16 UMA turns online sharing into a privacy-by-design solution 16 I want to control access proactively, not just feel forced to consent over and over

17 Key use cases http://kantarainitiative.org/confluence/display/uma/Case+S tudies http://kantarainitiative.org/confluence/display/uma/Case+S tudies Subscribing to a friend’s personal cloud Sharing accessibility attributes (“GPII”) E-transcript sharing (“HEAR”) Patient-centric health data access Enterprise “access management 2.0” 17

18 UMA is a profile of OAuth, with bits added for interop and scale 18 resource owner resource server authorization server client protecte d resource s (unnamed till now)

19 UMA solves for 1) individual choice and 2) fully modular cloud services 19 App-specific API UMA-enabled client RPT requesting party token

20 UMA solves for 1) individual choice and 2) fully modular cloud services 20 Protection API Protection client PAT protection API token includes resource registration API and token introspection API

21 UMA solves for 1) individual choice and 2) fully modular cloud services 21 Authorization API Authorization client AAT authorization API token supports OpenID Connect-based claims-gathering for authz

22 Key implementations http://kantarainitiative.org/confluence/display/uma/UMA+Implementatio ns http://kantarainitiative.org/confluence/display/uma/UMA+Implementatio ns SMARTAM.net (running authorization service from Cloud Identity UK) Puma (Python libraries for RS- and client- enabling web apps) from ditto Fraunhofer AISEC open- source implementation in Java Gluu OX open-source implementation for Access Management 2.0 use cases 22

23 Next steps Work on optimization opportunities when UMA and OpenID Connect are used together Issue “Implementor’s Draft” Continue to work with AXN, Scalable Privacy, and others in “trusted identities in cyberspace” ecosystem Profile UMA for higher ed, accessibility attribute sharing, healthcare use cases We welcome your involvement and contributions –Become an UMAnitarian! –Follow @UMAWG on Twitter and UserManagedAccess on FB 23

24 Questions? Thank you @UMAWG tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May 2013 24

25 Phase 1: protect a resource 25

26 Phases 2 and 3: get authorization and access resource 1 of 3 26

27 Phases 2 and 3: get authorization and access resource 2 of 3 27

28 28 Phases 2 and 3: get authorization and access resource 1 of 3

29 Spec call tree for the UMA profile of OAuth 29 UMA coreOAuth 2 OpenID Connect Token introspection OAuth resource set registration UMA binding obligations Dynamic client registration hostmeta UMA native spec Required external component Optional external component Individual IETF I-D

Download ppt "User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug 2013 1."

Similar presentations

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.
Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
Impacts of 3 rd Party IaaS on broadband network operations and businesses Prabhat Kumar Managing Partner, i 3 m 3 Solutions.

Impacts of 3 rd Party IaaS on broadband network operations and businesses Prabhat Kumar Managing Partner, i 3 m 3 Solutions.
User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May 2013 1.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGENT REALLY HAVE TO BE DIFFICULT?

DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGENT REALLY HAVE TO BE DIFFICULT?
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Www.incommon.org A View into the Mi$t 1 RL Bob Morgan University of Washington Co-chair, InCommon Technical Advisory Committee.

A View into the Mi$t 1 RL "Bob" Morgan University of Washington Co-chair, InCommon Technical Advisory Committee.
Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Understanding Active Directory

Understanding Active Directory
The Business of Identity Management Barry R. Ribbeck Director Systems Architecture & Infrastructure Rice University

The Business of Identity Management Barry R. Ribbeck Director Systems Architecture & Infrastructure Rice University
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)

OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)
Cloud Computing Cloud Security– an overview Keke Chen.

Cloud Computing Cloud Security– an overview Keke Chen.
UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.

The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.
Protecting “Personal Clouds” with UMA and OpenID #UMApcloud for questions 19 June 2014 tinyurl.com/umawg for slides, recording, and more.

Protecting “Personal Clouds” with UMA and OpenID #UMApcloud for questions 19 June 2014 tinyurl.com/umawg for slides, recording, and more.

Similar presentations

Ads by Google