Glossary of Terms


Access Management: An access management system determines what access a user has to resources.
ARP: Attribute Release Policy.
Attribute: A single piece of user data (such as name, affiliation, or study branch) needed to make authorization decisions. Some attributes are general; others are personal. Some combination of attributes defines a unique individual.
Attribute Assertion: The process by which one entity asserts that attributes about an individual are accurate.
Attribute Release Policy: Defines which attributes will be released to a requesting resource. It is a mechanism for implementing privacy and data protection.
Authentication: The process of verifying the identity of a user. Also "auth" or "authN".
Authorization: The process of granting or denying access to a resource for an authenticated user. Also "authZ".
Certificate: A form of digital credential that may be used for authentication. More formally, a digital certificate is a cryptographically signed digital representation of user or device attributes that binds a key to an identity. A unique certificate attached to a public key provides evidence that the key has not been compromised. A certificate is issued and signed by a certificate authority.
Certificate Authority (CA): A trusted third-party organization or company that issues certificates used to encrypt, decrypt, and create digital signatures and public-private key pairs.
Credential: Passwords, keys, other security tokens (such as a proxy or smart card), or biometrics such as fingerprints are examples of credentials.
Credential Provider: An entity that issues credentials to its members for the purpose of authenticating that individual's identity or authorizing access to a particular system.
Discovery Service: A service that helps a user locate his or her "home" IdP. The discovery service reads federation metadata and generates a web page that enables the user to select the appropriate IdP.
Federated Identity: The management of identity information between members of a federation, according to agreed-upon standards and conventions.
Federation: An Identity Federation is an organization of institutions that agree on a common set of principles in order to share information as a collection of equals.
Federation Member: An individual institution (such as a university or library) that agrees to participate in an Identity Federation.
Federation Operator: An entity that runs the Federation on a day-to-day basis and maintains standards, metadata, operational agreements, etc.
Identifier: Characters or data that refer to a specific identity. Examples include an email address, a user name, a Kerberos principal name, a campus network ID, an employee or student ID, or a certificate. An identifier is a label for an identity.
Identity: Information about who you are. A set of data that is kept about an individual. May include data such as a user name and password, groups, roles, privileges, or even personal information such as employment and health records.
Identity Provider: Someone who stores your identity information and presents it to others. A campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants; a trusted party that can be relied upon by users and servers for authentication. Also "Issuer".
Identity Store: A database of identities, such as an enterprise directory. A structured collection of information about multiple individuals.
IdP: Identity Provider.
Level of Assurance (LOA): The amount of confidence that the person presenting a credential is actually that person. A federation member must undergo an assurance audit to be allowed to grant high Levels of Assurance to its users.
Metadata: Data or information about data. This information is necessary for one party to communicate with the other. A formal description of how federation components agree to communicate. In SAML there is metadata about the IdP and metadata about the SP.
Roaming: A mechanism that allows a device to connect to a network other than its home network.
SAML: Security Assertion Markup Language. Specified by the OASIS Security Services Technical Committee, SAML is a standard for constructing, exchanging, and interpreting information between an IdP and an SP.
Service Provider: Someone who provides you with a "service" such as a web site, online community, or research tool. A campus, department, or other organization that makes online resources available to users based, in part, on information about them that it receives from other Federation participants. Also "Relying Party" (RP).
Shibboleth: Developed by Internet2, it is a standards-based, open source software package for federated identity-based authentication and authorization infrastructure. It is based on SAML and provides web single sign-on across organizational boundaries, such as within an identity federation.
SP: Service Provider.
Trust: The amount of reliance that can be placed in received information. In a federation, trust is based on the practices and conventions that are agreed upon by federation members.
User: The person who accesses the online services available in a federation. Also "subject" or "principal".