AAA
Authentication, Authorisation and Accounting. A term used for describing a technical and legal environment for intelligently controlling access to computer resources, enforcing policies, auditing usage and providing the information necessary to bill for services.
AAF
Australian Access Federation Inc.
AAI
Authentication and Authorisation Infrastructure
Access Management System
The collection of systems and services associated with specific online resources or services that together decide whether to grant a given individual access to those resources or services.
Assertion
The identity information provided by an Identity Provider to a Service Provider.
Attribute
A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number and group affiliation.
Attribute Authority (AA)
The Shibboleth software service that asserts the requesting individual's attributes by creating an attribute assertion and then digitally signing it. The receiving online Service Provider must be able to validate this signature.
Attribute Release Policy (ARP)
Rules that define which attributes are going to be released to a requesting resource. It is a mechanism to implement privacy and data protection.
Attribute resolver
A component of the identity provider. It retrieves attributes from various data sources (LDAP, Active Directory, etc) and performs the necessary transformations for SAML transport.
Audit
An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services and recommend any changes that are indicated for countermeasures.
Authentication
The security measure by which a person transmits and validates his or her association with an electronic identifier. An example of authentication is submitting a password that is associated with a user account name.
Authorisation
The process of determining a specific person's eligibility to gain access to a resource or service; also, a right or permission granted to access an online system.
(Authorisation) Attributes
User data (such as name, affiliation, etc) needed for access control decisions. The attributes used by a federation are defined in the federation attribute specification.
Certificate
A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period and (5) is digitally signed by the certification authority issuing it.
Certificate Authority (CA)
A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.
Certificate Signing Request (CSR)
A digital file that contains a user's name and public key. The user sends the CSR to a Certificate Authority (CA) to be converted into a certificate.
Core attributes
A set of Attributes selected by the federation that all Identity Providers are required to support.
Digital signature
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.
Directory
A directory is a specialised database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations and other resources.
Distinguished Name (DN)
Distinguished names are string representations that uniquely identify users, systems, and organisations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.
Domain name
A domain name is that portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to. Tuakiri.ac.nz is an example of a domain name.
Domain Name Service (DNS)
An Internet service that translates domain names to and from IP addresses.
Discovery Service
Technical term/synonym for WAYF.
eduPerson
An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.
Electronic identifier
A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID or a PKI certificate.
Electronic identity
A set of information that is maintained about an individual, typically in campus electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.
Electronic identity credential
An electronic identifier and corresponding personal secret associated with an electronic identity. An electronic identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
Electronic identity database
A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation and electronic identifier(s). Many technologies can be used to create an identity database, for example, LDAP or a set of linked relational databases.
Enterprise directory
An enterprise directory is a core middleware architecture that may provide common authentication, authorisation and attribute services to electronic services offered by an institution.
Enterprise directory infrastructure
The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.
Entitlement
Entitlements form a specialised class of authorisation attributes important enough to call out separately. They can be used to identify a user's eligibility to access a given resource, such as an e-journal.
Federated identity
The management of identity information between members of a federation.
Federation
A federation is an association of organisations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
Federated identity management
The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.
Federation member
A federation member is an organisation (such as a university, library, etc) that runs one Identity Provider and any number of federation-enabled resources. Federation members have to agree on a common set of policies and rules defined in the federation rules (Governance, Rules & Policy: Federation Rules) in order to allow for smooth and reliable functioning of the federation.
Federation participants
Federation members and federation partners of the Federation.
Federation partner
A federation partner is an organisation, such as a publisher of e-journals, that offers one or more AAI-enabled resources to one or more federation members. The federation partner's resources get integrated into the federation and they may use the central AAI services required for a smooth operation within the federation. However, a federation partner cannot act as a home organisation, i.e. it cannot represent a user community and cannot be an identity provider within the federation.
Federation Registry
The Resource Registry is a tool developed by AAF to manage information about identity providers and service providers participating in the federation. It is used to generate the official metadata and ARP files used by all identity providers and service providers in the two federations.
Fully qualified domain name (FQDN)
The full host name of a computer.
Home organisation
A participating organisation representing a user community, e.g. a university, library, university hospital, etc. A home organisation registers users and stores information about them. Furthermore, it is able to authenticate its users.
Identity
The set of information associated with a specific physical person or other entity. Usually not all identity attributes are relevant in any given situation. Typically an Identity Provider will be authoritative for only a subset of a person's identity information.
Identity credential
An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
Identity database
A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation and electronic identifier(s). Many technologies can be used to create an identity database, for example an LDAP directory or a set of linked relational databases.
Identity Management System (IdMS)
A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.
Identity Provider (IdP)
An identity provider is a Shibboleth server that authenticates users and conveys their attributes to requesting resources. In other terms, it provides the digital identities of its users to other servers in the AAI.
Issuer
The CA that issues a certificate.
LDAP directory
An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol well suited to the authentication and authorisation needs of modern application architectures.
Lightweight Directory Access Protocol (LDAP)
An IETF standard for directory services.
Lightweight Directory Inter-exchange Format (LDIF)
A protocol for exchange of information among LDAP directories.
Metadata
Shibboleth relies on metadata to identify trusted identity providers, service providers and certificate authorities. Prior to Shibboleth 1.3, the metadata consisted of the XML files sites.xml and trust.xml; now only metadata.xml, based on the new SAML 2.0 metadata standards, is used.
Namespace
A set of names in which all names are unique.
NetID
An electronic identifier created specifically for use with online applications, often an integer and typically with no other meaning.
OpenIdP
OpenIdP is a Shibboleth identity provider with a web interface that allows users to register their details (without any verification). This allows them to use Shibboleth without the burden of installing an IdP at their site. It might also be a good mechanism for the slow and controlled adoption of Shibboleth in an institution that might have a small audience.
Participant
An organisation accepted into Tuakiri that has met all the necessary criteria for participation.
Privacy policy
A statement to users of what information is collected and what will be done with the information after it has been collected.
Profile
Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.
providerID
The providerID is a unique identifier, identifying each service provider and identity provider.
Public key cryptography
A cryptographic technique that uses two keys: the first (private) key is always kept secret by an entity, and the second (public) key, which is uniquely linked to the first one, is made public. Signatures created with the private key can be verified by anyone holding the public key, and only the holder of the private key can produce them.
Public Key Infrastructure (PKI)
The set of standards and services that facilitate the use of public-key cryptography in a networked environment.
Relying party
In general, one or more service or identity providers that send or receive a SAML assertion. A relying party could be a single service provider or a group of service providers. SPs and IdPs can be grouped into a relying party by including them in an EntitiesDescriptor element in the metadata. Such a group of service providers may then, for example, be used to tell an identity provider to use a particular way of transmitting attributes to the components of this relying party, e.g. attribute push or attribute pull.
Resource
Web application, web site, information system, etc. A federation-enabled resource requests attributes about users from an identity provider and makes access decisions based on these attributes.
SAML
SAML (Security Assertion Markup Language) is an XML framework for exchanging authentication and authorisation information. SAML is a standard of OASIS. Shibboleth is based on SAML.
Service Provider (SP)
A campus or other organisation that makes online resources available to users based in part on information about them that it receives from other Tuakiri participants.
Shibboleth
The name of an architecture and open source software developed by Internet2/MACE (Middleware Architecture Committee for Education). Shibboleth is based on SAML and allows the implementation of an AAI.
Single Sign-On (SSO)
Single Sign-On enables the user to gain access to multiple resources by authenticating only once.
Subscriber
An organisation that has agreed to the Tuakiri rules and policies and has paid subscription fees in order to use Tuakiri services.
Test federation
A federation operated for testing and developing Shibboleth applications. A test federation should not contain "real" users and is not as secure and reliable as the production federation.
Uniform Resource Identifier (URI)
The name for identifying an abstract or physical resource.
Uniform Resource Locator (URL)
The address of a resource accessible on the Internet. URLs are a subset of URIs.
Uniform Resource Name (URN)
Refers to the subset of URIs that is required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.
User
A registered member of a home organisation.
Virtual Home Organisation (VHO)
The Virtual Home Organisation is an identity provider for users who are not in a participating home organisation.
VHO group
A VHO group is a container within the VHO. It contains VHO end users and/or subgroups, which also can contain VHO end users. One or more VHO administrators manage a VHO group.
VHO administrator
The VHO administrator is a resource owner who is responsible for one or more VHO groups and their VHO end users. The VHO administrator maintains the account data and provides support for VHO end users.
VHO end user
A VHO end user is a valid user who belongs to the VHO.
WAYF (Where Are You From)
The WAYF service, also called the discovery service, lets users choose their home organisation from a list and then redirects them to that home organisation's login page for authentication.
Acknowledgement: This glossary contains content from SWITCH, AAF, InCommon and SURFNet.