Glossary

This glossary of terms has been compiled from InCommon, Internet2, and EDUCAUSE sources for the convenience of campus service providers.

A

Access Management System - The collection of systems and services associated with specific on-line resources or services that together decide whether to grant a given individual access to those resources or services.

Administrator - The Administrator serves as the participating organization's primary registrar. The Administrator is responsible for registering and maintaining the policies and technical data related to the organization's participation in a federation, including the submission of any Identity Provider and/or Service Provider metadata and associated certificates. The Administrator is assigned by the participating organization's designated Executive.

Assertion - The identity information provided by an Identity Provider to a Service Provider.

Attribute - A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, and group affiliation.

Attribute Assertion - A mechanism for associating specific attributes with a user.

Attribute Authority (AA) - The Shibboleth software service that asserts the requesting individual's attributes by creating an attribute assertion and then digitally signing it. The receiving online Service Provider must be able to validate this signature.

Attribute Authority Subject DN - The distinguished name of the Attribute Authority.

Attribute Authority URL - The Internet address of the Attribute Authority.

Attribute Release Policy (ARP) - Rules that an AA follows when deciding whether or not to release an attribute and its value(s).

Audit - An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

Authentication (AuthN) - The security measure by which a person transmits and validates his or her association with an electronic identifier. An example of authentication is submitting a password that is associated with a user account name.

Authorization (AuthZ) - The process for determining a specific person's eligibility to gain access to a resource or service; also, a right or permission granted to access an online system.

C

certificate - A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.

Certificate Authority (CA) - A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.

Certificate Policy (CP) - A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt

Certificate Signing Request (CSR) - A digital file which contains a user's name and public key. The user sends the CSR to a Certificate Authority (CA) to be converted into a certificate.

Certification Practice Statement (CPS) - A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt

Client Certificate - A certificate issued to an individual. It can be used to encrypt and digitally sign email messages, to digitally sign documents and files, and to authenticate the identity of an individual before granting them access to secure online services.

Code Signing Certificate - Code Signing Certificates are used to digitally sign software executables and scripts. Doing so helps users to confirm that the software is 'genuine' by verifying content source (authentication of the publisher of the software) and content integrity (that the software has not been modified, corrupted or hacked since the time it was originally signed).

D

digital signature - A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.

directory - A directory is a specialized database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations, and other resources.

Distinguished Name (DN) - Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.

domain name - A domain name is that portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to. tamu.edu is an example of a domain name.

Domain Name Service (DNS) - An Internet service that translates domain names to and from IP addresses.

E

eduOrg - An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/.

eduPerson - An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/.

electronic identifier - A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.

electronic identity - A set of information that is maintained about an individual, typically in campus electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.

electronic identity credential - An electronic identifier and corresponding personal secret associated with an electronic identity. An electronic identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.

electronic identity database - A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.

enterprise directory - An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution.

enterprise directory infrastructure - The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.

F

federated identity - The management of identity information between members of a federation.

federation - A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

Federation Operation Policies and Practices (FOPP) - The policies and practices the Federation operates under on a day-to-day basis. This document describes the activities of the Federation organization, the process of Participants applying and being accepted, etc., and how decisions are made.

H

Handle - A reference assigned to a user for the purpose of retrieving attributes about the user. The handle is not in any way linked to the identity of the user.

Handle Service - The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.

Handle Service subject DN - The distinguished name of the Handle Service.

Handle Service URL - The Internet address of the Handle Service.

higher education institution - A two- or four-year post-secondary, degree-granting institution that is regionally accredited by an agency on the U.S. Department of Education's list of Regional Institutional Accrediting Agencies.

I

identity - Identity is the set of information associated with a specific physical person or other entity. Usually not all identity attributes are relevant in any given situation. Typically an Identity Provider will be authoritative for only a subset of a person's identity information.

identity credential - An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.

identity database - A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.

Identity Management System - A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.

Identity Provider (IdP) - The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation. For InCommon, an IdP is a campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.

InCommon CA Root Profile - The description of attributes and the data required to authenticate under the InCommon Certificate Authority (CA).

InCommon federation - InCommon is a formal federation of organizations focused on creating a common framework for trust in support of research and education. The primary purpose of the InCommon federation is to facilitate collaboration through the sharing of protected network-accessible resources by means of an agreed-upon common trust fabric.

Issuer - The CA that issues a certificate.

L

LDAP directory - An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol well suited to the authentication and authorization needs of modern application architectures.

Liberty Alliance - A consortium of technology and consumer-facing organizations, formed in September 2001 to establish an open standard for federated network identity. http://www.projectliberty.org/

Lightweight Directory Access Protocol (LDAP) - An IETF standard for directory services.

Lightweight Directory Inter-exchange Format (LDIF) - A protocol for exchange of information among LDAP directories.

M

metadata - Data about data, or information known about an object in order to provide access to the object. Usually includes information about intellectual content, digital representation data, and security or rights management information.

N

namespace - A set of names in which all names are unique.

NetID - An electronic identifier created specifically for use with on-line applications.

P

Participant - An organization accepted into a federation that has met all the criteria for participation.

Participant Agreement (PA) - The "contract" that a potential Participant signs when accepted by a federation. This document outlines information such as fees and the responsibilities of participating in the federation.

Participant Operating Practices (POP) - This document describes how Participants are to describe their credential and identity management systems.

Privacy Policy - A statement to users of what information is collected and what will be done with the information after it has been collected.

Profile - Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.

public key cryptography - A cryptographic technique that uses two keys: the first key is always kept secret by an entity, and the second key, which is uniquely linked to the first one, is made public. Messages created with the first key can be uniquely verified with the second key.

Public Key Infrastructure (PKI) - The set of standards and services that facilitate the use of public-key cryptography in a networked environment.

R

relying party - A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. http://www.ietf.org/rfc/rfc3647.txt

Resource Provider (RP) - see Service Provider.

S

Service Provider (SP) - Previously called the Target Site in the Shibboleth software implementation. An SP is a campus or other organization that makes online resources available to users based in part on information about them that it receives from an Identity Provider.

Shibboleth® - Software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. For more information on Shibboleth please visit http://shibboleth.net/.

SSL Certificate - SSL Certificates are used to secure communications between a website, host or server and the end users connecting to that server. An SSL certificate confirms the identity of the organization operating the website, encrypts all information passed between the site and the visitor, and ensures the integrity of all transmitted data.

Support Contact - The Support Contact is the primary contact for error handling. The Support Contact may be a help desk or a designated support person.

T

Technical Contact - The Technical Contact serves as the primary point of contact for all technical issues for the organization participating in a federation. The technical contact communicates with federation technical staff to ensure smooth operation of the federation's infrastructure.

U

Uniform Resource Identifier (URI) - The name for identifying an abstract or physical resource.

Uniform Resource Locator (URL) - The address of a resource accessible on the Internet. URLs are a subset of URIs.

Uniform Resource Name (URN) - Refers to the subset of URIs that are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.

V

validation - The process of identification of certificate applicants.

W

Where Are You From (WAYF) - A server used by the Shibboleth software to determine what a user's home organization is.