Access Management System - The collection of systems and services associated with specific on-line resources or services that together decide whether to grant a given individual access to those resources or services.
Assertion - The identity information provided by an Identity Provider to a Service Provider.
Attribute - A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, and group affiliation.
Attribute Assertion - A mechanism for associating specific attributes with a user.
Attribute Authority (AA) - The Shibboleth software service that asserts the requesting individual's attributes by creating an attribute assertion and then digitally signing it. The receiving online Service Provider must be able to validate this signature.
Attribute Authority Subject DN - The distinguished name of the Attribute Authority.
Attribute Authority URL - The Internet address of the Attribute Authority.
Attribute Release Policy (ARP) - Rules that an AA follows when deciding whether or not to release an attribute and its value(s)
Audit - An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
Authentication (AuthN) - The process by which a person proves his or her association with an electronic identifier, for example by submitting the password that is associated with a user account name.
Authorization (AuthZ) - The process for determining a specific person's eligibility to gain access to a resource or service; also, a right or permission granted to access an online system.
Billing Contact - The Billing Contact is responsible for executing and maintaining all of the Participant's financial transactions associated with its InCommon federation participation, including any necessary communication with its internal Executive and Administrative Contacts, and externally with federation accounting staff.
certificate - A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
Certificate Authority (CA) - A trusted entity that verifies the identity of certificate applicants and issues, manages and revokes digital certificates binding a public key to that identity.
Certificate Policy (CP) - A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt
Certificate Signing Request (CSR) - A digital file containing the applicant's name (subject DN) and public key, signed with the corresponding private key to prove possession of it. The applicant sends the CSR to a Certificate Authority (CA) to be converted into a certificate.
Certification Practice Statement (CPS) - A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt
digital signature - A value computed over a message or document with the signer's private key and checked with the signer's public key. It authenticates the identity of the sender of a message or the signer of a document, and it demonstrates that the content has not been altered since it was signed.
directory - A directory is a specialized database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations, and other resources.
Distinguished Name (DN) - Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.
domain name - A domain name is the portion of an Internet Uniform Resource Locator (URL) that identifies the host (or set of hosts) an Internet request is addressed to; it is resolved to an IP address through DNS. InCommonFederation.org is an example of a domain name.
Domain Name System (DNS) - The Internet service that translates domain names to IP addresses and, through reverse lookup, IP addresses to domain names.
eduOrg - An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.educause.edu/eduperson/.
eduPerson - An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.
electronic identifier - A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.
electronic identity - A set of information that is maintained about an individual, typically in campus electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.
electronic identity credential - An electronic identifier and corresponding personal secret associated with an electronic identity. An electronic identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
electronic identity database - A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.
enterprise directory - An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution.
enterprise directory infrastructure - The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.
federated identity - The management of identity information between members of a federation.
federation - A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
Federation Operation Policies and Practices (FOPP) - The policies and practices the Federation operates under on a day-to-day basis. This document describes the activities of the Federation organization, the process of Participants applying and being accepted, etc., and how decisions are made.
Handle - An opaque reference assigned to a user so that a Service Provider can request attributes about that user. The handle itself reveals nothing about the user's identity; only the Identity Provider that issued it can map it back to the user.
Handle Service - The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.
Handle Service subject DN - The distinguished name of the Handle Service.
Handle Service URL - The Internet address of the Handle Service.
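The following is an added example, not Shibboleth or InCommon code, of how a Handle and an Attribute Release Policy fit together on the Identity Provider side: the Handle Service hands out a random, opaque handle; the Attribute Authority later resolves it back to the principal and releases only what the ARP permits for the requesting Service Provider. The identity record, the rule format, the SP entity names and the domain example.edu are all constructed for the illustration.

```python
"""Opaque handles plus ARP-driven attribute release (added example, not Shibboleth code).

Everything below is constructed: the identity record, the rule format and the
hypothetical SP entity identifiers.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed identity database: one eduPerson-style record per principal.
IDENTITY_DB = {
    "jdoe": {
        "eduPersonPrincipalName": "jdoe@example.edu",          # hypothetical domain
        "eduPersonAffiliation": ["member", "staff"],
        "eduPersonEntitlement": ["urn:mace:example.edu:library"],
        "mail": "jdoe@example.edu",
        "sn": "Doe",
    },
}


@dataclass
class ReleaseRule:
    """One ARP rule: which attribute a target SP may see.

    values=None releases every value of the attribute; otherwise only the
    listed values are released.  target "*" is the default rule for all SPs.
    """
    target: str
    attribute: str
    values: Optional[set] = None


# Constructed ARP: a default rule plus rules for one hypothetical library SP.
ARP = [
    ReleaseRule("*", "eduPersonAffiliation", {"member"}),
    ReleaseRule("https://library.example.org/sp", "eduPersonAffiliation"),
    ReleaseRule("https://library.example.org/sp", "eduPersonEntitlement",
                {"urn:mace:example.edu:library"}),
]


class HandleService:
    """Issues opaque handles and remembers which principal each one maps to."""

    def __init__(self):
        self._handles = {}

    def issue(self, principal):
        handle = secrets.token_urlsafe(16)   # random: carries nothing about the user
        self._handles[handle] = principal
        return handle

    def resolve(self, handle):
        return self._handles.get(handle)


def apply_arp(attributes, arp, target):
    """Return the subset of `attributes` the ARP lets `target` see.

    Rules for the specific target and the "*" default both apply; the released
    values are their union.  Attributes with no matching rule are withheld.
    """
    released = {}
    for rule in arp:
        if rule.target not in ("*", target) or rule.attribute not in attributes:
            continue
        value = attributes[rule.attribute]
        values = value if isinstance(value, list) else [value]
        if rule.values is not None:
            values = [v for v in values if v in rule.values]
        for v in values:
            bucket = released.setdefault(rule.attribute, [])
            if v not in bucket:
                bucket.append(v)
    return released


def attribute_query(handle_service, handle, target):
    """Attribute Authority side: resolve the handle, then filter by the ARP.

    An unknown (or expired/forged) handle yields no attributes at all.
    """
    principal = handle_service.resolve(handle)
    if principal is None:
        return {}
    return apply_arp(IDENTITY_DB[principal], ARP, target)


if __name__ == "__main__":
    hs = HandleService()
    h = hs.issue("jdoe")
    print("handle:", h)
    print("library SP sees:", attribute_query(hs, h, "https://library.example.org/sp"))
    print("other SP sees:  ", attribute_query(hs, h, "https://other.example.org/sp"))
    print("bogus handle:   ", attribute_query(hs, "not-a-handle", "https://other.example.org/sp"))
```

Note the two properties the glossary entries describe: the handle is generated from a CSPRNG rather than derived from the user, so an SP cannot learn the identity from it, and the ARP decides per target which attributes and which values leave the IdP, so the unlisted mail and sn attributes are never released.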
higher education institution - A two- or four-year post-secondary, degree-granting institution that is regionally accredited by an agency on the U.S. Department of Education's list of Regional Institutional Accrediting Agencies (see http://www.incommonfederation.org/accrediting.html).
identity - Identity is the set of information associated with a specific physical person or other entity. Usually not all identity attributes are relevant in any given situation. Typically an Identity Provider will be authoritative for only a subset of a person's identity information.
identity credential - An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
identity database - A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.
Identity Management System - A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.
Identity Provider (IdP) - The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation. For InCommon, an IdP is a campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.
InCommon CA Root Profile - The description of attributes and the data required to authenticate under the InCommon Certificate Authority (CA).
InCommon federation - InCommon is a formal federation of organizations focused on creating a common framework for trust in support of research and education. The primary purpose of the InCommon federation is to facilitate collaboration through the sharing of protected network-accessible resources by means of an agreed-upon common trust fabric. InCommon participation is separate from membership in Internet2.
InCommon Technical Advisory Committee - Group of individuals that provide technical guidance and direction for InCommon.
InQueue - InQueue is a federation of organizations who are interested in using the Shibboleth technology and exploring how federations work prior to joining a production federation such as InCommon. Participation in InQueue is open to any technically qualifying organization. http://inqueue.internet2.edu/
Issuer - The CA that issues a certificate.
LDAP directory - An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol well suited to the authentication and authorization needs of modern application architectures.
Liberty Alliance - A consortium of technology and consumer-facing organizations, formed in September 2001 to establish an open standard for federated network identity. http://www.projectliberty.org/
Lightweight Directory Access Protocol (LDAP) - An IETF standard protocol for querying and modifying directory services.
LDAP Data Interchange Format (LDIF) - A plain-text file format (RFC 2849) for representing directory entries and changes to them, used to import, export, and exchange information among LDAP directories.
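As an added example (not code from the glossary or from any directory product), the parser below reads one LDIF entry for an eduPerson record and breaks its Distinguished Name into RDNs. The record, the organisation example.edu and the person in it are constructed. It handles the details that trip up hand-written LDIF consumers: folded continuation lines, base64 values marked with "::", multi-valued attributes, and backslash escapes inside DN values, and it includes the inverse escaping routine needed when a DN is built from user-supplied input.

```python
"""Parse an LDIF entry and its DN (added example; record and names are constructed)."""
import base64

# Constructed LDIF record for a hypothetical eduPerson entry at example.edu.
# The description value is folded mid-word, as an LDIF writer may do.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: person
objectClass: eduPerson
uid: jdoe
cn: Jane Doe
sn: Doe
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonPrincipalName: jdoe@example.edu
description: this value was folded by an LDIF wri
 ter across two lines
displayName:: SmFuZSBEw7Zl
"""

HEX = set("0123456789abcdefABCDEF")


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Return (dn, attributes) for a single LDIF entry; values are lists (multi-valued)."""
    dn, attrs = None, {}
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith("<"):                         # 'attr:< file:///...' not supported here
            raise ValueError("URL-valued attribute not supported: %r" % name)
        if rest.startswith(":"):                         # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs


def parse_dn(dn):
    """Split a DN into [(type, value), ...], honouring RFC 4514 escapes and quotes.
    Types are lower-cased (LDAP treats them case-insensitively); '+' components are split."""
    rdns, buf, attr_type, in_quotes, i = [], [], None, False, 0

    def end_component():
        nonlocal attr_type
        if attr_type is None:
            raise ValueError("RDN without '=' in %r" % dn)
        rdns.append((attr_type.strip().lower(), "".join(buf).strip()))
        attr_type = None
        buf.clear()

    while i < len(dn):
        c = dn[i]
        if c == "\\":
            raw = bytearray()                           # consecutive \XX escapes are UTF-8 bytes
            while i + 2 < len(dn) and dn[i] == "\\" and dn[i + 1] in HEX and dn[i + 2] in HEX:
                raw += bytes.fromhex(dn[i + 1:i + 3])
                i += 3
            if raw:
                buf.append(raw.decode("utf-8"))
            elif i + 1 < len(dn):                       # \, \+ \" etc.
                buf.append(dn[i + 1])
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % dn)
            continue
        if c == '"' and attr_type is not None:
            in_quotes = not in_quotes
        elif not in_quotes and c == "=" and attr_type is None:
            attr_type, buf = "".join(buf), []
        elif not in_quotes and c in ",+":
            end_component()
        else:
            buf.append(c)
        i += 1
    end_component()
    return rdns


def escape_dn_value(value):
    """Escape a value for safe inclusion in a DN (RFC 4514 section 2.4)."""
    out = []
    for idx, ch in enumerate(value):
        if ch in '"+,;<>\\' or (idx == 0 and ch in "# ") or (idx == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)
```

A directory consumer that builds DNs by string concatenation from a user-controlled name lets a value such as "x,ou=Admins" change where the entry resolves; escape_dn_value is the corresponding guard, and parse_dn shows what the directory will actually see.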
metadata - Data about data, or information known about an object in order to provide access to the object. Usually includes information about intellectual content, digital representation data, and security or rights management information.
namespace - A set of names in which all names are unique.
NetID - An electronic identifier created specifically for use with on-line applications, often an integer and typically with no other meaning.
Participant - An organization accepted into the InCommon Federation that has met all the criteria for participation as either a higher education institution or a Sponsored Partner.
Participant Agreement (PA) - This is the "contract" that a potential Participant signs when they are accepted by the Federation. This document outlines information such as fees, and responsibilities to participate in InCommon.
Participant Operating Practices (POP) - This document describes how InCommon Participants need to describe their credential and identity management system.
Profile - Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.
public key cryptography - A cryptographic technique that uses a pair of mathematically linked keys: a private key that the entity always keeps secret, and a public key that is made public. A digital signature created with the private key can be verified by anyone holding the public key, and a message encrypted with the public key can be decrypted only with the private key.
Public Key Infrastructure (PKI) - The set of standards and services that facilitate the use of public-key cryptography in a networked environment.
relying party - A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. http://www.ietf.org/rfc/rfc3647.txt
Resource Provider (RP) - For the InCommon Federation, the term Resource Provider has been superseded by the term Service Provider.
Service Provider (SP) - Previously called the Target Site in the Shibboleth software implementation. For InCommon, an SP is a campus or other organization that makes online resources available to users based in part on information about them that it receives from other InCommon participants.
Shibboleth® - Software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. For more information on Shibboleth please visit http://shibboleth.internet2.edu/uses.html.
Sponsored Partner - A business partner that provides resources to a higher education institution, and is sponsored for participation in InCommon by a participating higher education institution.
Support Contact - The Support Contact is the primary contact for error handling. The Support Contact may be a help desk or a designated support person.
Technical Contact - The Technical Contact for InCommon serves as the primary point of contact for all technical issues for the organization participating in InCommon. The technical contact communicates with federation technical staff to ensure smooth operation of the federation's
Uniform Resource Identifier (URI) - A compact string of characters that identifies an abstract or physical resource. URLs and URNs are both kinds of URI.
Uniform Resource Locator (URL) - The address of a resource accessible on the Internet. URLs are a subset of URIs.
Uniform Resource Name (URN) - Refers to the subset of URIs that are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.
validation - The process by which a certification authority verifies the identity of a certificate applicant before issuing a certificate.
Where Are You From (WAYF) - A server used by the Shibboleth software to determine what a user's home organization is.