Cloud Authorization Use Cases Version 0 Committee Note 01 19 November 2014


Identity Management Definitions

The following terms may be used within this document:

Access

To interact with a system entity in order to manipulate, use, gain knowledge of, and/or obtain a representation of some or all of a system entity’s resources. [SAML-Gloss-2.0]

Access control

Protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy. [SAML-Gloss-2.0]

Account

Typically a formal business agreement for providing regular dealings and services between a principal and business service provider(s). [SAML-Gloss-2.0]

Administrative domain

An environment or context that is defined by some combination of one or more administrative policies, Internet Domain Name registrations, civil legal entities (for example, individuals, corporations, or other formally organized entities), plus a collection of hosts, network devices and the interconnecting networks (and possibly other traits), plus (often various) network services and applications running upon them. An administrative domain may contain or define one or more security domains. An administrative domain may encompass a single site or multiple sites. The traits defining an administrative domain may, and in many cases will, evolve over time. Administrative domains may interact and enter into agreements for providing and/or consuming services across administrative domain boundaries. [SAML-Gloss-2.0]

Administrator

A person who installs or maintains a system (for example, a SAML-based security system) or who uses it to manage system entities, users, and/or content (as opposed to application purposes; see also End User). An administrator is typically affiliated with a particular administrative domain and may be affiliated with more than one administrative domain. [SAML-Gloss-2.0]

Agent

An entity that acts on behalf of another entity. [X.idmdef]

Anonymity

The quality or state of being anonymous, which is the condition of having a name or identity that is unknown or concealed. This includes the inability to trace the name or identity by behavior, frequency of service usage or physical location, among other things. [SAML-Gloss-2.0]

Assertion

A piece of data produced by an authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization data applying to the subject with respect to a specified resource. An example of an assertion's subject would be an employee, and an assertion about them would be that they are a manager (i.e. a named role). [SAML-Gloss-2.0]

Assurance

See authentication assurance and identity assurance. [X.idmdef]

Assurance level

A level of confidence (or belief) in the binding (or association) between an entity and the presented identity information. [X.idmdef]

Attribute

A distinct characteristic of an entity or object. An object’s attributes are said to describe it. Attributes are often specified in terms of physical traits, such as size, shape, weight, and color, for real-world objects. Entities in cyberspace might have attributes describing size, type of encoding, network address, and so on. Note that identifiers are essentially "distinguished attributes". See also Identifier. [RFC 4949]

Attribute assertion

An assertion that conveys information about attributes of an entity (i.e. an assertion's subject). An example of an attribute assertion would be that a person with a presented identity (i.e. the entity or subject) has the asserted attributes that they have blue eyes and are a medical doctor. [SAML-Gloss-2.0]

Authentication

A process used to achieve sufficient confidence in the binding between a person or entity and their presented identity. NOTE: Use of the term authentication in an identity management (IdM) context is taken to mean entity authentication. [X.idmdef]

Authentication assertion

An assertion that conveys information about a successful act of authentication that took place for an entity or person (i.e. the subject of an assertion). [SAML-Gloss-2.0]

Authentication assurance

The degree of confidence reached in the authentication process that the communication partner is the entity that it claims to be or is expected to be. NOTE: The confidence is based on the degree of confidence (i.e. assurance level) in the binding between the communicating entity and the identity that is presented. [X.idmdef]

Authorization

  • The process of determining, by evaluating applicable access control information, whether an entity or person is allowed to have the specified types of access to a particular resource. Usually, authorization is in the context of authentication: once a person or entity is authenticated, they or it may be authorized to perform different types of access. [SAML-Gloss-2.0]

  • The granting of rights and, based on these rights, the granting of access. [X.idmdef]

Back channel

Back channel refers to direct communications between two system entities without “redirecting” messages through another system entity. An example would be an HTTP client (e.g. a user agent) communicating directly to a web service. See also front channel. [SAML-Gloss-2.0]

Binding

An explicit established association, bonding, or tie. [X.idmdef]

Binding, Protocol binding

Generically, a specification of the mapping of some given protocol's messages, and perhaps message exchange patterns, onto another protocol, in a concrete fashion. [SAML-Gloss-2.0]

Biometric (Recognition)

Recognition of individuals based on their consistent behavioral and biological characteristics and measurements.

Certificate

A set of security-relevant data issued by a security authority or a trusted third party that, together with security information, is used to provide the integrity and data origin authentication services for the data. [X.idmdef]

Claim

To state as being the case, without being able to give proof. [X.idmdef]

Credential

A set of data presented as evidence of a claimed identity and/or entitlements. [X.idmdef]

Delegation

An action that assigns authority, responsibility, or a function to another entity. [X.idmdef]

Digital identity

A digital representation of the information known about a specific individual, group or organization. [X.idmdef]

End user

A natural person who makes use of resources for application purposes (as opposed to system management purposes; see Administrator, User). [SAML-Gloss-2.0]

Enrollment

The process of inauguration of an entity, or its identity, into a context.

NOTE: Enrollment may include verification of the entity’s identity and establishment of a contextual identity. Also, enrollment is a pre-requisite to registration. In many cases the latter term is used to describe both processes. [X.idmdef]

Entity

Something that has separate and distinct existence and that can be identified in context.

NOTE: An entity can be a physical person, an animal, a juridical person, an organization, an active or passive thing, a device, a software application, a service etc., or a group of these entities. In the context of telecommunications, examples of entities include access points, subscribers, users, network elements, networks, software applications, services and devices, interfaces, etc. [X.idmdef]

Entity authentication

A process to achieve sufficient confidence in the binding between the entity and the presented identity. NOTE: Use of the term authentication in an identity management (IdM) context is taken to mean entity authentication. [X.idmdef]

Federated Identity

A principal's identity is said to be federated between a set of Providers when there is an agreement between the providers on a set of identifiers and/or attributes to use to refer to the Principal. [SAML-Gloss-2.0]

Federate

To link or bind two or more entities together. [SAML-Gloss-2.0]

Federation

Establishing a relationship between two or more entities (e.g. an association of users, service providers, and identity service providers). [SAML-Gloss-2.0] [X.idmdef]

Front channel

Front channel refers to the “communications channel” between two entities that permits passing of messages through other agents and permits redirection (e.g. passing and redirecting user messages to a web service via a web browser or any other HTTP client). See also back channel.

Identification

The process of recognizing an entity by contextual characteristics and its distinguishing attributes. [X.idmdef]

Identifier

One or more distinguishing attributes that can be used to identify an entity within a context. [X.idmdef] [SAML-Gloss-2.0]

Identity

  • The essence of an entity [Merriam]. One's identity is often described by one's characteristics, among which may be any number of identifiers. See also Identifier, Attribute. [SAML-Gloss-2.0]
  • A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within context. For identity management (IdM) purposes the term identity is understood as contextual identity (subset of attributes), i.e., the variety of attributes is limited by a framework with defined boundary conditions (the context) in which the entity exists and interacts. [X.idmdef]

Identity assurance

The degree of confidence in the process of identity validation and verification used to establish the identity of the entity to which the credential was issued, and the degree of confidence that the entity that uses the credential is that entity or the entity to which the credential was issued or assigned. [X.idmdef]

Identity defederation

The action occurring when providers agree to stop referring to a Principal via a certain set of identifiers and/or attributes. [SAML-Gloss-2.0]

Identity federation

The act of creating a federated identity on behalf of a Principal. [SAML-Gloss-2.0]

Identity management (IdM)

A set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for assurance of identity information (e.g., identifiers, credentials, attributes); assurance of the identity of an entity and supporting business and security applications. [X.idmdef]

Identity proofing

A process that validates and verifies sufficient information to confirm the claimed identity of the entity. [X.idmdef]

Identity Provider (IdP)

A kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles. [SAML-Gloss-2.0]

Identity Service Provider (IdSP)

An entity that verifies, maintains, manages, and may create and assign the identity information of other entities. [X.idmdef]

Login, Logon, Sign-on

The process whereby a user presents credentials to an authentication authority, establishes a simple session, and optionally establishes a rich session. [SAML-Gloss-2.0]

Logout, Logoff, Sign-off

The process whereby a user signifies desire to terminate a simple session or rich session. [SAML-Gloss-2.0]

Mutual authentication

A process by which two entities (e.g., a client and a server) authenticate each other such that each is assured of the other’s identity. [X.idmdef]

Non-repudiation

The ability to protect against denial by one of the entities involved in an action of having participated in all or part of the action. [X.idmdef]


A secondary communication process that provides information that supports (or may be required by) a primary communication process. The secondary process may or may not be fully defined or described as part of the primary process.

Party

Informally, one or more principals (i.e. persons or entities) participating in some process or communication, such as receiving an assertion or accessing a resource. [SAML-Gloss-2.0]

Personally Identifiable Information (PII)

Any information (a) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, (b) from which identification or contact information of an individual person can be derived, or (c) that is or can be linked to a natural person directly or indirectly. [X.idmdef]

Policy Decision Point (PDP)

A system entity that makes authorization decisions for itself or for other system entities that request such decisions. [PolicyTerm] For example, a SAML PDP consumes authorization decision requests, and produces authorization decision assertions in response. A PDP is an “authorization decision authority”. [SAML-Gloss-2.0]

Policy Enforcement Point (PEP)

A system entity that requests and subsequently enforces authorization decisions. [PolicyTerm] For example, a SAML PEP sends authorization decision requests to a PDP, and consumes the authorization decision assertions sent in response. [SAML-Gloss-2.0]
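The PDP/PEP split in the two definitions above, as an added example that is not part of the OASIS document: a PEP that never decides on its own but sends an authorization decision request to a PDP, which evaluates it against attribute assertions (the "alice is a manager" kind described under Assertion) and a policy table. The issuer names, subjects, resources and policy are constructed for illustration; a real deployment would use SAML or XACML messages rather than these Python objects.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

@dataclass(frozen=True)
class AttributeAssertion:
    """Assertion by an authority about a subject, e.g. 'alice is a manager'."""
    issuer: str
    subject: str
    roles: FrozenSet[str]

@dataclass(frozen=True)
class DecisionRequest:
    """What the PEP sends to the PDP: who wants to do what to which resource."""
    subject: str
    resource: str
    action: str

class PolicyDecisionPoint:
    """The authorization decision authority: evaluates requests against policy."""

    def __init__(self, trusted_issuers: Iterable[str],
                 policy: Dict[Tuple[str, str], FrozenSet[str]]) -> None:
        self.trusted_issuers = set(trusted_issuers)
        self.policy = policy  # (resource, action) -> roles permitted

    def decide(self, req: DecisionRequest,
               assertions: Iterable[AttributeAssertion]) -> str:
        # Only assertions from a trusted authority about this very subject
        # contribute roles; anything else is ignored.
        roles = set()
        for a in assertions:
            if a.issuer in self.trusted_issuers and a.subject == req.subject:
                roles |= a.roles
        permitted = self.policy.get((req.resource, req.action), frozenset())
        return "Permit" if roles & permitted else "Deny"  # default deny

class PolicyEnforcementPoint:
    """Sits in front of the resource; asks the PDP and enforces the answer."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def access(self, subject: str, resource: str, action: str,
               assertions: Iterable[AttributeAssertion]) -> str:
        req = DecisionRequest(subject, resource, action)
        if self.pdp.decide(req, assertions) != "Permit":
            raise PermissionError(f"{subject} may not {action} {resource}")
        return f"{subject} {action}s {resource}"

def demo() -> Tuple[str, str]:
    # Constructed scenario: one trusted IdP, one policy rule, two subjects.
    pdp = PolicyDecisionPoint({"idp.example"},
                              {("payroll", "read"): frozenset({"manager"})})
    pep = PolicyEnforcementPoint(pdp)
    alice = AttributeAssertion("idp.example", "alice", frozenset({"manager"}))
    # bob's 'manager' role is asserted by an issuer the PDP does not trust.
    bob = AttributeAssertion("rogue.example", "bob", frozenset({"manager"}))
    granted = pep.access("alice", "payroll", "read", [alice])
    try:
        pep.access("bob", "payroll", "read", [bob])
        return granted, "unexpected Permit"
    except PermissionError:
        return granted, "Deny"
```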

Principal

An entity or person whose identity can be authenticated. [X.idmdef]

Principal Identity

A representation of a principal’s identity (e.g. a user identifier, or an identity card). A principal identity may include distinguishing or identifying attributes.

Privacy

The right of individuals to control or influence what personal information related to them may be collected, managed, retained, accessed, and used or distributed. [X.idmdef]

Privacy policy

A policy that defines the requirements for protecting access to, and dissemination of, personally identifiable information (PII) and the rights of individuals with respect to how their personal information is used. [X.idmdef]

Privilege

A right that, when granted to an entity, permits the entity to perform an action. [X.idmdef]


The verification and validation of information when enrolling new entities into identity systems. [X.idmdef]

Provider

A generic way to refer to both identity providers and service providers. [SAML-Gloss-2.0]

Proxy

An entity authorized to act for another. a) Authority or power to act for another. b) A document giving such authority. [SAML-Gloss-2.0]

Proxy Server

A computer process that relays a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. [SAML-Gloss-2.0]

Registration

A process in which an entity requests and is assigned privileges to use a service or resource.

NOTE: Enrollment is a pre-requisite to registration. Enrollment and registration functions may be combined or separate. [X.idmdef]

Relying Party (RP)

  • A system entity that decides to take an action based on information from another system entity. For example, a SAML relying party depends on receiving assertions from an asserting party (a SAML authority) about a subject. [SAML-Gloss-2.0]

  • An entity that relies on an identity representation or claim by a requesting/asserting entity within some request context. [X.idmdef]

Resource

Data contained in an information system (for example, in the form of files, information in memory, etc.), as well as [SAML-Gloss-2.0]:

  1. A service provided by a system.

  2. An item of system equipment (in other words, a system component such as hardware, firmware, software, or documentation).

Representational State Transfer (REST)

An architectural style in software architecture for distributed hypermedia systems such as the World Wide Web. Software that conforms to the principles of REST is termed “RESTful”. Derived from [REST-Def]

Revocation

The annulment by someone having the authority, of something previously done. [X.idmdef]

Role

  • Dictionaries define a role as “a character or part played by a performer” or “a function or position.” System entities don various types of roles serially and/or simultaneously, for example, active roles and passive roles. The notion of an Administrator is often an example of a role. [SAML-Gloss-2.0]

  • A set of properties or attributes that describe the capabilities or the functions performed by an entity. NOTE: Each entity can have/play many roles. Capabilities may be inherent or assigned. [X.idmdef]

Security

A collection of safeguards that ensure the confidentiality of information, protect the systems or networks used to process it, and control access to them. Security typically encompasses the concepts of secrecy, confidentiality, integrity, and availability. It is intended to ensure that a system resists potentially correlated attacks. [SAML-Gloss-2.0]

Security architecture

A plan and set of principles for an administrative domain and its security domains that describe the security services that a system is required to provide to meet the needs of its users, the system elements required to implement the services, and the performance levels required in the elements to deal with the threat environment.

A complete security architecture for a system addresses administrative security, communication security, computer security, emanations security, personnel security, and physical security, and prescribes security policies for each.

A complete security architecture needs to deal with both intentional, intelligent threats and accidental threats. A security architecture should explicitly evolve over time as an integral part of its administrative domain’s evolution. [SAML-Gloss-2.0]

Security assertion

An assertion that is scrutinized in the context of a security architecture. [SAML-Gloss-2.0]

Security audit

An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures. [X.idmdef]

Security policy

A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. Security policies are components of security architectures. Significant portions of security policies are implemented via security services, using security policy expressions. [SAML-Gloss-2.0]

Security service

A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms. [SAML-Gloss-2.0]

Service provider

A role donned by a system entity where the system entity provides services to principals or other system entities. [SAML-Gloss-2.0]

Session

A lasting interaction between system entities, often involving a Principal, typified by the maintenance of some state of the interaction for the duration of the interaction. [SAML-Gloss-2.0]

Session authority

A role donned by a system entity when it maintains state related to sessions. Identity providers often fulfill this role. [SAML-Gloss-2.0]

Session participant

A role donned by a system entity when it participates in a session with at least a session authority. [SAML-Gloss-2.0]

Subject

A principal in the context of a security domain. SAML assertions make declarations about subjects. [SAML-Gloss-2.0]

System Entity, Entity

An active element of a computer/network system. For example, an automated process or set of processes, a subsystem, a person or group of persons that incorporates a distinct set of functionality. [SAML-Gloss-2.0]

Trust

The firm belief in the reliability and truth of information or in the ability and disposition of an entity to act appropriately, within a specified context. [X.idmdef]

User

Any entity that makes use of a resource, e.g., system, equipment, terminal, process, application, or corporate network. [X.idmdef] See also End User.

Uniform Resource Identifier (URI)

A compact string of characters for identifying an abstract or physical resource. [RFC 2396] URIs are the universal addressing mechanism for resources on the World Wide Web. Uniform Resource Locators (URLs) are a subset of URIs that use an addressing scheme tied to the resource’s primary access mechanism, for example, their network “location”. [SAML-Gloss-2.0]

Uniform Resource Identifier (URI), URI Reference

A compact sequence of characters that identifies an abstract or physical resource. It enables uniform identification of resources via a separately defined extensible set of naming schemes. [RFC 3986]

Universal Resource Locator (URL)

A compact string used for representation of a resource available via the Internet. [RFC 1738]

Verification

The process or instance of establishing the authenticity of something.

NOTE: Verification of (identity) information may encompass examination with respect to validity, correct source, originality (unaltered), correctness, binding to the entity, etc. [X.idmdef]

Verifier

An entity that verifies and validates identity information. [X.idmdef]

XML, eXtensible Markup Language (XML)

Extensible Markup Language (XML) is a simple, very flexible text format designed to meet the challenges of large-scale electronic publishing. XML documents provide a meaningful way to exchange a wide variety of data over networks that can be used by business, operational and other processes.
