the task of managing a subject's access to online resources (services).
Assertion:
a statement about a subject made by an authority, e.g. an authentication, attribute or authorization-decision statement.
Attribute:
a piece of information describing a property that is part of a user's digital identity.
Authentication:
the process or action of verifying the identity of a user or process. In our context, authentication means confirming the identity of a person by validating their credentials.
Authority:
an entity that produces assertions which the parties involved in AAI transactions consider reliable and trustworthy.
Authorization:
the function of specifying access rights to resources; it relates to information security and computer security in general, and to access control in particular. In this context, it is the function of specifying a subject's access rights to resources. More formally, "to authorize" is to define and implement an access policy.
Credentials:
a set of information used to prove the relation between a subject and their digital identity (e.g. username and password).
Digital Identity:
a set of data representing a person or a thing (subject) within a community. It contains information about the subject's attributes and relationships. A given digital identity refers to a specific user and includes a number of attributes carrying information about that user. The goal of identity management is to keep this information secret and up-to-date. A user may have multiple Digital Identities, targeted at the different activities the user engages in.
Discovery Service:
a service that implements the SAML Discovery Service protocol and allows a user to find the Identity Provider of their Home Organization, where they can log in with their credentials. It is also called a "Where Are You From" (WAYF) service.
Home Organization:
the organization a user belongs to. The Home Organization collects, maintains and makes available the user's information through attributes, and it is responsible for the user's proper identity management.
Identity Federation:
any number of organizations agreeing to interoperate under a common rule, the federation policy, set up to authenticate and authorize users. Federations are usually circles of trust in which each organization agrees to trust the identity management of the other members.
Identity Management:
the process of managing and provisioning information about users over the lifetime of their digital identity.
Identity Provider (IdP):
a system that creates, maintains and manages identity information for principals (users, services or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network. It is a trusted third party that users and servers can rely on when establishing a dialogue that must be authenticated. The IdP sends an attribute assertion containing trusted information about the user to the SP.
Inter-federation:
a federation of Identity Federations that cooperate across the boundaries of their local federations under a common, agreed policy. The main goal of an inter-federation is to pool users and resources while keeping high levels of trust and security.
Metadata:
an XML document that describes an entity (IdP or SP) and is exchanged between parties to make SAML work. The information included in the metadata is needed to create the circle of trust in an Identity Federation.
SAML (Security Assertion Markup Language):
a standard that defines a framework for exchanging security information between online entities. It was developed by the Security Services Technical Committee (SSTC) of the standards organization OASIS (the Organization for the Advancement of Structured Information Standards).
Service (or resource):
an activity or piece of work that a company or organization performs for a customer; it is intangible and does not result in ownership. A service delivers value to users by facilitating the outcomes customers want to achieve without their owning the specific operations and risks. In our scope we consider services that can be accessed via the internet.
Service Provider (SP) or Resource Provider:
an entity that provides an online Service. In order to manage access to the Service, the SP evaluates the Digital Identity with appropriate software. Within an Identity Federation, the Service Provider retrieves the Digital Identity from an Identity Provider.
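How the Metadata, Authority, Assertion and Attribute entries above fit together on the SP side, as an added example that is not part of this glossary: the SP builds its circle of trust from the IdP entries in federation metadata, accepts an attribute assertion only if its issuing authority is in that circle, and then reads the attributes into the Digital Identity it evaluates. The metadata, assertion, entity IDs and attribute values are constructed for the example; the assertion's XML signature is omitted, and verifying it against the IdP's metadata key is a separate, mandatory step that this code does not replace.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace URIs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed federation metadata: the two IdPs this SP agrees to trust.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example-university.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-lab.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed attribute assertion as an IdP sends it to the SP. The XML signature
# is omitted here; checking it against the IdP's metadata key is a separate, mandatory step.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example-university.edu/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">  <!-- mail -->
      <saml:AttributeValue>alice@example-university.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">  <!-- eduPersonAffiliation -->
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def trusted_idps(metadata_xml):
    """Entity IDs that carry an IdP role in the metadata: the SP's circle of trust."""
    root = ET.fromstring(metadata_xml)
    return {ed.get("entityID") for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor")
            if ed.find("md:IDPSSODescriptor", NS) is not None}

def evaluate_assertion(assertion_xml, circle_of_trust):
    """Accept the assertion only if its authority is a federation IdP; return issuer and attributes."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in circle_of_trust:
        raise PermissionError(f"assertion from an authority outside the federation: {issuer}")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return issuer, attrs
```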