Glossary

This document provides a listing of key Identity and Access Management (IAM) terms.

University-specific terms:

  • Enterprise Authentication System (EAS) is an internally developed web access management (authentication) system used to control access to many of the University’s enterprise systems. EAS uses the Enterprise ID and password to log users on to the enterprise web applications.
  • Enterprise ID (EID) is the user id used by EAS to authenticate users to administrative applications such as UI-Integrate (Banner), PCard, online student course registration, Human Resources, Payroll, Benefits, Finance, etc. The EID is a user id in the uillinois.edu domain, which is a superset of (most) campus NetIDs. NetIDs are user ids assigned by each campus and are used as credentials to access campus-specific applications and systems.
  • Enterprise-wide Administrative Application is defined as any online service provided within the System Office or across two or more University campuses.
  • Bluestem is an internally developed web access management (authentication) system used to control access to campus-specific web resources at the UIUC and UIC campuses. Bluestem uses the NetID and Net Password to log users on to the various web applications.
  • NetID: Network identifier used to access campus computing and networking services, for Bluestem authentication, and to determine the University email address. The NetID is usually unique across all campuses. The NetID password is normally different from campus to campus unless it was specifically matched by the user.
  • UIN: A University Identification Number (UIN) is a string of nine digits that begins with a 6. UINs are used to identify people in University of Illinois System's computer and record systems.
  • i-card: The i-card is the all-in-one campus card for students, faculty, and staff to access card services.

General terms:

  • Address of Record A means of contacting the Subject.
  • Affiliation A type of relationship with an organization that is usually identified by attributes. A user can have multiple affiliations.
  • Assertion Structured data objects containing identity information and other relevant data. Also referred to as Identity Assertions.
  • Attribute A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, and group affiliation.
  • Attribute Assertion A mechanism for associating specific attributes with a user.
  • Attribute Authority (AA) The Shibboleth software service that asserts the requesting individual's attributes by creating an attribute assertion and then digitally signing it. The receiving online Service Provider must be able to validate this signature.
  • Attribute Authority Subject DN The distinguished name of the Attribute Authority.
  • Attribute Authority URL The Internet address of the Attribute Authority.
  • Attribute Release Policy (ARP) Rules that an AA follows when deciding whether or not to release an attribute and its value(s).
  • Attribute Service Provides Subject Attributes in response to queries from SPs.
  • Audit An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
  • Authentication (AuthN) The security measure by which a person transmits and validates his or her association with an electronic identifier. An example of authentication is submitting a password that is associated with a user account name.
  • Authentication Secret Used generically for passwords, passphrases, PINs, symmetric keys and other forms of secrets used for authentication.
  • Authorization (AuthZ) The process of determining whether a specific, already authenticated person is eligible to access a resource or service; also, a right or permission granted to access an online system.
  • Certificate Authority (CA) A trusted entity that issues and manages digital certificates, each binding a public key to the identity of its subject, and that publishes revocation information for the certificates it has issued.
  • Certificate Policy (CP) A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt
  • Certification Practice Statement (CPS) A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt
  • Credential A unique identifier and authentication material.
  • Credential Store Contains Authentication Secrets for all Subjects.
  • De-Provisioning The process of removing user accounts and disabling access to applications and services.
  • Digital Signature A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.
  • Directory A directory is a specialized database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations, and other resources.
  • Distinguished Name (DN) Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.
  • Domain Name The portion of an Internet Uniform Resource Locator (URL) that names the host to which a request is addressed; the scheme and any path are not part of it. InCommonFederation.org is an example of a domain name.
  • Domain Name Service (DNS) An Internet service that translates domain names to and from IP addresses. 
  • eduOrg An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.educause.edu/eduperson/.
  • eduPerson An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.
  • Electronic Identifier A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.
  • Enterprise Directory An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution.
  • Enterprise Directory Infrastructure The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.
  • Executive The Executive represents the participant organization regarding all decisions and delegations of authority for the responsibilities of InCommon Participants, including but not limited to payment of invoices, and assigning any person in the trusted Administrator role who submits Certificate Signing Requests, metadata, or Certificate Revocation Requests, and other administrative duties as described herein. The Executive is authorized as such in the InCommon participation agreement or by succession from the originally named Executive. The Executive role will typically be filled by a CIO, VP of IT, or other senior administrative officer responsible for the organization's information technology assets.
  • FERPA: The Family Educational Rights and Privacy Act of 1974, commonly known as FERPA, is a federal law governing the privacy of educational records. It grants specific rights to students and sets restrictions on how schools may handle educational records. FERPA requires that schools obtain written permission from students before releasing educational records. In certain well-defined circumstances, some information may be released without written permission from the student.
  • Federated Identity The management of identity information between members of a federation.
  • Federation A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
  • Global ID A unique identifier that spans two or more systems.
  • Handle An opaque reference assigned to a user for the purpose of retrieving attributes about the user. The handle itself carries no information about the user's identity; only the Identity Provider that issued it can map it back to the user.
  • Handle Service The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.
  • Handle Service subject DN The distinguished name of the Handle Service.
  • Handle Service URL The Internet address of the Handle Service.
  • Higher Education Public Key Infrastructure (HEPKI) See entry for Public Key Infrastructure (PKI)
  • Identity Information that is true about a Subject.
  • Identity Assurance The degree of certainty that a digital identity is uniquely bound to an individual whose real world identity is reliably understood.
  • Identity Attributes Information elements relevant to a Subject.
  • Identity Credential An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
  • Identity Database A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database or set of linked relational databases.
  • Identity Management System A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.
  • Identity Proofing The process used to establish the identity of an individual to whom the credential was issued.
  • Identity Provider (IdP) The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation. For InCommon, an IdP is a campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.
  • Identity Provisioning The process of creating user accounts and enabling access to all needed applications.
  • IdMS Database A database of IdMS Subjects.
  • IdMS Operations The technical environment supporting the IdMS.
  • IdMS Operator (IdP Operator) The organization that operates the IdMS and the IdP built on it.
  • InCommon CA Root Profile The description of attributes and the data required to authenticate under the InCommon Certificate Authority (CA).
  • InCommon Federation InCommon is a formal federation of organizations focused on creating a common framework for trust in support of research and education. The primary purpose of the InCommon federation is to facilitate collaboration through the sharing of protected network-accessible resources by means of an agreed-upon common trust fabric. InCommon participation is separate from membership in Internet2.
  • InQueue InQueue is a federation of organizations who are interested in using the Shibboleth technology and exploring how federations work prior to joining a production federation such as InCommon. Participation in InQueue is open to any technically qualifying organization.
  • Issuer The CA that issues a certificate.
  • Kerberos is a secure method for authenticating a request for a service in a computer network. Kerberos was developed in Project Athena at the Massachusetts Institute of Technology (MIT). The name is taken from Greek mythology; Kerberos was a three-headed dog who guarded the gates of Hades. Kerberos lets a user request an encrypted "ticket" from an authentication server; the ticket is then presented to request a particular service from a server. The user's password never passes through the network: the client proves knowledge of it by decrypting the authentication server's reply with a key derived from the password. A version of Kerberos (client and server) can be downloaded from MIT or you can buy a commercial version.
  • Kerberos-Windows: Windows 2000 and later use Kerberos as their default authentication method. Some Microsoft additions to the Kerberos suite of protocols are documented in RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols". RFC 4757 documents Microsoft's use of the RC4 cipher; RFC 8429 has since deprecated RC4 (and 3DES) for Kerberos, so AES encryption types should be preferred. While Microsoft uses the Kerberos protocol, it does not use the MIT software.
  • LDAP Directory An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol, well suited to the authentication and authorization needs of modern application architectures. Applications use it to connect to a directory, search for objects, and add, edit or remove objects.
  • Liberty Alliance A consortium of technology and consumer-facing organizations, formed in September 2001 to establish an open standard for federated network identity. http://www.projectliberty.org/
  • Lightweight Directory Access Protocol (LDAP) An IETF standard for directory services.
  • LDAP Data Interchange Format (LDIF) A plain-text file format (RFC 2849, sometimes expanded as Lightweight Directory Interchange Format) for representing directory entries and changes, used to import, export and exchange data among LDAP directories. It is a file format, not a protocol.
  • Metadata Data about data, or information known about an object in order to provide access to the object. Usually includes information about intellectual content, digital representation data, and security or rights management information.
  • Namespace A set of names in which all names are unique.
  • NetID An electronic identifier created specifically for use with on-line applications, often an integer and typically with no other meaning.
  • Non-Person Identities associated with non-living entities, such as departments, organizations or locations.
  • Nonrepudiation Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data.
  • Open Source Software where the source code is available for anyone to extend or modify. http://www.opensource.org/
  • Personal Secret Used in the context of this document, is synonymous with password, pass phrase or PIN. It enables the holder of an electronic identifier to confirm that s/he is the person to whom the identifier was issued.
  • Policies Statements that outline the process and procedures that will be followed.
  • Privacy Policy A statement to users of what information is collected and what will be done with the information after it has been collected.
  • Profile Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.
  • Protected Channel A communication mechanism that provides message integrity and confidentiality protection.
  • Public Key Cryptography A cryptographic technique that uses a pair of mathematically linked keys: a private key that its owner keeps secret and a public key that is published. A signature created with the private key can be verified by anyone holding the public key, and data encrypted with the public key can be decrypted only with the private key.
  • Public Key Infrastructure (PKI) The set of standards and services that facilitate the use of public-key cryptography in a networked environment.
  • Registration The process of creating a record of a Subject’s Identity information.
  • Registration Authority A trusted entity entitled to perform Registrations.
  • Relying Party A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. A synonym for Service Provider. http://www.ietf.org/rfc/rfc3647.txt
  • Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee.
  • Shibboleth Software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. For more information on Shibboleth please visit http://shibboleth.internet2.edu/uses.html.
  • Subject A person who is (or will be) registered with the IdP Operator.
  • Target Systems Applications and systems where information about users resides and is later integrated into an identity management infrastructure.
  • Token A physical device (or specialized software on a device such as a mobile phone) used in authentication.
  • Uniform Resource Identifier (URI) The name for identifying an abstract or physical resource.
  • Uniform Resource Locator (URL) The address of a resource accessible on the Internet. URLs are a subset of URIs.
  • Uniform Resource Name (URN) Refers to the subset of URIs that is required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.
  • User Agent Typically a web browser that is used by the Subject to authenticate to the IdP and convey the assertion to the SP.
  • US Higher Education Root (USHER) USHER is the replacement for the CREN Certificate Authority. USHER will issue Institutional Certificates to US institutions of higher education and is the certificate issuing authority for Internet2.
  • Validation The process of identification of certificate applicants.
  • Verifier Validates the correctness of offered authentication material.
  • Virtual Directory An application that exposes a consolidated view of multiple physical directories over an LDAP interface. Consumers of the directory information connect to the virtual directory’s LDAP service, which "behind the scenes" routes requests for information and updates to the underlying directories.
  • Where Are You From (WAYF) A server used by the Shibboleth software to determine what a user's home organization is.
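Worked example for the Kerberos entry above. This is added illustration code, not part of the original glossary and not MIT's or Microsoft's implementation; it models the initial Authentication Server exchange in Python to show why the password never crosses the network. The realm EXAMPLE.EDU, the principal alice, the password, and the toy HMAC-based cipher are all assumptions made for the example; real Kerberos uses ASN.1 messages and standardised encryption types.

```python
import hashlib
import hmac
import json
import os
import time

# Toy cipher standing in for Kerberos's real encryption types (an assumption of this
# example): an HMAC-SHA256 keystream for confidentiality plus an HMAC tag for integrity.

def string_to_key(password: str, salt: str) -> bytes:
    """Derive the principal's long-term key from its password (Kerberos "string-to-key")."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

class KDC:
    """Authentication Server side of the AS exchange for one realm (constructed for the example)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.credential_store = {}      # principal -> long-term key; the password itself is never stored
        self.tgs_key = os.urandom(32)   # key shared only with the ticket-granting service

    def register(self, principal: str, password: str) -> None:
        self.credential_store[principal] = string_to_key(password, self.realm + principal)

    def as_exchange(self, principal: str, now=None) -> dict:
        """AS-REQ names the principal only; the AS-REP is useless to anyone without the client's key."""
        key = self.credential_store.get(principal)
        if key is None:
            raise KeyError(f"unknown principal {principal!r}")
        now = int(time.time()) if now is None else now
        session_key = os.urandom(32)
        tgt = {"cname": principal, "key": session_key.hex(), "endtime": now + 10 * 3600}
        enc_part = {"sname": "krbtgt/" + self.realm, "key": session_key.hex(), "endtime": tgt["endtime"]}
        return {
            "tgt": seal(self.tgs_key, json.dumps(tgt).encode()),     # opaque to the client
            "enc_part": seal(key, json.dumps(enc_part).encode()),    # only the real user can open this
        }

    def open_tgt(self, tgt: bytes) -> dict:
        """What the ticket-granting service sees when the client later presents the TGT."""
        return json.loads(unseal(self.tgs_key, tgt))

def client_login(reply: dict, principal: str, password: str, realm: str) -> bytes:
    """Client side: recover the session key locally. A wrong password raises ValueError."""
    key = string_to_key(password, realm + principal)
    enc_part = json.loads(unseal(key, reply["enc_part"]))
    return bytes.fromhex(enc_part["key"])

def run_demo() -> dict:
    """Constructed realm, principal and password; returns the properties the exchange should have."""
    kdc = KDC("EXAMPLE.EDU")
    kdc.register("alice", "correct horse battery staple")
    reply = kdc.as_exchange("alice")
    session_key = client_login(reply, "alice", "correct horse battery staple", "EXAMPLE.EDU")
    result = {"session_key_matches_tgt": kdc.open_tgt(reply["tgt"])["key"] == session_key.hex()}
    try:
        client_login(reply, "alice", "wrong password", "EXAMPLE.EDU")
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    try:  # the client holds only its own key, so the TGT stays sealed to it
        unseal(string_to_key("correct horse battery staple", "EXAMPLE.EDUalice"), reply["tgt"])
        result["tgt_opaque_to_client"] = False
    except ValueError:
        result["tgt_opaque_to_client"] = True
    return result

if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the three properties. The caveat the definition leaves out: because the encrypted part of the reply is protected by a password-derived key, anyone who captures it can test password guesses offline. Kerberos 5 pre-authentication (the client first encrypting a timestamp under its key) exists to deny that oracle to unauthenticated requesters, and strong passwords or random keys are still needed for the accounts that matter.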
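Worked example for the LDAP Directory and LDAP entries above. This is added code, not from the original page and not any directory product's code. It shows the search-filter construction the definition mentions done two ways, the escaping RFC 4515 requires beside the raw interpolation, and a small in-memory filter evaluator so the difference is observable without a directory server. The DIRECTORY entries, attribute names and uid values are constructed for the example; the evaluator supports only AND, OR, NOT and equality with wildcards, which is enough for the point.

```python
# Constructed directory: attribute names lower-cased, each attribute holding a list of values.
DIRECTORY = [
    {"uid": ["jdoe"], "cn": ["Jane Doe"], "objectclass": ["person", "eduPerson"]},
    {"uid": ["asmith"], "cn": ["Al Smith"], "objectclass": ["person", "eduPerson"]},
    {"uid": ["svc-backup"], "cn": ["Backup Service"], "objectclass": ["person"]},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: NUL, ( ) * \\ and non-ASCII characters become \\XX hex pairs of their UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in "\x00()*\\" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def build_filter_unsafe(uid: str) -> str:
    return f"(&(objectClass=eduPerson)(uid={uid}))"                         # vulnerable: raw interpolation

def build_filter(uid: str) -> str:
    return f"(&(objectClass=eduPerson)(uid={escape_filter_value(uid)}))"   # hardened

def _unescape(raw: str) -> str:
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\":
            buf.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(raw[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")

def _parse(f: str, i: int):
    """Parse one parenthesised filter item starting at f[i]; return (node, index after it)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|":
        op, kids = f[i], []
        i += 1
        while i < len(f) and f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if i >= len(f) or f[i] != ")":
            raise ValueError("unterminated AND/OR")
        return (op, kids), i + 1
    if i < len(f) and f[i] == "!":
        node, i = _parse(f, i + 1)
        if i >= len(f) or f[i] != ")":
            raise ValueError("unterminated NOT")
        return ("!", [node]), i + 1
    eq = f.find("=", i)
    if eq < 0:
        raise ValueError("malformed attribute=value item")
    close = f.find(")", eq)          # a literal ')' cannot occur inside a properly escaped value
    if close < 0:
        raise ValueError("unterminated attribute=value item")
    return ("=", f[i:eq].lower(), f[eq + 1:close]), close + 1

def parse_filter(f: str):
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing data after filter")   # e.g. a second, injected filter
    return node

def _match(raw_pattern: str, actual: str) -> bool:
    parts = [_unescape(p).lower() for p in raw_pattern.split("*")]   # split on wildcards before unescaping
    a = actual.lower()
    if len(parts) == 1:
        return a == parts[0]
    if not (a.startswith(parts[0]) and a.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(a) - len(parts[-1])
    if pos > end:
        return False
    for mid in parts[1:-1]:
        idx = a.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True

def _eval(node, entry) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, raw = node
    return any(_match(raw, v) for v in entry.get(attr, []))

def search(directory, filter_string: str):
    """Return the uids of entries matching the filter, the way an LDAP search would."""
    node = parse_filter(filter_string)
    return [e["uid"][0] for e in directory if _eval(node, e)]
```

With the input "*" the unescaped builder produces (uid=*), which matches every eduPerson entry, while the escaped builder looks for a uid literally equal to "*" and matches nothing. Real client libraries ship the escaping routine (python-ldap's ldap.filter.escape_filter_chars, for example), so the discipline is to pass every user-supplied value through it; the evaluator also rejects text after the closing parenthesis, as a server would, which is what the ")(" style of injection produces.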
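Worked example for the Attribute Release Policy, Handle, SAML and Shibboleth entries above. This is added code, not from the original page and not the Shibboleth software; it uses Python's standard library to act out one IdP-to-SP exchange: the IdP applies a release policy, mints an opaque transient NameID as the handle, and emits an assertion; the SP checks issuer, validity window, audience and replay before trusting the attributes. The IdP and SP entityIDs, the ARP contents and the user record are constructed for the example, and signature verification is assumed to happen in a separate step with an XML signature library.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("saml", SAML)

# SAML2 attribute names in urn:oid form (eduPerson schema; RFC 4524 for mail).
OIDS = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
}

# Constructed attribute release policy: "*" applies to every SP, other keys are SP entityIDs.
ARP = {
    "*": {"eduPersonScopedAffiliation"},
    "https://library.example.edu/shibboleth": {"eduPersonScopedAffiliation", "eduPersonPrincipalName"},
}

def released_attributes(arp: dict, sp_entity_id: str, user_attrs: dict) -> dict:
    """Apply the ARP: only attributes the policy names for this SP leave the IdP."""
    allowed = arp.get("*", set()) | arp.get(sp_entity_id, set())
    return {name: values for name, values in user_attrs.items() if name in allowed}

def utc(stamp: str) -> datetime:
    """Parse a SAML-style UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _stamp(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _tag(local: str) -> str:
    return f"{{{SAML}}}{local}"

def build_assertion(issuer, sp_entity_id, user_attrs, now, lifetime=timedelta(minutes=5)) -> str:
    """IdP side: filter attributes through the ARP, mint a fresh transient handle, emit the assertion."""
    root = ET.Element(_tag("Assertion"), {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(root, _tag("Issuer")).text = issuer
    name_id = ET.SubElement(ET.SubElement(root, _tag("Subject")), _tag("NameID"), {"Format": TRANSIENT})
    name_id.text = "_" + secrets.token_hex(16)   # the handle: opaque, new for every assertion
    cond = ET.SubElement(root, _tag("Conditions"),
                         {"NotBefore": _stamp(now - timedelta(minutes=1)), "NotOnOrAfter": _stamp(now + lifetime)})
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = sp_entity_id
    statement = ET.SubElement(root, _tag("AttributeStatement"))
    for name, values in released_attributes(ARP, sp_entity_id, user_attrs).items():
        attr = ET.SubElement(statement, _tag("Attribute"), {"Name": OIDS[name], "FriendlyName": name})
        for value in values:
            ET.SubElement(attr, _tag("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")

def validate_assertion(xml_text, expected_issuer, my_entity_id, now, seen_ids, skew=timedelta(seconds=60)) -> dict:
    """SP side. XML-DSig verification is assumed to have passed before this runs; it is not done here.
    Checks issuer, validity window, audience and replay, then extracts the attributes."""
    def fail(reason):
        return {"ok": False, "reason": reason, "attributes": {}}
    root = ET.fromstring(xml_text)   # production code should parse with defusedxml to refuse entity expansion
    ns = {"saml": SAML}
    if root.tag != _tag("Assertion") or root.get("Version") != "2.0":
        return fail("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=ns) != expected_issuer:
        return fail("unexpected issuer")
    cond = root.find("saml:Conditions", ns)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return fail("missing validity conditions")
    if now + skew < utc(cond.get("NotBefore")):
        return fail("not yet valid")
    if now - skew >= utc(cond.get("NotOnOrAfter")):
        return fail("expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if my_entity_id not in audiences:
        return fail("assertion not addressed to this SP")
    assertion_id = root.get("ID")
    if not assertion_id:
        return fail("missing ID")
    if assertion_id in seen_ids:
        return fail("replayed assertion")
    seen_ids.add(assertion_id)   # keep the ID at least until NotOnOrAfter has passed
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attributes[attr.get("FriendlyName") or attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", ns)]
    return {"ok": True, "reason": "", "attributes": attributes}
```

The audience and replay checks are the ones most often skipped in hand-rolled SP code: without the audience check an assertion issued for one SP is accepted by any other SP that trusts the same IdP, and without the ID cache a captured assertion works again until NotOnOrAfter. The ARP is what makes the library SP receive eduPersonPrincipalName while an SP not named in the policy receives only the scoped affiliation.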