Access and Identity Management - Eduserv AIM
Glossary

API

Application Programming Interface. A library of pre-written functions (possibly supplied by a third party) that offers functionality to the programmer.

Athens

Athens is an Identity Management service that is run by Eduserv. It provides user authentication and authorisation for over 3 million users in the health and education sectors. Further details: http://www.athensams.net

AthensDA

Athens Devolved Authentication. An Identity Management service, run by Eduserv, that enables an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation.

Attribute

Information about an individual in defined formats such as member of organisation x, member of department y, role equals student or faculty.

Attribute Authority (AA)

The Shibboleth component that responds to requests for user attributes from the SHAR, and enforces the organisation's Attribute Release Policy.

Attribute Query Handle (AQH)

An opaque, anonymous identifier (analogous to a session id) that identifies a user who has authenticated to a Shibboleth Identity Provider. It does not uniquely identify a user across logins, nor does it remain consistent within an SSO session.

Attribute Release Policy (ARP)

A policy, maintained by the Attribute Authority, that governs the sharing of user attributes with Service Providers.

Authentication

The process of verifying who is requesting access to a resource.

Authorisation

The process of determining whether access should be granted to an individual based on information about that individual.

CA

Certificate Authority. A trusted body that issues and signs certificates, in response to certificate requests, on behalf of organisations (typically within a federation) requiring mutual trust.

Decision Engine

Establishes whether the user can access a given resource, based on one or more attributes obtained from the SHAR. The decision engine applies a policy to a set of attributes and returns a 'yes/no' response.

DES

Data Encryption Standard. A popular symmetric-key encryption method.

Devolved Authentication (DA)

A form of authentication in which responsibility for the authentication of users is devolved to their member organisation.

Early Adopters

Institutions that become early adopters of the next generation of access management tools.

EDINA

A JISC-supported 'datacentre' that provides online services to the UK further and higher education communities. Further details: http://edina.ac.uk/

Educause

Non-profit association in the US that promotes the use of information technology in higher education. Further details: http://www.educause.edu/

Educause CAMP

Campus Architectural Middleware Planning. Educause CAMP provides higher education in the US with help and advice on middleware for educational networks.

Federated authentication

See Devolved Authentication, and Federation.

Federation

A group or set of organisations that share a common set of policies and rules in order to establish common trust and language/terminology to aid cross-domain authentication and authorisation.

Handle

See Attribute Query Handle.

Handle Service (HS)

The Shibboleth component that authenticates the user. It issues the Attribute Query Handle that is used later in the authorisation process to request user attributes. When a user is successfully authenticated, the HS presents the handle to the SHIRE in the form of a signed SAMLResponse, sent via an HTTP-POST.

Identity Provider (IdP)

In the Shibboleth architecture, the Identity Provider is the organisation that provides authentication for a user. Authorisation is provided by the Service Provider.

Formerly known as the origin.

Internet2

Provides a central resource to develop and deploy advanced network applications and technologies for research and higher education. Internet2 is funded by 200 US universities. Further details: http://www.internet2.edu

JANET

Joint Academic NETwork. A private, government-funded network for education and research. All further and higher education organisations are connected to JANET, as are all the Research Councils.

JISC

Joint Information Systems Committee. Supports further and higher education in the UK in the use of information and communications technology. Further details: http://www.jisc.ac.uk

LDAP - Lightweight Directory Access Protocol

A set of protocols for accessing on-line information directories.

Liberty Alliance

A project, formed in September 2001, to establish an open standard for federated network identity. This will be accomplished by developing technical specifications that support a broad range of identity-based products and network devices. It is a consortium of more than 150 technology and consumer organizations. Further details: http://www.projectliberty.org/index.php

MACE

Middleware Architecture Committee for Education. An Internet2 group that provides technical advice and direction to help create a US-wide interoperable middleware infrastructure for research and education.

MATU

MATU is the Eduserv working title for the project more formally known as the JISC-funded Middleware Assisted Take Up Service for Next Generation access management systems for UK Higher and Further Education.

Middleware

Network-based services that sit between users and the service that they are trying to access, enabling them to access that service or provide additional functionality. Authentication/authorisation is a classic example.

OASIS

Organization for the Advancement of Structured Information Standards. A standards body: a not-for-profit global consortium that drives the development, convergence and adoption of e-business standards.

OpenSAML

An open-source library implementing the SAML protocol. The project is currently hosted and controlled by Internet2.

Origin

See Identity Provider.

PERMIS

Privilege and Role Management Infrastructure Standards Validation. A tool for determining the rights of a user to access a service through the analysis of user attributes.

PKI

Public Key Infrastructure. This is the infrastructure required to support public key cryptography. It comprises both technology and trusted bodies, such as a certificate authority, and mechanisms to handle certificate revocation.

Regional Support Centres (RSC)

Advise on and promote the use of network learning technologies and resources in the UK tertiary education sector. Funded by JISC.

RSA

RSA is an algorithm commonly used in public key encryption.

SAML

Security Assertion Markup Language. A standard defined and maintained by OASIS. It's an XML-based framework for creating and exchanging security information between online parties.

SDSS

An EDINA project that is building a development Shibboleth federation for managing access to UK academic online resources.

Service Provider (SP)

In the Shibboleth architecture, the Service Provider is the provider of information or resources.

Formerly known as the target.

SHAR

SHibboleth Attribute Requester. The SHAR uses an AQH to request attributes on behalf of the user from their organisation's Attribute Authority.

Shibboleth

An Internet2 project to define an architecture that uses a SAML-based method of allowing users to access online resources. Authentication is devolved to the user's organisation - the Identity Provider - which passes attributes to the Service Provider. These attributes enable the Service Provider to make authorisation decisions. Further information: http://shibboleth.internet2.edu

The Internet2 Shibboleth group also develops software that implements the Shibboleth architecture. This software is also known as Shibboleth.

SHIRE

SHibboleth Indexical Reference Establisher. The SHIRE is the Shibboleth component that determines whether a user needs to authenticate, and if so, starts the Shibboleth process by sending the user to their Handle Service (possibly via a WAYF). The SHIRE then receives an Attribute Query Handle on return from the Handle Service.

Single Sign On (SSO)

Allows a user to enter their assigned credentials once and then access multiple online services without authenticating again.

SOAP

Simple Object Access Protocol. This is a definition of how to use XML to transfer data between online services.

SSL

Secure Sockets Layer. A standard way of encrypting network traffic. Commonly used by 'secure websites'.

SURF

The Dutch network provider for education institutions, broadly analogous to UKERNA in the UK, except that they are also involved with higher-level service delivery and Research and Development, in a similar way to Eduserv. They have an authentication mechanism called A-Select (http://a-select.surfnet.nl).

SWITCH

The Swiss Education and Research Network. An early adopter of Shibboleth across the Swiss academic community. They have a significant and useful amount of reference material on their Shibboleth infrastructure available here: http://www.switch.ch/aai/deployment.html

Target

See Service Provider.

TLS

Transport Layer Security. A standard way of encrypting network traffic.

Triple DES

A common encryption algorithm based on DES, applying the DES cipher three times. It is three times slower than DES but far more secure.

UCISA

Universities and Colleges Information Systems Association. Represents the entire higher education, and increasingly further education, sectors on all matters concerning information systems.

UKERNA

Manages the operation and development of the JANET network.

WAYF

Where Are You From? The Shibboleth service that provides a mechanism for routing users from a resource on their Service Provider to their point of login (Handle Service). However, it is notionally assumed to be 'optional' in the Shibboleth specification, and can be implemented either by a service provider, or as a central service, perhaps by the federation provision body. It is directly analogous to the Home Domain Discovery Service in AthensDA, and the Athens implementation currently supports both the AthensDA and Shibboleth specifications.

WSDL

Web Services Description Language. A definition file describing a SOAP-based protocol. It enables programmers to quickly and easily support new protocols designed by third parties.

XACML

eXtensible Access Control Markup Language. An OASIS standard for the expression of access control policies. It also contains a request/response protocol, and goes some way to specifying the actual components required in an access control infrastructure (such as policy decision and enforcement points). It is a rich but, as yet, quite obscure and underused language.

XML

Extensible Markup Language. A standards-based, electronic data format for transferring or organising information. Often used to transfer data between online services.

XML Encryption

A W3C standard for encrypting an arbitrary XML document. It is not typically used in SAML/Shibboleth. Further details: http://www.w3.org/TR/xmlenc-core

XML Schema

The definition of a particular use of XML. One example is SOAP.

XML Signature

A W3C standard for signing an arbitrary XML document. It is used by SAML for authentication of the document signer in order to establish cross-domain trust relationships. Further details: http://www.w3.org/TR/xmldsig-core/
