AAI Glossary
- AAA
- Authentication, Authorization and Accounting
- AAI
- Authentication and Authorization Infrastructure
- AAI Test Federation
- A federation operated by SWITCH for testing and developing Shibboleth applications. The AAI Test Federation shouldn't contain "real" users and is not as secure and reliable as the SWITCHaai production federation.
- Authentication
- Process of identifying a previously registered user.
- Authorization
- Process of granting or denying access to a resource for an authenticated user.
- (Authorization) Attributes
- User data (such as name, affiliation, study branch, etc.) needed for access control decisions. The attributes used by SWITCHaai are defined in the Authorization Attribute Specification.
- Attribute Authority (AA, deprecated)
- The AA is a component of the Identity Provider. It issues attributes on behalf of an organization.
- Attribute Release Policy (ARP)
- The ARP defines which attributes are going to be released to a requesting resource. It is a mechanism to implement privacy and data protection.
- Attribute Resolver
- A component of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, etc.) and performs the transformations necessary for SAML transport.
- Discovery Service
- Technical term/synonym for WAYF.
- Entitlement
- Entitlements form a specialized class of Authorization Attributes important enough to call out separately. They can be used to identify a user's eligibility to access a given resource such as an e-journal.
- Federated Identity Management
- The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.
- Federation
- A federation is a collection of organizations that agree to interoperate under a certain ruleset. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information.
- Federation Member
- A Federation Member is an organization (such as a university, library, etc.) that runs one Identity Provider and any number of AAI-enabled Resources. Federation Members have to agree on a common set of policies and rules defined in the AAI Service Agreement in order to allow for a smooth and proper functioning of the AAI.
- Federation Partner
- A Federation Partner is an organization (such as a publisher of e-journals) that offers one or more AAI-enabled Resources to one or more Federation Members. The Federation Partner's Resources are integrated into SWITCHaai, and the Partner may use the central AAI services required for smooth operation within SWITCHaai. However, a Federation Partner cannot act as a Home Organization, i.e. it cannot represent a user community and cannot operate an Identity Provider within SWITCHaai.
- Handle Service (HS, deprecated)
- Formerly, the component of the Identity Provider handling user login.
- Home Organization, Home Org
- A participating organization representing a user community, e.g. a university, library, university hospital etc. A Home Organization registers users and stores information about them. Furthermore, it is able to authenticate its users.
- Identity Provider (IdP)
- An Identity Provider is a Shibboleth server that authenticates users and conveys their attributes to requesting resources. In other terms it provides the digital identities of its users to other servers in the AAI.
- Metadata
- Shibboleth relies on metadata to identify trusted Identity Providers, Service Providers and Certificate Authorities. Prior to Shibboleth 1.3, the metadata consisted of the XML files sites.xml and trust.xml; now only metadata.xml, based on the SAML 2.0 metadata standards, is used. SWITCH provides official metadata for the SWITCHaai and AAI Test federations.
- SWITCHaai Participants
- Federation Members and Federation Partners of the SWITCHaai Federation.
- providerID
- The providerID is a unique identifier for each Service Provider and Identity Provider.
- Relying Party
- In general, one or more Service or Identity Providers that are the sender or receiver of a SAML assertion. A relying party could be a single Service Provider or a group of Service Providers. SPs and IdPs are grouped into a relying party by including them in an EntitiesDescriptor element in the metadata. Such a group of Service Providers can then, for example, be used to tell an Identity Provider to transmit attributes to the components of this relying party in a particular way, e.g. attribute push or attribute pull.
- Resource
- Web application, web site, information system, etc. An AAI-enabled Resource requests attributes about users from an Identity Provider and makes access decisions based on these attributes.
- Resource Registry
- The Resource Registry is a tool developed by SWITCH to manage information about Identity Providers and Service Providers participating in the SWITCHaai and AAI Test Federations. It is used to generate the official metadata and ARP files used by all Identity Providers and Service Providers in the two federations.
- SAML
- SAML, the Security Assertion Markup Language, is an XML framework for exchanging authentication and authorization information. SAML is an OASIS standard. The Shibboleth software, and thus SWITCHaai, is based on SAML.
- Service Provider (SP)
- A Shibboleth term. Synonym for an AAI-enabled Resource, although used in a more technical sense.
- Shibboleth
- The name of an architecture and of open source software developed by Internet2/MACE (Middleware Architecture Committee for Education). Shibboleth is based on SAML and allows the implementation of an AAI. SWITCHaai makes use of Shibboleth.
- SWITCHaai Federation
- The Shibboleth-based production federation in Swiss higher education and research, coordinated and led by SWITCH.
- Single Sign-On (SSO)
- Single Sign-On enables the user to gain access to multiple Resources by authenticating only once.
- User
- Registered member of a Home Organization.
- Virtual Home Organization (VHO)
- The Virtual Home Organization is an Identity Provider for users who are not members of a participating Home Organization.
- VHO group
- A VHO group is a container within the VHO. It contains VHO end users and/or subgroups, which can in turn contain VHO end users. A VHO group is managed by one or more VHO administrators.
- VHO administrator
- The VHO administrator is a resource owner who is responsible for his VHO group(s) and their VHO end users. He maintains the account data and provides support for VHO end users.
- VHO end user
- A VHO end user is a valid user who belongs to the VHO.
- WAYF (Where Are You From)
- The WAYF service, also called Discovery Service, lets the user choose his Home Organization from a list and then redirects him to that Home Organization's login page for authentication.
