Glossary - About - SWITCHaai

AAI Glossary

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

AAA: Authentication, Authorization and Accounting
AAI: Authentication and Authorization Infrastructure
edu-ID Test Federation: A federation operated by SWITCH for testing and developing Shibboleth applications. The edu-ID Test Federation shouldn't contain "real" users and is not as secure and reliable as the SWITCHaai Federation.
Assertion: A digital statement issued by an IdP, derived from the Digital Identity of an End User. Typically an Assertion is digitally signed and optionally encrypted.
Attributes: User data (such as name, affiliation, study branch, etc.) needed for access control decisions. The attributes used by SWITCHaai are defined in the AAI Attribute Specification.
Authentication: Process of identifying of a previously registered user.
Authorization: Process of granting or denying access to a resource for an authenticated user.
Attribute Authority (AA, deprecated): The AA is a component of the Identity Provider. It issues attributes on behalf of an organization.
Attribute Release Policy (ARP): It defines which attributes are going to be released to a requesting resource (the attribute filter). It is a mechanism to implement privacy and data protection.
Attribute Resolver: A component of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, ...) and performs the necessary transformations for SAML transport.

Digital Identity: A set of information that is attributable to an End User It is issued and managed by an IdP Operator on the basis of the identification of the End User.
Discovery Service: Technical term/synonym for WAYF.

End User: Typically, a human person who belongs to an organization, typically an employee or student, who uses Federated Authentication via its IdP. However, an End User can also be a legal person, a virtual artifact (e.g. a computer process, an application), a tangible object (e.g. a device) or a group of other entities (e.g. an organization) of an organization.
Entitlement: Entitlements form a specialized class of Authorization Attributes important enough to call out separately. They can be used to identify a user's eligibility to access a given resource such as an e-journal, see common-lib-terms
EntityID: The EntityID is a unique identifier, identifying each Service Provider and Identity Provider.

Federated Authentication: An End User uses his Digital Identity to authenticate for accessing services offered by SP Operators within the same or a different organization.
Federated Identity Management: The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.
Federation: A federation is a collection of organizations that agree to interoperate under a certain rule set.
Federation Operator: The organization managing the Federation, operating the central components and acting as a competence centre. SWITCH is the Federation Operator of the SWITCHaai Federation.
Federation Partner: An organization that does not belong to the SWITCH Community but which wants to contribute to the SWITCHaai Federation and which has signed the SWITCHaai Federation Partner Agreement.
Federation Technology Profile: The technology profiles specify how to use which subsets of a specific federation technology in the context of a Federation.

Home Organization, Home Org: A participating organization representing a user community, e.g. a university, library, university hospital etc. A Home Organization registers users and stores information about them. Furthermore, it is able to authenticate its users an it operates an IdP.

Identity Provider (IdP): The system component that issues Assertions on behalf of End Users who use them to access the services of SPs.
IdP Operator: The organization operating an IdP. IdP Operator refers to the legal entity that signs contracts, is a SWITCHaai Participant and is responsible for the overall processes supporting the IdP.
Interfederation: Interfederation takes place if a user from one federation accesses a service which is registered in another federation.

Lazy Session Establishment: This special form of session establishment allows access to a URL or resource prior to authentication. The point is that the application decides when a user has to authenticate. More information is available on our AAI Demo Resource.

Metadata: The Metadata contains technical details and descriptive information about the IdPs and SPs. For interoperability in a specific context, the Metadata format definition is part of a Federation Technology Profile.

SWITCHaai Participant: An organization from the SWITCH Community that participates in the SWITCHaai Federation, or a SWITCHaai Federation Partner.

Relying Party: In general, one or more Service Provider or Identity Provider that is sender or recipient of an Assertion. A relying party could be a single Service Provider or a group of Service Providers. The SPs and IdPs can be grouped into a relying party by including them into an EntitiesDescriptor element in the Metadata. Such a group of Service Providers can then for example be used tell an Identity Provider to use a special way to transmit the attributes to the components of this relying party, e.g. attribute push.
Resource: Web application, web site, information system, etc. An AAI-enabled Resource requests attributes about users from an IdP and makes access decisions (authorization) based on these attributes.
Resource Registry: The Resource Registry is a tool developed by SWITCH to manage information about Identity Providers and Service Providers participating in the SWITCHaai and edu-ID Test Federations. It is used to generate the official metadata and ARP files used by all Identity Providers and Service Providers in the two federations.

SAML: SAML - the Security Assertion Markup Language - is an XML framework for exchanging authentication and authorization information. SAML is a standard of OASIS. The software Shibboleth - and thus SWITCHaai - is based on SAML.
Service Provider (SP): The system component that evaluates the Assertion from an IdP and uses the information from the Assertion for controlling access to protected services. Synonym for an AAI-enabled Resource, although used in a more technical sense.
Shibboleth: The name an open source software developed by Shibboleth Consortium. Shibboleth is based on SAML and allows the implementation of an AAI. SWITCHaai makes use of Shibboleth.
SP Operator: The organization operating an SP. SP Operator refers to the legal entity that signs contracts, is a SWITCHaai Participant and is responsible for the overall processes supporting the SP.
SWITCH Community: Annex 1 of the Service Regulations for Services by SWITCH defines which kind of organizations belong to the SWITCH Community. These are namely the universities and public research institutions.
SWITCHaai Federation: The SWITCHaai Federation consists of the SWITCHaai Participants that cooperate in the area of Federated Authentication and authorization and, for this purpose, operate a common Federation. SWITCH is the Federation Operator of the SWITCHaai Federation.
Single Sign-On (SSO)
: Single Sign-On enables the user to gain access to multiple Resources by authenticating only once.

Virtual Home Organization (VHO): The Virtual Home Organization is an Identity Provider for users, which arent't in a participating Home Organization .
VHO group: A VHO group is a container within the VHO. It contain VHO end users and/or subgroups, which also can contain VHO end users. A VHO group is managed by one or more VHO administrators
VHO administrator: The VHO administator is a resource owner, who is responsible for his VHO group(s) and its VHO end users. He maintain the account data and provide support for VHO end users.
VHO end user: A VHO end user is a valid end user, who belongs to the VHO.

WAYF (Where Are You From): The WAYF service, also called Discovery Service, lets the user choose his Home Organization from a list and then redirects the user to this Home Organization's login page for authentication.