Industry Terms Glossary and Abbreviations
The DirX Access glossary differentiates between industry-wide and DirX Access-specific terms. This chapter provides a glossary of industry terms and abbreviations relevant to DirX Access. Where adequate standard terminology is available, this glossary relies on the standard definitions and cites their source in parentheses.
Abstract Syntax Notation No. 1 (ASN.1)
A standard notation for the definition of data types and values.
Access control (RFC 2828)
Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy.
Artifact profile
A profile of the SAML Web-SSO exchange that exchanges identifiers for SAML assertions via browsers (also called Browser/Artifact profile).
Aspect-Oriented Programming (AOP)
A software engineering approach that separates cross-cutting concerns (for example, security) from the actual business logic of an application and allows them to be integrated transparently by weaving the cross-cutting concerns into application sources (during build) or into application binaries.
Asserting party
A system entity that makes assertions for consumption by another system entity.
Assertion
A declaration of facts about system entities such as subjects.
Assurance level
A numeric representation of the degree of confidence in the end user’s identity proofing and authentication mechanism (see NIST SP 800-63).
Attribute (SAML)
A distinct characteristic of an entity such as a subject or an object.
An entity’s attributes are said to describe it.
Attribute-Based Access Control (ABAC)
A form of access control that employs arbitrary attributes of subjects, resources and actions.
In XACML, ABAC is a synonym for free-formed XACML policies with arbitrary contents.
Authentication (NIST SP 800-63)
The process of establishing confidence in user identities.
Authentication (RFC 2828)
The process of verifying an identity claimed by or for a system entity.
An authentication process consists of two steps:
- Identification step: Presenting an identifier to the security system.
- Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.
Authorization
This term is used in the following connotations:
- Administrative connotation (RFC 2828): An authorization is a right or a permission that is granted to a system entity to access a system resource. To authorize means to grant such a right or permission.
- Operative connotation (SAML): The process of determining whether a subject is allowed to have the specified types of access to a particular resource.
Authorization decision (SAML)
The result of an act of authorization.
The result may be negative, that is, it may indicate that the subject is not allowed any access to the resource.
Authorization policy
A policy for rendering authorization decisions.
Certification Authority (CA) (RFC 2828)
An entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
Certificate Revocation List (CRL) (RFC 2828)
A data structure that enumerates digital certificates invalidated by their issuer prior to their scheduled expiration date.
Credential (RFC 2828)
Data that is transferred or presented to establish either a claimed identity or the authorizations of a system entity.
Cross Certification (RFC 2510)
A PKI certificate management protocol that enables entities in one public-key infrastructure (PKI) to trust entities in another PKI.
Demilitarized Zone (DMZ)
A physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, usually the Internet.
Discretionary Access Control (DAC) (RFC 2828)
An access control service that enforces a security policy based on the identity of system entities and their authorization to access system resources.
Directory
A hierarchical object store that may be highly distributed and replicated.
Directories represent specialized databases optimized for providing object naming on a large scale in a network environment.
Directory Services Markup Language (DSML)
A general-purpose language for querying and modifying directory contents.
DSML also represents an SPML profile.
Distinguished Name (DN)
The unique identifier of a directory entry (LDAP).
Domain (RFC 2828)
An environment or context that is defined by a security policy, security model, or security architecture to include a set of system resources and the set of system entities that have the right to access those resources.
eXtensible Access Control Markup Language (XACML)
A general-purpose language for expressing authorization policies and authorization decision requests and responses.
eXtensible Markup Language (XML)
A general-purpose specification for creating markup languages.
Fully Qualified Distinguished Name (FqDN)
Fully Qualified Domain Name (FQDN)
Generic Security Service Application Program Interface (GSS-API) (RFC 2828)
An Internet Standard protocol (RFC 2078) that specifies calling conventions by which an application (typically another communication protocol) can obtain authentication, integrity, and confidentiality security services independently of the underlying security mechanisms and technologies.
HMAC-Based OTP (HOTP)
An HMAC-based One-Time Password algorithm (see RFC 4226).
Identity
A unique identifier for a user, organization, resource, or service along with supplementary information (such as attributes, credentials, and so on).
Identity 2.0
The collection of architectural patterns that pass identity information in the form of authenticated subject information (also called approved user identity, as opposed to unauthenticated user data) in distributed environments.
This concept addresses identity management solutions for the Web, Web services, and other IT environments.
User-centric identity management is a subset of Identity 2.0 in which end users are an active party in the exchange of this information.
Identity Provider (IdP)
The issuer of the digital identity in a federation scenario.
It acts as an authentication authority making assertions on authenticated user identity.
The issued digital identity comes in the form of authentication statements contained, for example, in SAML assertions.
Inter-site transfer service
A Web-based service of an identity provider that provides identity assertions and redirects requestors to an actual target service.
Inter-site transfer URI
A specific form of a URI that is served by an inter-site transfer service.
For example:
https://federation-endpoint.this-idp.com/saml-idp/SingleSignOnService?TARGET=https://federation-endpoint.that-sp.com/saml-sp/AssertionConsumerService
Inter-Process Communication (IPC)
A set of techniques (message passing, synchronization, shared memory, remote procedure calls (RPC)) for exchanging data among multiple threads in one or more processes, which may be running on one or more computers connected by a network.
Java Platform, Enterprise Edition (JavaEE)
A set of services, APIs, and protocols that provide the functionality for developing multi-tiered, Web-based applications.
JavaEE extends JavaSE.
Java Platform, Standard Edition (JavaSE)
A software development kit used to write applets and applications using the Java programming language.
Java API for XML-Based Web Services (JAX-WS)
The standard interface abstraction for XML-based Web services in Java (JSR224).
Java Authentication and Authorization Service (JAAS)
An architectural framework for the supply of authorization and authentication services on the Java platform.
Java Authorization Contract for Containers (JACC)
A contract between JavaEE containers and authorization providers that enables third-party authorization providers to plug into JavaEE application servers to make authorization decisions when a JavaEE resource is being accessed.
Java Cryptography Architecture (JCA)
An architectural framework for the supply of cryptographic services on the Java platform.
Java Cryptography Extension (JCE)
Extension modules to JCA that were separated for export control reasons (particularly encryption mechanisms).
Java GSS (JGSS)
The Java adaptation of GSS-API.
Java Runtime Environment (JRE)
An environment required to run applets and applications written using the Java programming language.
Java Secure Socket Extension (JSSE)
A set of Java packages that provide SSL/TLS support on the Java platform.
JAX-WS RI
The JAX-WS reference implementation by Oracle (provided with JavaSE 7).
Just-in-Time (JIT) provisioning (SAML)
A dynamic user provisioning model for SAML Web federated environments that enables a service provider to create user accounts on the fly the first time a user successfully authenticates via the SAML Web SSO federation protocol.
Kerberos
An Internet-standard authentication protocol (RFC 1510) based on an online authentication authority.
Keyed-Hashing for Message Authentication (HMAC)
A mechanism for message authentication using cryptographic hash functions (RFC 2104).
HMAC can be used with cryptographic hash functions such as MD5 or SHA-1, in combination with a secret shared key.
Lightweight Directory Access Protocol (LDAP)
A suite of Internet technologies for interaction with directories.
In particular, LDAP defines the actual LDAP protocol, the LDAP directory information model, the LDAP naming model, and the LDAP functional model.
MAC
This term is used in the following connotations:
- Authorization: MAC – Mandatory Access Control (RFC 2828): An access control service that enforces a security policy based on comparing (a) security labels (which indicate how sensitive or critical system resources are) with (b) security clearances (which indicate which system entities are eligible to access certain resources).
- Cryptography: MAC – Message Authentication Code.
Managed Bean (MBean) (JavaSE)
A Java object that represents a resource to be managed.
MBeans are part of the monitoring and management features of the Java Platform, Standard Edition (JavaSE) software development toolkit.
NT LAN Manager (NTLM)
A Microsoft proprietary challenge-response protocol for authenticating desktop users against network services in Windows domains.
Online Certificate Status Protocol (OCSP)
An Internet-standard protocol (RFC 2560) for determining the current status of a public-key certificate.
One-Time Password (OTP)
A password that is used only once as authentication information to verify an identity.
Open AuTHentication (OATH)
An industry initiative on user authentication.
OAuth 2.0 Authorization Framework (OAuth 2.0)
An authorization protocol described in RFC 6749 that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Password-Based Key Derivation Function (PBKDF)
A class of algorithms that derive a shared secret key from a password.
PKCS#5 defines the instances PBKDF1 and PBKDF2.
Plain Old Java Object (POJO)
Java classes of no prescribed form that are not required to implement dedicated interfaces or inherit from specific superclasses.
Policy Administration Point (PAP) (XACML)
A system entity that creates a policy or policy set.
Policy Decision Point (PDP) (SAML)
A system entity that makes authorization decisions for itself or for other system entities that request such decisions.
A PDP is an authorization decision authority.
Policy Enforcement Point (PEP) (SAML)
A system entity that requests and subsequently enforces authorization decisions.
Policy Information Point (PIP) (XACML)
A system entity that acts as a source of attribute values.
Policy (Liberty Alliance)
A logically defined, executable and testable set of rules of behavior.
Policy Management Authority (PMA)
A system entity that creates and manages authorization policies.
Post profile
A profile of the SAML Web-SSO exchange that exchanges (digitally signed) SAML assertions via browsers (also called a Browser/Post profile).
Privacy (RFC 2828)
The right of an entity (normally a person), acting on its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others.
Proof-of-Possession (PoP)
The means provided by claimants along with identity assertions that lets relying parties verify that the presenting claimant corresponds to the subject identified in the assertion.
Provisioning (SPML)
The process of managing attributes and accounts within the scope of a defined business process or interaction.
Provisioning an account or service may involve the creation, modification, deletion, suspension, or restoration of a defined set of accounts or attributes.
Provisioning Service (PS) (SPML)
Any system entity that supports the receipt and processing of SPML artifacts.
Provisioning Service Object (PSO) (SPML)
An object that represents a data entity or an information object on a target.
Provisioning Service Provider (PSP) (SPML)
A software component that listens for, processes, and returns the results for well-formed SPML requests from a known requestor.
Provisioning Service Target (PST) (SPML)
A destination or endpoint that a provider makes available for provisioning actions.
Proxying Identity Provider (Proxying IdP)
The identity provider in a federation scenario that can either perform initial user authentication locally or delegate the initial authentication to an external identity provider by means of the federation protocol, for example SAML Web SSO.
Public-Key Cryptography Standards (PKCS) (RFC 2828)
A series of specifications published by RSA Laboratories for data structures and algorithm usage for basic applications of asymmetric cryptography.
Public-Key Infrastructure (PKI) (RFC 2828)
A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography.
Public-Key Infrastructure X.509 (PKIX)
RA
This term is used in the following connotations:
- PKI: Registration Authority.
- Provisioning: Requesting Authority. A RA or requestor is a software component that issues well-formed SPML requests to a PSP.
Relying party (SAML)
A system entity that decides to take an action based on information from another system entity.
Resource (SAML)
Data contained in an information system, a service provided by a system, an item of system equipment, or a facility that houses system operations and equipment.
Request Security Token (RST) (WS-Trust)
The initial request in a WS-Federation profile when the relying party redirects the user to the identity provider (Security Token Service) to which the user is to be returned with the issued security token after a successful authentication.
Request Security Token Response (RSTR) (WS-Trust)
The response of the identity provider in a WS-Federation profile to the initial request.
The RSTR is directed to the relying party that holds the desired information about the authenticated subject.
Requested Security Token (RST) (WS-Trust)
The token requested by the relying party that claims the user’s identity.
The token is typically enclosed in the RSTR.
Role (ANSI/INCITS 359-2004)
A role is a job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role.
Role-Based Access Control (RBAC) (RFC 2828)
A form of identity-based access control where the system entities that are identified and controlled are functional positions in an organization or process.
Role Enablement Authority (REA)
A system entity that resolves role assignments.
SAML proxying
The process of delegating initial user authentication in SAML Web SSO federation from the local SAML IdP endpoint to external SAML IdP endpoints.
Secure Sockets Layer (SSL)
An industry security protocol for entity authentication and transient message authentication and confidentiality in client/server environments.
SSL v3 is the predecessor of TLS v1.
Security Assertion Markup Language (SAML)
General-purpose language for expressing declarations of facts about subjects (called assertions).
SAML assertions may contain authentication, attribute and authorization decision statements.
Security token
A Web services abstraction that represents a collection of declarations (for example, name, identity, key, group, privilege, capability, and so on) made by an entity.
Security tokens serve as an umbrella concept for credentials such as SAML assertions, Kerberos tickets, X.509 certificates.
Security Token Service (STS) (WS-Trust)
A Web service that issues security tokens.
Service-Oriented Architecture (SOA)
A paradigm for architecting software products and solutions that emphasizes loosely coupled, self-contained business functionality.
Service Principal Name (SPN)
An identifier for a service that is associated with the security principal (user or group) in whose security context the service executes.
SPNs are used to support mutual authentication between a client application and a service.
Service Provider (SP)
The consumer of the digital identity in a federation scenario.
It acts as an authorization authority granting access to resources.
The consumed digital identity comes in the form of authentication statements contained, for example, in SAML assertions.
Service Provisioning Markup Language (SPML)
A general-purpose language for describing provisioning services by their object schema and for expressing service primitives for provisioning services.
Simple and Protected NEGOtiation (SPNEGO)
An Internet-standard protocol (RFC 2478) for negotiating authentication protocols between clients and servers.
Simple Object Access Protocol (SOAP)
A protocol for exchanging XML-based messages in an IT-network.
Single Sign-On (SSO) (RFC 2828)
A system that enables a user to access multiple computer platforms or application systems after being authenticated just one time.
SOAP Message Security
A specification for defining SOAP headers that are capable of transferring security tokens (for example, SAML assertions) serving requestor authentication as well as protecting the authenticity and confidentiality of message contents with XML Signature and XML Encryption.
Software Development Kit (SDK)
A set of development tools that allows for the creation of applications for particular software packages, software frameworks, operating systems and other platform types.
SSPI
This term is used in the following connotations:
- BEA: Security Service Provider Interface – a set of WebLogic interfaces that allow deploying custom providers for adjudication, auditing, authentication, authorization, credential mapping, identity assertion, and role mapping.
- Microsoft: Security Support Provider Interface – the Microsoft Windows adaptation of GSS-API.
Subject (RFC 2828)
A system entity that causes information to flow among objects or changes the system state.
Time-Based OTP (TOTP)
An extension of the One-Time Password (OTP) algorithm, specifically the HMAC-based One-Time Password (HOTP) algorithm as defined in RFC 4226, to support a time-based moving factor (see RFC 6238).
Transport Layer Security (TLS)
An Internet standard security protocol (RFCs 2246, 4346) for entity authentication and transient message authentication and confidentiality in client/server environments.
Note that TLS 1.0 is the successor of SSL 3.0.
Uniform Resource Identifier (URI)
A URL or URN.
Uniform Resource Locator (URL) (RFC 2828)
A type of formatted identifier that describes the access method and location of an information resource object on the Internet.[1]
Uniform Resource Name (URN) (RFC 2828)
A URI that has an institutional commitment to persistence and availability.
User (ANSI/INCITS 359-2004)
A human being.
Web services (WS) (W3C)
A software system identified by a URI whose public interfaces and bindings are defined and described using XML.
Its definition can be discovered by other software systems.
These systems may then interact with the Web service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols.
Web Services Description Language (WSDL)
A language for defining the contract of a Web service and publishing it in an XML document.
Web Services Federation (WSFED)
The OASIS technical committee that defines identity management enhancements to enable federations of trust across organizations.
Web Services Interoperability Technologies (WSIT)
JAX-WS compliant extensions to the JAX-WS RI with a functional focus on secure communications technologies for Web services.
Web Services Secure Exchange (WS-SX)
The OASIS technical committee that defines security technologies such as WS-Trust, WS-SecurityPolicy, WS-SecureConversation.
Web Services Security (WSS)
The OASIS technical committee that defines SOAP extensions for message authentication and encryption as well as transfer of security tokens.
WS-Policy
A general-purpose model and corresponding syntax to describe the policies of entities in a Web services-based system.
WS-Policy mainly serves negotiation purposes between Web services consumers and providers.
WS-SecureConversation
A Web services specification for adding session orientation to SOAP Message Security.
WS-SecurityPolicy
A Web services specification for defining the framework for allowing WS providers and consumers to agree on communication security, such as the security tokens that need to be presented.
It is an addition to WS-Policy and serves the extension of WSDL files.
WS-Trust
A framework for defining Web services for processing security tokens (STSs).
This service framework deals with authentication diversity and uses security tokens to abstract from specific syntaxes that marshal authenticated identity information (for example, SAML).
X.509 (RFC 2828)
An ITU-T Recommendation that defines a framework to provide and support data origin authentication and peer entity authentication services, including formats for X.509 public-key certificates, X.509 attribute certificates, and X.509 CRLs.
XML encryption
An XML schema for representing encrypted information and related metadata.
XML schema
A mechanism for expressing shared vocabularies and allowing machines to carry out rules made by people.
XML Schema Definition (XSD)
An instance of an XML schema.
Used, for example, to define the vocabulary for a Web service.
XML signature
An XML schema for representing digital signatures and related metadata.
[1] Note that URLs comprise scheme, authority, path and query parts, where the scheme part specifies the method of access (for example, https), the authority part specifies the service (for example, my-service.my-company.biz:8443), the path specifies the resource – at the service – by its name (for example, my-company/root/extranet/applications/ServletApplication) and the query specifies information to be interpreted by the resource in a resource-specific way (for example, TARGET=diagnosis).