A UK federation Glossary


API

Application Programming Interface. A library of functions that are pre-written (possibly by a third party) to offer functionality to the programmer.

Athens

Athens is an Identity Management service that is run by Eduserv and funded by JISC. Athens is currently being replaced as the national access management service for the UK educational sector by a new service based on the Shibboleth technology. JISC will stop funding Athens in 2008. Athens will still be available after 2008 but as a subscription service. For more information about Athens: http://www.openathens.net/.

AthensDA

Athens Devolved Authentication. An Identity Management service, run by Eduserv, that enables an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation.

Attribute

Information about an individual in defined formats such as member of organisation x, member of department y, role equals student or faculty.

Attribute Authority (AA)

The Shibboleth component that responds to requests for user attributes by the SHAR, and enforces the organisation's Attribute Release Policy.

Attribute Query Handle (AQH)

An opaque, anonymous identifier (analogous to a session id) that identifies a user who has authenticated to a Shibboleth Identity Provider. It does not uniquely identify a user across logins, nor does it remain consistent within an SSO session.

Attribute Release Policy (ARP)

A policy, maintained by the Attribute Authority, that governs the sharing of user attributes with Service Providers.

Authentication

The process of verifying who is requesting access to a resource.

Authorisation

The process of determining whether access should be granted to an individual based on information about that individual.


CA

Certificate Authority. A trusted body that issues and signs certificate requests on behalf of organisations (typically within a federation) requiring mutual trust.


Decision Engine

Establishes whether the user can access a given resource, based on one or more attributes obtained from the SHAR. The decision engine applies a policy to a set of attributes and returns a 'yes/no' response.

DES

Data Encryption Standard. A popular symmetric-key encryption method.

Devolved Authentication (DA)

A form of authentication in which responsibility for the authentication of users is devolved to their member organisation.


Early Adopters

Institutions who become early adopters of the next generation of access management tools.

EDINA

A JISC-supported 'datacentre'. It provides online services to the UK further and higher education communities. EDINA built and maintained the UK pilot federation. Further details: http://edina.ac.uk/

Educause

Non-profit association in the US that promotes the use of information technology in higher education. Further details: http://www.educause.edu/

Educause CAMP

Campus Architectural Middleware Planning. Educause CAMP provides higher education in the US with help and advice on middleware for educational networks.


Federated authentication

See Devolved Authentication, and Federation.

Federation

A group or set of organisations that share a common set of policies and rules in order to establish common trust and language/terminology to aid cross-domain authentication and authorisation.


Grouper

Grouper is an open source toolkit for managing groups. For more information: http://middleware.internet2.edu/dir/groups/grouper/. Also see Signet.


Handle

See Attribute Query Handle.

Handle Service (HS)

The Shibboleth component that authenticates the user. It issues the Attribute Query Handle that is used later in the authorisation process to request user attributes. When a user is successfully authenticated, the HS presents the handle to the SHIRE in the form of a signed SAMLResponse, sent via an HTTP-POST.


Identity Provider (IdP)

In the Shibboleth architecture, the Identity Provider is the organisation that provides authentication for a user. Authorisation is provided by the Service Provider.

Formerly known as the origin.

Internet2

Provides a central resource to develop and deploy advanced network applications and technologies for research and higher education. Internet2 is funded by 200 US universities. Further details: http://www.internet2.edu


JANET

Joint Academic NETwork. A private, government-funded network for education and research. All further and higher education organisations are connected to JANET, as are all the Research Councils.

JISC

Joint Information Systems Committee. Supports further and higher education in the UK in the use of information and communications technology. Further details: http://www.jisc.ac.uk


LDAP

Lightweight Directory Access Protocol. A set of protocols for accessing online information directories.

Liberty Alliance

A project, formed in September 2001, to establish an open standard for federated network identity. This will be accomplished by developing technical specifications that support a broad range of identity-based products and network devices. It is a consortium of more than 150 technology and consumer organizations. Further details: http://www.projectliberty.org/index.php


MACE

Middleware Architecture Committee for Education. An Internet2 group that provides technical advice and direction to help create a US-wide interoperable middleware infrastructure for research and education.

Middleware

Network-based services that sit between users and the service that they are trying to access, enabling them to access that service or provide additional functionality. Authentication/authorisation is a classic example.


OASIS

Organization for the Advancement of Structured Information Systems. A standards body. A not-for-profit global consortium that drives the development, convergence and adoption of e-business standards.

OpenAthens

A range of Identity and Access Management products, run by Eduserv, that enables an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation. For more information about OpenAthens: http://www.eduserv.org.uk/identity-access/products

OpenSAML

An open-source library implementing the SAML protocol. The project is currently hosted and controlled by Internet2.

Origin

See Identity Provider.


PERMIS

Privilege and Role Management Infrastructure Standards Validation. A tool for determining the rights of a user to access a service through the analysis of user attributes. For more information: http://www.permis.org/.

PKI

Public Key Infrastructure. This is the infrastructure required to support public key cryptography. It comprises both technology and trusted bodies, such as a certificate authority, and mechanisms to handle certificate revocation.


Regional Support Centres (RSC)

Advise on and promote the use of network learning technologies and resources in the UK tertiary education sector. Funded by JISC.

RSA

RSA is an algorithm commonly used in public key encryption.


SAML

Security Assertion Markup Language. A standard defined and maintained by OASIS. It's an XML-based framework for creating and exchanging security information between online parties.

Signet

An open source privilege management service. For more information: http://middleware.internet2.edu/signet/. Also see Grouper.

SDSS

An EDINA project that built and maintained the UK development Shibboleth federation for managing access to UK academic online resources.

Service Provider (SP)

In the Shibboleth architecture, the Service Provider is the provider of information or resources.

Formerly known as the target.

SHAR

SHibboleth Attribute Requester. The SHAR uses an AQH to request attributes on behalf of the user from their organisation's Attribute Authority.

Shibboleth

An Internet2 project to define an architecture that uses a SAML-based method of allowing users to access online resources. Authentication is devolved to the user's organisation (the Identity Provider), which passes attributes to the Service Provider. These attributes enable the Service Provider to make authorisation decisions. Further information: http://www.shibboleth.net/

The Internet2 Shibboleth group also develops software that implements the Shibboleth architecture. This software is also known as Shibboleth.

SHIRE

SHibboleth Indexical Reference Establisher. The SHIRE is the Shibboleth component that determines whether a user needs to authenticate, and if so, starts the Shibboleth process by sending the user to their Handle Service (possibly via a WAYF). The SHIRE then receives an Attribute Query Handle on return from the Handle Service.

Single Sign On (SSO)

Allows a user to authenticate once with their assigned credentials and then access multiple online services.

SOAP

Simple Object Access Protocol. This is a definition of how to use XML to transfer data between online services.

SSL

Secure Sockets Layer. A standard way of encrypting network traffic. Commonly used by 'secure websites'.

SURF

The Dutch network provider for education institutions. They have an authentication mechanism called A-Select (http://a-select.surfnet.nl).

SWITCH

The Swiss Education and Research Network. An early adopter of Shibboleth across the Swiss academic community. They have a significant and useful amount of reference material on their Shibboleth infrastructure available here: http://www.switch.ch/aai/deployment.html.


Target

See Service Provider.

TLS

Transport Layer Security. A standard way of encrypting network traffic.

Triple DES

A common encryption algorithm based on DES. Three times slower but far more secure.


UCISA

Universities and Colleges Information Systems Association. Represents the entire higher education, and increasingly further education, sectors on all matters concerning information systems. For more information, go to http://www.ucisa.ac.uk/.


WAYF

Where Are You From? The Shibboleth service that provides a mechanism for routing users from a resource on their Service Provider to their point of login (Handle Service). However, it is notionally assumed to be 'optional' in the Shibboleth specification, and can be implemented either by a service provider, or as a central service, perhaps by the federation provision body.

WSDL

Web Services Definition Language. A SOAP protocol definition file. It enables programmers to quickly and easily support new protocols designed by third parties.


XACML

eXtensible Access Control Markup Language. An OASIS standard for the expression of access control policies. It also contains a request/response protocol, and goes some way to specifying the actual components required (such as policy decision and enforcement points) in an access control infrastructure. It is a rich but, as yet, quite obscure and underused language.

XML

Extensible Markup Language. A standards-based, electronic data format for transferring or organising information. Often used to transfer data between online services.

XML Encryption

A W3C standard for encrypting an arbitrary XML document. It is not typically used in SAML/Shibboleth. Further details: http://www.w3.org/TR/xmlenc-core.

XML Schema

The definition of a particular use of XML. One example is SOAP.

XML Signature

A W3C standard for signing an arbitrary XML document. It is used by SAML for authentication of the document signer in order to establish cross-domain trust relationships. Further details: http://www.w3.org/TR/xmldsig-core/.
