A UK federation Glossary
API
Application Programming Interface. A library of pre-written functions (possibly supplied by a third party) that offers functionality to the programmer.
Athens
Athens is an Identity Management service run by Eduserv and funded by JISC. Athens is currently being replaced as the national access management service for the UK educational sector by a new service based on the Shibboleth technology. JISC will stop funding Athens in 2008. Athens will still be available after 2008, but as a subscription service. For more information about Athens: http://www.openathens.net/.
Athens DA
Athens Devolved Authentication. An Identity Management service, run by Eduserv, that enables an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation.
Attribute
Information about an individual in defined formats, such as member of organisation x, member of department y, or role equals student or faculty.
Attribute Query Handle
An opaque, anonymous identifier (analogous to a session id) that identifies a user who has authenticated to a Shibboleth Identity Provider. It does not uniquely identify a user across logins, nor does it remain consistent within an SSO session.
Authentication
The process of verifying who is requesting access to a resource.
Authorisation
The process of determining whether access should be granted to an individual, based on information about that individual.
CA
Certificate Authority. A trusted body that signs certificate requests and issues certificates on behalf of organisations (typically within a federation) requiring mutual trust.
Establishes whether the user can access a given resource, based on one or more attributes obtained from the SHAR. The decision engine applies a policy to a set of attributes and returns a 'yes/no' response.
DES
Data Encryption Standard. A popular symmetric-key encryption method.
Devolved authentication
A form of authentication in which responsibility for authenticating users is devolved to their member organisation.
Early adopters
Institutions that become early adopters of the next generation of access management tools.
Edina
A JISC-supported 'datacentre' that provides online services to the UK further and higher education communities. Edina built and maintained the UK pilot federation. Further details: http://edina.ac.uk/
Educause
A non-profit association in the US that promotes the use of information technology in higher education. Further details: http://www.educause.edu/
Educause CAMP
Campus Architectural Middleware Planning. Educause CAMP provides higher education in the US with help and advice on middleware for educational networks.
Grouper
Grouper is an open-source toolkit for managing groups. For more information: http://middleware.internet2.edu/dir/groups/grouper/. Also see Signet.
Handle Service (HS)
The Shibboleth component that authenticates the user. It issues the Attribute Query Handle that is used later in the authorisation process to request user attributes. When a user is successfully authenticated, the HS presents the handle to the SHIRE in the form of a signed SAML Response, sent via an HTTP POST.
Identity Provider
Formerly known as the origin.
Internet2
Provides a central resource to develop and deploy advanced network applications and technologies for research and higher education. Internet2 is funded by 200 US universities. Further details: http://www.internet2.edu
JANET
Joint Academic NETwork. A private, government-funded network for education and research. All further and higher education organisations are connected to JANET, as are all the Research Councils.
JISC
Joint Information Systems Committee. Supports further and higher education in the UK in the use of information and communications technology. Further details: http://www.jisc.ac.uk
LDAP
Lightweight Directory Access Protocol. A set of protocols for accessing online information directories.
Liberty Alliance
A project, formed in September 2001, to establish an open standard for federated network identity. This is to be accomplished by developing technical specifications that support a broad range of identity-based products and network devices. It is a consortium of more than 150 technology and consumer organisations. Further details: http://www.projectliberty.org/index.php
MACE
Middleware Architecture Committee for Education. An Internet2 group that provides technical advice and direction to help create a US-wide interoperable middleware infrastructure for research and education.
Middleware
Network-based services that sit between users and the service they are trying to access, enabling them to reach that service or providing additional functionality. Authentication and authorisation are classic examples.
OASIS
Organization for the Advancement of Structured Information Standards. A standards body: a not-for-profit global consortium that drives the development, convergence and adoption of e-business standards.
OpenAthens
A range of Identity and Access Management products, run by Eduserv, that enable an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation. For more information about OpenAthens: http://www.eduserv.org.uk/identity-access/products
OpenSAML
An open-source library implementing the SAML protocol. The project is currently hosted and controlled by Internet2.
Origin
See Identity Provider.
PERMIS
Privilege and Role Management Infrastructure Standards Validation. A tool for determining the rights of a user to access a service through the analysis of user attributes. For more information: http://www.permis.org/.
PKI
Public Key Infrastructure. This is the infrastructure required to support public key cryptography. It comprises both technology and trusted bodies, such as a certificate authority, and mechanisms to handle certificate revocation.
Regional Support Centres (RSC)
Advise on and promote the use of network learning technologies and resources in the UK tertiary education sector. Funded by JISC.
RSA
RSA is an algorithm commonly used in public-key encryption.
Service Provider (SP)
In the Shibboleth architecture, the Service Provider is the provider of information or resources.
Formerly known as the target.
Shibboleth
An Internet2 project to define an architecture that uses a SAML-based method of allowing users to access online resources. Authentication is devolved to the user's organisation, the Identity Provider, which passes attributes to the Service Provider. These attributes enable the Service Provider to make authorisation decisions. Further information: http://www.shibboleth.net/
The Internet2 Shibboleth group also develops software that implements the Shibboleth architecture. This software is also known as Shibboleth.
SHIRE
SHibboleth Indexical Reference Establisher. The SHIRE is the Shibboleth component that determines whether a user needs to authenticate, and if so, starts the Shibboleth process by sending the user to their Handle Service (possibly via a WAYF). The SHIRE then receives an Attribute Query Handle on return from the Handle Service.
Single Sign-On (SSO)
Provides a user with the ability to enter their assigned authentication credentials once and then access multiple online services.
SOAP
Simple Object Access Protocol. This is a definition of how to use XML to transfer data between online services.
SSL
Secure Sockets Layer. A standard way of encrypting network traffic. Commonly used by 'secure websites'.
SURFnet
The Dutch network provider for education institutions. They have an authentication mechanism called A-Select (http://a-select.surfnet.nl).
SWITCH
The Swiss Education and Research Network. An early adopter of Shibboleth across the Swiss academic community. They have a significant and useful amount of reference material on their Shibboleth infrastructure available here: http://www.switch.ch/aai/deployment.html.
Target
See Service Provider.
TLS
Transport Layer Security. A standard way of encrypting network traffic.
Triple DES (3DES)
A common encryption algorithm based on DES. It is three times slower than DES but far more secure.
UCISA
Universities and Colleges Information Systems Association. Represents the entire higher education sector, and increasingly the further education sector, on all matters concerning information systems. For more information, go to http://www.ucisa.ac.uk/.
WAYF
Where Are You From? The Shibboleth service that provides a mechanism for routing users from a resource on their Service Provider to their point of login (Handle Service). It is notionally 'optional' in the Shibboleth specification, and can be implemented either by a service provider or as a central service, perhaps by the federation provision body.
WSDL
Web Services Description Language. A SOAP protocol definition file. It enables programmers to quickly and easily support new protocols designed by third parties.
XACML
eXtensible Access Control Markup Language. An OASIS standard for the expression of access control policies. It also contains a request/response protocol, and goes some way to specifying the actual components required in an access control infrastructure (such as policy decision and enforcement points). It is a rich but, as yet, quite obscure and underused language.
XML
Extensible Markup Language. A standards-based, electronic data format for transferring or organising information. Often used to transfer data between online services.
XML Encryption
A W3C standard for encrypting an arbitrary XML document. It is not typically used in SAML/Shibboleth. Further details: http://www.w3.org/TR/xmlenc-core.
The definition of a particular use of XML. One example is SOAP.
XML Signature
A W3C standard for signing an arbitrary XML document. It is used by SAML for authentication of the document signer in order to establish cross-domain trust relationships. Further details: http://www.w3.org/TR/xmldsig-core/.