A UK federation Glossary
Application Programming Interface. A library of functions that are pre-written (possibly by a third party) to offer funcionality to the programmer.
Athens
Athens is an Identity Management service now known as OpenAthens, which is run by Jisc. OpenAthens is available as a subscription service. For more information visit: https://openathens.org
The Shibboleth component that responds to requests for user attributes by the SHAR, and enforces the organisation's Attribute Release Policy.
An opaque, anonymous identifier (analogous to a session id) that identifies a user who has authenticated to a ShibbolethIdentity Provider. It does not uniquely identify a user across logins, nor does it remain consistent within an SSO session.
Attribute Release Policy (ARP)
A policy, maintained by the Attribute Authority, that governs the sharing of user attributes with Service Providers.
The process of verifying who is requesting access to a resource.
The process of determining whether access should be granted to an individual based on information about that individual.
Certificate Authority. A trusted body who issue and sign certificate requests on behalf of organisations (typically within a federation) requiring mutual trust.
Establishes whether the user can access a given resource, based on one or more attributes obtained from the SHAR. The decision engine applies a policy to a set of attributes and returns a 'yes/no' response.
DES
Data Encryption Standard. A popular symmetric-key encryption method.
A form of authentication in which responsibility for the authentication of users is devolved to their member organisation.
Institutions who become early adopters (opens in new window) of the next generation of access management tools.
A JISC-supported 'datacentre'. They provide online services to the UK further and higher education communities. Edina built and maintained the UK pilot federation. Edina ceased involvement in the UK federation in August 2016. Further details: http://edina.ac.uk/
Non-profit association in the US that promotes the use of information technology in higher education. Further details: http://www.educause.edu/
Educause CAMP
Campus Architectural Middleware Planning. Educause CAMP provides higher education in the US with help and advice on middleware for educational networks.
See Devolved Authentication, and Federation.
A group or set of organisations that share a common set of policies and rules in order to establish common trust and language/terminology to aid cross-domain authentication and authorisation.
Grouper is an open source toolkit for managing groups. For more information: http://middleware.internet2.edu/dir/groups/grouper/. Also see Signet.
The Shibboleth component that authenticates the user. It issues the Attribute Query Handle that is used later in the authorisation process to request user attributes. When a user is successfully authenticated, the HS presents the handle to the SHIRE in the form of a signed SAMLResponse, sent via an HTTP-POST.
In the Shibboleth architecture, the Identity Provider is the organisation that provides authentication for a user. Authorisation is provided by the Service Provider.
Formerly known as the origin.
Provides a central resource to develop and deploy advanced network applications, and techologies for research and higher education. Internet2 is funded by 200 US universities. Further details: http://www.internet2.edu
Joint Academic NETwork. A private, government-funded network for education and research. All further and higher education organisations are connected to JANET, as are all the Research Councils.
Jisc
Jisc. Supports further and higher education in the UK in the use of information and communications technology. Further details: http://www.jisc.ac.uk
LDAP - Lightweight Directory Access Protocol
LDAP, a set of protocols for accessing on-line information directories.
Liberty Alliance
A project, formed in September 2001, to establish an open standard for federated network identity. This will be accomplished by developing technical specifications that support a broad range of identity-based products and network devices. It is a consortium of more than 150 technology and consumer organizations. Further details: http://www.projectliberty.org/index.php
Middleware Architecture Committee for Education. An Internet2 group that provides technical advice and direction to help create a US-wide interoperable middleware infrastructure for research and education.
Middleware
Network-based services that sit between users and the service that they are trying to access, enabling them to access that service or provide additional functionality. Authentication/authorisation is a classic example.
Organization for the Advancement of Structured Information Systems. A standards body. A not-for-profit global consortium that drives the development, convergence and adoption of e-business standards.
OpenAthens
A range of Identity and Access Management products, run by Jisc, that enables an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation. For more information about OpenAthens: https://openathens.org/
OpenSAML
An open-source library implementing the SAML protocol. The project is currently hosted and controlled by Internet2.
Origin
See Identity Provider.
Privilege and Role Management Infrastructure Standards Validation. A tool for determining the rights of a user to access a service through the analysis of user attributes. Fore more information: http://www.permis.org/.
PKI
Public Key Infrastructure. This is the infrastructure required to support public key cryptography. It comprises both technology and trusted bodies, such as a certificate authority, and mechanisms to handle certificate revocation.
Regional Support Centres (RSC)
Advised on and promoted the use of network learning technologies and resources in the UK tertiary education sector. They were funded by Jisc.
RSA
RSA is an algorithm commonly used in public key encryption.
Security Assertion Markup Language. A standard defined and maintained by OASIS. It's an XML-based framework for creating and exchanging security information between online parties.
An open source privilege management service. For more information: http://middleware.internet2.edu/signet/. Also see Grouper.
SDSS
An EDINA project that built and maintained the UK development Shibboleth federation for managing access to UK academic online resources.
In the Shibboleth architecture, the Service Provider is the provider of information or resources.
Formerly known as the target.
SHibboleth Attribute Requester. The SHAR uses an AQH to request attributes on behalf of the user from their organisation's Attribute Authority.
An Internet2 project to define an architecture that uses a SAML-based method of allowing users to access online resources. Authentication is devolved to the user's organisation - the Identity Provider - which passes attributes to the Service Provider. These attributes enable the Service Provider to make authorisation decisions. Further information: http://www.shibboleth.net/
The Internet2 Shibboleth group also develops software that implements the Shibboleth architecture. This software is also known as Shibboleth.
SHibboleth Indexical Reference Establisher. The SHIRE is the Shibboleth component that determines whether a user needs to authenticate, and if so, starts the Shibboleth process by sending the user to their Handle Service (possibly via a WAYF). The SHIRE then receives an Attribute Query Handle on return from the Handle Service.
Provides a user the ability to input assigned authentication once and then access multiple online services.
SOAP
Simple Object Access Protocol. This is a definition of how to use XML to transfer data between online services.
SSL
Secure Sockets Layer. A standard way of encrypting network traffic. Commonly used by 'secure websites'.
SURF
The Dutch network provider for education institutions. They have an authentication mechanism called A-Select (http://a-select.surfnet.nl).
SWITCH
The Swiss Education and Research Network. An early adopter of Shibboleth across the Swiss academic community. They have a significant, and useful amount of reference material on their Shibboleth infrastruture available here: http://www.switch.ch/aai/deployment.html.
See Service Provider.
TLS
Transport Layer Security. A standard way of encrypting network traffic.
Triple DES
A common encryption algorithm based on DES. Three times slower but far more secure.
Universities and Colleges Information Systems Association. Represents the entire higher education, and increasingly further education, sectors on all matters concerning information systems. For more information, go to http://www.ucisa.ac.uk/.
Where Are You From? The Shibboleth service that provides a mechanism for routing users from a resource on their Service Provider to their point of login (Handle Service). However, it is notionally assumed to be 'optional' in the Shibboleth specification, and can be implemented either by a service provider, or as a central service, perhaps by the federation provision body.
WSDL
Web Services Definition Language. A SOAP protocol definition file. It enables programmers to quickly and easily support new protocols designed by third parties.
eXtensible Access Control Markup Language. An OASIS standard for the expression of access control policies. It also contains a request/response protocol, and goes some way to specifying the actual components required (such as policy decision and enforcement points) in an access control infrastructure. It is a rich, but as yet, quite obscure and underused language.
Extensible Markup Language. A standards-based, electronic data format for transferring or organising information. Often used to transfer data between online services.
XML Encryption
A W3C standard for encrypting an arbitrary XML document. It is not typically used in SAML/Shibboleth. Further details: http://www.w3.org/TR/xmlenc-core.
XML Schema
The definition of a particular use of XML. One example is SOAP.
XML Signature
A W3C standard for signing an arbitrary XML document. It is used by SAML for authentication of the document signer in order to establish cross-domain trust relationships. Further details: http://www.w3.org/TR/xmldsig-core/.