A UK federation Glossary

A|B|C|D|E|F|G|H| I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z


Application Programming Interface. A library of functions that are pre-written (possibly by a third party) to offer funcionality to the programmer.


Athens is an Identity Management service now known as OpenAthens, which is run by Jisc. OpenAthens is available as a subscription service. For more information visit: https://openathens.org

Attribute Authority (AA)

The Shibboleth component that responds to requests for user attributes by the SHAR, and enforces the organisation's Attribute Release Policy.

Attribute Query Handle (AQH)

An opaque, anonymous identifier (analogous to a session id) that identifies a user who has authenticated to a ShibbolethIdentity Provider. It does not uniquely identify a user across logins, nor does it remain consistent within an SSO session.

Attribute Release Policy (ARP)

A policy, maintained by the Attribute Authority, that governs the sharing of user attributes with Service Providers.


The process of verifying who is requesting access to a resource.


The process of determining whether access should be granted to an individual based on information about that individual.

Back to top


Certificate Authority. A trusted body who issue and sign certificate requests on behalf of organisations (typically within a federation) requiring mutual trust.

Back to top

Decision Engine

Establishes whether the user can access a given resource, based on one or more attributes obtained from the SHAR. The decision engine applies a policy to a set of attributes and returns a 'yes/no' response.


Data Encryption Standard. A popular symmetric-key encryption method.

Devolved Authentication (DA)

A form of authentication in which responsibility for the authentication of users is devolved to their member organisation.

Back to top

Early Adopters

Institutions who become early adopters (opens in new window) of the next generation of access management tools.


A JISC-supported 'datacentre'. They provide online services to the UK further and higher education communities. Edina built and maintained the UK pilot federation. Edina ceased involvement in the UK federation in August 2016. Further details: http://edina.ac.uk/


Non-profit association in the US that promotes the use of information technology in higher education. Further details: http://www.educause.edu/

Educause CAMP

Campus Architectural Middleware Planning. Educause CAMP provides higher education in the US with help and advice on middleware for educational networks.

Back to top

Federated authentication

See Devolved Authentication, and Federation.


A group or set of organisations that share a common set of policies and rules in order to establish common trust and language/terminology to aid cross-domain authentication and authorisation.

Back to top


Grouper is an open source toolkit for managing groups. For more information: http://middleware.internet2.edu/dir/groups/grouper/. Also see Signet.

Back to top


See Attribute Query Handle.

Handle Service (HS)

The Shibboleth component that authenticates the user. It issues the Attribute Query Handle that is used later in the authorisation process to request user attributes. When a user is successfully authenticated, the HS presents the handle to the SHIRE in the form of a signed SAMLResponse, sent via an HTTP-POST.

Back to top

Identity Provider (IdP)

In the Shibboleth architecture, the Identity Provider is the organisation that provides authentication for a user. Authorisation is provided by the Service Provider.

Formerly known as the origin.


Provides a central resource to develop and deploy advanced network applications, and techologies for research and higher education. Internet2 is funded by 200 US universities. Further details: http://www.internet2.edu

Back to top


Joint Academic NETwork. A private, government-funded network for education and research. All further and higher education organisations are connected to JANET, as are all the Research Councils.


Jisc. Supports further and higher education in the UK in the use of information and communications technology. Further details: http://www.jisc.ac.uk

Back to top

LDAP - Lightweight Directory Access Protocol

LDAP, a set of protocols for accessing on-line information directories.

Liberty Alliance

A project, formed in September 2001, to establish an open standard for federated network identity. This will be accomplished by developing technical specifications that support a broad range of identity-based products and network devices. It is a consortium of more than 150 technology and consumer organizations. Further details: http://www.projectliberty.org/index.php

Back to top


Middleware Architecture Committee for Education. An Internet2 group that provides technical advice and direction to help create a US-wide interoperable middleware infrastructure for research and education.


Network-based services that sit between users and the service that they are trying to access, enabling them to access that service or provide additional functionality. Authentication/authorisation is a classic example.

Back to top


Organization for the Advancement of Structured Information Systems. A standards body. A not-for-profit global consortium that drives the development, convergence and adoption of e-business standards.


A range of Identity and Access Management products, run by Jisc, that enables an organisation to maintain a single set of credentials for a user, and for that user to be authorised for access to online services depending on permissions defined by the user's organisation. For more information about OpenAthens: https://openathens.org/


An open-source library implementing the SAML protocol. The project is currently hosted and controlled by Internet2.


See Identity Provider.

Back to top


Privilege and Role Management Infrastructure Standards Validation. A tool for determining the rights of a user to access a service through the analysis of user attributes. Fore more information: http://www.permis.org/.


Public Key Infrastructure. This is the infrastructure required to support public key cryptography. It comprises both technology and trusted bodies, such as a certificate authority, and mechanisms to handle certificate revocation.

Back to top

Regional Support Centres (RSC)

Advised on and promoted the use of network learning technologies and resources in the UK tertiary education sector. They were funded by Jisc.


RSA is an algorithm commonly used in public key encryption.

Back to top


Security Assertion Markup Language. A standard defined and maintained by OASIS. It's an XML-based framework for creating and exchanging security information between online parties.


An open source privilege management service. For more information: http://middleware.internet2.edu/signet/. Also see Grouper.


An EDINA project that built and maintained the UK development Shibboleth federation for managing access to UK academic online resources.

Service Provider (SP)

In the Shibboleth architecture, the Service Provider is the provider of information or resources.

Formerly known as the target.


SHibboleth Attribute Requester. The SHAR uses an AQH to request attributes on behalf of the user from their organisation's Attribute Authority.


An Internet2 project to define an architecture that uses a SAML-based method of allowing users to access online resources. Authentication is devolved to the user's organisation - the Identity Provider - which passes attributes to the Service Provider. These attributes enable the Service Provider to make authorisation decisions. Further information: http://www.shibboleth.net/

The Internet2 Shibboleth group also develops software that implements the Shibboleth architecture. This software is also known as Shibboleth.


SHibboleth Indexical Reference Establisher. The SHIRE is the Shibboleth component that determines whether a user needs to authenticate, and if so, starts the Shibboleth process by sending the user to their Handle Service (possibly via a WAYF). The SHIRE then receives an Attribute Query Handle on return from the Handle Service.

Single Sign On (SSO)

Provides a user the ability to input assigned authentication once and then access multiple online services.


Simple Object Access Protocol. This is a definition of how to use XML to transfer data between online services.


Secure Sockets Layer. A standard way of encrypting network traffic. Commonly used by 'secure websites'.


The Dutch network provider for education institutions. They have an authentication mechanism called A-Select (http://a-select.surfnet.nl).


The Swiss Education and Research Network. An early adopter of Shibboleth across the Swiss academic community. They have a significant, and useful amount of reference material on their Shibboleth infrastruture available here: http://www.switch.ch/aai/deployment.html.

Back to top


See Service Provider.


Transport Layer Security. A standard way of encrypting network traffic.

Triple DES

A common encryption algorithm based on DES. Three times slower but far more secure.

Back to top


Universities and Colleges Information Systems Association. Represents the entire higher education, and increasingly further education, sectors on all matters concerning information systems. For more information, go to http://www.ucisa.ac.uk/.

Back to top


Where Are You From? The Shibboleth service that provides a mechanism for routing users from a resource on their Service Provider to their point of login (Handle Service). However, it is notionally assumed to be 'optional' in the Shibboleth specification, and can be implemented either by a service provider, or as a central service, perhaps by the federation provision body.


Web Services Definition Language. A SOAP protocol definition file. It enables programmers to quickly and easily support new protocols designed by third parties.

Back to top


eXtensible Access Control Markup Language. An OASIS standard for the expression of access control policies. It also contains a request/response protocol, and goes some way to specifying the actual components required (such as policy decision and enforcement points) in an access control infrastructure. It is a rich, but as yet, quite obscure and underused language.


Extensible Markup Language. A standards-based, electronic data format for transferring or organising information. Often used to transfer data between online services.

XML Encryption

A W3C standard for encrypting an arbitrary XML document. It is not typically used in SAML/Shibboleth. Further details: http://www.w3.org/TR/xmlenc-core.

XML Schema

The definition of a particular use of XML. One example is SOAP.

XML Signature

A W3C standard for signing an arbitrary XML document. It is used by SAML for authentication of the document signer in order to establish cross-domain trust relationships. Further details: http://www.w3.org/TR/xmldsig-core/.

A|B|C|D|E|F|G|H| I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z