Identity Glossary

We've put together a glossary of terms for newcomers and seasoned developers alike to put any remaining confusion to rest.

  • a
  • access control rule

    Settings that define the specific resources that a user is authorized to access or change. In Auth0, controlled through rules.

  • access management

    Administering the logins and passwords of users across a range of apps and resources—typically contained inside a single organization. Largely superseded by federated identity management.

  • ActAs

    Fundamental to delegation, an authorization allowing a third party to act as if they were another user.

  • active client

    A claims-based application component that makes calls directly to the claims provider. Compare with passive client.

  • active federation

    A technique for accessing a claims provider that does not involve the redirection feature of the HTTP protocol. With active federation, both endpoints of a message exchange are claims-aware. Compare with passive federation.

  • Assertion

    A statement about a user, generally relating to authentication, that is trusted by default. Contrast with claims.

  • Authentication

    (from Greek authentikos, “real, genuine”) Validating an identity as true or false, generally used to verify that users are who they say they are. Most commonly achieved through a username/password combination, but the same principle applies to other forms of authentication like secret questions, secret links, biometric identification, etc. See factor.

  • Authorization

    Specifying which resources a user (with a given identity) should be allowed to access.

  • b
  • Back-end server

    A server where user information is processed that the user cannot access—where Auth0 authenticates users, for instance.

  • Blind credential

    A statement with the potential to authorize a user without identifying them—for example, confirming that you are 21 years of age on a site with protected materials.

  • Bootstrap token

    Code passed to a claims provider to request identity delegation.

  • c
  • Certificate authority

    An entity that issues X.509 certificates, or digitally-signed identity verification.

  • Claim

    A declaration about a subject that is supposed to be true and trusted depending on the identity provider. This declaration could be an attribute such as name, role, or permission.

  • Claims model

    An identity model that uses the vocabulary of claims within an application. The provider and requester need to agree on this nomenclature for the process to be successful.

  • claims processing

    When an application provides, requests, or transforms a claim.

  • claims provider

    The application that issues the original claim and security token.

  • claims requester

    The client that will be using the claims in the identity process.

  • claims transformer

    An application that takes a claim as input and translates it into an action, such as enforcing access control or providing another identity service.

  • claims type

    The claim's identifier—could be role, name, company, etc.

  • claims value

    The claim's value—could be admin, Martin, Auth0, etc.

  • claims-based application

    An application that is using a claims-based identity model and grants access based on claims.

  • claims-based identity

    The combined claims that go together to make up the full identity of the user. These components could be username, email address, full name, company, and role for a SaaS login application.

  • claims-based identity model

    A model of identity verification where the user’s identity is established externally through claims rather than being intrinsic to the application itself.

  • client

    An application that obtains information from a server for local use.

  • credentials

    Usernames, passwords, email addresses—any of a variety of means for communicating parties to generate or obtain security tokens.

  • credential provisioning

    How you set up user identities for an application. Variants include discretionary (where a network administrator decides), self-service (where users participate), and workflow-based (where a designated figure approves new provisions).

  • cryptography

    The science and practice of techniques for communication that stays secure and reliable in the presence of third parties. See encryption.

  • d
  • delegation

    Calling external APIs to authenticate and authorize users. Keeps apps and services from having to store passwords and user information on-site.

  • digital signature

    A cryptographic method for ascertaining whether or not a digital message or set of documents is genuine, has not been altered or tampered with in transit, and comes from a known sender.

  • domain

    A network where all resources and users are linked to a centralized database on which all authentication and authorization takes place.

  • domain controller

    A server that handles requests for authentication such as logging in or checking for certain permissions.

  • e
  • encryption

    Altering data so that it becomes meaningless unless decrypted with a secret key. For comprehensive security, data should be encrypted both in transit (with a scheme like TLS) and “at rest” (with a scheme like GPG or PGP), and supplemented with authentication: encryption alone does not protect you from data integrity attacks (http://security.stackexchange.com/questions/33569/why-do-you-need-message-authentication-in-addition-to-encryption).

  • enterprise directory

    A central repository of information about employees, information enabling access to resources, instructions for authentication and encryption, information on digital signatures, and more.

  • enterprise identity backbone

    The mechanism you choose for providing identity and access control inside an organization.

  • event

    A user interaction with your application that can be tracked. Common examples within Auth0 include signup and login.

  • f
  • factor

    In authentication, a vector through which identity can be confirmed. There are three basic categories—knowledge factors (a password, PIN, security answer), ownership factors (security token, ID card), and inherence factors (fingerprint, DNA, retinal scan).

  • federated identity management

    A system of shared protocols that allows user identities to be managed across organizations. See access management and single sign-on.

  • federation provider

    An identity provider that provides single sign-on, consistency in authorization practices, attribute exchange practices, and user management practices between identity providers (issuers) and relying parties (applications).

  • federation provider security token service (FP-STS)

    A service that behaves like a go-between connecting various federation partners/identity providers to relying parties (other web services or applications). Generates claims and security tokens on behalf of the client, assuming trust exists between it and the IP.

  • forest

    A collection of domains overseen by one central authority.

  • forward chaining logic

    A fundamental concept in inference engines, forward chaining logic controls how access control systems determine user permissions. Relies on the transitive rules between groups, roles, and users.

  • h
  • home realm discovery

    How passive clients figure out a user's issuer.

  • i
  • identification

    The process by which a user's information is received, collected, and taken up for authentication.

  • identity provider (IdP)

    A website, app, or service responsible for coordinating identities between users and clients. An IdP can provide a user with identifying information and serve that information to services when the user requests access, with a basic flow that works like this:

  • identity security token service (I-STS)

    See identity provider (IdP).

  • input claims

    The claims sent into an access control system.

  • issuer

    The entity that possesses the key used to sign off on security tokens.

  • k
  • Kerberos

    A ticket-based protocol for authentication built on symmetric-key cryptography.

  • Kerberos ticket

    The authentication token used in Kerberos systems.

  • key

    A piece of data, also known as a parameter, that controls the output of a cryptographic algorithm.

  • key distribution center (KDC)

    An encryption “clearinghouse” designed to operate in situations where permissions are fluid and changing. Reduces the risk of exchanging keys.

  • m
  • multifactor authentication

    An authentication process that takes into account multiple factors. Commonly used in reference to two-factor authentication, which most commonly appears in the form of an SMS code sent to supplement a user's username/password login.

  • multitenancy

    A term in software architecture referring to the serving of many users (tenants) from a single instance of an application. The most common form for SaaS products, which exist as a single instance but have dedicated shares served to many companies and teams.

  • o
  • OAuth

    An open standard for authorization. Development began in 2006 as employees from companies like Twitter and Google saw the need for a set of shared protocols dictating how web services should authorize other web apps to access their users' information. At its most simple, it works like this:

    1. User is prompted to authorize the client, or not, for a specific need (access to your Facebook friends list, say)
    2. Proof of that authorization is sent to an (external) authentication server
    3. Authentication server gives the client a token representing access to the user's friends list
  • OpenID

    An open standard for authentication. Allows third-party services to verify that users are who they say they are without clients needing to collect, store, and therefore become liable for a user's login information. At its most simple, it works like this:

    1. User selects OpenID option upon login
    2. Client sends external server (your Facebook, Google, Twitter, etc.) an authentication request
    3. External server verifies the identity of the user, sending proof to user if successful
    4. User sends proof of authentication to the client
    5. Client approves or denies access
  • on-premises computing

    In contrast to SaaS, a form of software distribution where the application and physical hardware are owned by the same organization.

  • output claims

    The claims produced by a claims transformer such as an access control system.

  • p
  • passive client

    A web browser that receives HTTP redirects to obtain claims, generates tokens to send to claims issuers, and relies on home realm discovery to figure out the right IdP to use.

  • passive federation

    A form of federation in Windows Identity Foundation that relies on HTTP redirects and login forms to authenticate users.

  • passwordless

    A form of authentication based on tokens, most commonly received and sent through SMS, email (magic links) or biometric sensors. Entirely based on inherence and ownership factors, making passwordless more secure than traditional username/password logins.

  • perimeter network

    Also known as a DMZ or demilitarized zone, a perimeter network is one that wraps around an organization's network and sets it off from a larger network (like the Internet).

  • permission

    Consent, held inside an object's properties, that allows certain actions to be performed upon it—read it, modify it, etc.

  • personalization

    Agreement between two or more service providers, users, or identity providers on a custom security policy.

  • policy

    The policy of a system determines the kind of authentication that should be required, how messages should be sent and protected, how tokens should be signed.

  • portal

    Dashboard or other interface users and administrators can use to update or edit data held on a backend server.

  • principal

    A coded object representing the subject or user.

  • private key

    The key that is kept secret in public key cryptography.

  • privilege

    Permission to perform an action. It is a property held by individual users and allows them to access non-public resources or services.

  • proof key

    A cryptographic key that generates a digital signature, used in conjunction with bearer tokens in WS-Trust and WS-Federation.

  • public key

    The key that is published in public key cryptography.

  • public key cryptography

    A system of encryption that uses one key known only to the responsible user and another key known to all.

  • public key infrastructure (PKI)

    The protocols concerning creation, management, distribution, use, storage, and revocation of public keys in public-key encryption.

  • r
  • realm

    A set of configured providers, users, groups, roles and other constraints that protect access to a set of resources.

  • relying party (RP)

    An application or service that uses or relies on the tokens sent by a Security Token Service (STS).

  • relying party security token service (RP-STS)

    An STS (Security Token Service) that relies on a SAML token sent by an IP-STS.

  • resource

    Any capability or data contained within a web service, software application, or server.

  • REST protocols

    Representational State Transfer protocols rely not on XML but on HTTP commands sent through URLs: GET, POST, PUT, DELETE. Allows for creation, retrieval, and updating of user information.

  • role

    An aspect of a user's identity that gives them certain permissions.

  • role-based access control (RBAC)

    A model for authorization based on users gaining certain permissions based on their roles.

  • rules

    Rules are JavaScript functions in Auth0 that help you track events as they occur inside your web app or service. You can use them to query user information for profile enrichment, create unique authorization logic, enable context-based multifactor authentication, and more. Because they're based on Auth0's servers and not client-side, their analytics are far more reliable than your standard tracking products.

  • s
  • Security Assertion Markup Language (SAML)

    An authentication and authorization standard commonly found in the enterprise, SAML differs from OpenID in that it does not dynamically discover and accept authentication from new identity providers. The IdPs that a service wants to trust must be specified and hard-coded into each login event. Typically used to give the users of a corporate network access to a specific third-party service, for instance so you don't have to sign in again when you click a link to Salesforce on your company's intranet.

  • scope

    A description of the access control rules for a given application.

  • security token service (STS)

    A service that works with the WS-Trust and WS-Federation protocols to build, sign and issue security tokens.

  • service provider

    Application that provides services to other entities.

  • session key

    A private encryption/decryption key that's generated randomly and used both to read and obscure data.

  • Single sign-on

    A subset of federated identity management, a means through which authentication and interoperability can be achieved in a federated system. See federated identity management and authentication.

  • SOAP

    Simple Object Access Protocol. Allows applications running on different operating systems to communicate using HTTP and XML.

  • social identity provider (social IdP)

    A term used to refer to identity providers originating in social services like Facebook, Google, Twitter, etc.

  • software as a service (SaaS)

    A model for software purchasing that relies on monthly subscriptions rather than the one-time purchase of a license. Software

  • subject

    A person. In some cases, business organizations or software components are considered to be subjects. Subjects are represented as principals in a software system. All claims implicitly speak of a particular subject.

  • t
  • token

    A piece of hardware or software used to authorize access to a service.

  • trust

    Assurance given from a user or a web service that claims made are truthful.

  • trusted issuer

    A trusted claims provider.

  • u
  • user credentials

    Information belonging to a user used for authentication. See factor.

  • w
  • web identity

    Identifying characters extracted from an HTTP request, often an authenticated email address.

  • Windows Communication Foundation (WCF)

    A framework inside the Windows operating system that allows the construction of service-oriented applications.

  • Windows identity

    How Active Directory organizes user information.

  • Windows Identity Foundation (WIF)

    A framework for building applications with in-built identification protocols, with support for federation, identity delegation and step-up authentication.

  • WS-Federation

    A federated standard or common infrastructure for identity, used both by web services and browsers on Windows Identity Foundation.

  • WS-Trust

    A system for generating trusted authentication claims through a Security Token Service (STS), part of Windows Identity Foundation.

  • x
  • X.509

    A standard format for digitally-signed identity certificates.