We've put together a glossary of terms for newcomers and seasoned developers alike to put any remaining confusion to rest.
access control rule
Settings that define the specific resources that a user is authorized to access or change. In Auth0, controlled through rules.
Administering the logins and passwords of users across a range of apps and resources—typically contained inside a single organization. Largely superseded by federated identity management.
Fundamental to delegation, an authorization allowing a third party to act as if they were another user.
A claims-based application component that makes calls directly to the claims provider. Compare with passive client.
A technique for accessing a claims provider that does not involve the redirection feature of the HTTP protocol. With active federation, both endpoints of a message exchange are claims-aware. Compare with passive federation.
A statement about a user, generally relating to authentication, that is trusted by default. Contrast with claims.
(from Greek authentikos, “real, genuine”) Validating an identity as true or false—generally used to verify that a user is who they say they are. Most commonly achieved through a username/password combination, but the same principle applies to other forms of authentication like secret questions, secret links, biometric identification, etc. See factor.
Specifying which resources a user (with a given identity) should be allowed to access.
A server where user information is processed that the user cannot access—where Auth0 authenticates users, for instance.
A statement with the potential to authorize a user without identifying them—for example, confirming that you are 21 years of age on a site with protected materials.
Code passed to a claims provider to request identity delegation.
An entity that issues X.509 certificates, or digitally-signed identity verification.
A declaration about a subject that is supposed to be true and trusted depending on the identity provider. This declaration could be an attribute such as name, role, or permission.
An identity model that uses the vocabulary of claims within an application. The provider and requester need to agree on this nomenclature for the process to be successful.
When an application provides, requests, or transforms a claim.
The application that issues the original claim and security token.
The client that will be using the claims in the identity process.
An application that takes a claim as input and translates it into an action, such as implementing access control or another identity service.
The claim's identifier—could be role, name, company, etc.
The claim's value—could be admin, Martin, Auth0, etc.
An application that is using a claims-based identity model and grants access based on claims.
The combined claims that go together to make up the full identity of the user. These components could be username, email address, full name, company, and role for a SaaS login application.
claims-based identity model
A model of identity verification where the user’s identity is established externally through claims rather than intrinsic to the application itself.
An application that obtains information from a server for local use.
Usernames, passwords, email addresses—any of a variety of means for communicating parties to generate or obtain security tokens.
How you set up user identities for an application. Variants include discretionary (where a network administrator decides), self-service (where users participate), and workflow-based (where a designated figure approves new provisions).
The science and practice of techniques for secure communication in the presence of third parties. Encryption is one of its applications.
Calling external APIs to authenticate and authorize users. Keeps apps and services from having to store passwords and user information on-site.
A cryptographic method for ascertaining whether or not a digital message or set of documents is genuine, has not been altered or tampered with in transit, and comes from a known sender.
A network where all resources and users are linked to a centralized database on which all authentication and authorization takes place.
A server that handles requests for authentication such as logging in or checking for certain permissions.
Altering data so that it becomes meaningless unless decrypted with a secret key. For comprehensive security, data should be encrypted both in transit (with a scheme like TLS) and “at rest” (with a scheme like GPG or PGP), and supplemented with authentication, since encryption alone does not protect you from data integrity attacks (http://security.stackexchange.com/questions/33569/why-do-you-need-message-authentication-in-addition-to-encryption).
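As an added illustration of the last point (this is not code from the Auth0 glossary), the Python below encrypts a constructed message with a toy XOR stream cipher: a single flipped ciphertext bit decrypts without any error to different data, while an HMAC over the ciphertext (encrypt-then-MAC) rejects it. The keystream construction is for illustration only.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream for illustration only: SHA-256(key || nonce || counter) blocks.
    # A real system would use a vetted AEAD cipher such as AES-GCM or ChaCha20-Poly1305.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; encryption and decryption are the same operation.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC: authenticate the nonce and ciphertext with HMAC-SHA256.
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def open_message(enc_key, mac_key, nonce, ciphertext, mac):
    # Verify the MAC in constant time before decrypting; None means "reject".
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), mac):
        return None
    return xor_crypt(enc_key, nonce, ciphertext)

def corrupt(ciphertext: bytes, index: int) -> bytes:
    # Simulate in-transit modification by flipping one bit of the ciphertext.
    out = bytearray(ciphertext)
    out[index] ^= 0x01
    return bytes(out)

def demo() -> dict:
    enc_key, mac_key, nonce = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(12)
    msg = b"transfer amount=10"  # constructed sample message
    ct = xor_crypt(enc_key, nonce, msg)
    mac = tag(mac_key, nonce, ct)
    bad_ct = corrupt(ct, len(ct) - 1)  # touches the last plaintext byte ('0' becomes '1')
    return {
        "plain_ok": xor_crypt(enc_key, nonce, ct) == msg,
        "tampered_decrypts_silently": xor_crypt(enc_key, nonce, bad_ct) != msg,  # no error raised
        "mac_accepts_original": open_message(enc_key, mac_key, nonce, ct, mac) == msg,
        "mac_rejects_tampered": open_message(enc_key, mac_key, nonce, bad_ct, mac) is None,
    }

if __name__ == "__main__":
    print(demo())
```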
A central repository of information about employees, information enabling access to resources, instructions for authentication and encryption, information on digital signatures, and more.
enterprise identity backbone
The mechanism you choose for providing identity and access control inside an organization.
A user interaction with your application that can be tracked. Common examples within Auth0 include signup and login.
In authentication, a vector through which identity can be confirmed. There are three basic categories—knowledge factors (a password, PIN, security answer), ownership factors (security token, ID card), and inherence factors (fingerprint, DNA, retinal scan).
federated identity management
An identity provider that provides single sign on, consistency in authorization practices, attributes exchange practices, and user management practices between identity providers (issuers) and relying parties (applications).
federation provider security token service (FP-STS)
A service that behaves as a go-between connecting various federation partners/identity providers to relying parties (other web services or applications). Generates claims and security tokens on behalf of the client, assuming trust exists between it and the IP.
A collection of domains overseen by one central authority.
forward chaining logic
A fundamental concept in inference engines, forward chaining logic controls how access control systems determine user permissions. Relies on the transitive rules between groups, roles, and users.
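An added example, not from the original glossary, of forward chaining over constructed access-control facts: the rules are re-applied until no new fact appears, so a user's permissions follow group nesting and role inheritance transitively. All user, group, role and permission names are made up for the demo.

```python
from typing import Set, Tuple

Fact = Tuple[str, str, str]  # (relation, subject, object)

# Constructed facts: user -> group, group -> parent group, group -> role,
# role -> parent role, role -> permission.
FACTS: Set[Fact] = {
    ("member_of", "alice", "eng-backend"),
    ("member_of", "bob", "support"),
    ("subgroup_of", "eng-backend", "engineering"),
    ("has_role", "engineering", "developer"),
    ("has_role", "support", "viewer"),
    ("inherits", "developer", "viewer"),
    ("grants", "developer", "deploy:staging"),
    ("grants", "viewer", "read:tickets"),
}

def forward_chain(facts: Set[Fact]) -> Set[Fact]:
    """Apply the rules until fixpoint; each rule joins two triples on a shared middle term."""
    derived = set(facts)
    while True:
        new = set()
        for (r1, a, b) in derived:
            for (r2, c, d) in derived:
                if b != c:
                    continue
                # user in group, group inside parent -> user in parent
                if r1 == "member_of" and r2 == "subgroup_of":
                    new.add(("member_of", a, d))
                # group nesting is transitive
                elif r1 == "subgroup_of" and r2 == "subgroup_of":
                    new.add(("subgroup_of", a, d))
                # user in group, group has role -> user holds role
                elif r1 == "member_of" and r2 == "has_role":
                    new.add(("holds", a, d))
                # user holds role, role inherits parent role -> user holds parent role
                elif r1 == "holds" and r2 == "inherits":
                    new.add(("holds", a, d))
                # user holds role, role grants permission -> user allowed
                elif r1 == "holds" and r2 == "grants":
                    new.add(("allowed", a, d))
        if new <= derived:
            return derived
        derived |= new

def permissions_for(user: str, facts: Set[Fact] = FACTS) -> Set[str]:
    """Permissions a user ends up with after the closure is computed."""
    return {obj for (rel, subj, obj) in forward_chain(facts) if rel == "allowed" and subj == user}
```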
home realm discovery
How passive clients figure out a user's issuer.
The process by which a user's information is received, collected, and taken up for authentication.
identity provider (IdP)
A website, app, or service responsible for coordinating identities between users and clients. An IdP can provide a user with identifying information and serve that information to services when the user requests access, with a basic flow that works like this:
identity security token service (I-STS)
See identity provider (IdP).
The claims sent into an access control system.
The entity that possesses the key used to sign off on security tokens.
A ticket-based protocol for authentication built on symmetric-key cryptography.
The authentication token used in Kerberos systems.
A piece of data, also known as a parameter, that controls the output of a cryptographic algorithm.
key distribution center (KDC)
An encryption “clearinghouse” designed to operate in situations where permissions are fluid and changing. Reduces the risk of exchanging keys.
An authentication process that takes into account multiple factors. Commonly used in reference to two-factor authentication, which most often appears as an SMS code sent to supplement a user's username/password login.
A term in software architecture referring to the serving of many users (tenants) from a single instance of an application. The most common form for SaaS products, which exist as a single instance but have dedicated shares served to many companies and teams.
An open standard for authorization. Development began in 2006 as employees from companies like Twitter and Google saw the need for a set of shared protocols dictating how web services should authorize other web apps to access to their users' information. At its most simple, it works like this:
- User is prompted to authorize the client, or not, for a specific need (access to your Facebook friends list, say)
- Proof of that authorization is sent to an (external) authentication server
- Authentication server gives the client a token representing access to the user's friends list
An open standard for authentication. Allows third-party services to verify that users are who they say they are without clients needing to collect, store, and therefore become liable for a user's login information. At its most simple, it works like this:
- User selects OpenID option upon login
- Client sends an authentication request to an external server (Facebook, Google, Twitter, etc.)
- External server verifies the identity of the user, sending proof to user if successful
- User sends proof of authentication to the client
- Client approves or denies access
In contrast to SaaS, a form of software distribution where the application and physical hardware are owned by the same organization.
The claims produced by a claims transformer such as an output control system.
A web browser that receives HTTP redirects to obtain claims, generates tokens to send to claims issuers, and relies on home realm discovery to figure out the right IdP to use.
A form of federation in Windows Identity Foundation that relies on HTTP redirects and login forms to authenticate users.
A form of authentication based on tokens, most commonly received and sent through SMS, email (magic links) or biometric sensors. Entirely based on inherence and ownership factors, making passwordless more secure than traditional username/password logins.
Also known as a DMZ or demilitarized zone, a perimeter network is one that wraps around an organization's network and sets it off from a larger network (like the Internet).
Consent, held inside an object's properties, that allows certain actions to be performed upon it—read it, modify it, etc.
Agreement between two or more service providers, users, or identity providers on a custom security policy.
The policy of a system determines the kind of authentication that should be required, how messages should be sent and protected, and how tokens should be signed.
Dashboard or other interface users and administrators can use to update or edit data held on a backend server.
A coded object representing the subject or user.
The key that is kept secret in public key cryptography.
Permission to perform an action. It is a property held by individual users and allows them to access non-public resources or services.
A cryptographic key that generates a digital signature, used in conjunction with bearer tokens in WS-Trust and WS-Federation.
The key that is published in public key cryptography.
public key cryptography
A system of encryption that uses one key known only to the responsible user and another key known to all.
public key infrastructure (PKI)
The protocols concerning creation, management, distribution, use, storage, and revocation of public keys in public-key encryption.
A set of configured providers, users, groups, roles and other constraints that protect access to a set of resources.
relying party (RP)
An application or service that uses or relies on the tokens sent by a Security Token Service (STS).
relying party security token service (RP-STS)
An STS (Security Token Service) that relies on a SAML token sent by an IP-STS.
Any capability or data contained within a web service, software application, or server.
Representational State Transfer (REST) protocols rely not on XML but on HTTP commands sent through URLs: GET, POST, PUT, DELETE. They allow for the creation, retrieval, and updating of user information.
An aspect of a user's identity that gives them certain permissions.
role-based access control (RBAC)
Security Assertion Markup Language (SAML)
An authentication and authorization standard commonly found in the enterprise. SAML differs from OpenID in that it does not dynamically discover and accept authentication from new identity providers: the IdPs that a service wants to trust must be specified and hard-coded in advance. Typically used to give the users of a corporate network access to a specific third-party service—for instance, so you don't have to sign in again when you click a link to Salesforce on your company's intranet.
A description of the access control rules for a given application.
security token service (STS)
A service that works with the WS-Trust and WS-Federation protocols to build, sign and issue security tokens.
Application that provides services to other entities.
A private key that is generated randomly and used both to encrypt and to decrypt data.
Simple Object Access Protocol. Allows applications running on different operating systems to communicate using HTTP and XML.
social identity provider (social IdP)
A term used to refer to identity providers originating in social services like Facebook, Google, Twitter, etc.
software as a service (SaaS)
A model for software purchasing that relies on monthly subscriptions rather than the one-time purchase of a license. Software
A person. In some cases, business organizations or software components are considered to be subjects. Subjects are represented as principals in a software system. All claims implicitly speak of a particular subject.
A piece of hardware or software used to authorize access to a service.
Assurance given from a user or a web service that claims made are truthful.
A trusted claims provider.
Information belonging to a user used for authentication. See factor.
Identifying characters extracted from an HTTP request, often an authenticated email address.
Windows Communication Foundation (WCF)
A framework inside the Windows operating system that allows the construction of service-oriented applications.
How Active Directory organizes user information.
Windows Identity Foundation (WIF)
A framework for building applications with in-built identification protocols, with support for federation, identity delegation and step-up authentication.
A federated standard or common infrastructure for identity, used both by web services and browsers on Windows Identity Foundation.
A system for generating trusted authentication claims through a Security Token Service (STS), part of Windows Identity Foundation.
A standard format for digitally-signed identity certificates.