-
Notifications
You must be signed in to change notification settings - Fork 113
Glossary
There are many different definitions for terms in the Identity Management ecosystem; here are those terms and their definitions.
The goal of the glossary is to define common Identity terms so that all parties can communicate about Identity without confusion. Some terms are used differently in specific contexts or dialects; we will map where these terms are used incorrectly or interchangeably.
An "industry" glossary worth scanning: http://solutionsreview.com/identity-management/identity-management-glossary/
Authentication
Authorization
A privacy architecture that allows the IdP and RP to collaborate with each other without the need for reading or modifying any User data traveling through the network with the intent there is zero disclosure of PII.
A privacy architecture that includes the Double Blind Privacy model, with the addition of the Hub having zero disclosure to User’s PII.
SOURCE Privacy By Design | SecureKey
Credit Card Number
An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. SOURCE: SP 800-63
Evidence attesting to one’s right to credit or authority. SOURCE: FIPS 201
Evidence or testimonials that support a claim of identity or assertion of an attribute and usually are intended to be used more than once. SOURCE: CNSSI-4009 | Searchable Source
Credential Service Provider
A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. SOURCE: SP 800-63
A CSP is often also an IdP.
Documents that indicate that the holder is eligible for a service or benefit, such as health care.
A set of rules, defined by the IT resource owner, for managing access to a resource (asset, service, or entity) and for what purpose. A User's level of access is conditioned not only by your identity but is also likely to be constrained by a number of further security considerations.
SOURCE Entities and Entitlement
Hub is the idea of an identity "traffic controller" that interacts with requesters and requestees during an identity authentication workflow. It "manages communications between Users, RP and IdP. It makes sure that users can assert their identities securely and safely, and that relying parties can be confident that users are who they say they are."
On the basis of this assertion, the Hub can aid in making an access control decision - it can decide whether to perform some service for the connecting parties. Will be revised as we make progress
SOURCE: Wikipedia | UK Digital Services
Identity Access Management
A property of a Digital Subject that may have zero or more values. Generally known as an "attribute" (name, first name, shoe size, social security number, religion, marital status, etc.) in digital form (so it's attached to a Digital Subject). The attributes exist whether or not they have a value and whether or not they're part of a Claim.
The process by which a CSP and a RA collect and verify information about a person for the purpose of issuing credentials to that person.
Identity Provider
An Identity Provider, also known as Identity Assertion Provider, is responsible for (a) providing identifiers for users looking to interact with a system, and (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider.
An Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities.
The ability to distinguish a person from all others within the context of the total population of persons of interest.
Identity Verification
Level Of Assurance
Two Party Model - User and Service Provider
Three Party Model - User, Identity Provider and Service Provider
Four Party model - User, Identity Provider, Attribute Provider and Service Provider
SOURCE: NISTIR 7817
describes two-factor and higher levels of authentication. Anything which requires more than just a username and password is considered MFA. (eg. passphrase + OTP via phone, passphrase + browser fingerprint + phone OTP). Note, however, that MFA is meant to describe combining different types of authentication factors: possession, knowledge and inherence.
An identity record present in the database that is missing one or more of the attributes included in an analysis that causes a search error and renders that record invalid for the purpose of the analysis.
Token valid for one use. See https://en.wikipedia.org/wiki/One-time_password
Personally Identifiable Information
Relying Party
An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system.
SOURCE: CNSSI-4009 | Searchable Source
An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. SOURCE: SP 800-63
Registration Authority
A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).
Service Provider
Single LogOut
An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. SOURCE: SP 800-63
An entity which is or represents the entity requiring an authenticated identity. A verifier includes the functions necessary for engaging in authentication exchanges. SOURCE: FIPS 196