Glossary of Terms

Welcome to the IAMSECT glossary. This is designed to help people understand the terminology associated with Shibboleth, related technologies and the IAMSECT project.

You may also find the following glossaries useful: Athens, InCommon, MATU.


A

Active Directory

Microsoft's directory service product for storing user identity information, attributes and access policy. Active Directory is built into the Windows Server 2003 and Windows 2000 Server operating systems.

Assertion

When an Identity Provider authenticates a user and directs them back to the referring Service Provider, it includes as part of the message an assertion to prove that the user authenticated.

See also Identity Provider, Service Provider.

Assisted takeup

A JISC project to support the work of the JISC core middleware programme. The original invitation to tender is available at http://www.jisc.ac.uk/index.cfm?name=funding_middlewareservice. The contract was won by Eduserv, who now run the MATU service.

See also JISC, Eduserv, Early adopters, MATU.

Athens

The Athens service was developed by Eduserv to provide single sign-on access to a collection of online information services. See http://www.athensams.net/.

See also Single Sign-On.

Attribute

Attribute, in the context of Shibboleth, is the term used to describe a piece of information about a user. Attributes are exchanged between the Service and Identity providers based on pre-agreed attribute release policies.

In order to standardise interaction between institutions, a number of attribute schemas are being developed or considered for the UK. An example of an existing schema is the eduPerson schema.

See also eduPerson, Identity Provider, Service Provider.

Attribute Release Policy

An Attribute Release Policy (ARP) is defined by an Identity Provider (IdP) and dictates what information the IdP will release to Service Providers.

The ARP can define general release policies (the following will be released to any service provider) and specific ones (the following will be released to service provider X).

See also Attribute, Identity Provider, Service Provider.

Authentication

Authentication in this context is the process of determining a user's identity, usually by verifying a supplied username and password combination.

Single Sign-On systems provide a means by which authentication information can be shared between services, so that a user does not have to authenticate multiple times.

See also Authorisation, Single Sign-On.

Authorisation

Authorisation in this context is the process of determining a user's right to access a resource.

Authorisation almost always relies on the user having been authenticated.

See also Authentication.

B

Blackboard

The Blackboard learning system is a Virtual Learning Environment (VLE) providing content-management and student/teacher interaction.

The IAMSECT project has plans to set up a Blackboard service as a Shibboleth Service Provider.

See also Virtual Learning Environment.

C

CAS

CAS is an acronym for Central Authentication System, a WebISO developed at Yale University.

See also Eduserv, webISO, Yale Central Authentication System.

Certificate

The digital equivalent of an ID card. A certificate specifies the name of an individual, company, or other entity and certifies that a public key, which is included in the certificate, belongs to that entity. A web browser can use the certificate to authenticate the user to a web service they are trying to access. Certificates are also called digital ID, digital passport, public-key certificate, X.509 certificate, and security certificate.

See also Certificate Authority, Public Key Cryptography.

Certificate Authority

A Certificate Authority (CA) issues, revokes, manages and digitally signs certificates (e.g. GlobalSign).

See also Certificate, Public Key Cryptography.

Certificate Signing Request

A Certificate Signing Request (CSR) is an SSL public key plus metadata, which is submitted to a Certificate Authority (CA) for signing.

The CA verifies by various means that the owner of the public key is who they say they are, signs the key and returns the result to the owner.

The resulting certificate can be used as part of secure data transmissions.

See also Certificate, Certificate Authority.

CSR

CSR is an acronym for Certificate Signing Request.

See also Certificate Signing Request.

E

Early adopters

A JISC project for early adopters of Shibboleth Technology. The original JISC circular is available at http://www.jisc.ac.uk/index.cfm?name=funding_circular11_04.

Please note that IAMSECT is not an early-adopters project.

See also JISC, Assisted takeup, MATU.

EDINA

EDINA is an Edinburgh-based, JISC-funded national data centre.

See http://edina.ac.uk/about/.

See also SDSS.

Educause

Educause is a non-profit association based in the United States, working towards enhancing IT use in education.

Educause works with Internet2 to produce the eduPerson schema.

See http://www.educause.edu/.

See also eduPerson, Internet2.

eduPerson

eduPerson is an attribute specification (or schema, or LDAP object class) authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force, developed to standardise the description of common education attributes between US institutions.

The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.

See also Attribute.

Eduserv

Eduserv is a non-profit IT organisation, most famously responsible for the Athens service. More recently, Eduserv have become the operators of the Middleware Assisted Take-Up service (MATU). You can find out more at http://www.eduserv.org.uk/.

See also Athens, MATU.

F

Federation

A Federation is an organisation composed of institutions which agree on a common set of principles in order to share information.

Federations form the core of the Federated trust principle which Shibboleth is designed to use.

See also SDSS, Shibboleth.

H

Home Domain Discovery

Home Domain Discovery (HDD) is an Athens SSO mode of operation where the user accesses a service provider first and it is up to the Athens infrastructure to ascertain where the user comes from. This is an alternative to Local Authentication Assertion (LLA).

This mode of operation is analogous to the Shibboleth WAYF approach.

See also Single Sign-On, Local Authentication Assertion, Athens, WAYF.

I

I.P.

Acronym for Identity Provider.

See also Identity Provider.

I2MI

The Internet2 Middleware Initiative (I2MI) was set up in 1999 and spawned the Shibboleth Project.

See also Internet2, Middleware, Shibboleth.

IAMSECT

IAMSECT stands for 'Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching'.

IAMSECT is a JISC core middleware project to develop, test and disseminate practical approaches towards the adoption of Shibboleth technology within the UK.

We have a particular focus on the issues of Authorisation (vs. Authentication) especially within the realm of clinical teaching, a field which provides a rich variety of privacy issues to consider.

See also JISC, Shibboleth.

Identity Provider

An identity provider is a service which asserts the identity of a user who is local to the institution running the provider.

See also Origin.

IdP

Acronym for Identity Provider.

See also Identity Provider.

InCommon

InCommon is a production federation operated on behalf of US educational institutions. Membership is by (paid) subscription and is open only to US institutions.

See http://www.incommonfederation.org/.

See also Federation.

InQueue

InQueue is a test federation operated by Internet2. InQueue is designed to allow institutions to add test services and identity providers to an existing federation to aid in testing. See http://inqueue.internet2.edu/.

See also Federation, Internet2.

Internet2

Internet2 is a U.S. consortium of Universities which develops technologies to support education, such as Shibboleth.

See also Shibboleth.

J

JISC

The Joint Information Systems Committee (JISC) is a support organisation for further and higher education institutions. It provides guidance and funding. The JISC core middleware initiative provides funding for the IAMSECT project.

JSTOR

A not-for-profit academic journal archive. See http://www.jstor.org/.

L

Local Authentication Assertion

Local Authentication Assertion (LLA) is an Athens SSO mode of operation where a user visits their home institution explicitly prior to accessing a service provider. This is typically used with an institutional portal, and is the alternative to Home Domain Discovery.

See also Athens, Home Domain Discovery, Single Sign-On.

M

MATU

MATU is the Middleware Assisted Take-Up service. This service is provided by Eduserv on behalf of JISC to aid Early Adopter projects. You can learn more about it at http://www.matu.ac.uk/.

See also Eduserv, Early adopters, Assisted takeup, JISC.

Middleware

Software that bridges the operation of two or more programs. JISC define Middleware as "the process of helping institutions to connect people to resources".

The term 'Core Middleware' refers to software services that provide authentication, authorisation, directory services and user identifiers. See http://www.jisc.ac.uk/index.cfm?name=middleware_team.

O

OASIS

The Organization for the Advancement of Structured Information Standards (OASIS) is a standards body involved in the creation of international standards for electronic business. OASIS particularly focuses on standards for Web Services and security. See http://www.oasis-open.org/who/.

OASIS are responsible for the SAML standard.

See also SAML.

Open Source

"Open Source" is a term originally used to describe software where the source code to the program is as readily available as the program itself.

The generally accepted definition of Open Source is the Open Source Definition (OSD), originally derived from the Debian Free Software Guidelines and now maintained by the Open Source Initiative (OSI).

The OSD is available from http://www.opensource.org/docs/definition.php.

See also Open Source Initiative.

Open Source Initiative

The Open Source Initiative is a non-profit organisation which maintains the open source definition and certifies suitable licences as Open Source. The OSI's website is http://www.opensource.org/.

See also Open Source.

Origin

Origin is an alternative name for a Shibboleth Identity Provider.

See also Identity Provider.

P

Pubcookie

Pubcookie is an open-source single sign-on technology based on the WebISO standard. It allows institutions to leverage existing password stores, e.g. Microsoft's Active Directory, to provide web-based single sign-on (SSO).

See also Active Directory.

Public Key Cryptography

Public Key Cryptography is a system involving a pair of keys, one public and one private. Each key can be used to encrypt information, which can only be decrypted with the other key.

In order to send an encrypted transmission to someone, you use their public key. Only their private key can be used to decrypt the message.

In order to prove a message's authenticity, you encrypt it with your private key. Anyone can decrypt the message using your public key, but the use of your public key proves it was your private key which encrypted the message in the first place.

In comparison to symmetric-key cryptography, public key cryptography is computationally intensive. However, it overcomes the obstacle of having to share a single secret key between the parties beforehand.

See also Certificate, Certificate Authority.

S

S.P.

Acronym for Service Provider.

See also Service Provider.

SAML

A security standard, created by OASIS, which is used to create a federation. SAML is defined by OASIS as a "Security Assertion Markup Language, an XML-based security specification for exchanging authentication and authorization information".

See also OASIS.

SDSS

Shibboleth Development and Support Services (SDSS) is a project funded by JISC under the core-middleware strand, hosted at EDINA.

SDSS are operating a development federation for managing access to UK online resources.

See http://www.sdss.ac.uk/.

See also Federation, EDINA, JISC.

Service Provider

A service provider is a web-based service which is protected by Shibboleth.

See also Target.

Shibboleth

Shibboleth is a combination of software and a federated trust model to support the sharing of resources between institutions such as Universities.

Shibboleth was originally developed by the Internet2 group and is being tested and explored by a number of JISC projects (such as IAMSECT) to assess its suitability within the UK.

The Shibboleth software, as of version 1.3, is licensed under the Apache Licence 2.0, an Open Source licence.

See also Internet2, Open Source.

Shibbolize

Shibbolize, verb. 'to Shibbolize': Adjust a Service so that access via Shibboleth is possible.

See also Service Provider, Shibboleth.

SHIRE

The SHIRE is a component of the Shibboleth Target software. It is responsible for managing authentication.

See also Shibboleth, Target.

Single Sign-On

Single Sign-On (SSO) is a term used to describe technology which allows a user to access multiple resources, whilst only having to authenticate once.

An example of a Single Sign-On technology is Pubcookie.

See also Pubcookie.

SSO

SSO stands for 'Single Sign On'.

See also Single Sign-On.

Symmetric Key Cryptography

Symmetric Key Cryptography allows two (or more) parties to share encrypted information. A single key is used to both encrypt and decrypt the information. Symmetric key cryptography, in comparison to public key cryptography, is computationally fast. However each party involved in the transaction must somehow obtain the key beforehand.

T

Target

A Shibboleth Target is a Service, access to which is controlled by Shibboleth. Target is the name used in technical documents - Service Provider is the equivalent term for managerial documents.

See also Service Provider, Shibboleth.

V

Virtual Learning Environment

A Virtual Learning Environment (VLE) is a support system to assist teaching and learning. Typical features of VLEs include tools to support the delivery of learning materials, assessment of students and joining students and tutors together. VLEs are typically web-based applications.

Two examples of VLEs are Blackboard, and a bespoke system developed in-house at the University of Newcastle, powered by Zope.

See also Blackboard, Zope.

Virtual Organisation

A Virtual Organisation is one that is composed from people and resources belonging to a variety of different institutions, with no requirement for them to be geographically near to one another.

VLE

VLE is an acronym for Virtual Learning Environment.

See also Virtual Learning Environment.

VO

VO is an acronym for Virtual Organisation.

See also Virtual Organisation.

W

WAYF

A 'Where Are You From' service. This service allows a user to select their home institution's Identity Provider and redirects them there to be authenticated. It can be compared to the Athens SSO 'Home Domain Discovery' mode of operation.

A Service Provider can define the WAYF to direct un-authenticated users to.

A WAYF is typically run on behalf of a federation.

See also Identity Provider, Home Domain Discovery, Federation, Service Provider.

webISO

webISO or "Web Initial Sign-on" is a term coined by the middleware community in the United States to describe the variety of projects designed to allow single sign-on for web applications.

See also Single Sign-On.

Y

Yale Central Authentication System

The Yale Central Authentication System (CAS) is a webISO technology developed at Yale University, analogous to Pubcookie. Find out more at http://tp.its.yale.edu/.

See also webISO, Pubcookie.

Z

Zope

Zope is an "application server" or framework for building CMS, portal and VLE systems. Zope is provided under the Zope Public Licence, which is OSI certified as open source.

The University of Newcastle have used Zope to develop a bespoke Virtual Learning Environment. One of the goals of the IAMSECT project is to provide access to this via Shibboleth.

See also Shibboleth, Virtual Learning Environment.

These works are licensed under a Creative Commons License.