token translators



An aggregate term for both token processors and token generators.

password credential validator (PCV)

Configures a centralized location for user credential validation. The validator instances can then be referenced by PingFederate.

password credential validator (PCV)



A web-based application, accessed using a web browser, that often aggregates content from multiple providers, serves as a central point of entry, or both.


An HTTP method used to request that the service or server accept the entity enclosed in the request as an addition to the resource identified in the URI.

primary domain controller (PDC)

On Microsoft Windows networks, the initial domain controller that maintains the master copy of the directory database and validates users.

primary domain controller (PDC)


private key

In public key cryptography, a private key is the secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data. The private key is kept secret by its owner, similar to a password.

protected resource

Information, typically accessed through a web URL, that is protected by an access management system.


The rules, syntax, semantics, and synchronization of transactions between entities.


A persistent name identifier assigned to a user and shared among entities, usually with the user's permission, to enable single sign-on (SSO) and single logout (SLO). Pseudonyms are often used with the SAML account linking protocol to enable SSO while preventing the discovery of the user's identity or activities.

public key

In public key cryptography, a public key is the part of an asymmetric key pair that the owner shares with others to allow them to decrypt digital signatures or encrypted data.

public key infrastructure (PKI)

Enables users of an unsecured public network to securely and privately exchange data through the use of key pairs and certificates. The PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

public key infrastructure (PKI)


Remote Authentication Dial-In User Service (RADIUS)

A client/server networking protocol providing centralized user management.

Remote Authentication Dial-In User Service (RADIUS)


refresh token

A long-lived token used by OAuth clients to obtain a new access token without having to obtain fresh authorization from the resource owner.

relying party (RP)

An OAuth 2.0 client that requires end-user's authenticity and claims (attributes) from an OpenID provider.

relying party (RP)


<RequestSecurityToken> (RST)

WS-Trust or WS-Federation XML element identifying a request for validation of a security token, or for validation and then issuance of a replacement security token.

<RequestSecurityToken> (RST)


<RequestSecurityTokenResponse> (RSTR)

WS-Trust or WS-Federation XML element identifying a response to an RST and containing either the status of the submitted security token or both the status and (if requested and the received token is valid) a newly issued token for further SSO or web-services processing.

<RequestSecurityTokenResponse> (RSTR)



An application programming interface (API) that conforms to the design principles of the representational state transfer (REST) architectural style.

resource server

In OAuth 2.0, a server that hosts protected resources and can accept and respond to resource requests from clients presenting a valid access token.

SAML authority

A security domain that issues SAML assertions.

SAML profiles

Rules that describe how to embed SAML assertions into and extract them out of other protocols in order to enable SSO or SLO. Profiles describe SAML request and response flows that fulfill specific use cases.

SAML redirect

A SAML binding that conveys a request or response by sending the user's browser to another location. For instance, an authentication request can be sent from an SP through a browser to an IdP.


In OAuth, a parameter on an access request and resulting, issued access token that specifies a limitation or limitations on access to the protected resource or resources.


(software development kit) A set of tools that allows a developer to build a custom application that integrates with or connects to a platform or service.



(Secure Shell) Protocol for secure operation of network services over an unsecured network.



(Secure Sockets Layer) A protocol for authenticated and encrypted links between networked machines, typically over HTTPS. SSL was deprecated in 1999 in favor of Transport Layer Security (TLS).



(Security Assertion Markup Language) A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains.


security domain

An application or group of applications that trust a common security token used for authentication, authorization, or session management. The token is issued to a user after the user has authenticated to the security domain.

security token

A collection of information used to establish acceptable identity for security purposes. Tokens can be in binary or XML format. A SAML assertion is one kind of security token.

Security Token Service (STS)

An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services.

Security Token Service (STS)


service-oriented architecture

A loosely coupled application architecture in which all functions or services are accessible using standard protocols. Interfaces are platform and programming-language independent.

service provider (SP)

In SAML, an entity that receives and accepts an authentication assertion issued by an identity provider (IdP), typically for the purpose of allowing access to a protected resource.

service provider (SP)


session persistence

A mechanism for identifying a user or browser for subsequent requests to a server, needed because the HTTP protocol is stateless. This information is used to look up state information for the user. (For example, items in a shopping cart.)

A client session is persisted by directing the client to the same backend server or host for the duration of the session.


(Simple Object Access Protocol) A program and platform-independent messaging protocol for the exchange of structured (XML) information, generally over HTTP. Most often used to invoke web services and process responses.


single logout (SLO)

The process of signing a user out of multiple sites where the user has started a single sign-on (SSO) session.

single logout (SLO)


single logout return service

The SAML implementation endpoint URL that returns logout requests.

single logout service

The SAML implementation endpoint URL that receives logout requests for processing

single sign-on (SSO)

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without re-authenticating.

single sign-on (SSO)


single sign-on service

A service that implements SSO. In SAML, this is an endpoint that receives and processes authentication requests.

source ID

A 20-byte sequence used to determine an identity provider's (IdP) identity.

SP-initiated SLO

In SAML, an identity-federation transaction in which the initial action for single logout (SLO) occurs at a the service provider (SP) site.

SP-initiated SSO

In SAML, an identity-federation transaction in which the initial action for single sign-on (SSO) occurs at a the service provider (SP) site.


(SAML) A person, computer system, or application. In the SAML context, assertions make statements about subjects.

System for Cross-domain Identity Management (SCIM)

An application-level, HTTP-based protocol for provisioning and managing user identity information. SCIM supplies a common schema for representing users and groups and provides a REST API.

System for Cross-domain Identity Management (SCIM)


target URL

In SAML, the destination on a service provider (SP) to receive single sign-on (SSO) events.

time-based one-time passcode (TOTP)

A temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Typically, an app or hardware token generates a six-digit passcode that is valid for less than 1 minute.

time-based one-time passcode (TOTP)


transient name identifier

A temporary ID used to preserve user anonymity while facilitating account linking.

token authorization

A mechanism for evaluating attribute criteria available during a transaction to determine whether a user is authorized to access resources. A token in this instance can mean any type of security token, such as single sign-on (SSO), session cookie, or OAuth token.

token exchange

The process by which a security token is exchanged for another security token.

Policy Enforcement Point (PEP)

Entity that intercepts a request for a resource and then enforces policy decisions from a Policy Decision Point (PDP).

Policy Enforcement Point (PEP)



Set of rules that define who is granted access to a protected resource when, how, and under what conditions.

Policy Administration Point (PAP)

Entity that manages and stores policy definitions.

Policy Administration Point (PAP)


policy agent

Java, web, or custom agent that intercepts requests for resources directs principals to Identity Cloud for authentication and enforces policy decisions from Identity Cloud.

Policy Decision Point (PDP)

Entity that evaluates access rights and then issues authorization decisions.

Policy Decision Point (PDP)


Policy Information Point (PIP)

Entity that provides extra information, such as user profile attributes that a Policy Decision Point (PDP) needs in order to make a decision.

Policy Information Point (PIP)



Represents an entity that has been authenticated (such as a user, a device, or an application), and thus is distinguished from other entities. When a Subject successfully authenticates, Identity Cloud associates the Subject with the Principal.


In the context of delegated administration, a set of administrative tasks that can be performed by specified identities in a given realm.

provider federation

Agreement among providers to participate in a circle of trust.

role-based access control (RBAC)

ole-based access control (RBAC)



Identity Cloud unit for organizing configuration and identity information. Administrators can delegate realm administration. The administrator assigns administrative privileges to users, allowing them to perform administrative tasks within the realm.


A process run after the as-is predictions that assigns confidence scores to all entitlements and recommends entitlements that users do not currently have. If the confidence score meets a threshold set by the conf_thresh property in the configuration file, the entitlement will be recommended to the user in the UI console.


An external system, database, directory server, or other source of identity data to be managed and audited by an identity management system.

resource owner

In OAuth 2.0, a resource owner is an entity that can authorize access to protected web resources, such as an end user.

response attributes

Defined as part of policies, Identity Cloud returns additional information as "attributes" with the response to a policy decision.


(Representational state transfer) A software architecture style for exposing resources using the technologies and protocols of the World Wide Web. REST describes how distributed data objects or resources can be defined and addressed.

server-side OAuth 2.0 tokens

server-side sessions

Sessions that reside in the Core Token Service’s token store. Server-side sessions might also be cached in memory. Identity Cloud tracks these sessions in order to handle events like logout and timeout, permit session constraints, and notify applications involved in single sign-on (SSO) when a session ends.


The interval that starts after the user has authenticated and ends when the user signs off or when their session is terminated. For browser-based clients, Identity Cloud manages user sessions across one or more applications by setting a session cookie.

session token

Unique identifier issued by Identity Cloud after successful authentication. The session token is used to track a principal’s session for server-side sessions.

standard metadata

Standard federation configuration information that you can share with other access management software.

stateless service

Stateless services do not store any data locally to the service. When the service requires data to perform any action, it requests it from a data store. For example, a stateless authentication service stores session state for logged-in users in a database. This way, any server in the deployment can recover the session from the database and service requests for any user. All Identity Cloud services are stateless unless otherwise specified.


A process that occurs after training that removes similar association rules that exist in a parent-child relationship. If the child meets three criteria, the system will remove it. The criteria are: 1) the child must match the parent; 2) the child (for example, [San Jose, Finance]) is a superset of the parent rule (for example, [Finance]); 3) the child and parent’s confidence scores are within a +/- range of each other. The range is set in the configuration file.


(Identity Cloud) Entity that requests access to a resource. When an identity successfully authenticates, Identity Cloud associates the identity with the Principal that distinguishes it from other identities. An identity can be associated with multiple Principals.


A multi-step process that generates the association rules with confidence scores for each entitlement. First, Identity Governance models the frequent itemsets that appear in the user attributes for each user. Next, Identity Governance merges the user attributes with the entitlements that were assigned to the user. It then applies association rules to model the sets of user attributes that result in entitlement access and calculates confidence scores based on their frequency of appearances in the dataset.