token translators

An aggregate term for both token processors and token generators.

A web-based application, accessed using a web browser, that often aggregates content from multiple providers, serves as a central point of entry, or both.

An HTTP method used to request that the service or server accept the entity enclosed in the request as an addition to the resource identified in the URI.

In public key cryptography, a private key is the secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data. The private key is kept secret by its owner, similar to a password.

Information, typically accessed through a web URL, that is protected by an access management system.

The rules, syntax, semantics, and synchronization of transactions between entities.

A persistent name identifier assigned to a user and shared among entities, usually with the user's permission, to enable single sign-on (SSO) and single logout (SLO). Pseudonyms are often used with the SAML account linking protocol to enable SSO while preventing the discovery of the user's identity or activities.

In public key cryptography, a public key is the part of an asymmetric key pair that the owner shares with others to allow them to decrypt digital signatures or encrypted data.

A long-lived token used by OAuth clients to obtain a new access token without having to obtain fresh authorization from the resource owner.

An application programming interface (API) that conforms to the design principles of the representational state transfer (REST) architectural style.

In OAuth 2.0, a server that hosts protected resources and can accept and respond to resource requests from clients presenting a valid access token.

A security domain that issues SAML assertions.

Rules that describe how to embed SAML assertions into and extract them out of other protocols in order to enable SSO or SLO. Profiles describe SAML request and response flows that fulfill specific use cases.

A SAML binding that conveys a request or response by sending the user's browser to another location. For instance, an authentication request can be sent from an SP through a browser to an IdP.

In OAuth, a parameter on an access request and resulting, issued access token that specifies a limitation or limitations on access to the protected resource or resources.

An application or group of applications that trust a common security token used for authentication, authorization, or session management. The token is issued to a user after the user has authenticated to the security domain.

A collection of information used to establish acceptable identity for security purposes. Tokens can be in binary or XML format. A SAML assertion is one kind of security token.

A loosely coupled application architecture in which all functions or services are accessible using standard protocols. Interfaces are platform and programming-language independent.

A mechanism for identifying a user or browser for subsequent requests to a server, needed because the HTTP protocol is stateless. This information is used to look up state information for the user. (For example, items in a shopping cart.)

A client session is persisted by directing the client to the same backend server or host for the duration of the session.

The SAML implementation endpoint URL that returns logout requests.

The SAML implementation endpoint URL that receives logout requests for processing

A service that implements SSO. In SAML, this is an endpoint that receives and processes authentication requests.

A 20-byte sequence used to determine an identity provider's (IdP) identity.

In SAML, an identity-federation transaction in which the initial action for single logout (SLO) occurs at a the service provider (SP) site.

In SAML, an identity-federation transaction in which the initial action for single sign-on (SSO) occurs at a the service provider (SP) site.

(SAML) A person, computer system, or application. In the SAML context, assertions make statements about subjects.

In SAML, the destination on a service provider (SP) to receive single sign-on (SSO) events.

A temporary ID used to preserve user anonymity while facilitating account linking.

A mechanism for evaluating attribute criteria available during a transaction to determine whether a user is authorized to access resources. A token in this instance can mean any type of security token, such as single sign-on (SSO), session cookie, or OAuth token.

The process by which a security token is exchanged for another security token.

Set of rules that define who is granted access to a protected resource when, how, and under what conditions.

Java, web, or custom agent that intercepts requests for resources directs principals to Identity Cloud for authentication and enforces policy decisions from Identity Cloud.

Represents an entity that has been authenticated (such as a user, a device, or an application), and thus is distinguished from other entities. When a Subject successfully authenticates, Identity Cloud associates the Subject with the Principal.

In the context of delegated administration, a set of administrative tasks that can be performed by specified identities in a given realm.

Agreement among providers to participate in a circle of trust.

Identity Cloud unit for organizing configuration and identity information. Administrators can delegate realm administration. The administrator assigns administrative privileges to users, allowing them to perform administrative tasks within the realm.

A process run after the as-is predictions that assigns confidence scores to all entitlements and recommends entitlements that users do not currently have. If the confidence score meets a threshold set by the conf_thresh property in the configuration file, the entitlement will be recommended to the user in the UI console.

An external system, database, directory server, or other source of identity data to be managed and audited by an identity management system.

In OAuth 2.0, a resource owner is an entity that can authorize access to protected web resources, such as an end user.

Defined as part of policies, Identity Cloud returns additional information as "attributes" with the response to a policy decision.

(Representational state transfer) A software architecture style for exposing resources using the technologies and protocols of the World Wide Web. REST describes how distributed data objects or resources can be defined and addressed.

Sessions that reside in the Core Token Service’s token store. Server-side sessions might also be cached in memory. Identity Cloud tracks these sessions in order to handle events like logout and timeout, permit session constraints, and notify applications involved in single sign-on (SSO) when a session ends.

The interval that starts after the user has authenticated and ends when the user signs off or when their session is terminated. For browser-based clients, Identity Cloud manages user sessions across one or more applications by setting a session cookie.

Unique identifier issued by Identity Cloud after successful authentication. The session token is used to track a principal’s session for server-side sessions.

Standard federation configuration information that you can share with other access management software.

Stateless services do not store any data locally to the service. When the service requires data to perform any action, it requests it from a data store. For example, a stateless authentication service stores session state for logged-in users in a database. This way, any server in the deployment can recover the session from the database and service requests for any user. All Identity Cloud services are stateless unless otherwise specified.

A process that occurs after training that removes similar association rules that exist in a parent-child relationship. If the child meets three criteria, the system will remove it. The criteria are: 1) the child must match the parent; 2) the child (for example, [San Jose, Finance]) is a superset of the parent rule (for example, [Finance]); 3) the child and parent’s confidence scores are within a +/- range of each other. The range is set in the configuration file.

(Identity Cloud) Entity that requests access to a resource. When an identity successfully authenticates, Identity Cloud associates the identity with the Principal that distinguishes it from other identities. An identity can be associated with multiple Principals.

A multi-step process that generates the association rules with confidence scores for each entitlement. First, Identity Governance models the frequent itemsets that appear in the user attributes for each user. Next, Identity Governance merges the user attributes with the entitlements that were assigned to the user. It then applies association rules to model the sets of user attributes that result in entitlement access and calculates confidence scores based on their frequency of appearances in the dataset.