Extensible Access Control Markup Language (XACML)



Standard, XML-based access control policy language, including a processing model for making authorization decisions based on policies.

Extensible Access Control Markup Language (XACML)


access control instruction (ACI)

An instruction or rule that can be used to grant or deny access to users to perform operations on a server.

access control instruction (ACI)


access control rule (ACR)

An instruction or rule that can be used to grant or deny access to users to perform operations on a server.

access control rule (ACR)


access token

A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources.

account link

A persistent name identifier that enables federation of separately established accounts among disparate domains (see also account linking and pseudonym)

account linking

A form of identity mapping among separate user accounts managed under different domains. The mapping typically involves a name identifier, which can be a pseudonym, to link the user to each account. The identifier is persisted at the SP site to enable seamless SSO/SLO. Additional attributes can be sent with the identifier.

account mapping

A form of identity mapping by which one or more user attributes is passed in a single sign-on transaction. The attributes are used at the destination site as a means identifying the user and looking up local account information.

Advanced Package Tool (APT)

A software user interface that works with core libraries to install and remove software on several Linux distributions.


Active Directory (AD)

A directory service for Windows domain networks, included in most Windows Server operation systems.

Active Directory (AD)



Plug-in software that allows Ping products to interact with web applications and authentication systems.

adapter contract

A list of attributes "hard-wired" to an adapter and conveyed generally through cookies between the adapter and application.

Amazon Web Services (AWS)

An Amazon subsidiary providing cloud computing platforms.

Amazon Web Services (AWS)


API Access Management

In PingOne Authorize, API Access Management addresses the needs of identity and access management (IAM) teams by simplifying common API access control use cases and eliminating the guesswork of OAuth and OpenID Connect (OIDC).

application programming interface (API)

A specification of interactions available for building software to access an application or service.



A reference to a SAML protocol message. The federation partner that receives the artifact dereferences it, identifying the sender, and requests the complete message in a separate SOAP transaction.

artifact resolution service (ARS)

The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message. Can be used to dereference authentication requests, assertion responses, and SLO messages.

artifact resolution service (ARS)



A SAML XML document that contains identifying information about a particular subject; for example, a person, company, application, or system. A SAML assertion can contain authentication, authorization, and attribute information about the subject.

assertion consumer service (ACS)

A service provider URL that accepts SAML messages or artifacts to establish a session based on an assertion.

Assertion Consumer Service (ACS)



Distinct characteristics that describe a subject. If the subject is a website user, attributes can include a name, group affiliation, email address, and attributes alike.

attribute contract

A list of attributes, agreed to by the partners in an identity federation, representing information about a user (SAML subject). The attributes are sent from the IdP to the SP during SSO or STS processing.

attribute mapping

Matching corresponding attributes between an IdP and an SP to identify federated users or add supplemental user information.

attribute source

Specific database or directory location containing data needed by an IdP to fulfill a connection partner's attribute contract or by an SP to look up additional attributes to fulfill an adapter contract.


Part of a SAML assertion indicating the intended service provider (SP).

authentication context

An element in a SAML assertion indicating the method or process used by an IdP to authenticate the subject of the assertion; can be used for authorization decisions or auditing compliance.

authentication request (OpenID Connect)

An OAuth 2.0 authorization request using extension parameters and scopes defined in the OpenID Connect specifications that a relying party (RP, an OAuth client) sends to an OpenID Provider (an OAuth authorization server) for the purpose of authenticating the end user.

authentication request (SAML 2.0)

A SAML XML document that a service provider (SP) sends to an identity provider (IdP) to request that the IdP to authenticate the identity of an end user and to return a response for the request.

authorization request

A request based on the OAuth 2.0 Authorization Framework that an OAuth client sends to an authorization server for the purpose of obtaining an access token (for the purpose of ultimately accessing protected resources on a resource server).


A direct, cross-domain communication path using a protocol that doesn't rely on a browser as an intermediary.


A mapping of SAML request and response messages to specific transport protocols (redirect, POST, or artifact).


A digital file used for identity verification and other security purposes. The certificate, which is often issued by a certificate authority (CA), contains a public key, which can be used to verify the originator's identity.

certificate authority (CA)

An entity that issues digital certificates.

certificate authority (CA)


certificate revocation list (CRL)

A list of revoked signing certificates, maintained by the issuing authority at a public URL.

certificate revocation list (CRL)


certificate signing request (CSR)

A message sent to a certificate authority in order to apply for a digital identity certificate.

certificate signing request (CSR)



A dedicated outbound provisioning configuration specific to a particular service partner, data source, and target service.


(classless inter-domain routing) A method for allocating IP addresses and for IP routing.


client-initiated backchannel authentication (CIBA)

An extension to OpenID Connect defining a new OAuth grant type where user consent can be requested and granted through an out-of-band authentication flow. CIBA uses direct relying party to OpenID provider communication without redirects through the user's browser.

client-initiated backchannel authentication (CIBA)


connection partner

Entities, such as companies, that are part of an identity federation.


Information used to identify a subject for access purposes (for example, username and password). A credential can also be a certificate.

cross-origin resource sharing (CORS)

A mechanism to allow restricted resources, such as images and scripts, on a web page to be requested from a domain outside of the domain from which the first resource was served.

cross-origin resource sharing (CORS)


Common Event Format (CEF)

A logging and auditing file format that supports multiple device types.

Common Event Format (CEF)


database management system

A system for storing and maintaining user account information and attributes.

Data Encryption Standard (DES)

A symmetric-key method of encryption.

Data Encryption Standard (DES)



A database or directory location containing user account records and associated user attributes.


Optional user-initiated delinking of an identity federation that uses a persistent name identifier or pseudonym for account linking.

digital signature

A process for verifying the identity of the originator of an electronic document and whether the document has been intercepted or altered. The process involves message signing, signature validation, and signing policy coordination between partners.

distinguished name (DN)

A name uniquely identifying an object within the hierarchy of a directory tree.

distinguished name (DN)


Dynamic Authorization

In PingOne Authorize, Dynamic Authorization allows application owners and stakeholders to leverage real-time data in fine-grained policies that go beyond identity and roles.


One end in a communication channel, typically a URI.

entity ID

The XML element in a SAML assertion that uniquely identifies an identity provider.

attribute-based access control (ABAC)

Access control based on attributes of a user, such as how old a user is or whether the user is a paying customer.

attribute-based access control (ABAC)


access control

Control to grant or to deny access to a resource.

account lockout

The act of making an account temporarily or permanently inactive after successive authentication failures.


Defined as part of policies, these verbs indicate what authorized identities can do to resources.


In the context of a policy decision denying access, a hint to the policy enforcement point about remedial action to take that could result in a decision allowing access.

agent administrator

User having privileges only to read and write agent profile configuration information, typically created to delegate agent profile creation to the user installing a web or Java agent.

agent authenticator

Entity with read-only access to multiple agent profiles defined in the same realm allows an agent to read web service profiles.

anomaly report

A report that identifies potential anomalous assignments.


In general terms, a service exposing protected resources. In the context of Identity Cloud policies, the application is a template that constrains the policies that govern access to protected resources. An application can have zero or more policies.

application type

Application types act as templates for creating policy applications. Application types also define the internal normalization, indexing logic, and comparator logic for applications.

as-is predictions

A process where confidence scores are assigned to the entitlements that users have.


The act of confirming the identity of a principal.

authentication level

Positive integers associated with an authentication node used to require success with more stringent authentication measures when requesting resources requiring special protection.

authentication session

The interval while the user or entity is authenticating to Identity Cloud.


The act of determining whether to grant or deny a user access to a resource.

authorization server

In OAuth 2.0, the authorization server issues access tokens to the client after authenticating a resource owner and confirming that the owner authorizes the client to access the protected resource. Identity Cloud can play this role in the OAuth 2.0 authorization framework.


An action that an entitlement owner can do to approve a justification. Auto-certify indicates that anyone with the justification is automatically approved for the entitlement.


Arrangement to federate a principal’s identity automatically based on a common attribute value shared across the principal’s profiles at different providers.


An action that an entitlement owner can do to approve a justification. Auto-request indicates that anyone who matches these justification attributes but might not already have access should automatically get provisioned for this entitlement.

cross-domain single sign-on (CDSSO)

Identity Cloud capability allowing single sign-on across different DNS domains.

cross-domain single sign-on (CDSSO)


circle of trust

Group of providers, including at least one identity provider, who have agreed to trust each other to participate in a SAML 2.0 provider federation


In OAuth 2.0, the client requests protected web resources on behalf of the resource owner, given the owner’s authorization. Identity Cloud can play this role in the OAuth 2.0 authorization framework.

client-side OAuth 2.0 tokens

After a successful OAuth 2.0 grant flow, Identity Cloud returns a token to the client. This differs from server-side OAuth 2.0 tokens, where Identity Cloud returns a reference to the token to the client.

client-side sessions

Sessions for which Identity Cloud returns session state to the client after each request and requires the state to be passed in with the subsequent request. For browser-based clients, Identity Cloud sets a cookie in the browser that contains the session state. When the browser returns the cookie, Identity Cloud decodes the session state from the cookie.


Defined as part of policies, these determine the circumstances under which a policy applies. Environmental conditions reflect circumstances, such as the client's IP address, time of day, how the subject is authenticated, or the authentication level achieved. Subject conditions reflect characteristics of the subject, such as whether the subject is authenticated, the identity of the subject, or claims in the subject’s JSON Web Token (JWT).

confidence score

A score on a scale from 0 to 100% that indicates the strength of correlation between an assigned entitlement and a user’s data profile.

configuration datastore

LDAP directory service holding Identity Cloud configuration data.

data audit

A pre-analytics process that audits the seven data files to ensure data validity with the client.

data ingestion

A pre-analytics process that pushes the seven .csv files into the Cassandra database. This allows the entire training process to be performed from the database.

data sparsity

A reference to data that has null values. Identity Governance requires dense, high-quality data with very few null values in the user attributes to get accurate analysis scores.

data validation

A pre-analytics process that tests the data to ensure that the content is correct and complete prior to the training process.


Granting users administrative privileges with Identity Cloud.

driving factor

An association rule that is a key factor in a high entitlement confidence score. Any rule that exceeds a confidence threshold level (for example, 75%) is considered a driving factor.


An entitlement is a specialized type of assignment. A user or device with an entitlement gets access rights to specified resources.

extended metadata

Federation configuration information specific to Identity Cloud.