Extensible Access Control Markup Language (XACML)

A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources.

A persistent name identifier that enables federation of separately established accounts among disparate domains (see also account linking and pseudonym)

A form of identity mapping among separate user accounts managed under different domains. The mapping typically involves a name identifier, which can be a pseudonym, to link the user to each account. The identifier is persisted at the SP site to enable seamless SSO/SLO. Additional attributes can be sent with the identifier.

A form of identity mapping by which one or more user attributes is passed in a single sign-on transaction. The attributes are used at the destination site as a means identifying the user and looking up local account information.

Plug-in software that allows Ping products to interact with web applications and authentication systems.

A list of attributes "hard-wired" to an adapter and conveyed generally through cookies between the adapter and application.

In PingOne Authorize, API Access Management addresses the needs of identity and access management (IAM) teams by simplifying common API access control use cases and eliminating the guesswork of OAuth and OpenID Connect (OIDC).

A reference to a SAML protocol message. The federation partner that receives the artifact dereferences it, identifying the sender, and requests the complete message in a separate SOAP transaction.

A SAML XML document that contains identifying information about a particular subject; for example, a person, company, application, or system. A SAML assertion can contain authentication, authorization, and attribute information about the subject.

Distinct characteristics that describe a subject. If the subject is a website user, attributes can include a name, group affiliation, email address, and attributes alike.

A list of attributes, agreed to by the partners in an identity federation, representing information about a user (SAML subject). The attributes are sent from the IdP to the SP during SSO or STS processing.

Matching corresponding attributes between an IdP and an SP to identify federated users or add supplemental user information.

Specific database or directory location containing data needed by an IdP to fulfill a connection partner's attribute contract or by an SP to look up additional attributes to fulfill an adapter contract.

Part of a SAML assertion indicating the intended service provider (SP).

An element in a SAML assertion indicating the method or process used by an IdP to authenticate the subject of the assertion; can be used for authorization decisions or auditing compliance.

An OAuth 2.0 authorization request using extension parameters and scopes defined in the OpenID Connect specifications that a relying party (RP, an OAuth client) sends to an OpenID Provider (an OAuth authorization server) for the purpose of authenticating the end user.

A SAML XML document that a service provider (SP) sends to an identity provider (IdP) to request that the IdP to authenticate the identity of an end user and to return a response for the request.

A request based on the OAuth 2.0 Authorization Framework that an OAuth client sends to an authorization server for the purpose of obtaining an access token (for the purpose of ultimately accessing protected resources on a resource server).

A direct, cross-domain communication path using a protocol that doesn't rely on a browser as an intermediary.

A mapping of SAML request and response messages to specific transport protocols (redirect, POST, or artifact).

A digital file used for identity verification and other security purposes. The certificate, which is often issued by a certificate authority (CA), contains a public key, which can be used to verify the originator's identity.

A dedicated outbound provisioning configuration specific to a particular service partner, data source, and target service.

Entities, such as companies, that are part of an identity federation.

Information used to identify a subject for access purposes (for example, username and password). A credential can also be a certificate.

A system for storing and maintaining user account information and attributes.

A database or directory location containing user account records and associated user attributes.

Optional user-initiated delinking of an identity federation that uses a persistent name identifier or pseudonym for account linking.

A process for verifying the identity of the originator of an electronic document and whether the document has been intercepted or altered. The process involves message signing, signature validation, and signing policy coordination between partners.

In PingOne Authorize, Dynamic Authorization allows application owners and stakeholders to leverage real-time data in fine-grained policies that go beyond identity and roles.

One end in a communication channel, typically a URI.

The XML element in a SAML assertion that uniquely identifies an identity provider.

Control to grant or to deny access to a resource.

The act of making an account temporarily or permanently inactive after successive authentication failures.

Defined as part of policies, these verbs indicate what authorized identities can do to resources.

In the context of a policy decision denying access, a hint to the policy enforcement point about remedial action to take that could result in a decision allowing access.

User having privileges only to read and write agent profile configuration information, typically created to delegate agent profile creation to the user installing a web or Java agent.

Entity with read-only access to multiple agent profiles defined in the same realm allows an agent to read web service profiles.

A report that identifies potential anomalous assignments.

In general terms, a service exposing protected resources. In the context of Identity Cloud policies, the application is a template that constrains the policies that govern access to protected resources. An application can have zero or more policies.

Application types act as templates for creating policy applications. Application types also define the internal normalization, indexing logic, and comparator logic for applications.

A process where confidence scores are assigned to the entitlements that users have.

The act of confirming the identity of a principal.

Positive integers associated with an authentication node used to require success with more stringent authentication measures when requesting resources requiring special protection.

The interval while the user or entity is authenticating to Identity Cloud.

The act of determining whether to grant or deny a user access to a resource.

In OAuth 2.0, the authorization server issues access tokens to the client after authenticating a resource owner and confirming that the owner authorizes the client to access the protected resource. Identity Cloud can play this role in the OAuth 2.0 authorization framework.

An action that an entitlement owner can do to approve a justification. Auto-certify indicates that anyone with the justification is automatically approved for the entitlement.

Arrangement to federate a principal’s identity automatically based on a common attribute value shared across the principal’s profiles at different providers.

An action that an entitlement owner can do to approve a justification. Auto-request indicates that anyone who matches these justification attributes but might not already have access should automatically get provisioned for this entitlement.

Group of providers, including at least one identity provider, who have agreed to trust each other to participate in a SAML 2.0 provider federation

In OAuth 2.0, the client requests protected web resources on behalf of the resource owner, given the owner’s authorization. Identity Cloud can play this role in the OAuth 2.0 authorization framework.

After a successful OAuth 2.0 grant flow, Identity Cloud returns a token to the client. This differs from server-side OAuth 2.0 tokens, where Identity Cloud returns a reference to the token to the client.

Sessions for which Identity Cloud returns session state to the client after each request and requires the state to be passed in with the subsequent request. For browser-based clients, Identity Cloud sets a cookie in the browser that contains the session state. When the browser returns the cookie, Identity Cloud decodes the session state from the cookie.

Defined as part of policies, these determine the circumstances under which a policy applies. Environmental conditions reflect circumstances, such as the client's IP address, time of day, how the subject is authenticated, or the authentication level achieved. Subject conditions reflect characteristics of the subject, such as whether the subject is authenticated, the identity of the subject, or claims in the subject’s JSON Web Token (JWT).

A score on a scale from 0 to 100% that indicates the strength of correlation between an assigned entitlement and a user’s data profile.

LDAP directory service holding Identity Cloud configuration data.

A pre-analytics process that audits the seven data files to ensure data validity with the client.

A pre-analytics process that pushes the seven .csv files into the Cassandra database. This allows the entire training process to be performed from the database.

A reference to data that has null values. Identity Governance requires dense, high-quality data with very few null values in the user attributes to get accurate analysis scores.

A pre-analytics process that tests the data to ensure that the content is correct and complete prior to the training process.

Granting users administrative privileges with Identity Cloud.

An association rule that is a key factor in a high entitlement confidence score. Any rule that exceeds a confidence threshold level (for example, 75%) is considered a driving factor.

An entitlement is a specialized type of assignment. A user or device with an entitlement gets access rights to specified resources.

Federation configuration information specific to Identity Cloud.