An aggregate term for both token processors and token generators.
password credential validator (PCV)
Configures a centralized location for user credential validation. The validator instances can then be referenced by PingFederate.
PCV
portal
A web-based application, accessed using a web browser, that often aggregates content from multiple providers, serves as a central point of entry, or both.
POST
An HTTP method used to request that the service or server accept the entity enclosed in the request as an addition to the resource identified in the URI.
primary domain controller (PDC)
On Microsoft Windows networks, the initial domain controller that maintains the master copy of the directory database and validates users.
PDC
private key
In public key cryptography, a private key is the secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data. The private key is kept secret by its owner, similar to a password.
protected resource
Information, typically accessed through a web URL, that is protected by an access management system.
protocol
The rules, syntax, semantics, and synchronization of transactions between entities.
pseudonym
A persistent name identifier assigned to a user and shared among entities, usually with the user's permission, to enable SSO and SLO. Pseudonyms are often used with the SAML account linking protocol to enable SSO while preventing the discovery of the user's identity or activities.
public key
In public key cryptography, a public key is the part of an asymmetric key pair that the owner shares with others to allow them to verify the owner's digital signatures or to encrypt data that only the matching private key can decrypt.
public key infrastructure (PKI)
Enables users of an unsecured public network to securely and privately exchange data through the use of key pairs and certificates. The PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.
PKI
Remote Authentication Dial-In User Service (RADIUS)
A client/server networking protocol providing centralized user management.
RADIUS
refresh token
A long-lived token used by OAuth clients to obtain a new access token without having to obtain fresh authorization from the resource owner.
relying party (RP)
An OAuth 2.0 client that requires end-user authentication and claims (attributes) from an OpenID provider.
RP
<RequestSecurityToken> (RST)
WS-Trust or WS-Federation XML element identifying a request for validation of a security token, or for validation and then issuance of a replacement security token.
RST
<RequestSecurityTokenResponse> (RSTR)
WS-Trust or WS-Federation XML element identifying a response to an RST and containing either the status of the submitted security token or both the status and (if requested and the received token is valid) a newly issued token for further SSO or web-services processing.
RSTR
REST API
An application programming interface (API) that conforms to the design principles of the representational state transfer (REST) architectural style.
resource server
In OAuth, a server that hosts protected resources and can accept and respond to resource requests from clients presenting a valid access token.
SAML authority
A security domain that issues SAML assertions.
SAML profiles
Rules that describe how to embed SAML assertions into and extract them out of other protocols in order to enable SSO or SLO. Profiles describe SAML request and response flows that fulfill specific use cases.
SAML redirect
A SAML binding that conveys a request or response by sending the user's browser to another location. For instance, an authentication request can be sent from an SP through a browser to an IdP.
scope
In OAuth, a parameter on an access request, and on the resulting issued access token, that specifies one or more limitations on access to the protected resources.
software development kit (SDK)
A set of tools that allows a developer to build a custom application that integrates with or connects to a platform or service.
SDK
Secure Shell (SSH)
Protocol for secure operation of network services over an unsecured network.
SSH
Secure Sockets Layer (SSL)
A protocol for authenticated and encrypted links between networked machines, typically over HTTPS. SSL was deprecated in 1999 in favor of Transport Layer Security (TLS).
SSL
Security Assertion Markup Language (SAML)
A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains.
SAML
security domain
An application or group of applications that trust a common security token used for authentication, authorization, or session management. The token is issued to a user after the user has authenticated to the security domain.
security token
A collection of information used to establish acceptable identity for security purposes. Tokens can be in binary or XML format. A SAML assertion is one kind of security token.
Security Token Service (STS)
An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services.
STS
service-oriented architecture
A loosely coupled application architecture in which all functions or services are accessible using standard protocols. Interfaces are platform and programming-language independent.
service provider (SP)
In SAML, an entity that receives and accepts an authentication assertion issued by an identity provider (IdP), typically for the purpose of allowing access to a protected resource.
SP
session persistence
A mechanism for identifying a user or browser across subsequent requests to a server, needed because the HTTP protocol is stateless. The identifier is used to look up state information for the user (for example, items in a shopping cart).
A client session is persisted by directing the client to the same backend server or host for the duration of the session.
Simple Object Access Protocol (SOAP)
A program- and platform-independent messaging protocol for the exchange of structured (XML) information, generally over HTTP. Most often used to invoke web services and process responses.
SOAP
single logout (SLO)
The process of signing a user out of multiple sites where the user has started a single sign-on (SSO) session.
SLO
single logout return service
The SAML implementation endpoint URL that returns logout requests.
single logout service
The SAML implementation endpoint URL that receives logout requests for processing.
single sign-on (SSO)
The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without re-authenticating.
SSO
single sign-on service
A service that implements SSO. In SAML, this is an endpoint that receives and processes authentication requests.
source ID
A 20-byte sequence used to identify an identity provider (IdP).
SP-initiated SLO
In SAML, an identity-federation transaction in which the initial action for single logout (SLO) occurs at the service provider (SP) site.
SP-initiated SSO
In SAML, an identity-federation transaction in which the initial action for single sign-on (SSO) occurs at the service provider (SP) site.
subject
A person, computer system, or application. In the SAML context, assertions make statements about subjects.
System for Cross-domain Identity Management (SCIM)
An application-level, HTTP-based protocol for provisioning and managing user identity information. SCIM supplies a common schema for representing users and groups and provides a REST API.
SCIM
target URL
In SAML, the destination on a service provider (SP) to receive single sign-on (SSO) events.
time-based one-time passcode (TOTP)
A temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Typically, an app or hardware token generates a six-digit passcode that is valid for less than 1 minute.
TOTP
transient name identifier
A temporary ID used to preserve user anonymity while facilitating account linking.
token authorization
A mechanism for evaluating the attribute criteria available during a transaction to determine whether a user is authorized to access resources. A token in this context can be any type of security token, such as an SSO token, a session cookie, or an OAuth token.
token exchange
The process by which a security token is exchanged for another security token.