Many of the concepts defined in this section are derived from the specifications discussed in Liberty Alliance Project Specifications.
See Identity Federation.
An affiliation is a group of providers formed without regard to a particular authentication domain. An affiliation is formed and maintained by an affiliation owner. Members of an affiliation may invoke services either as a member of the affiliation (by virtue of their Affiliation ID) or individually (by virtue of their Provider ID). An affiliation document describes a group of providers. See Chapter 3, Federation for more information.
An attribute provider is a web service that hosts attribute data, for example, an instance of the Liberty Personal Profile Service data service. For more information, see Chapter 6, Data Services.
Authentication context refers to information added to a SAML Authentication Assertion regarding details of the technology used for the actual authentication action. This information might include the method of authentication (HTTP Basic or Safeword), the process followed in the issuance of the identity (for example, web self-registration), and any other characteristics that may be relevant to the SAML assertion consumer. The following XML example describes a user having authenticated with a password over an SSL-protected session:
<?xml version="1.0" encoding="UTF-8" ?> <AuthenticationContextStatement> <AuthenticationMethod> <PrincipalAuthenticationMethod> <Password> <Length min="3"/> </Password> </PrincipalAuthenticationMethod> <AuthenticatorTransportProtocol> <SSL/> </AuthenticatorTransportProtocol> </AuthenticationMethod> <AuthenticationContextStatement>
An authentication domain is a federation of service providers (with at least one identity provider) that is configured technologically. The providers interact using the Liberty Alliance Project specifications. The term authentication domain does not encompass the prerequisite business agreements established between providers in a circle of trust. After the circle of trust is established, an authentication domain can be configured and single sign-on can be enabled.
An authentication domain is not a domain in the Domain Name System (DNS) sense of the word.
See Provider Federation.
A client is the role that any system entity assumes when making a request of another system entity. In this scenario, the system entity to which the request is made is called a server as discussed in Server.
If an authentication domain has more than one identity provider, the service providers need a way to determine which identity provider is used by the principal (as discussed in Principal). Because this function must work across any number of DNS domains, the Liberty approach is to create one domain that is common to all identity and service providers in the authentication domain. This predetermined domain is called the common domain. Within the common domain, when a principal has been authenticated to a service provider, the identity provider writes a common domain cookie that stores the principal’s identity provider. When the principal attempts to access another service provider within the authentication domain, the service provider reads the common domain cookie and the request is forwarded to the correct identity provider. See Chapter 4, Common Domain Services for more information.
A federation cookie called fedCookie is implemented by Access Manager. It can have a value of yes or no, based on the principal’s federation status. For information on how a federation cookie is used, see Process of Federation in Chapter 3, Federation.
The concept of a federation cookie was developed for Access Manager and is not a defined part of the Liberty Alliance Project specifications. The definition is placed here for information only.
A federated identity refers to the consolidated account information that a user has provided to service providers. Personal data, authentication information, buying habits and history, and shopping preferences are examples of user account information. The information is administered by the user, and can be securely shared with other service providers.
Users can terminate their federations. Federation termination, or defederation), cancels identity federations established between the user’s identity provider and service provider accounts.
See Concept of Identity.
Identity federation occurs when a user chooses to unite distinct service provider accounts with one or more identity provider accounts. A user retains the individual account information with each provider while, simultaneously, establishing a link that allows the exchange of authentication information between them. For more information, see Concept of Federation.
An identity provider is a service provider that specializes in providing authentication services. As the administrating service for authentication, an identity provider also maintains and manages identity information. Authentication by an identity provider is honored by all service providers with whom the identity provider is affiliated. This term is used when defining an entity of this sort specific to the Liberty Identity Federation Framework as discussed in Liberty Identity Federation Framework.
An identity service (also referred to as a data service) is a web service that acts on a resource to retrieve, update, or perform some action on data attributes related to a principal (an identity). For example, an identity service might be a corporate phone book or calendar service. For more information, see Chapter 6, Data Services.
A Liberty-enabled client is a client that has, or knows how to obtain, information about the identity provider that a principal will use to authenticate to a service provider.
A Liberty-enabled proxy is an HTTP proxy that emulates a Liberty-enabled client.
To help preserve anonymity when identity information is exchanged between identity and service providers, an arbitrary name identifier is used. A name identifier is a randomly generated character string that is assigned to a principal and used to facilitate account linking at the identity provider and service provider sites. This pseudonym allows all providers to identify a principal without knowing the user’s actual identity. The name identifier has meaning only in the context of the relationship between providers.
A principal is an entity that can acquire a federated identity, that is capable of making decisions, and has authenticated actions done on its behalf. Examples of principals include an individual user, a group of individuals, a corporation, other legal entities, or a component of the Liberty architecture.
A Liberty-based profile defines the combination of a message's content and its transport mechanisms for a user agent.
See Name Identifier.
A receiver is the role of a system entity when it receives a message sent by another system entity. In this scenario, the system entity from which the message is received is called a sender as discussed in Sender.
In a discovery service, a resource offering defines associations between a piece of identity data and the service instance that provides access to it. See Chapter 7, Discovery Service.
A sender is the role donned by a system entity when it constructs and sends a message to another system entity. In this scenario, the system entity from which the message is received is called a receiver as discussed in Receiver.
A server is the role that any system entity assumes when providing a service in response to a request from another system entity. In this scenario, the system entity from which the request is received is called a client as discussed in Client.
In order to provide a service to clients, a server will often be both a sender and a receiver.
A service provider is a commercial or not-for-profit organization that offers web-based services to a principal. This broad category can include Internet portals, retailers, transportation providers, financial institutions, entertainment companies, libraries, universities, and governmental agencies. This term is used when defining an entity of this sort specific to the Liberty Identity Federation Framework as discussed in Liberty Identity Federation Framework.
A single logout occurs when a user logs out of an identity provider or a service provider. By logging out of one provider, the user is logged out of all service providers or identity providers in that authentication domain.
Single sign-on is established when a user with a federated identity authenticates to an identity provider. If the user has previously opted-in for federation, access to affiliated service providers without having to re-authenticate is available.
A trusted provider is a generic term for one of a group of service and identity providers in an authentication domain. A user can transact and communicate with trusted providers in a secure environment.
A web service consumer invokes the operations that a web service provides by making a request to a web service provider. This term is used when defining an entity of this sort specific to the Liberty Identity Web Services Framework as discussed in Liberty Identity Web Services Framework.
A web service provider implements a web service based on a request from a web service consumer. This term is used when defining an entity of this sort specific to the Liberty Identity Web Services Framework as discussed in Liberty Identity Web Services Framework.
A web service provider may run on the same Java virtual machine as the web service consumer that is using it.