Many of the concepts defined in this section are derived from the specifications discussed in Liberty Alliance Project Specifications.
See Identity Federation.
An affiliation is a group of providers formed without regard to their configured authentication domains. An affiliation is formed and maintained by an affiliation owner. Members of an affiliation may invoke services either as a member of the affiliation (by virtue of their Affiliation ID) or individually (by virtue of their Provider ID). An affiliation document describes a group of providers. See Entities for more information.
An attribute provider is a web service that hosts attribute data. The Access Manager Liberty Personal Profile Service data service is an example of an attribute provider. For more information, see Chapter 7, Data Services.
Authentication context refers to information added to a SAML Authentication Assertion regarding details of the technology used for the actual authentication action. This information might include the method of authentication (for example, HTTP Basic or Safeword), the process followed in the issuance of the identity (for example, web self-registration), and any other characteristics that may be relevant to the service provider consuming the assertion. The following code sample describes a user having authenticated with a password over an SSL-protected session.
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<AuthenticationContextStatement>
  <AuthenticationMethod>
    <PrincipalAuthenticationMethod>
      <Password>
        <Length min="3"/>
      </Password>
    </PrincipalAuthenticationMethod>
    <AuthenticatorTransportProtocol>
      <SSL/>
    </AuthenticatorTransportProtocol>
  </AuthenticationMethod>
</AuthenticationContextStatement>
```
More information is in Authentication and Authentication Context.
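The consuming service provider should evaluate an authentication context like the one above against its own policy before honoring the assertion. The following is an added example (not Access Manager code); the statement is the glossary's own sample, corrected, and the policy dictionary keys are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AuthenticationContextStatement shown in the glossary entry.
AUTHN_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<AuthenticationContextStatement>
  <AuthenticationMethod>
    <PrincipalAuthenticationMethod>
      <Password>
        <Length min="3"/>
      </Password>
    </PrincipalAuthenticationMethod>
    <AuthenticatorTransportProtocol>
      <SSL/>
    </AuthenticatorTransportProtocol>
  </AuthenticationMethod>
</AuthenticationContextStatement>
"""

def parse_authn_context(xml_text):
    """Return (method, min_password_length, transport) from an AuthenticationContextStatement."""
    root = ET.fromstring(xml_text)
    if root.tag != "AuthenticationContextStatement":
        raise ValueError("not an AuthenticationContextStatement")
    pam = root.find("AuthenticationMethod/PrincipalAuthenticationMethod")
    if pam is None or len(pam) == 0:
        raise ValueError("missing PrincipalAuthenticationMethod")
    method_el = pam[0]                      # e.g. <Password>
    min_len = None
    length = method_el.find("Length")
    if length is not None and length.get("min") is not None:
        min_len = int(length.get("min"))
    transport = root.find("AuthenticationMethod/AuthenticatorTransportProtocol")
    transport_name = transport[0].tag if transport is not None and len(transport) else None
    return method_el.tag, min_len, transport_name

def sp_accepts(xml_text, policy):
    """Service-provider check: accept only if the asserted context meets every policy requirement.
    policy keys (assumed): allowed_methods (set), require_ssl (bool), min_password_length (int)."""
    method, min_len, transport = parse_authn_context(xml_text)
    if method not in policy["allowed_methods"]:
        return False
    if policy.get("require_ssl") and transport != "SSL":
        return False
    if method == "Password" and (min_len is None or min_len < policy.get("min_password_length", 0)):
        return False
    return True
```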
An authentication domain is a federation of service providers (with at least one identity provider) that is configured using Access Manager.
An authentication domain is not a domain in the Domain Name System (DNS) sense of the word.
Before an authentication domain can be configured, the service providers must contractually agree to exchange authentication information using the Liberty Alliance Project specifications. After this circle of trust is established, an authentication domain can be configured using Access Manager and single sign-on can be enabled. Simply put, an authentication domain is the term used by Access Manager when configuring a circle of trust. See Concept of Trust for related information.
See Provider Federation.
A client is the role that any system entity assumes when making a request of another system entity. In this scenario, the system entity to which the request is made is called a server as discussed in Server.
If an authentication domain has more than one identity provider, the service providers need a way to determine which identity provider is used by the principal (as discussed in Principal). Because this function must work across any number of DNS domains, the Liberty approach is to create one domain that is common to all identity and service providers in the authentication domain. This predetermined domain is called the common domain. Within the common domain, when a principal has been authenticated to a service provider, the identity provider writes a common domain cookie that stores the principal’s identity provider. When the principal attempts to access another service provider within the authentication domain, the service provider reads the common domain cookie and the request is forwarded to the correct identity provider. See Chapter 4, Common Domain Services for Federation Management for more information.
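To make the cookie-scoping reason for a common domain concrete, here is an added example (not Access Manager code) that models browser cookie visibility per domain: the cookie name, the common domain and the provider host names are all constructed assumptions.

```python
class BrowserCookieJar:
    """Constructed model of per-domain cookie scoping: a host can read a cookie only if the
    cookie's domain is the host itself or one of its parent domains."""

    def __init__(self):
        self._cookies = {}  # (domain, name) -> value

    def set_cookie(self, domain, name, value):
        self._cookies[(domain, name)] = value

    def get_cookie(self, host, name):
        for (domain, cname), value in self._cookies.items():
            if cname == name and (host == domain or host.endswith("." + domain)):
                return value
        return None

COMMON_DOMAIN = "common.example.org"   # assumed common domain shared by every provider
CDC_NAME = "idp_cookie"               # assumed cookie name, not the spec's

def idp_write_common_domain_cookie(jar, idp_id):
    """After authenticating the principal, the identity provider (through its host inside the
    common domain) records which identity provider the principal used."""
    jar.set_cookie(COMMON_DOMAIN, CDC_NAME, idp_id)

def sp_select_identity_provider(jar, known_idps, default_idp=None):
    """A service provider (through its own host inside the common domain) reads the cookie and
    chooses the identity provider to forward the request to. The cookie is treated as a hint:
    only identity providers already configured in the authentication domain are ever selected."""
    idp_id = jar.get_cookie("sp-reader." + COMMON_DOMAIN, CDC_NAME)
    if idp_id in known_idps:
        return idp_id
    return default_idp   # missing or unrecognised cookie: fall back to configured behaviour
```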
A federation cookie called fedCookie is implemented by Access Manager. It can have a value of yes or no, based on the principal’s federation status. For information on how a federation cookie is used, see Process of Federation in Chapter 3, Federation.
The concept of a federation cookie was developed for Access Manager and is not a defined part of the Liberty Alliance Project specifications. The definition is placed here for information only.
A federated identity refers to a user's consolidated local identities. The user must choose to federate the separate identities that they have configured with multiple service providers. Although federated, the local identities are still administered by the user, but they can be securely shared between the service providers for which they were defined.
Users can terminate their federations. Federation termination (or defederation) cancels identity federations established between the user’s identity provider and service provider accounts.
See Concept of Identity.
Identity federation occurs when a user chooses to unite distinct service provider accounts with one or more identity provider accounts. A user retains the individual account information with each provider while simultaneously establishing a link that allows the exchange of authentication information between them. For more information, see Concept of Federation.
An identity provider is a service provider that specializes in providing authentication services. As the administrating service for authentication, an identity provider also maintains and manages identity information. Authentication by an identity provider is honored by all service providers with whom the identity provider is affiliated. This term is used when defining an entity of this sort specific to the Liberty Identity Federation Framework as discussed in Liberty Identity Federation Framework.
An identity service (also referred to as a data service or an attribute provider) is a web service that acts on a resource to retrieve, update, or perform some action on data attributes related to a principal (an identity). For example, an identity service might be a corporate phone book or calendar service. For more information, see Chapter 7, Data Services.
A Liberty-enabled client is a client that has, or knows how to obtain, information about the identity provider that a principal will use to authenticate to a service provider.
A Liberty-enabled proxy is an HTTP proxy that emulates a Liberty-enabled client.
To help preserve anonymity when identity information is exchanged between identity providers and service providers, an arbitrary name identifier is used. A name identifier is a randomly generated character string that is assigned to a principal and used to facilitate account linking at the identity provider and service provider sites. This pseudonym allows all providers to identify a principal without knowing the user’s actual identity. The name identifier has meaning only in the context of the relationship between providers.
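The following added example (not Access Manager code) models the account-linking table an identity provider keeps for name identifiers and for federation termination as described above: the pseudonym is random per provider pair, resolves only within the relationship it was issued for, and two service providers receive unrelated values for the same principal. The class and method names are assumptions.

```python
import secrets

class IdentityProviderLinks:
    """Constructed model of an identity provider's account-linking table: one opaque name
    identifier per (principal, service provider) pair, never the principal's real identity."""

    def __init__(self):
        self._by_pair = {}    # (local_user, sp_id) -> name identifier
        self._by_nameid = {}  # (sp_id, name identifier) -> local_user

    def federate(self, local_user, sp_id):
        """Create, or reuse, the pseudonym shared with sp_id for local_user."""
        key = (local_user, sp_id)
        if key not in self._by_pair:
            name_id = secrets.token_urlsafe(24)   # random; carries no information about the user
            self._by_pair[key] = name_id
            self._by_nameid[(sp_id, name_id)] = local_user
        return self._by_pair[key]

    def resolve(self, sp_id, name_id):
        """Map a name identifier back to the local account, but only for the provider it was issued to."""
        return self._by_nameid.get((sp_id, name_id))

    def defederate(self, local_user, sp_id):
        """Federation termination: drop the link so the pseudonym no longer resolves."""
        name_id = self._by_pair.pop((local_user, sp_id), None)
        if name_id is None:
            return False
        del self._by_nameid[(sp_id, name_id)]
        return True

def pseudonyms_unlinkable(idp, local_user, sp_a, sp_b):
    """Two service providers get different identifiers for the same principal, so comparing
    identifiers does not let them correlate the user."""
    return idp.federate(local_user, sp_a) != idp.federate(local_user, sp_b)
```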
A principal is an entity that can acquire a federated identity, that is capable of making decisions, and has authenticated actions done on its behalf. Examples of principals include an individual user, a group of individuals, a corporation, other legal entities, or a component of the Liberty architecture.
A protocol is an agreed-upon set of rules for formatting data to be transmitted between two or more devices. XML schemas define the syntax for request and response messages that are typically embedded into other structures for transport. Among other things, a protocol can determine:
- The type of error checking to be used.
- The data compression method, if any.
- How the sending device will indicate that it has finished sending a message.
- How the receiving device will indicate that it has received a message.
See Name Identifier.
A receiver is the role of a system entity when it receives a message sent by another system entity. In this scenario, the system entity from which the message is received is called a sender as discussed in Sender.
In a discovery service, a resource offering defines associations between a piece of identity data and the service instance that provides access to it. See Chapter 8, Discovery Service.
A sender is the role assumed by a system entity when it constructs and sends a message to another system entity. In this scenario, the system entity to which the message is sent is called a receiver as discussed in Receiver.
A server is the role that any system entity assumes when providing a service in response to a request from another system entity. In this scenario, the system entity from which the request is received is called a client as discussed in Client.
In order to provide a service to clients, a server will often be both a sender and a receiver.
A service provider is a commercial or not-for-profit organization that offers web-based services to a principal. This broad category can include Internet portals, retailers, transportation providers, financial institutions, entertainment companies, libraries, universities, and governmental agencies. This term is used when defining an entity of this sort specific to the Liberty Identity Federation Framework as discussed in Liberty Identity Federation Framework.
A single logout occurs when a user logs out of an identity provider or a service provider. By logging out of one provider, the user is logged out of all service providers or identity providers in that authentication domain.
Single sign-on is established when a user with a federated identity authenticates to an identity provider. If the user has previously opted in to federation, access to affiliated service providers is available without having to reestablish identity.
A trusted provider is a generic term for one of a group of service and identity providers in an authentication domain. A user can transact and communicate with trusted providers in a secure environment.
A web service consumer invokes the operations that a web service provides by making a request to a web service provider. This term is used when defining an entity of this sort specific to the Liberty Identity Web Services Framework as discussed in Liberty Identity Web Services Framework.
A web service provider implements a web service based on a request from a web service consumer. This term is used when defining an entity of this sort specific to the Liberty Identity Web Services Framework as discussed in Liberty Identity Web Services Framework.
A web service provider may run on the same Java virtual machine as the web service consumer that is using it.