1.1 Glossary

This document uses the following terms:

application server: A computer that provides infrastructure and services for applications that are hosted on a server farm.

base64 encoding: A binary-to-text encoding scheme whereby an arbitrary sequence of bytes is converted to a sequence of printable ASCII characters, as described in [RFC4648].

certificate: A certificate is a collection of attributes and extensions that can be stored persistently. The set of attributes in a certificate can vary depending on the intended usage of the certificate. A certificate securely binds a public key to the entity that holds the corresponding private key. A certificate is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standards. For more information about attributes and extensions, see [RFC3280] and [X509] sections 7 and 8.

checksum: A value computed from a byte stream, in the simplest case the summation of its bytes. By comparing the checksums computed from a data item at two different times, one can quickly assess whether the data items are identical. A checksum detects accidental corruption only; it is not a cryptographic integrity mechanism, because anyone who can modify the data can also recompute or preserve its checksum.
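The following is an added example, not part of this specification: it shows why an additive checksum only catches accidental corruption. Moving one unit from one byte to another changes the content but leaves the byte sum, and therefore the checksum, unchanged, whereas a keyed MAC (HMAC-SHA256 here) rejects the modified stream. The message format, the key and the chosen indices are constructed for the example.

```python
import hashlib
import hmac


def additive_checksum(data: bytes) -> int:
    """The simplest checksum: the 16-bit sum of all bytes in the stream."""
    return sum(data) & 0xFFFF


def move_value(data: bytes, src: int, dst: int, delta: int = 1) -> bytes:
    """Return a modified copy of data in which 'delta' has been subtracted from
    byte src and added to byte dst. The byte sum, and so the additive checksum,
    is unchanged although the content differs."""
    out = bytearray(data)
    if not (0 <= out[src] - delta <= 0xFF and 0 <= out[dst] + delta <= 0xFF):
        raise ValueError("delta would overflow a byte")
    out[src] -= delta
    out[dst] += delta
    return bytes(out)


def tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the stream: an integrity check that cannot be
    preserved by someone who changes the data but lacks the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, expected: bytes) -> bool:
    # Constant-time comparison; never compare MACs with ==.
    return hmac.compare_digest(tag(key, data), expected)


# Constructed sample message (hypothetical format, not from any protocol).
ORIGINAL = b"amount=0100"
# Move one unit from the '1' at index 8 to the '0' at index 7: "0100" becomes "1000".
TAMPERED = move_value(ORIGINAL, src=8, dst=7)
KEY = b"\x00" * 32  # placeholder key for the example; use a random key in practice


def demo() -> dict:
    """Compare how the checksum and the MAC react to the tampered stream."""
    original_tag = tag(KEY, ORIGINAL)
    return {
        "same_checksum": additive_checksum(ORIGINAL) == additive_checksum(TAMPERED),
        "same_content": ORIGINAL == TAMPERED,
        "mac_accepts_original": verify_tag(KEY, ORIGINAL, original_tag),
        "mac_accepts_tampered": verify_tag(KEY, TAMPERED, original_tag),
    }


if __name__ == "__main__":
    print(ORIGINAL, TAMPERED, demo())
```

Stronger non-keyed checksums such as CRC-32 or an unkeyed SHA-256 have the same weakness in this setting: the attacker simply recomputes them. Only a keyed construction, or a signature, ties the integrity value to a secret the attacker does not hold.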

claim: (1) A set of operations that are performed on a workflow task to specify the user who owns it.

(2) A statement that one subject makes about itself or another subject. For example, the statement can be about a name, identity, key, group, privilege, or capability. Claims have a provider that issues them, and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.

claim issuer: A claims provider that issues a claim (2).

claim type: A statement that is part of a claim (2) and provides context for a claim value. It represents the type of claim and is typically a Uniform Resource Identifier (URI). Examples include FirstName and Role.

claim value: A string that represents the value of a statement in a claim (2). It specifies what is being asserted by a claim.

connection: A link that two physical machines or applications share to pass data back and forth.

credential: Previously established authentication data that a security principal uses to establish its own identity. When used in reference to the Netlogon Protocol, it is the data that is stored in the NETLOGON_CREDENTIAL structure.

endpoint: A communication port that is exposed by an application server for a specific shared service and to which messages can be addressed.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

group target application: A target application that stores credentials for a group of Secure Store Service (SSS) users. It references a set of claims (2) that represents the SSS users who can retrieve the credentials associated with it.

Hypertext Transfer Protocol (HTTP): An application-level protocol for distributed, collaborative, hypermedia information systems (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS): An extension of HTTP in which requests and responses are carried over an encrypted TLS connection, providing confidentiality, integrity, and server authentication. In some older protocols, "Hypertext Transfer Protocol over Secure Sockets Layer" is still used (Secure Sockets Layer has been deprecated). For more information, see [SSL3] and [RFC5246].

individual target application: A target application that stores credentials for Secure Store Service (SSS) users. It references an identity claim (2) that represents an SSS user who can retrieve the credentials that are associated with it.

line-of-business (LOB) system: A software system that is used to store business data and can also contain business rules and business logic that support business processes.

master secret key: A symmetric encryption key that is used to encrypt and decrypt credentials and Secure Store Service (SSS) tickets.

Open Data Protocol (OData): A web protocol for querying and updating data over HTTP, in which resources are addressed by URIs and queried with a defined query syntax.

salt: An additional random quantity supplied, together with the secret, as input to an encryption or key-derivation function. Because the output depends on the salt as well as on the secret, identical secrets yield different outputs, and an attacker cannot precompute results for a set of candidate secrets once and reuse them against every stored value. A salt need not be kept secret, but it must be unpredictable and must be stored with the value it was used to produce.
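An added example, not drawn from this specification, of the property the definition describes: a secret is stretched into a key with PBKDF2-HMAC-SHA256, and the random salt is stored next to the derived value rather than hidden. With a fixed salt every holder of the same secret gets the same key, so one precomputed table serves against all of them; with a per-record random salt the records differ while each still verifies. The record layout (salt || key), the iteration count and the sample secrets are assumptions of the example.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
ITERATIONS = 200_000  # cost parameter; raise it as hardware permits


def derive_key(secret: bytes, salt: bytes, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: stretches a secret into a key, mixing in the salt."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=length)


def make_record(secret: bytes) -> bytes:
    """Store salt || derived key. The salt is not secret; it only has to be
    unpredictable and kept with the value it was used to produce."""
    salt = os.urandom(SALT_LEN)
    return salt + derive_key(secret, salt)


def check_record(secret: bytes, record: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(derive_key(secret, salt), stored)


def precomputation_demo(secret: bytes) -> dict:
    """Show the difference between a fixed salt and a random per-record salt.
    With a fixed salt, two derivations of the same secret collide, which is
    exactly what a precomputed dictionary relies on."""
    fixed = b"\x00" * SALT_LEN
    unsalted_a = derive_key(secret, fixed)
    unsalted_b = derive_key(secret, fixed)
    salted_a = make_record(secret)
    salted_b = make_record(secret)
    return {
        "fixed_salt_keys_equal": unsalted_a == unsalted_b,
        "random_salt_records_equal": salted_a == salted_b,
        "both_records_verify": check_record(secret, salted_a) and check_record(secret, salted_b),
    }


if __name__ == "__main__":
    rec = make_record(b"correct horse")  # constructed sample secret
    print(rec.hex(), check_record(b"correct horse", rec), precomputation_demo(b"hunter2"))
```

The same pattern applies when the derived value is an encryption key rather than a stored verifier: the salt is written in the clear beside the ciphertext, and decryption re-derives the key from the master secret and that salt.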

Secure Store Service (SSS): A service that is used to store credentials for a user or a group of users. It enables applications, typically on behalf of a user, to authenticate and gain access to resources. Users can retrieve only their own credentials from the secure store.

Secure Store Service (SSS) partition: A group of target applications and credentials that are identified by a GUID and are contained in a single Secure Store Service (SSS) store.

Secure Store Service (SSS) store: A persistent store that provides storage for target application definitions and credentials.

Secure Store Service (SSS) ticket: A token that contains the encrypted identity of a Secure Store Service (SSS) user in the form of a claim (2) and a nonce.

Secure Store Service (SSS) user: A security principal that interacts with a Secure Store Service (SSS) implementation.

security principal: An identity that can be used to regulate access to resources. A security principal can be a user, a computer, or a group that represents a set of users.

SOAP: A lightweight protocol for exchanging structured information in a decentralized, distributed environment. SOAP uses XML technologies to define an extensible messaging framework, which provides a message construct that can be exchanged over a variety of underlying protocols. The framework has been designed to be independent of any particular programming model and other implementation-specific semantics. SOAP 1.2 supersedes SOAP 1.1. See [SOAP1.2-1/2003].

SOAP action: The HTTP request header field used to indicate the intent of the SOAP request, using a URI value. See [SOAP1.1] section 6.1.1 for more information.

SOAP body: A container for the payload data being delivered by a SOAP message to its recipient. See [SOAP1.2-1/2007] section 5.3 for more information.

SOAP fault: A container for error and status information within a SOAP message. See [SOAP1.2-1/2007] section 5.4 for more information.

Status-Code: A 3-digit integer result code in an HTTP response message, as described in [RFC2616].

Structured Query Language (SQL): A database query and programming language that is widely used for accessing, querying, updating, and managing data in relational database systems.

target application: A logical entity that represents a software system for which credentials are maintained. It consists of metadata including the number and type of credentials that are required by the software system and a set of claims (2) that identify the administrators who can update, read, and delete the entity.

target application field: A name of a credential field and its associated credential type.

Uniform Resource Identifier (URI): A string that identifies a resource. The URI is an addressing mechanism defined in Internet Engineering Task Force (IETF) Uniform Resource Identifier (URI): Generic Syntax [RFC3986].

Uniform Resource Locator (URL): A string of characters in a standardized format that identifies a document or resource on the World Wide Web. The format is as specified in [RFC1738].

Web Services Description Language (WSDL): An XML format for describing network services as a set of endpoints that operate on messages that contain either document-oriented or procedure-oriented information. The operations and messages are described abstractly and are bound to a concrete network protocol and message format in order to define an endpoint. Related concrete endpoints are combined into abstract endpoints, which describe a network service. WSDL is extensible, which allows the description of endpoints and their messages regardless of the message formats or network protocols that are used.

WSDL message: An abstract, typed definition of the data that is communicated during a WSDL operation [WSDL]. Also, an element that describes the data being exchanged between web service providers and clients.

WSDL operation: A single action or function of a web service. The execution of a WSDL operation typically requires the exchange of messages between the service requestor and the service provider.

XML namespace: A collection of names, identified by a URI reference [RFC3986], that is used to identify elements, types, and attributes in XML documents. A combination of XML namespace and local name allows XML documents to use elements, types, and attributes that have the same names but come from different sources. For more information, see [XMLNS-2ED].

XML namespace prefix: An abbreviated form of an XML namespace, as described in [XML].
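An added example, not part of this specification, tying together the SOAP entries above (SOAP action, SOAP body, SOAP fault) and the XML namespace entries: it builds a SOAP 1.1 request whose intent travels in the SOAPAction header, and parses a SOAP 1.2 fault by namespace URI rather than by prefix, so that the same fault is recognised whether the document declares the envelope namespace as env:, S:, or anything else. The action URI, the fault text and the response documents are constructed for the example.

```python
import io
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"


def build_soap11_request(action: str, body_xml: str) -> Tuple[Dict[str, str], bytes]:
    """HTTP headers and envelope for a SOAP 1.1 request. The intent of the
    request travels in the SOAPAction header (a quoted URI); the payload is the
    child of the Body element in the envelope namespace."""
    envelope = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{SOAP11_ENV}"><s:Body>{body_xml}</s:Body></s:Envelope>'
    )
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{action}"'}
    return headers, envelope.encode("utf-8")


def parse_soap12_fault(xml_bytes: bytes) -> Optional[Dict[str, object]]:
    """Return the fault code as a (namespace URI, local name) pair and the
    reason text, or None when the Body carries no Fault. The Code/Value content
    is a QName, so its prefix is resolved through the declarations seen in the
    document instead of being compared literally."""
    prefixes: Dict[str, str] = {}
    root = None
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            prefixes[prefix] = uri  # simplification: flat map, ignores rebinding in nested scopes
        elif root is None:
            root = payload
    ns = {"env": SOAP12_ENV}  # our own prefix for matching; unrelated to the document's
    fault = root.find("env:Body/env:Fault", ns)
    if fault is None:
        return None
    qname = fault.findtext("env:Code/env:Value", default="", namespaces=ns).strip()
    prefix, _, local = qname.rpartition(":")
    reason = fault.findtext("env:Reason/env:Text", default="", namespaces=ns).strip()
    return {"code": (prefixes.get(prefix, ""), local), "reason": reason}


# Constructed sample responses. Both faults are the same message; only the prefix differs.
FAULT_ENV = b"""<?xml version="1.0"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body>
    <env:Fault>
      <env:Code><env:Value>env:Sender</env:Value></env:Code>
      <env:Reason><env:Text xml:lang="en">Access denied</env:Text></env:Reason>
    </env:Fault>
  </env:Body>
</env:Envelope>"""

FAULT_S = b"""<?xml version="1.0"?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  <S:Body>
    <S:Fault>
      <S:Code><S:Value>S:Sender</S:Value></S:Code>
      <S:Reason><S:Text xml:lang="en">Access denied</S:Text></S:Reason>
    </S:Fault>
  </S:Body>
</S:Envelope>"""

OK_RESPONSE = (
    b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    b'<r:Result xmlns:r="urn:example:hypothetical">ok</r:Result></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    print(build_soap11_request("urn:example:DoThing", "<x/>"))  # hypothetical action URI
    print(parse_soap12_fault(FAULT_ENV), parse_soap12_fault(FAULT_S), parse_soap12_fault(OK_RESPONSE))
```

Matching on the namespace URI matters for security-relevant parsing as much as for interoperability: a filter that looks for the literal string "env:Fault" or "soap:Body" can be bypassed by a peer that simply declares a different prefix for the same namespace. Note also that SOAP 1.2 over HTTP carries the action as a parameter of the application/soap+xml media type rather than in a SOAPAction header; the header form shown is the SOAP 1.1 convention that this glossary describes.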

XML schema: A description of a type of XML document that is typically expressed in terms of constraints on the structure and content of documents of that type, in addition to the basic syntax constraints that are imposed by XML itself. An XML schema provides a view of a document type at a relatively high level of abstraction.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.