1.1 Glossary

This document uses the following terms:

Active Directory Federation Services (AD FS): A Microsoft implementation of a federation services provider, which provides a security token service (STS) that can issue security tokens to a caller using various protocols such as WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) version 2.0.

AD FS behavior level: A specification of the functionality available in an AD FS server. Possible values such as AD_FS_BEHAVIOR_LEVEL_1 and AD_FS_BEHAVIOR_LEVEL_2 are described in [MS-OAPX].

AD FS server: See authorization server in [RFC6749].

claim: A declaration made by an entity (for example, name, identity, key, group, privilege, and capability). For more information, see [WSFederation1.2].

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC-0 (or GMT).

digest: The fixed-length output string from a one-way hash function that takes a variable-length input string and is probabilistically unique for every different input string. Also, a cryptographic checksum of a data (octet) stream.

DNS name: A fully qualified domain name (FQDN).

domain naming service name: The fully qualified domain name (FQDN) as known by the Domain Name System (DNS), as specified in [RFC1035] and [RFC1123].

federation: A collection of security realms that have established trust.

identity provider/security token service (IP/STS): An STS that might also be an identity provider (IP). This term is used as shorthand to see both identity that verifies token services and general token services that do not verify identity. Note that the "/" symbol implies an "or" relationship.

relying party (RP): A web application or service that consumes security tokens issued by a security token service (STS).

requestor IP/STS: An IP/STS in the same security realms as the web browser requestor. The requestor IP/STS has an existing relationship with the user that enables it to issue security tokens containing user information.

resource IP/STS: An IP/STS in the same security realm as the web service (WS) resource. The resource IP/STS has an existing relationship with the WS resource that enables it to issue security tokens that are trusted by the WS resource.

security realm or security domain: Represents a single unit of security administration or trust, for example, a Kerberos realm (for more information, see [RFC4120]) or a Windows Domain (for more information, see [MSFT-ADC]).

security token: A collection of one or more claims. Specifically in the case of mobile devices, a security token represents a previously authenticated user as defined in the Mobile Device Enrollment Protocol [MS-MDE].

security token service (STS): A web service that issues security tokens. That is, it makes assertions based on evidence that it trusts; these assertions are for consumption by whoever trusts it.

signature: A value computed with a cryptographic algorithm and bound to data in such a way that intended recipients of the data can use the signature to verify that the data has not been altered and/or has originated from the signer of the message, providing message integrity and authentication. The signature can be computed and verified either with symmetric key algorithms, where the same key is used for signing and verifying, or with asymmetric key algorithms, where different keys are used for signing and verifying (a private and public key pair are used). For more information, see [WSFederation1.2].

sign-out: The process by which a user (or an agent acting on the user's behalf) indicates that it will no longer be using its security token, and relying parties across security realms can destroy their security token caches for the user. For more information, see [WSFederation1.2]. Note that the use of the term sign-out is based on [WSFederation1.2].

single sign-on (SSO): An authentication and authorization scheme in which a user needs only one set of credentials in order to access unrelated network resources.

subject key identifier (SKI): The SKI extension provides a means of identifying certificates that contain a particular public key. For more information, see [RFC3280] section

trust: The characteristic that one entity is willing to rely on a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes. For more information, see [WSFederation1.2].

user: A person who employs a web browser requestor to access a WS resource.

user principal name (UPN): A user account name (sometimes referred to as the user logon name) and a domain name that identifies the domain in which the user account is located. This is the standard usage for logging on to a Windows domain. The format is: someone@example.com (in the form of an email address). In Active Directory, the userPrincipalName attribute of the account object, as described in [MS-ADTS].

web browser requestor: An HTTP 1.1 web browser client that transmits protocol messages between an IP/STS and a relying party.

web service (WS) resource: A destination HTTP 1.1 web application or an HTTP 1.1 resource serviced by the application. In the context of this protocol, it refers to the application or manager of the resource that receives identity information and assertions issued by an IP/STS using this protocol. The WS resource is a relying party in the context of this protocol. For more information, see [WSFederation1.2].

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.