Acronym for "Authentication and Authorization Infrastructure".

(SAML) Assertion

A digital statement issued by an IdP, derived from the Digital Identity of an End User. Typically an Assertion is digitally signed and optionally encrypted.


Process of identifying of a previously registered user.


Process of granting or denying access to a resource for an authenticated user.

(Authorization) Attributes

User data (such as name, affiliation, study branch, etc.) needed for access control decisions. The attributes used by eduGAIN are defined in the eduGAIN Attribute Profile.

Attribute Authority

The AA is a component of the Identity Provider. It issues attributes on behalf of an organization.

Attribute Release Policy (ARP)

It defines which attributes are going to be released to a requesting resource (the attribute filter). It is a mechanism to implement privacy and data protection.

Attribute Resolver

A component of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, ...) and performs the necessary transformations for SAML transport.




Digital Identity

A set of information that is attributable to an End User It is issued and managed by an IdP Operator on the basis of the identification of the End User.

Discovery Service

Technical term/synonym for WAYF.


End User

Typically, a human person who belongs to an organization, typically an employee or student, who uses Federated Authentication via its IdP. However, an End User can also be a legal person, a virtual artifact (e.g. a computer process, an application), a tangible object (e.g. a device) or a group of other entities (e.g. an organization) of an organization.


Entitlements form a specialized class of Authorization Attributes important enough to call out separately. They can be used to identify a user's eligibility to access a given resource such as an e-journal, see common-lib-terms.


The EntityID is a unique identifier, identifying each Service Provider and Identity Provider.


Federated Authentication

An End User uses his Digital Identity to authenticate for accessing services offered by SP Operators within the same or a different organization.

Federated Identity Management

The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.


A federation is a collection of organizations that agree to interoperate under a certain rule set.

Federation Member

A Federation Member is an organization (such as a university, library, etc.) that runs one Identity Provider and any number of AAI-enabled Resources. Federation Members usually have to agree on a common set of policies and rules defined in a service/federation agreement.

Federation Operator

The organization managing the Federation, operating the central components and acting as a competence centre. SWITCH is for example the Federation Operator of the SWITCHaai Federation, the Swiss identity federation.

Federation Technology Profile

The technology profiles specify how to use which subsets of a specific federation technology in the context of a Federation.



Home Organization, Home Institution

A participating organization representing a user community, e.g. a university, library, university hospital etc. A Home Organization registers users and stores information about them. Furthermore, it is able to authenticate its users an it operates an IdP.


Identity Provider (IdP)

The system component that issues Assertions on behalf of End Users who use them to access the services of SPs.

IdP Operator

The organization operating an IdP. IdP Operator refers to the legal entity that signs contracts, is a Federation Participant and is responsible for the overall processes supporting the IdP.


Interfederation takes place if a user from one federation accesses a service which is registered in another federation. eduGAIN is the most known and largest academic Interfederation service to exchange trusted identity information across boundaries of (national) identity federations.




Lazy Session Establishment

This special form of session establishment allows access to a URL or resource prior to authentication. The point is that the application decides when a user has to authenticate. More information is available for example on the SWITCHaai Demo Resource.



The Metadata contains technical details and descriptive information about the IdPs and SPs. For interoperability in a specific context, the Metadata format definition is part of a Federation Technology Profile.




Federation Participant

An organization that participates in an Identity Federation.



Relying Party

In general, one or more Service Provider or Identity Provider that is sender or recipient of an Assertion. A relying party could be a single Service Provider or a group of Service Providers. The SPs and IdPs can be grouped into a relying party by including them into an EntitiesDescriptor element in the Metadata. Such a group of Service Providers can then for example be used tell an Identity Provider to use a special way to transmit the attributes to the components of this relying party.


Web application, web site, information system, etc. An AAI-enabled Resource requests attributes about users from an IdP and makes access decisions (authorization) based on these attributes.



SAML - the Security Assertion Markup Language - is an XML framework for exchanging authentication and authorization information. SAML is a standard of OASIS. The software Shibboleth is based on SAML.

Service Provider (SP)

The system component that evaluates the Assertion from an IdP and uses the information from the Assertion for controlling access to protected Managed IT Services Ottawa. Synonym for an AAI-enabled Resource, although used in a more technical sense.


The name an open source SAML implementation developed by Shibboleth Consortium. Shibboleth is based on SAML and allows the implementation of an AAI. eduGAIN makes use of SAML.


SimpleSAML PHP is another very popluar open source SAML software. It supports SAML and additional protocols that can be used for federated identity management.

SP Operator

The organization operating an SP. SP Operator refers to the legal entity that signs contracts, is a Federation Participant and is responsible for the overall processes supporting the SP.

Single Sign-On (SSO)

Single Sign-On enables the user to gain access to multiple Resources by authenticating only once.





WAYF (Where Are You From)

The WAYF service, also called Discovery Service, lets the user choose his Home Organization from a list and then redirects the user to this Home Organization's login page for authentication.




Many of the above entries were with permission copied from SWITCHaai Glossary.

  • No labels