
Macquarie E-Learning Centre Of Excellence (MELCOE)


Glossary

A reference of frequently-used terms throughout this web site

ANSI American National Standards Institute
AP Application Profile
ARIADNE Alliance of Remote Instructional Authoring & Distribution Networks for Europe
COLIS Collaborative Online Learning and Information Services
CP Content Package
CQL Common Query Language
DAM Digital Assets Management
DOI Digital Object Identifier
DRI Digital Repositories Interoperability
DRM Digital Rights Management
EML Educational Modelling Language
GUID Globally Unique Identifier
HEIP Higher Education Innovation Program
IEEE Institute of Electrical and Electronics Engineers
IMS The IMS Global Learning Consortium. IMS is concerned with ‘standards for learning servers, learning content and the enterprise integration of these capabilities’. The name came originally from ‘Instructional Management Systems’. http://www.imsproject.org/
IIS&R Interaction of IT Systems and Repositories
LCMS Learning Content Management System
LDAP Lightweight Directory Access Protocol
LMS Learning Management System
LO Learning Object
LOX Learning Object Exchange
LOM IEEE Learning Object Meta-data
LOMS Learning Object Management System
MD Meta-data
NISO National Information Standards Organization
OAI-PMH Open Archive Initiative Protocol for Metadata Handling
ODRL Open Digital Rights Language
OKI The Open Knowledge Initiative. A collaboration among leading universities and specification and standards organizations to support innovative learning technology in higher education. http://web.mit.edu/oki
PAM Pluggable Authentication Module or Presence & Availability Management
REL Rights Expression Language
SCOs Sharable Content Objects
SOAP Simple Object Access Protocol
SCORM Shareable Content Object Reference Model
SRU Search/Retrieve URL - URL access mechanism
SRW Search/Retrieve Web Service protocol
SSO Single Sign On
UDDI Universal Description, Discovery and Integration
XQuery XML Query
XrML Digital rights expression language by Content Guard
W3C World Wide Web Consortium
Z39.50 A national and international standard (ISO 23950) defining a protocol for computer-to-computer information retrieval.


Glossary - MAMS

A reference of frequently-used MAMS terms throughout this web site

Access Control
Limiting or granting access to a file system, Web site, or other digital environment, usually via some sort of authentication.
Access Management System  The collection of systems and/or services associated with specific on-line resources and/or services that together derive the decision about whether to allow a given individual to gain access to those resources or make use of those services.
ACI - Access Control Instruction  Access control is the mechanism by which you define access. When the server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server, to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, and compare. The permission level granted to a user may depend on the authentication information provided. (Definition taken from iPlanet Directory Server 4 documentation.)
ACL - Access Control List  A list of Access Control Instructions (ACIs) constitutes an Access Control List.
Active Directory Microsoft's directory service product for storing user identity information, attributes and access policy. Active Directory is built into the Windows Server 2003 and Windows 2000 Server operating systems.
Administrative Contact  The Administrative Contact serves as the primary registrar and administrator of the organization's InCommon federation participation. The Administrative Contact is responsible for registering and maintaining technical aspects of the organization's participation in InCommon, including Credential Provider and/or Resource Provider information, metadata and Technical Contact information. The Administrative Contact is assigned and verified by the Executive Liaison.
Applicant  Role which initiates applications.
Approval Within the context of management document descriptions, refers to the authorisation by the appropriate management entity to proceed with work described by a proposal or plan, or adopt a defined management process.
ARP - Attribute Release Policies  The rules that an Attribute Authority (AA) follows when deciding whether or not to release an attribute and its value(s).
Assertion When an Identity Provider authenticates a user and directs them back to the referring Service Provider, it includes as part of the message an assertion to prove that the user authenticated.
See also Identity Provider, Service Provider.
Assertion The identity information provided by a Credential Provider to a Resource Provider.
Assisted Password Reset  An assisted password reset is a password reset accomplished by interaction between the user and a support analyst, typically over the telephone. Assisted password resets are similar to self-service password resets, but with the intervention of a support analyst.
Assisted takeup A JISC project to support the work of the JISC core middleware programme. See http://www.jisc.ac.uk/index.cfm?name=funding_middlewareservice
See also Early adopters, JISC.
Athens The Athens service was developed by Eduserv to provide single sign-on access to a collection of online information services. See http://www.athensams.net/.
See also Single Sign-On.
Attribute  A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, group affiliation, etc.
Attribute Assertion  A mechanism for associating specific attributes with a user.
Attribute Authority (AA)  The service that asserts the requester's attributes by creating an attribute assertion and then signing it. The sites must be able to validate this signature.
Attribute Authority subject DN  The distinguished name of the Attribute Authority.
Attribute Authority URL  The Internet address of the Attribute Authority.
Attribution Assigning credit to the creator of an original work when the work is referenced, copied, distributed or performed.
Audit  An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
Audit Trail A list of all recorded activity, which resources are being accessed, when and by whom and what actions are being performed. Audit trails are one of the requirements of system accountability, enabling any system action or event to be traced back to the user responsible for it. Audit trails are also used to investigate cyber crimes. They are indispensable for incident response and the follow-up aspect of digital forensics. The audit trail enables the person investigating the incident to follow the trail that was left.
Authentication (authN)  A process used by a system to uniquely identify a user. Most systems authenticate users by asking them to type a secret password. Other forms of authentication include: 1) Using hardware tokens 2) Using a PKI certificate 3) Using a smart card 4) Providing a biometric sample (fingerprint, voice print, etc.) 5) Answering personal questions. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Authentication (authN)  Authentication in this context is the process of determining a user's identity, usually by verifying a supplied username and password combination.
Single Sign-On systems provide a means by which authentication information can be shared between services, so that a user does not have to authenticate multiple times.
See also Authorisation, Single Sign-On.
Authentication (authN)  AuthN: Authentication is the process of establishing whether or not a real-world subject is who or what its identifier says it is. Identity can be proven by: Something you know, like a password; Something you have, as with smart-cards, challenge-response mechanisms, or public-key certificates; Something you are, as with positive photo identification, fingerprints, and biometrics. (For more on this topic, see Internet-2 Middleware Authentication website <http://middleware.internet2.edu/core/authentication.html>.)
AuthN protocols such as Kerberos v5, Secure Sockets Layer (SSL), NTLM, and digest authentication protect the authN process and prevent the interception of credentials.
Authentication (authN)  Establishing the individual identity of a user, or determining that the user has certain attributes or is a member of a specified group.
Authentication (authN)  The process by which a person verifies or confirms their association with an electronic identifier, for example by entering a password that is associated with a UserID or account name. Also a security measure designed to establish the validity of a transmission, message, or originator, and a means of verifying an individual's authorization to receive specific categories of information.
Authentication Devices Devices used by organizations to verify the identities of users requesting access to information and applications. Authentication devices include: Fingerprint, Face, Voice, Signature, Password/PIN, Smart Card/Swipe Card, and Token.
Authentication Token A portable security device used for authenticating a user.
Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords. These require complementary software or hardware. Smart cards, smart card readers, USB tokens, and touch memory devices are a few examples.
Authorisation (authZ)  Authorisation in this context is the process of determining a user's right to access a resource.
Authorisation almost always relies on the user having been authenticated.
Authorisation (authZ)  AuthZ: based on the identity of a person, and the accompanying attributes or characteristics, allowing/denying access to resources. The determination that a request can be honoured is known as authorization. (For more on this topic, see Internet-2 Middleware Authorization website <http://middleware.internet2.edu/core/authorization.html>.)
The process of evaluating whether an authenticated entity is authorised to do something to a particular resource under a defined set of circumstances.
The process of resolving a user's entitlements with the permissions configured on a resource in order to control access.
Authorisation (authZ)  Establishing what an individual is permitted to do.
Authorisation (authZ)  The process of giving individuals access to system objects based on their confirmed Identity.
Authorisation (authZ)  The process of determining a specific person's eligibility to gain access to an application or function, or to make use of a resource. Also, a right or permission that is granted to access a system resource.
Billing Contact  The Billing Contact is responsible for executing and maintaining all of the organization's financial transactions associated with their InCommon federation participation, including communication with the Executive Liaison, Administrative Contact and federation accounting staff.
Biometric Authentication  Biometric authentication is any process that validates the identity of a user who wishes to sign into a system by measuring some intrinsic characteristic of that user. Biometric samples include fingerprints, retina scans, face recognition, voiceprints, and even typing patterns. Biometric authentication depends on measurement of some unique attribute of the user. Such systems presume that these user characteristics are unique, that they cannot be recorded and reproduced later, and that the sampling device is tamper-proof.
Biometrics  Generally, the study of measurable biological characteristics. In computer security, biometrics refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked. There are several types of biometric identification schemes: Face: the analysis of facial characteristics; Fingerprint: the analysis of an individual's unique fingerprints; Hand geometry: the analysis of the shape of the hand and the length of the fingers; Retina: the analysis of the capillary vessels located at the back of the eye; Iris: the analysis of the colored ring that surrounds the eye's pupil; Signature: the analysis of the way a person signs their name; Vein: the analysis of the pattern of veins in the back of the hand and the wrist; Voice: the analysis of the tone, pitch, cadence, and frequency of a person's voice.
Blackboard The Blackboard learning system is a Virtual Learning Environment (VLE) providing content-management and student/teacher interaction.
The IAMSECT project has plans to set up a Blackboard service as a Shibboleth Service Provider.
BTP Transaction standard
CA - Certificate Authority A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.
Carnegie Classification  The Carnegie Classification of Institutions of Higher Education is a taxonomy of U.S. higher education institutions. The 2000 Carnegie Classification includes all colleges and universities in the United States that are degree-granting and accredited by an agency recognized by the U.S. Secretary of Education. The 2000 edition classifies institutions based on their degree-granting activities from 1995-96 through 1997-98. http://www.carnegiefoundation.org/Classification/CIHE2000/defNotes/Definitions.htm
Certificate A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
Cluster Clusters, by definition, are interconnected whole computers that cooperate to solve a problem. But behind the definition, clusters are fairly static and homogeneous creations. The number of nodes in a cluster might grow or shrink over time, but the intent of the cluster rarely changes (and if it does, it's usually with a significant amount of re-architecting). For example, a cluster assembled for purposes of weather forecasting or for geopetrol exploration will have software installed for those applications only. The individual users of the cluster may change over time, but typically even as users turn over, the applications they run on the cluster remain similar to those run by previous users. The types of data that cluster users manipulate are typically chosen during the creation of the cluster.
Second, clusters are usually homogeneous, both in function and hardware. With the possible exception of the cluster manager, the purpose of the nodes in a cluster is to solve the same kind of problem. Therefore, the nodes of a cluster are usually machines with similar architectures and operating systems. They also have, in general, a uniform set of software libraries and applications. Finally, for ease of administration and access, clusters are generally in one physical location.
Confidentiality Ensuring that a resource may only be used by its intended recipient.
Contact/Contactless When used in conjunction with chip cards: whether the card is read by direct contact with a reader or has a transmitter/receiver system which allows it to be read using radio frequency technology (up to a certain distance).
Content Repository A secure storage facility that is capable of handling a wide variety of content types, and enabling access to authorized users.
Copyright Rights granted to an original work under applicable copyright law (in the U.S. by the 1976 Copyright Act and other relevant law).
CP - Certificate Policy A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt
CP - Credential Provider A campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.
CPS - Certification Practice Statement A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt
Credential  An object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization. Electronic credentials can be digital documents used in authentication and access control that bind an identity or an attribute to a claimant's token or some other property, such as a current network address. Credentials are verified when presented to the verifier in an authentication transaction. Anonymous credentials are used to evaluate an attribute when authentication need not be associated with a known personal identity.
CSR - Certificate Signing Request A digital file which contains a user's name and public key. The user sends the CSR to a Certificate Authority (CA) to be converted into a certificate.
Deactivation  Deactivation is the process of disabling a user's accounts, so that the user can no longer authenticate to those systems or access their resources or functions. Deactivation does not necessarily imply that the accounts are deleted -- simply that they are made inoperative.
Delegated User Administration As the number of accounts in a system grows, central user administration becomes impractical. Delegated user administration is a feature found in some systems to enable designated users to create new users and manage existing users in just a segment of the user directory.
Derivative Work A new work that is created by altering, transforming or building upon another work.
Digital Asset Security Technologies for ensuring that digital assets are used only as authorized, particularly when they are delivered outside the company firewall.
Digital Certificate  In the PKI environment, the data, equivalent to an identity card, issued to a user by a CA (Certificate Authority), which he/she uses during business transactions to prove his/her identity.
Digital Signature  A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.
Digital Signature  The number derived by performing cryptographic operations on the text to be signed. This operation, or hash function (also called hash algorithm), is performed on the binary code of the text. The result is known as the message digest, and always has a fixed length. A signature algorithm is applied to the message digest, resulting in the digital signature.
Digital Signature  A digital signature provides information about the source of a digital object, and allows the receiver to determine if the object has been altered in transit.
Directory A directory is a specialized database that may contain information about an institution’s membership, groups, roles, devices, systems, services, locations, and other resources.
Directory  A collection of accounts managed by a single system. Directories may be internal to a system (e.g., the SAM database in a Windows NT domain), or may be shared by multiple systems (e.g., an LDAP directory).
Directory Cleanup Manual system administration over an extended period of time tends to leave orphan accounts (see orphans). Directory cleanup is a process used to identify orphans and deactivate their accounts. Some user provisioning systems incorporate tools for directory cleanup, including identification of orphans based on last login time/date or on user ID reconciliation, and batch deactivation of access.
Directory Migration  Mergers, divestitures, and software changes periodically necessitate that large numbers of user accounts be moved from one system to another in a short period of time. User provisioning systems may provide tools to assist in such migrations: to list and characterize users on one system, and to automatically create batches of users on another system.
Directory Services Services that provide identity, demographic and authorization information on a user. 
Directory Synchronization  A directory synchronization process compares users, user groups, and user attributes as they are defined on two or more systems. It applies business logic to detected differences, and automatically updates the users, user groups, and/or user attributes on at least one system to match those found on others.
Disabled Account An account is disabled when some administrator or user provisioning process, presumably with suitable authorization, has actively set a flag to prevent further logins to that account. Most systems differentiate between locked and disabled accounts.
DMCA Digital Millennium Copyright Act.
DN - Distinguished Name  Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.
DNS - Domain Name Service  An Internet service that translates domain names to and from IP addresses.
Domain Name  A domain name is that portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to. InCommonFederation.org is an example of a domain name.
DREL Digital Rights Expression Language
DRM Digital Rights Management
DRM - Digital Rights Management The process of defining, tracking and enforcing permissions and conditions for digital content through digital means.
Early adopters A JISC project for early adopters of Shibboleth Technology. See http://www.jisc.ac.uk/index.cfm?name=funding.
See also Assisted takeup, JISC.
eBook A book in digital format that you can download to your computer and read using a software program. Depending on the specific format, the eBook can be read on a computer, PDA, or dedicated reader device with the proper software.
ebXML XML for electronic business: it enables businesses to find each other electronically and conduct business through the exchange of XML-based business messages.
Java API: JAXM (JSR 67) with ebXML message service profile; JAXR (JSR 93) registry/repository; CPP/CPA (JSR 157)
eduOrg  An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.educause.edu/eduperson/.
eduPerson  An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.
EL - Executive Liaison The Executive Liaison serves as the main contact for the federation participant organization, and is responsible for approving the application, ensuring that agreements are signed by a person with proper signature authority, and annual agreement renewals. The Executive Liaison is also responsible for assigning the Administrative Contact and Billing Contact for the federation participant and keeping contact information current. The Executive Liaison is ultimately responsible for payment of fees and serves as a backup if the Administrative Contact is not available. The Executive Liaison role will typically be filled by a CIO, VP of IT, or other senior administrative officer responsible for the organization's information technology assets. For Internet2 University Members this role is initially filled by their Internet2 Executive Liaison. For organizations that are not an Internet2 University Member or a sub-group of an Internet2 University Member, this role must be filled by the CFO of the organization. The EL is responsible for ensuring that the person who signs the InCommon Participant Agreement and other required documents has the authority to sign such documents on behalf of their organization. A different InCommon Executive Liaison, who will assume all responsibilities of the Executive Liaison, may be designated after the application process is complete.
Electronic Identifier  A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.
Electronic Identity  A set of information that is maintained about an individual, typically in campus electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.
Electronic Identity Credential  An electronic identifier and corresponding personal secret associated with an electronic identity. An electronic identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
Electronic Identity Database  A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.
Encryption The process of encoding information so it cannot be accessed without first being decrypted through the use of an encryption key.
Encryption  The scrambling of data so that it becomes difficult to unscramble or decipher. Scrambled data is called ciphertext, as opposed to unscrambled data, which is called plaintext. Unscrambling ciphertext is called decryption. Data encryption is done by the use of an algorithm and a key. The key is used by the algorithm to scramble and unscramble the data. The algorithm can be public (for inspection and analysis by the cryptographic community), but the key must be kept private. Encryption does not make unauthorized decryption impossible, but merely difficult. Time and the ever-increasing power of computers are the factors that determine the feasibility of decryption.
Enrollment  The initial process of collecting biometric data from a user and then storing it in a template for later comparison.
Enterprise directory An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution.  See the "Middleware Business Case" http://middleware.internet2.edu/earlyadopters/draft-internet2-ea-mw-business-case-00.pdf for a thorough discussion of the values provided by enterprise directory services.
Enterprise directory infrastructure The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.
ETL Tools handling data Extraction, Loading, and Transformation are called ETL tools.  These tools are common in the data warehousing industry, but are not yet commonplace in the directory/identity management industry.  While directory industry metadirectory products and directory integration products such as IBM Directory Integrator (formerly Metamerge Integrator) may be able to address this need, most institutions make use of Perl scripting.
Executive Committee (ExCom)  The Executive Committee (ExCom) of InCommon is responsible for the governance and management of the InCommon Federation.
Fair Dealing The term used in place of Fair Use in many parts of the world.
Fair Use Under US law, Section 107 of the Copyright act allows reproduction and use of a work for the purposes of research, teaching and reporting, subject to restrictions.
Federated Identity  The management of identity information between members of a federation.
Federation A Federation is an organisation composed of institutions which agree on a common set of principles in order to share information.
Federations form the core of the Federated trust principle which Shibboleth is designed to use.
See also Shibboleth.
Federation A special kind of trust relationship established beyond internal network boundaries between distinct organizations.
Federation A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
FICE  A 6-digit identification code for educational institutions, originally created by the Federal Interagency Committee on Education. The code is still used when reporting enrollment and other information to IPEDS. The code will be asked for in the registration process for InCommon.
Fingerprinting The process of extracting information about content to create a fingerprint for later matching and metadata retrieval. Fingerprinting works well for audio and visual content, but less well for textual content.
FOPP - Federation Operation Policies and Practices  The policies and practices the Federation operates under on a day-to-day basis. This document describes the activities of the Federation organization, the process of Participants applying and being accepted, etc., and how decisions are made.
GGF OGSI is being standardized through the efforts of the Global Grid Forum (GGF), which is a community-initiated forum of researchers and practitioners working on distributed computing and grid technologies. GGF's primary objective is to promote and support the development, deployment, and implementation of grid technologies and applications via the creation and documentation of "best practices"--technical specifications, user experiences, and implementation guidelines.
Global User ID  A global User ID is an identifier that uniquely identifies a user in an organization. It may or may not be used as the user ID on any one system, but is guaranteed to be unique (i.e., no two users may share the same Global User ID).
Grid Grids can be thought of as clusters without the pre-conceived limitations. Grids, like clusters, are interconnected whole systems that cooperate in solving problems. However, a grid can be thought of as a cluster that forms dynamically in response to requirements based on computing power and data sharing (with its associated authorization issues), without regard for the physical location where the computing power is generated, where the data is coming from, or on what kind of platform it is available. Imagine, in essence, having the ability to carve the necessary computing resources out of the universe of computing resources available to solve a specific problem, for whatever duration is required. A grid allows the dynamic, on-demand assembly of the different types of computing resources necessary to solve a particular problem. These computing resources usually belong to separate organizations whose members are interested in the solution of a given problem. This is the thinking that fostered the grid concept. The premise of grids is to share computing resources and data in a dynamic way on an unprecedented scale.
GUID Globally Unique Identifier. A GUID is a unique identifier intended to identify a single person for the entire period of their intersection with an institution’s electronic services. The GUID is intended to function as the primary key for an individual within an institution’s enterprise directory, serving as a permanent link between all identifiers for an individual. GUIDs may be assigned according to an algorithm or constructed from source system identifiers. GUIDs should not be changed, reassigned, or retired. (The term "global" in this context means "within an institution", not across all institutions.) [See Addendum 4.5.2 – Why Social Security Number (or Any Government identifier) Is NOT A Good Guid and Early Harvest: Identifiers, Authentication, and Directories: Best Practices for Higher Education <http://middleware.internet2.edu/docs/internet2-mi-best-practices-00.html> for a thorough discussion of related issues.]
Handle A reference assigned to a user for the purpose of retrieving attributes about the user. The handle is not in any way linked to the identity of the user.
Handle Service The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.
Handle Service subject DN The distinguished name of the Handle Service.
Handle Service URL The Internet address of the Handle Service.
Higher Education Institution A two- or four-year post-secondary, degree-granting institution that is regionally accredited by an agency on the U.S. Department of Education's list of Regional Institutional Accrediting Agencies (see http://www.incommonfederation.org/accrediting.cfm).
I2MI The Internet2 Middleware Initiative (I2MI) was set up in 1999 and spawned the Shibboleth Project.
See also Internet2, Middleware, Shibboleth.
IAMSECT IAMSECT stands for 'Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching'.
IAMSECT is a JISC core middleware project to develop, test and disseminate practical approaches towards the adoption of Shibboleth technology within the UK.
We have a particular focus on the issues of Authorisation (vs. Authentication) especially within the realm of clinical teaching, a field which provides a rich variety of privacy issues to consider.
Identifier A unique pointer, within a certain context (namespace), to an identity.
Identity Description of a person or organisation, e.g. by a set of characteristics or attributes. To avoid schizophrenic views, a person or organisation can only have one identity, but multiple roles.
WordNet dictionary: the individual characteristics by which a thing or person is recognized or known.
Identity Identity is the set of information associated with a specific physical person or other entity. Typically a Credential Provider will be authoritative for only a subset of a person's identity information. Which identity attributes are relevant in any situation depends on the context in which the question is asked.
Identity The username used to identify an individual to an application. An individual may have multiple Identities, one per application.
Identity Credential An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
Identity Database A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database or set of linked relational databases.
Identity Federation Identity federation allows users to present a single set of identity and authentication information to access applications and services across multiple domains and distributed, heterogeneous networks. A federated system allows a user’s identity in one domain to be used to gain access to resources in another domain without the need for separate authentication.
Identity Management The comprehensive management and administration of user permissions, privileges, and individual profile data. It provides a single point of administration for managing the lifecycle of accounts and profile data.
Identity Management System A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.
Identity Provider An identity provider is a service which asserts the identity of a user who is local to the institution running the provider.
See also Origin.
Identity Provider The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation.
IdP Acronym for Identity Provider.