AARC

Authentication and Authorization for Research Collaborations, Project funded by the European Union’s Horizon 2020 research and innovation programme under Grant Agreements 653965 and 730941. AARC was successful in establishing a Blue Print Architecture for the deployment of FIM technologies in research infrastructures, as well as in establishing guidelines on respective technical and policy matters .

Authentication

The process of verifying the the identity of a user, process or deviceability of a user to access an account, often, but by no means exclusively, use of a username and password.

Authorization

The process of verifying against a set of access controls whether an account is authorized to access a given service or resource.

eduGAIN

eduGAIN enables trustworthy exchange of identity information between federations without many bilateral agreements, reduces the costs of developing and operating services, improves the security and end-user experience of services, enables service providers to greatly expand their user base and enables identity providers to increase the number of services available to their users. Speaking about costs of operating services when a resource provider is updating its metadata it easy to send it to just one federation and then propagate it to eduGAIN instead of having to contact many national federations separately. On the federation side getting updated metadata from eduGAIN has no maintenance costs is undoubtedly an advantage. See AARC and eduGAIN: expanding access to online resources for students, teachers and researchers, How to reach global customers with Federated Identity Management and How to Join eduGAIN as Service Provider for more details.

Federated Authentication

The mechanism by which an identity provider, such as a home organization, indicates to one of more service providers that the user has been authenticated and may be authorized by the service provider to access relevant resources.

Federated Identity

A digital identity which is asserted by one system (an identity provider) which may be consumed by other systems (service providers) by means of federated authentication.

Federation

A federation is an association of organizations that agree to exchange information as appropriate about their users and resources in order to enable collaborations and transactions such as user authentication.

Identity Provider (IdP)

An organization that manages digital identities and issues authentication assertions and potentially other attributes to Service Providers.

Identity Provider (IdP) Persistence

The storage and re-use of a previous IdP choice made during an identity provider discovery process.

IP address-based Authorization

A method where a SP and a home organization have agreed that every request coming from a range of network/Internet Protocol (IP) addresses associated with the home organization should be authorized for the services provided by the SP.

Multilateral Identity Federation

A form of identity federation where a trusted third party registers and publishes all entity metadata to all members, preventing the need for bilateral agreements between an IdP and SP.

REFEDS R&S

The REFEDS Research and Scholarship Entity Category (R&S) has been designed as a simple and scalable way for Identity Providers to release minimal amounts of required personal data to Service Providers serving the Research and Scholarship Community. Candidates for the Research and Scholarship (R&S) category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. Example Service Providers may include collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This entity category should not be used for access to licensed on-line resources as described in the category definition. For more details see REFEDS documentation.

Service Provider (SP)

An organization that makes online resources available to users based in part on information, in particular authentication assertions, from IdPs.

Single Sign On (SSO)

The ability of a user to access multiple discrete systems or sets of resources with a single set of access credentials. This is often achieved by the mechanism of Federated Authentication.

Web Storage[7]

Where web applications can store data locally within the user's browser. Before HTML5, application data had to be stored in cookies, included in every server request. Use of browser local storage prevents sending the data to server with each server calls (which is what cookies do).

IP address-based Authorization

A method where an SP and a home organization have agreed that every request coming from a range of network/Internet Protocol (IP) addresses associated with the home organization should be authorized for the for services provided by the SP.

Security Assertion Markup Language (SAML)[8]

A standards-based approach to federated or single sign-on (SSO) authentication. Many interoperable open source and commercial implementations of SAML are available.