
Schedule to AS06/2008 (Rev 1.0)

Terms and Definitions

These additional terms and definitions were introduced as a result of the subsequent publishing of the New Zealand Security Assertion Messaging Standard, v1.0 June 2008.

Asserting party [SAML]

Informally, an instance of a SAML authority.

Assertion [SAML]

A piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorisation data applying to the subject with respect to a specified resource.

Attribute [SAML]

A distinct characteristic of an object (in SAML, of a subject). An object's attributes are said to describe it. Attributes are often represented as pairs of attribute name and attribute value, often referred to as attribute pairs. [edited]

Attribute assertion [SAML]

An assertion that conveys information about attributes of a subject.

Attribute authority [SAML]

A system entity that produces attribute assertions.

Authorisation [SAML]

The process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Usually, authorisation is in the context of authentication. Once a subject is authenticated, it may be authorised to perform different types of access.

Back channel [SAML]

Direct communications between two system entities without 'redirecting' messages through another system entity such as an HTTP client (e.g. a user agent). See also front channel.

Binding, Protocol binding [SAML]

Generically, a specification of the mapping of some given protocol's messages, and perhaps message exchange patterns, onto another protocol, in a concrete fashion. For example, the mapping of the SAML <AuthnRequest> message onto HTTP is one example of a binding. The mapping of that same SAML message onto SOAP is another binding. In the SAML context, each binding is given a name in the pattern 'SAML xxx binding'.

Cookie [Webopedia]

A piece of information stored in a browser by a web server, which is then sent back to the web server each time the browser requests a page from that server.

Entity, System entity [SAML] [SSC]

An active element of a computer/network system. For example, an automated process or set of processes, a subsystem, a person or group of persons that incorporates a distinct set of functionality. (RFC2828)

  • NZ SAMS also refers to 'machine entity' to make an entity such as a computer distinct from an entity that encompasses a person or group of persons

Federated identity [SAML] [SSC]

A principal's identity is said to be federated between a set of providers when there is an agreement between the providers on a set of identifiers and/or attributes to use to refer to the principal.

Identity Federation – the act of creating a federated identity on behalf of a principal.

NZ SAMS uses the terms:

  • 'Federated identifier' to mean the identifier unique to an individual's identity paired with the particular service agency with which the individual transacts.
  • 'Federated logon tag' to mean the name given to the federated identifier used in the GLS implementation.

Federation [SAML]

This term is used in two senses in SAML:

  1. The act of establishing a relationship between two entities
  2. An association comprising any number of service providers and identity providers.

Front channel [SAML]

The 'communications channel' that can be effected between two HTTP-speaking servers by employing 'HTTP redirect' messages and thus passing messages between each via a user agent, e.g. a web browser, or any other HTTP client (RFC2616). See also back channel.

Government Shared Network (GSN) [SSC]

The Government Shared Network (GSN) enables government agencies to collaborate securely and more cost effectively. The shared network improves the delivery of information and services to the New Zealand public. Phase 1 includes inter-agency linking, wide area network links, internet services and remote access services.

Identifier [SAML]

This term is used in two senses in SAML:

  1. One that identifies.
  2. A data object (for example, a string) mapped to a system entity, which uniquely refers to the system entity. A system entity may have multiple distinct identifiers referring to it.

An identifier is essentially a 'distinguished attribute' of an entity. See also Attribute.

Identity Provider (IdP) [SAML]

A kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.

Provider: a generic way to refer to both identity providers and service providers.

(An example of an identity provider is the Government Logon Service.)

  • In the nomenclature of actors enumerated in the Assertions and Protocols specification [SAMLCore] the identity provider is synonymous with a 'SAML Authority'.

igovt

The brand for the All-of-government Authentication Programme's all-of-government shared services, i.e. the Government Logon Service, Identity Verification Service, and Future Services.

Logon, Sign-on [edited] [SAML]

The process whereby a service user presents credentials to an Authentication Authority, establishes a simple session, and optionally establishes a rich session.

(Logout, Logoff, Sign-off: The process whereby a service user signifies desire to terminate a simple session or rich session.)

NIST [Webopedia]

National Institute of Science and Technology

Party [SAML]

Informally, one or more principals participating in some process or communication, such as receiving an assertion or accessing a resource.

Principal [SAML]

A system entity whose identity can be authenticated.

(Principal identity: A representation of a principal's identity, typically an identifier.)

Profile [SAML]

A set of rules for one of several purposes; each set is given a name in the pattern 'xxx profile of SAML' or 'xxx SAML profile'.

Included are:

  1. Rules for how to embed assertions into and extract them from a protocol or other context of use.
  2. Rules for using SAML protocol messages in a particular context of use.
  3. Rules for mapping attributes expressed in SAML to another attribute representation system. Such a set of rules is known as an 'attribute profile'.

Proxy [SAML]

An entity authorised to act for another.

This includes:

  1. Authority or power to act for another.
  2. A document giving such authority.

Relying party [SAML]

A system entity that decides to take an action based on information from another system entity. For example, a SAML relying party depends on receiving assertions from an asserting party (a SAML authority) about a subject. (See also the definition of 'asserting party' above.)

  • In the nomenclature of actors enumerated in the Assertions and Protocols document, section 3.4 [SAMLCore] the relying party is the request issuer and the service provider.

Requester, SAML requester [SAML]

A system entity that utilises the SAML protocol to request services from another system entity (a SAML authority, a responder). The term 'client' for this notion is not used because many system entities simultaneously or serially act as both clients and servers. In cases where the SOAP binding for SAML is being used, the SAML requester is architecturally distinct from the initial SOAP sender.

Resource [SAML]

Data contained in an information system (for example, in the form of files, information in memory, etc.), as well as:

  1. A service provided by a system.
  2. An item of system equipment (in other words, a system component such as hardware, firmware, software, or other documentation).
  3. A facility that houses system operations and equipment. [RFC2828]

SAML uses resource in the first two senses, and refers to resources by means of URI references.

Responder, SAML responder [SAML]

A system entity (a SAML authority) that utilises the SAML protocol to respond to a request for services from another system entity (a requester). The term 'server' for this notion is not used because many system entities simultaneously or serially act as both clients and servers. In cases where the SOAP binding for SAML is being used, the SAML responder is architecturally distinct from the ultimate SOAP receiver.

Security [SAML]

A collection of safeguards that ensure the confidentiality of information, protect the systems or networks used to process it, and control access to them. Security typically encompasses the concepts of secrecy, confidentiality, integrity, and availability. It is intended to ensure that a system resists potentially correlated attacks.

SAML artifact [SAML]

A small, fixed-size, structured data object pointing to a typically larger, variably-sized SAML protocol message. SAML artifacts are designed to be embedded in URLs and conveyed in HTTP messages, such as HTTP response messages with '3xx Redirection' status codes, and subsequent HTTP GET messages. In this way, a service provider may indirectly, via a user agent, convey a SAML artifact to another provider, who may subsequently dereference the SAML artifact via a direct interaction with the supplying provider, and obtain the SAML protocol message. Various characteristics of the HTTP protocol and user agent implementations provided the impetus for concocting this approach. The HTTP Artifact binding section of [SAMLBind] defines both the SAML Artifact format and the SAML HTTP protocol binding incorporating it.
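The artifact layout this definition points to, shown as an added example that is not code from this Standard or from [SAMLBind]: a type 0x0004 artifact (2-byte type code, 2-byte endpoint index, 20-byte SourceID, 20-byte message handle, base64-encoded) is built, parsed and, before any back-channel dereference, checked against a list of trusted providers. The entity IDs and resolution URLs are constructed placeholders.

```python
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Type code 0x0004 and the 2+2+20+20 byte layout are the SAML 2.0 artifact
# format from the HTTP Artifact binding; entity IDs used here are constructed.
TYPE_CODE = 0x0004
ARTIFACT_LEN = 44


@dataclass(frozen=True)
class Artifact:
    endpoint_index: int    # which artifact-resolution endpoint of the issuer to use
    source_id: bytes       # SHA-1 of the issuing provider's entityID (20 bytes)
    message_handle: bytes  # opaque 20-byte handle naming the stored message


def source_id_for(entity_id: str) -> bytes:
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def encode_artifact(entity_id: str, endpoint_index: int,
                    handle: Optional[bytes] = None) -> str:
    """Build the base64 artifact a provider would place in the redirect URL."""
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20 or not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("bad handle or endpoint index")
    raw = (TYPE_CODE.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact_b64: str) -> Artifact:
    """Parse and sanity-check a received artifact before anything is dereferenced."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("artifact must be exactly 44 bytes")
    if int.from_bytes(raw[0:2], "big") != TYPE_CODE:
        raise ValueError("unsupported artifact type")
    return Artifact(int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])


def resolve_issuer(artifact: Artifact, trusted: Dict[str, str]) -> Optional[str]:
    """Map the SourceID to a trusted issuer's resolution URL; None means do not dereference."""
    for entity_id, resolve_url in trusted.items():
        if source_id_for(entity_id) == artifact.source_id:
            return resolve_url
    return None
```

The relying party only opens the direct (back-channel) resolution request when `resolve_issuer` returns a URL it already trusts; an artifact whose SourceID matches no configured provider is dropped.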

SAML authority [SAML]

An abstract system entity in the SAML domain model that issues assertions. See also 'attribute authority' (and 'authentication authority' and 'policy decision point' (PDP) in the OASIS SAML v2.0 Glossary) [edited].

  • In the nomenclature of actors enumerated in the Assertions and Protocols document [SAMLCore] the SAML authority is usually synonymous with 'identity provider'.

Security context [SAML]

With respect to an individual SAML protocol message, the message's security context is the semantic union of the message's security header blocks (if any) along with other security mechanisms that may be employed in the message's delivery to a recipient. With respect to the latter, examples are security mechanisms employed at lower network stack layers such as HTTP, TLS/SSL, IPSEC, etc.

With respect to a system entity, 'Alice', interacting with another system entity, 'Bob', a security context is nominally the semantic union of all employed security mechanisms across all network connections between Alice and Bob. Alice and Bob may each individually be, for example, a provider or a user agent. This notion of security context is similar to the notion of 'security contexts' as employed in RFC2743, and in the Distributed Computing Environment (DCE), for example.

Service provider (SP) [SAML]

A role donned [taken] by a system entity where the system entity provides services to principals or other system entities.

In the context of this Standard, it is a government agency providing online services.

  • In the nomenclature of actors enumerated in the Assertions and Protocols document, section 3.4 [SAMLCore], the service provider is the request issuer and the relying party.

Service risk category (SRC) [SSC]

Each service risk category is defined based on the identity-related risk of a service and is detailed in the Evidence of Identity Standard [EOIS].

Session [SAML]

A lasting interaction between system entities, often involving a principal, typified by the maintenance of some state of the interaction for the duration of the interaction.

Single sign-on (SSO) [Webopedia]

An authentication process in a client/server relationship where the user, or client, can enter one name and password and have access to more than one application or access to a number of resources within an enterprise. Single sign-on takes away the need for the user to enter further authentications when switching from one application to another.

Single sign-on is also spelled 'single sign on' and is abbreviated as SSO.

Single sign-off [Wikipedia]

Single sign-off is the reverse of single sign-on, where a single action of signing out terminates access to multiple software systems.

SOAP [Webopedia]

Short for Simple Object Access Protocol, a lightweight XML-based messaging protocol used to encode the information in Web Service request and response messages before sending them over a network. SOAP messages are independent of any operating system or protocol and may be transported using a variety of internet protocols, including SMTP, MIME, and HTTP.

Subject [SAML]

A principal in the context of a security domain. SAML assertions make declarations about subjects.

Transport Layer Security (TLS) [Guide]

Like the Secure Sockets Layer (SSL) protocol, which it supersedes, TLS provides a cryptographically protected channel for web browser exchanges. TLS is defined by the Internet Engineering Task Force. TLS is similar to the older Secure Sockets Layer (SSL) protocol and is effectively SSL version 3.1.

Uniform Resource Identifier (URI) [Webopedia]

Uniform Resource Identifier is the generic term for all types of names and addresses that refer to objects on the World Wide Web. (Uniform Resource Locator (URL) is one type of URI.)

Web Services [Webopedia]

A term used to describe a standardised way of integrating Web-based applications using the XML, SOAP, WSDL and UDDI open standards over IP.

W3C [Webopedia]

Short for World Wide Web Consortium, an international consortium of companies involved with the Internet and the Web. The W3C was founded in 1994 by Tim Berners-Lee, the original architect of the World Wide Web. The organisation's purpose is to develop open standards so that the Web evolves in a single direction rather than being splintered among competing factions.

XML Attribute [SAML]

An XML data structure that is embedded in the start-tag of an XML element and that has a name and a value. For example, the portion AddressID="A12345" below is an instance of an XML attribute:

<Address AddressID="A12345">…</Address>

XML Element [SAML]

An XML data structure that is hierarchically arranged among other such structures in an XML document and is indicated by either a start-tag and end-tag or an empty tag. For example:

<AssertionConsumerService>…</AssertionConsumerService>
