OpenAM Glossary

Control to grant or to deny access to a resource.

The act of making an account temporarily or permanently inactive after successive authentication failures.

Defined as part of policies, these verbs indicate what authorized subjects can do to resources.

In the context of a policy decision denying access, a hint to the policy enforcement point about remedial action to take that could result in a decision allowing access.

User having privileges only to read and write policy agent profile configuration information, typically created to delegate policy agent profile creation to the user installing a policy agent.

Entity with read-only access to multiple agent profiles defined in the same realm; allows an agent to read web service profiles.

In general terms, a service exposing protected resources.

Application types act as templates for creating policy applications.

Access control that is based on attributes of a user, such as how old a user is or whether the user is a paying customer.

The act of confirming the identity of a principal.

A series of authentication modules configured together which a principal must negotiate as configured in order to authenticate successfully.

Positive integer associated with an authentication module, usually used to require success with more stringent authentication measures when requesting resources requiring special protection.

OpenAM authentication unit that handles one way of obtaining and verifying credentials.

The act of determining whether to grant or to deny a principal access to a resource.

In OAuth 2.0, issues access tokens to the client after authenticating a resource owner and confirming that the owner authorizes the client to access the protected resource. OpenAM can play this role in the OAuth 2.0 authorization framework.

Arrangement to federate a principal’s identity automatically based on a common attribute value shared across the principal’s profiles at different providers.

Batch job permanently federating user profiles between a service provider and an identity provider based on a list of matched user identifiers that exist on both providers.

Group of providers, including at least one identity provider, who have agreed to trust each other to participate in a SAML v2.0 provider federation.

In OAuth 2.0, requests protected web resources on behalf of the resource owner given the owner’s authorization. OpenAM can play this role in the OAuth 2.0 authorization framework.

Defined as part of policies, these determine the circumstances under which which a policy applies.

LDAP directory service holding OpenAM configuration data.

OpenAM capability allowing single sign-on across different DNS domains.

Granting users administrative privileges with OpenAM.

Decision that defines which resource names can and cannot be accessed for a given subject in the context of a particular application, which actions are allowed and which are denied, and any related advice and attributes.

Federation configuration information specific to OpenAM.

Standard, XML-based access control policy language, including a processing model for making authorization decisions based on policies.

Standardized means for aggregating identities, sharing authentication and authorization data information between trusted providers, and allowing principals to access services across different providers without authenticating repeatedly.

Service provider application capable of participating in a circle of trust and allowing federation without installing all of OpenAM on the service provider side; OpenAM lets you create Java Fedlets.

Refers to configuration properties for which changes can take effect without restarting the container where OpenAM runs.

Set of data that uniquely describes a person or a thing such as a device or an application.

Linking of a principal’s identity across multiple providers.

Entity that produces assertions about a principal (such as how and when a principal authenticated, or that the principal’s profile has a specified attribute value).

Data store holding user profiles and group information; different identity repositories can be defined for different realms.

Java web application installed in a web container that acts as a policy agent, filtering requests to other applications in the container with policies based on application resource URLs.

Federation configuration information for a provider.

Set of rules that define who is granted access to a protected resource when, how, and under what conditions.

Agent that intercepts requests for resources, directs principals to OpenAM for authentication, and enforces policy decisions from OpenAM.

Entity that manages and stores policy definitions.

Entity that evaluates access rights and then issues authorization decisions.

Entity that intercepts a request for a resource and then enforces policy decisions from a PDP.

Entity that provides extra information, such as user profile attributes that a PDP needs in order to make a decision.

Represents an entity that has been authenticated (such as a user, a device, or an application), and thus is distinguished from other entities.

In the context of delegated administration, a set of administrative tasks that can be performed by specified subjects in a given realm.

Agreement among providers to participate in a circle of trust.

OpenAM unit for organizing configuration and identity information.

Something a user can access over the network such as a web page.

In OAuth 2.0, entity who can authorize access to protected web resources, such as an end user.

In OAuth 2.0, server hosting protected web resources, capable of handling access tokens to respond to requests for such resources.

Defined as part of policies, these allow OpenAM to return additional information in the form of "attributes" with the response to a policy decision.

Access control that is based on whether a user has been granted a set of permissions (a role).

Standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers.

Entity that consumes assertions about a principal (and provides a service that the principal is trying to access).

The interval that starts with the user authenticating through OpenAM and ends when the user logs out, or when their session is terminated. For browser-based clients, OpenAM manages user sessions across one or more applications by setting a session cookie. See also Stateful session and Stateless session.

Capability to allow another OpenAM server to manage a session when the OpenAM server that initially authenticated the principal goes offline.

Unique identifier issued by OpenAM after successful authentication. For a Stateful session, the session token is used to track a principal’s session.

Capability allowing a principal to end a session once, thereby ending her session across multiple applications.

Capability allowing a principal to authenticate once and gain access to multiple applications without authenticating again.

Group of OpenAM servers configured the same way, accessed through a load balancer layer.

Standard federation configuration information that you can share with other access management software.

An OpenAM session that resides in the OpenAM server’s memory and, if session failover is enabled, is also persisted in the Core Token Service’s token store. OpenAM tracks stateful sessions in order to handle events like logout and timeout, to permit session constraints, and to notify applications involved in SSO when a session ends.

An OpenAM session for which state information is encoded in OpenAM and stored on the client. The information from the session is not retained in OpenAM’s memory. For browser-based clients, OpenAM sets a cookie in the browser that contains the session information.

Entity that requests access to a resource

Data storage service holding principals' profiles; underlying storage can be an LDAP directory service, a relational database, or a custom IdRepo implementation.

Native library installed in a web server that acts as a policy agent with policies based on web page URLs.