An overview of identity management terms: authentication, authorization, tokens, DCR, SCIM and more.

Glossary of Identity Management Terms

On this page

Identity Management Terminology

Authenticator : An identity resource that is set with an authentication method.

Authentication : A process through which the Identity Management System verifies who the user or application is.

Authorization : A process through which it is determined what access should be granted for the specific request.

Neo-Security Architecture : A modular and open-standard-based security architecture for secure, protected and legitimate access to mobile and web applications and their data, such as APIs and services.

Back-channel : A method of transmitting a token from an IdP to an RP where the token is obtained through direct communication between the RP and IdP. To this end, the IdP will send a by-ref token to the RP through the front-channel. Then, the RP authenticates to the IdP and presents the reference. The IdP will authenticate the RP and return the associated assertion.

By-reference token, by-ref token : A token that contains reference pointing to the identity data. They are used in external networks, which makes the identity data opaque to external networks. For example, a phantom token.

By-value token : A token that contains identity data and almost always include a digital signature over that data to ensure the integrity. They are used in internal networks. For example, a JWT.

Front-channel : A form of transmitting a token from an IdP to an RP where the token is sent via the user (typically facilitated by their browser).

Nonce : A token that can be used "no" more than "once" (i.e., a single-use token). A nonce is often a by-reference token.

Subject : The entity that is authenticated by an IdP, often an end user.

Identity Management Abbreviations

ALFA : Abbreviated Language For Authorization used in formulating access control policies

AMS : API Management System

CRUD : Create, Read, Update, Delete

DCR : Dynamic Client Registration

DCRM : Dynamic Client Registration Management

EMS : Entitlement Management System

FIDO : Fast IDentity Online, a set of standards for fast, simple, strong authentication

HOTP : HMAC-based One-time Password algorithm

IDP, IdP : Identity Provider, the entity or organization that asserts an identity for a subject

IMS : Identity Management System

JOSE : JSON Object Signing and Encryption

JWT : JSON Web Token

PAP : Policy Administration Point

PDP : Policy Decision Point

PEP : Policy Enforcement Point

PIP : Policy Information Point

PRP : Policy Retrieval Point

RP : Relying Party, synonymous with SP and (in the context of OAuth) client

SAML : Security Assertion Markup Language

SP : Service Provider

SCIM : System for Cross-domain Identity Management

TOTP : Time-based One-Time Password algorithm, an extension of HOTP