Identity and Access Management Glossary


This article defines the terms used throughout related Identity and Access Management knowledge base articles.

Active Directory (AD) - Microsoft-developed Kerberos and LDAP-based directory service that manages and provides resources such as users, groups and computers.  AD provides configuration management for Windows devices and a directory service for many services.  AD is the primary authentication source for nearly all campus applications.

Affiliation - Collection of users based on the level and type of participation with the organization. Example: A group can be created based on users' affiliations and granted a role, which is a collection of entitlements.

Attribute Release Policy (ARP) - The ARP file states which attributes are released to which service providers based on a set of rules defined in the IDP.

AuthN=AuthZ (Authentication equals Authorization) - The problem (or assumption) that "if you have an account in the Authentication Service, you should be allowed access to a given resource."  This is commonly, mistakenly, used for labs, web forms, and downloads of site-licensed software.

Brickyard - Generic brand name of the authentication environment for guests and affiliates at NC State.  Currently handles REPORTER and Parents but will expand when moved to the Entra External ID implementation.

Cirrus Bridge - Middleware service for providing multi-lateral federation for SSO platforms that do not natively support it (like Entra ID), primarily focused on InCommon federation membership.

Claim - (aka attribute) Name/value pairs in a security token that provide assertions made by one entity to another (usually IDP to SP). 

Conditional Access - A rule-based system for making authentication and authorization decisions to block, allow, or require more steps based on the user, location, target application, or other rules defined.  Note that conditional access is the system by which Risk-Based Authentication is enforced.

Duo - NC State's primary MFA provider.

Duo LDAP Proxy - A product by Duo that will sit in front of an LDAP service to provide MFA for an application that doesn't support SSO.  Its most common setup is to hold up the authentication process until an automated push notification has been approved on the user's registered device.

eduPerson* - The LDAP object class specification agreed upon by Internet2 and Educause and used by many universities. https://wiki.refeds.org/display/STAN/eduPerson+%28202208%29+v4.4.0

Enterprise Application - An Enterprise application (aka Service Provider, Relying Party, or Service Principal) is the Entra SSO-enabled resource that a user is attempting to access, which triggers an SSO/authentication process.  An Enterprise Application is the summary of attribute/claim configuration, group-based authorization, and SCIM configuration, and can link to Conditional Access policies. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-application-management

Entitlement - An entitlement is a right granted to a user's account on a given system to access some data or function.

Entity ID - A string that identifies the Identity Provider or Service Provider in a SAML message or metadata. Entra SPs usually refer to the IdP EntityID as the "Issuer." Shibboleth commonly uses URL-like strings as Entity IDs.

Entra Connect Sync - A synchronization service that runs on an on-prem server, connects an Active Directory domain to an Entra tenant, and handles user, group, password-hash, and attribute syncing between the two environments.

Entra ID - (formerly Azure AD) A cloud-based authentication, SSO, MFA, directory, and grouping platform.  It includes most of the features common to identity and access management (IAM) platforms.  It is the built-in IAM back end for Azure, Intune, Office365 and other Microsoft technologies.

Entra WorkForce Tenant - An Entra WorkForce tenant is for our employees/students/staff, internal business apps, and other organizational resources.  It can be used for Azure, Intune, Office365, and so forth. https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers

Entra External Tenant - An Entra External tenant configuration is used exclusively for scenarios where you want to publish web applications to consumers, either internal or external.  An External Tenant is SSO-only.  Replaces Entra B2C.  https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers

Federation - Federation is both a technology and a business relationship. The business relationship is one where one organization (A) trusts a partner (B) to authenticate and authorize users who will subsequently be allowed to access A's resources (typically web applications) without having user records on A's network. This technology depends on a business relationship with implicit trust of B by A.

Google Group - A group in Google Workspace that contains one or more email addresses and can be used for mailing lists, access control with Drive, calendars, and GCP.

Group Membership - The assignment of a given user to a given security group.

High Assurance - The collection of identities for which the university has established a high level of assurance that the account was issued to the correct person.  Usually these are traditional Unity accounts that have gone through the application process (for enrollment or employment), which involves background checks, and for which NC State manages all of the identity and account information, including MFA, UIA, etc.  It will also include a subset of Guest/Affiliate accounts for Research Collaborators and other affiliations that have access to university data.

Identity Provider (IDP) - The user-facing authentication interface. The IDP communicates with an authentication service and an identity database and, in conjunction with the attribute release policy, issues a cookie containing identity data to the user.

Infrastructure as Code (IaC) - Provisioning and managing infrastructure via automation and configuration management instead of manual configuration. Examples: Puppet, Ansible, Terraform, PowerShell, etc.

Level of Assurance (LoA) - The degree of certainty a resource owner has that a person's physical self was adequately verified before credentials were issued by a registration authority.  There are different levels of assurance based on the number and quality of identifiers used to validate a user's identity; they often correlate with (but do not depend on) authentication strength and/or password complexity.

Low Assurance - The collection of identities where the university has a low level of assurance regarding the identity of a user and where the university has delegated the account authentication to an external system (like Social Login), where an email address is the primary identifier that we have for the user.  This includes Parent, REPORTER, and other accounts.

Microsoft Account - Entra user accounts from Microsoft's consumer services (outlook.com, hotmail, live.com, and so forth) as opposed to "work or school accounts." https://support.microsoft.com/en-us/account-billing/what-s-the-difference-between-a-microsoft-account-and-a-work-or-school-account-72f10e1e-cab8-4950-a8da-7c45339575b0

Multi-factor Authentication (MFA) - Authentication that requires multiple factors. For example, a user might sign into a system using a combination of two things they know, or a combination of something known and something they have, or a combination of something known, something they have, and something they are. The premise is that adding authentication factors makes it more difficult for a would-be attacker to simulate a legitimate authentication and consequently impersonate a legitimate user.

Multi-Lateral Federation - A federation where participating institutions declare conformance with federation-wide standards to foster implicit bilateral trust between each Identity Provider and Service Provider. These declarations are represented in the federation's metadata (or trust registry). The standards may address institutions' technology deployment, policies, IAM practices, organizational maturity, and so forth.  InCommon is the most common example.

OAuth - OAuth (Open Authorization) is an open standard for authorization. It allows users to share private resources (such as photos, videos, or contact lists) stored on one site with another site without having to share their credentials, typically a username and password. https://oauth.net/2/

Onboarding - The process for new hires to join an organization. It may also be used for onboarding contractors or signing up visitors to a web portal.

Offboarding (termination) - All users eventually leave an organization. Likewise, customers may terminate their relationship with vendors. Generically, these events are referred to as offboarding or termination.

OpenID - An open standard for authentication in a decentralized manner. OpenID combined with OAuth is a competitor to SAML in the federation space. https://openid.net/

OIDC - SSO authentication protocol that builds on top of OAuth 2.0 and adds the ability to pass attributes (claims).  Provides similar functionality to SAML while being much lighter weight, and is generally preferred. https://www.microsoft.com/en-us/security/business/security-101/what-is-openid-connect-oidc

Persona - NCSU-developed grouping service fed with data from HR/SIS; allows users to build groups via an attribute builder, has an API, and first-party connectors for Active Directory and Google.

Privileged Identity Management (PIM) - Time-limited ability to gain additional role privileges (often with an approval step) for being able to complete administrative tasks.  Supported by Entra ID for Entra-native applications.

REFEDS MFA Profile - Defines a standard signal to request MFA and to respond to such a request in a federated authentication transaction.  https://refeds.org/profile/mfa

Role - A collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.
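An added example, not from this article, that puts the AuthN=AuthZ anti-pattern beside a check that resolves a user's affiliations to groups, roles and entitlements in the way the Affiliation, Entitlement and Role entries describe. Every user, affiliation, group, role and entitlement name below is constructed for the example.

```python
"""Authentication is not authorization: a naive check grants any valid
account the resource; the entitlement check walks affiliation -> group ->
role -> entitlement. All policy data here is constructed sample data."""
from dataclasses import dataclass, field

# Constructed policy: groups are built from affiliations, groups are granted
# roles, and a role is a collection of entitlements.
GROUPS_BY_AFFILIATION = {
    "student": {"students"},
    "staff": {"employees"},
    "faculty": {"employees", "instructors"},
}
ROLES_BY_GROUP = {
    "students": {"campus-user"},
    "employees": {"campus-user", "software-downloader"},
    "instructors": {"lab-admin"},
}
ENTITLEMENTS_BY_ROLE = {
    "campus-user": {"webform:submit"},
    "software-downloader": {"software:download"},
    "lab-admin": {"lab:reserve", "software:download"},
}


@dataclass
class Principal:
    name: str
    authenticated: bool
    # Affiliation values as an IdP might release them (e.g. eduPersonAffiliation).
    affiliations: set = field(default_factory=set)


def naive_is_allowed(user: Principal, entitlement: str) -> bool:
    """The AuthN=AuthZ anti-pattern: having an account is treated as access."""
    return user.authenticated


def entitlements_for(user: Principal) -> set:
    """Resolve affiliations -> groups -> roles -> entitlements."""
    groups = set().union(*(GROUPS_BY_AFFILIATION.get(a, set()) for a in user.affiliations))
    roles = set().union(*(ROLES_BY_GROUP.get(g, set()) for g in groups))
    return set().union(*(ENTITLEMENTS_BY_ROLE.get(r, set()) for r in roles))


def is_allowed(user: Principal, entitlement: str) -> bool:
    """Authentication is necessary but not sufficient: require the entitlement."""
    return user.authenticated and entitlement in entitlements_for(user)
```

A separated user (account still valid, no current affiliation) passes the naive check and fails the entitlement check, which is exactly the gap the AuthN=AuthZ entry warns about.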

SAR (System Access Request) - A system designed for approving, granting, and revoking role-based access within the Financial, HR, and SIS systems.

SCIM (System for Cross-domain Identity Management) - A standard for account and group provisioning using REST APIs and JSON objects. https://www.microsoft.com/en-us/security/business/security-101/what-is-scim

Security Assertion Markup Language (SAML) - An XML-based protocol whereby one web service (the identity provider) may make assertions about the identity or rights of a user (the principal) to another web service (the service provider). SAML allows for single sign-on between domains, in cases where cookies, for example, cannot be used (web browsers in general only allow cookies to be submitted to the same domain that issued them). In practical terms, users authenticate to the identity provider. When users attempt to access content or applications on the service provider, their web browser is directed to request SAML assertions from the identity provider and pass those back to the service provider. In this way, the service provider no longer has to authenticate the user directly, and instead relies on statements about the user made by the identity provider, which does authenticate the user. https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Separated - Users who still have Unity accounts but are not active members of the NC State community. Former employees and graduated students are the most common examples. Commonly checked by the Library to determine licensed access to journals and similar resources.

Service Provider (SP) - The Service Provider (called the Relying Party in ADFS) is the service that a user is trying to gain access to, which redirects the user to their IDP (or WAYF) and consumes the identity data (released per the ARP) passed back after authentication.

Shibboleth - Shibboleth is an Internet2 open-source implementation for federated identity-based authentication and authorization infrastructure based on Security Assertion Markup Language (SAML).  Shibboleth is currently limited to web-based authentication/authorization.

Single Sign-on - Single sign-on (SSO) is any technology that replaces multiple, independent system or application login prompts with a consolidated authentication process, so that users don't have to repeatedly sign in.

Social Login - A federated login process with a simple WAYF that allows users to log in from various IdPs, including Google, Microsoft, Apple, Facebook, Twitter, and so on, where the university tracks the identity but is not in control of the account/authentication process; it controls only the authorization to access services.

Unity - People who are in the classic group of "student, faculty, and staff".  The group of individuals where AuthN often equals AuthZ.  The Unity account is currently used as a key in many systems that are not managed by the current Unity account management process, which handles the (de)provisioning of accounts in Active Directory, Google, and other systems.

User Provisioning - A user provisioning system is shared IT infrastructure which is used to externalize the management of users, identity attributes and entitlements from individual systems and applications. User provisioning is intended to make the creation, management and deactivation of login accounts and other user objects, which are spread across multiple systems, faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.

Where Are You From (WAYF) - Service that helps a user select their home organization or identity provider (IdP) to begin a single sign-on (SSO) process.  Often provided as a searchable list of organizations or via an email-suffix lookup that redirects the client login to the correct local IdP.

WorkShop Account - A set of accounts that can be checked out (with a new password) for short periods of time.  They were intended for use with K-12 summer programs and similar short-term workshops but have been used for many use cases beyond the original intent.  Workshop accounts are not enforced with MFA (in most cases); the Google account is archived and a new one created with each checkout, but the Active Directory account is persistent.