Identity Access Management Glossary 1 1


8/8/2019 Identity Access Management Glossary 1 1

1/35

Identity and Access Management Terminology

Glossary

By Magnaquest Solutions Sdn Bhd, Cyberjaya
www.magnaquest.com

Version 1.0
4th October 2010

Identity and Access Management - Glossary
IAM Glossary 1.0 Confidential
Page 2

Revision History

Version | Date (DD/MM/YYYY) | Author        | Reviewed By | Changes
1.0     | Oct 04, 2010      | Shince Thomas |             | Initial draft

Trade Marks

MQAssure™ is a registered trademark of Magnaquest Solutions Sdn Bhd.

Company Titles

Within this document, the following shortened forms of company titles may be used:

Magnaquest Solutions Sdn Bhd - Magnaquest


Access Certification
Over time, users may accumulate entitlements which are no longer needed or appropriate for their job function. Access certification is a process by which appropriate business stake-holders, such as users' managers or application owners, can periodically review entitlements and identify those that should be removed.

Access Control
An access control limits the use of a resource. Only those people, programs or devices that are specifically permitted to use the resource will have access. In addition, an access control will usually limit use to specific types of access; someone can read a file but not change it, for example.

An access control may be physical, for example, a lock on a door; or it may be software or hardware based, for example, in a computer system. It can also be a combination of the two.

Access Control Instruction (ACI)
Access control is the mechanism by which you define access. When the server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server, to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, and compare. The permission level granted to a user may be dependent on the authentication information provided.

Access Control List (ACL)
A list of Access Control Instructions (ACIs) constitutes an Access Control List.
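The following Python is an added illustration (not code from this glossary, nor from any directory server product) of how a server evaluates a request against an ACL of ACIs using the bound DN and authentication method from the bind operation. The ACI fields, the default-deny and deny-wins rules, and the sample directory names are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Permissions the server can allow or deny, as listed in the ACI entry above.
PERMISSIONS = {"read", "write", "search", "compare"}


@dataclass
class BindInfo:
    """Authentication information the server learned from the bind operation."""
    dn: str | None      # None for an anonymous bind
    auth_method: str    # constructed values: "anonymous", "simple" or "ssl"


@dataclass
class ACI:
    """One access control instruction (simplified, hypothetical layout)."""
    target: str                     # subtree the instruction applies to
    effect: str                     # "allow" or "deny"
    permissions: set[str]
    userdn: str = "anyone"          # "anyone", "self", or an explicit DN
    auth_method: str | None = None  # required bind method, or None for any


def in_subtree(entry_dn: str, target_dn: str) -> bool:
    """True when entry_dn is target_dn itself or lies beneath it."""
    entry, target = entry_dn.lower(), target_dn.lower()
    return entry == target or entry.endswith("," + target)


def aci_matches(aci: ACI, bind: BindInfo, entry_dn: str) -> bool:
    """Does this ACI apply to the given bind identity and target entry?"""
    if not in_subtree(entry_dn, aci.target):
        return False
    if aci.auth_method is not None and bind.auth_method != aci.auth_method:
        return False
    if aci.userdn == "anyone":
        return True
    if bind.dn is None:
        return False
    if aci.userdn == "self":
        return bind.dn.lower() == entry_dn.lower()
    return bind.dn.lower() == aci.userdn.lower()


def check_access(acl: list[ACI], bind: BindInfo, entry_dn: str, permission: str) -> bool:
    """Evaluate the ACL: nothing is permitted unless an ACI allows it,
    and any matching deny ACI overrides every allow (assumed rules)."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    allowed = False
    for aci in acl:
        if permission not in aci.permissions or not aci_matches(aci, bind, entry_dn):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


# Constructed sample ACL for a hypothetical directory.
PEOPLE = "ou=people,dc=example,dc=com"
SAMPLE_ACL = [
    # Everyone who has bound may look users up.
    ACI(PEOPLE, "allow", {"read", "search", "compare"}),
    # Users may update their own entry, but only over an SSL-protected bind:
    # the permission level depends on the authentication information.
    ACI(PEOPLE, "allow", {"write"}, userdn="self", auth_method="ssl"),
    # Anonymous binds get nothing, even though the first ACI says "anyone".
    ACI(PEOPLE, "deny", set(PERMISSIONS), auth_method="anonymous"),
]

JSMITH = "uid=jsmith," + PEOPLE
MJONES = "uid=mjones," + PEOPLE


def demo() -> dict[str, bool]:
    """Run representative requests against SAMPLE_ACL."""
    anon = BindInfo(None, "anonymous")
    simple = BindInfo(JSMITH, "simple")
    ssl = BindInfo(JSMITH, "ssl")
    return {
        "anonymous read": check_access(SAMPLE_ACL, anon, JSMITH, "read"),
        "simple read": check_access(SAMPLE_ACL, simple, JSMITH, "read"),
        "simple write self": check_access(SAMPLE_ACL, simple, JSMITH, "write"),
        "ssl write self": check_access(SAMPLE_ACL, ssl, JSMITH, "write"),
        "ssl write other": check_access(SAMPLE_ACL, ssl, MJONES, "write"),
        "outside target": check_access(SAMPLE_ACL, ssl, "ou=groups,dc=example,dc=com", "search"),
    }


if __name__ == "__main__":
    for request, granted in demo().items():
        print(f"{request:20} -> {'allow' if granted else 'deny'}")
```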

Access Deactivation
When termination happens, user access rights relating to an organization's systems and applications must be removed. This removal is called access deactivation.

Access Management
In an organization, access management is the sum of all of the practices, policies, procedures, and technical access control mechanisms that are used to appropriately control access to the assets, or a subset of the assets, of the company.

Account Expiry Date
An account has a termination date if logins will not be possible after a given time/date.

Administrator Lockout
An administrator lockout is a flag set by an administrator to disable logins on an account.

Administrator lockouts normally precede permanent deletion of the account, and provide an opportunity to retrieve data from the account before it is removed.

Note that on some systems and applications, intruder lockouts and administrator lockouts are entangled (they use the same flag). This is a poor but common design.

Alert
A robust network-security monitoring application should include an alerting service. When an event that requires attention occurs, this service will send a notice by e-mail, page, instant messaging or other urgent method to a security expert.

Alias
An alias is a local ID that a user has on a given system which is different from the user's global ID.

Application Migration
Vendors release new versions of their software all the time. When this happens, customers often choose to upgrade. Upgrades may require data from the old system, including data about users, to be migrated to the new system. An identity management system can be used to aid in this migration process.

Application Owner
An application owner is a person in a business organization who may have authorized purchase of the application and is in any case responsible for the use of that system. This is a business rather than technical role.

Approval Workflow
An approval workflow is a business process where human actors may enter, review, approve, reject and/or implement a change request.

Approved Exception
An approved exception is a role violation which has been flagged as acceptable, and which consequently may be removed from violation reports and/or not corrected.

Assertion
When an Identity Provider authenticates a user and directs them back to the referring Service Provider, it includes as part of the message an assertion to prove that the user authenticated.

Assisted Password Reset
An assisted password reset is a password reset accomplished by interaction between the user and a support analyst, typically over a telephone. Assisted password resets are similar to self-service password resets, but with the intervention of a support analyst.


Attestation
Attestation is synonymous with access certification. This term highlights the aspect of certification where stake-holders attest to the appropriateness of entitlements, rather than flagging those that should be removed. Both signing off on appropriate entitlements and flagging inappropriate ones should be done in tandem.

Attribute
A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, group affiliation, etc.

Attribute Assertion
A mechanism for associating specific attributes with a user.

Attribute Authority (AA)
The service that asserts the requester's attributes by creating an attribute assertion and then signing it. The sites must be able to validate this signature.

Audit
An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services and recommend any changes that are indicated for countermeasures.

Audit Trail
A list of all recorded activity: which resources are being accessed, when and by whom, and what actions are being performed. Audit trails are one of the requirements of system accountability, enabling any system action or event to be traced back to the user responsible for it. Audit trails are also used to investigate cyber crimes. They are indispensable for incident response and the follow-up aspect of digital forensics. The audit trail enables the person investigating the incident to follow the trail that was left.

Authentication
Authentication is a process where a person or a computer program proves their identity in order to access information. The person's identity is a simple assertion, the login ID for a particular computer application, for example. Proof is the most important part of the concept, and that proof is generally something known, like a password; something possessed, like your ATM card; or something unique about your appearance or person, like a fingerprint.

Authentication Factor
An authentication factor is something a user presents to a system in order to prove his identity. It may be something he (and hopefully only he) knows, or proof of possession of a physical object, or a measurement of some physical characteristic (biometric) of the living human user. In other words, something the user knows, or something he has, or something he is.

Authorization
Authorization is the act of granting a person or other entity permission to use resources in a secured environment. This is usually tightly linked to authentication. A person or other identity first authenticates and then is given pre-determined access rights. They now have the authority to take specific actions.

The process of deciding what permissions are given begins with policies: decisions made and documented by the owners of the resources. The policies may be based on a user's identity or on the user's role within the organization, or a combination of the two.

Authorization Reminders
Authorizers in an approvals process may not respond to invitations to review a change request in a timely manner. When this happens, automatic reminders may be sent to them, asking them again to review change requests.

Authorizer
Changes to user profiles or entitlements may be subject to approval before they are acted on. In cases where approval is required, one or more authorizers are assigned that responsibility.

Automated Provisioning
Automated provisioning systems typically operate on a data feed from a system of record, such as a human resources (HR) system, and automatically create login IDs and related logical access rights for newly hired employees or contractors.

It should be noted that automated provisioning normally operates without a user interface, i.e., data flows in from one system and out to one or more other systems, without any further user input in between.

Auto-provisioning reduces IT support costs and can shorten the time required to provision new users with requisite access rights.

Automated Termination
Automated termination systems typically operate on a data feed from a system of record, such as a human resources (HR) system, and automatically disable access rights for existing users when they have left an organization.

It should be noted that automated termination normally operates without a user interface, i.e., data flows in from one system and out to one or more other systems, without any further user input in between.

Auto-termination reduces IT support costs and can make access deactivation both faster and more reliable than manual processes.

Automatic Escalation
In the event that an authorizer has been invited to review a change request, has not responded, has been sent reminders, has nonetheless not responded, and has not delegated his authority, an identity management system may automatically select an alternate authorizer, rather than allow the approvals process to stall. Automatically rerouting requests to alternate authorizers is called escalation.

Baseline
An effective method for identifying security attacks on a network, baselining starts by measuring normal activity on a network or network device. That measurement is used as a threshold, or baseline, to detect unusual patterns or changes in levels of activity. With this method, the security expert can focus efforts on evaluating anomalies instead of looking for them by reviewing huge log files.

Some commonly baselined security events are:
- initiation and termination of network sessions,
- bandwidth use,
- user logins and logouts,
- failed logins, and
- rates and types of network traffic.

The term is also used to refer to other security practices. A baseline, or security baseline, often refers to an organizational standard for securely configuring network devices.

It can also refer to the results of an organization's first security assessment. This becomes the baseline against which the organization measures improvements and changes.
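As an added example, not part of the glossary, the Python below baselines failed logins per hour from constructed authentication log lines and flags hours that exceed the threshold, reporting the top source addresses so the analyst starts from the anomaly rather than from the whole log. The log format, the mean-plus-three-standard-deviations rule and the floor of five are assumptions.

```python
from __future__ import annotations

import re
import statistics
from collections import Counter

# Constructed log format:
# "<ISO timestamp> <host> auth: <FAILED|ACCEPTED> login for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>FAILED|ACCEPTED) login for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if m is None:
        return None                 # unparseable lines are skipped, not counted
    rec = m.groupdict()
    rec["hour"] = rec["ts"][:13]    # bucket key: "YYYY-MM-DDTHH"
    return rec


def failed_logins_per_hour(lines: list[str]) -> dict[str, int]:
    """Hourly failed-login counts; hours that saw only successes count as 0."""
    hours: set[str] = set()
    failed: Counter[str] = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hours.add(rec["hour"])
        if rec["result"] == "FAILED":
            failed[rec["hour"]] += 1
    return {h: failed[h] for h in sorted(hours)}


def build_baseline(normal_lines: list[str], sigma: float = 3.0, floor: int = 5) -> dict[str, float]:
    """Measure normal activity and derive the threshold: mean + sigma standard
    deviations, but never below `floor` so quiet periods do not trip on noise."""
    values = list(failed_logins_per_hour(normal_lines).values())
    mean = statistics.fmean(values)
    stdev = statistics.pstdev(values)
    return {"mean": mean, "stdev": stdev, "threshold": max(float(floor), mean + sigma * stdev)}


def find_anomalies(baseline: dict[str, float], lines: list[str]) -> dict[str, dict]:
    """Hours whose failed-login count exceeds the baseline threshold, with the
    top source addresses for that hour."""
    anomalies = {}
    for hour, n in failed_logins_per_hour(lines).items():
        if n <= baseline["threshold"]:
            continue
        sources = Counter(rec["ip"] for rec in map(parse_line, lines)
                          if rec and rec["hour"] == hour and rec["result"] == "FAILED")
        anomalies[hour] = {"failed": n, "top_sources": sources.most_common(3)}
    return anomalies


def make_lines(day: str, failed_by_hour: dict[int, int]) -> list[str]:
    """Construct synthetic log lines: per hour, three successes plus N failures."""
    lines = []
    for hour, n_failed in failed_by_hour.items():
        for i in range(3):
            lines.append(f"{day}T{hour:02d}:0{i}:00 srv1 auth: ACCEPTED login for alice from 10.0.0.{i + 2}")
        for i in range(n_failed):
            lines.append(f"{day}T{hour:02d}:{i % 60:02d}:30 srv1 auth: FAILED login for bob from 10.0.0.9")
    return lines


# A quiet reference day (the baseline) and a day with one burst of failures.
NORMAL_DAY = make_lines("2010-10-01", {8: 2, 9: 1, 10: 3, 11: 2, 12: 1, 13: 2})
TODAY = make_lines("2010-10-04", {9: 2, 10: 40, 11: 1})

if __name__ == "__main__":
    baseline = build_baseline(NORMAL_DAY)
    print("threshold:", baseline["threshold"])
    print(find_anomalies(baseline, TODAY))
```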

Biometrics
In a security context, biometrics and biometric authentication refer to using a person's physical characteristic in order to authenticate them for access to a resource.

Some of the characteristics commonly used include those of the eye, face, voice, fingerprints or the shape of a hand. Since these characteristics are unique and change very little over time, they offer strong proof of the person's identity. Since these authentication systems are much more expensive to acquire and maintain, they are often used for access to very sensitive or classified information.

Card Management Systems (CMS)
Card Management Systems (CMS) provide support for the use of cryptographic cards, often called smart cards, in an organization. While the specific functions may vary depending on the vendor, in general, CMS provide the software and hardware mechanisms to create cards and bind them to the identity of the person who will use the card to authenticate to various systems.

Most products include the ability to manage USB or hardware tokens as well as PKI certificates. Tools that make it possible to share identity and credentials with a centralized directory that provides authorization for the authenticated user are also an important feature that's frequently a part of the system.

It's important that the cryptographic modules and interfaces are standards based to ensure interoperability with access controls to many kinds of resources. FIPS compliance adds an additional level of assurance.

Certificate Authority (CA)
A certification authority, or CA, holds a trusted position because the certificate that it issues binds the identity of a person or business to the public and private keys (asymmetric cryptography) that are used to secure most internet transactions.

Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a signed data structure that contains information about revoked certificates.

Coarse-Grained User Provisioning
Coarse-grained user provisioning is a process where new accounts are created for new users, with basic entitlements rather than all of the required entitlements.

This may be easier to automate and faster to deploy, but requires further, manual intervention before a new user can be fully productive.

Consensus Authorization
Approval by consensus is a form of parallel authorization where not all authorizers must respond before a change request is implemented. For example, any two of three authorizers may be sufficient to approve a request.

Consensus authorization is implemented in order to expedite the approvals process and make sure that it is completed even in cases where some authorizers are unavailable to respond.

Credentials, Credential Store
Credentials are sets of information that the owner presents in order to prove identity to a computer-based application. Although this is a general term and can be used for many kinds of credentials, the problem of storing credentials is most commonly discussed in the context of asymmetric cryptography, where credentials consist of certified public keys. Common credential stores include databases, directories and smart cards.

Most enterprise SSO systems work by storing the various login IDs and passwords for a user in a database of some form and retrieving this information when the time comes to auto-populate a login prompt. This database should be protected, as it contains sensitive information. It may be physically local to the user's workstation, or stored in a directory, or in an enterprise relational database (ERDB). The credential database should definitely be encrypted.

Credential Provider (CP)
An organization that manages and operates an identity management system and offers information about members of its community to other participants.

Change Request
A change request consists of one or more proposed changes to user profiles, such as creating new profiles, adding new accounts to existing profiles, changing identity attributes, etc. Requests may be subject to authorization before being implemented.

Data Owner
A data owner is a business role associated with responsibility for a given set of data. Normally this comes with responsibility to decide what users in the organization may access the data in question and for the quality of the data.

Data Synchronization
The ability for data in different databases to be kept up-to-date so that each repository contains the same information.

Deactivation
Deactivation is the process of disabling a user's accounts, so that the user can no longer authenticate to those systems or access their resources or functions. Deactivation does not necessarily imply that the accounts are deleted, simply that they are made inoperative.


Delegated Authorizer
A given authorizer may not always be available. For example, authorizers may take holidays, be ill, be too busy to respond, etc. In these cases, an authorizer may wish to delegate his authority to another user temporarily or permanently. The new authorizer is a delegated one.

Delegated User Administration
As the number of accounts in a system grows, central user administration becomes impractical. Delegated user administration is a feature found in some systems to enable designated users to create new users and manage existing users in just a segment of the user directory.

Dial Back
Dial back validates a user's physical location using the telephone system. In its original form, when users connected their PCs to the network with telephone modems, a user would connect to a corporate network, identify himself, hang up and wait for a corporate server to call him back at home.

With more modern technology, a user may sign into a corporate network, identify himself and wait for a single-use random PIN to be phoned or text messaged to his home or cellular telephone. This PIN is subsequently used to authenticate to a network service.

Digital Certificate
In general use, a certificate is a document issued by some authority to attest to a truth or to offer certain evidence. A digital certificate is commonly used to offer evidence in electronic form about the holder of the certificate. In PKI it comes from a trusted third party, called a certification authority (CA), and it bears the digital signature of that authority.

Digital Identity
The representation of a human identity that is used in a distributed network interaction with other machines or people. The purpose of the digital identity is to establish the level of comfort and confidence associated with face-to-face human interactions in a digital environment.

Digital Signature
An electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.

Directory
A specialized database that provides a simplified view for easier access to specific data. A directory is similar to a dictionary. It enables the look-up of a name and information associated with that name.

Directory Hierarchy
A directory can be organized into a hierarchy, in order to make it easier to browse or manage. Directory hierarchies normally represent something in the physical world, such as organizational hierarchies or physical locations. For example, the top level of a directory may represent a company, the next level down divisions, the next level down departments, etc. Alternately, the top level may represent the world, the next level down countries, next states or provinces, next cities, etc.

Directory Migration
Mergers, divestitures, and software changes periodically necessitate that large numbers of user accounts are moved from one system to another in a short period of time. User provisioning systems may provide tools to assist in such migrations: to list and characterize users on one system, and to automatically create batches of users on another system.

Directory Synchronization
A directory synchronization process compares users, user groups, and user attributes as they are defined on two or more systems. It applies business logic to detected differences, and automatically updates the users, user groups, and/or user attributes on at least one system to match those found on others.
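As an added example (not the glossary's own code, nor any product's), this Python applies directory-synchronization business logic between a constructed HR feed, treated as the system of record, and a constructed target system: creates for new hires (the automated provisioning described earlier), disables for departures and orphan accounts (automated termination), and attribute updates where the two differ. The record layouts, the employee-number key, the service-account exemption and the login-ID convention are assumptions.

```python
from __future__ import annotations

import copy

# Constructed HR feed: the system of record. The employee number is the
# global ID used to match records across systems (assumption).
HR_FEED = [
    {"emp_id": "10001", "first": "John", "last": "Smith", "dept": "Finance", "status": "active"},
    {"emp_id": "10002", "first": "Maria", "last": "Jones", "dept": "Sales", "status": "active"},
    {"emp_id": "10003", "first": "Wei", "last": "Chen", "dept": "IT", "status": "terminated"},
    {"emp_id": "10004", "first": "Ana", "last": "Lopez", "dept": "Legal", "status": "active"},
]

# Constructed snapshot of a target system's accounts, keyed by employee number.
TARGET = {
    "10001": {"login": "jsmith", "dept": "Finance", "enabled": True},
    "10002": {"login": "mjones", "dept": "Marketing", "enabled": True},   # moved to Sales
    "10003": {"login": "wchen", "dept": "IT", "enabled": True},           # has left
    "19999": {"login": "oldtemp", "dept": "Ops", "enabled": True},        # no HR record
    "svc01": {"login": "svc-backup", "dept": "IT", "enabled": True, "service_account": True},
}

SYNCED_ATTRIBUTES = ("dept",)


def login_id(record: dict) -> str:
    """Login-ID convention assumed for this example: first initial + last name."""
    return (record["first"][0] + record["last"]).lower()


def plan_sync(hr_feed: list[dict], target: dict[str, dict]) -> list[tuple]:
    """Compare the system of record with the target and return the actions
    needed to bring the target in line. Pure function: nothing is changed."""
    actions: list[tuple] = []
    hr_by_id = {r["emp_id"]: r for r in hr_feed}

    for emp_id, rec in hr_by_id.items():
        acct = target.get(emp_id)
        if rec["status"] == "active":
            if acct is None:
                actions.append(("create", emp_id, {"login": login_id(rec), "dept": rec["dept"]}))
                continue
            if not acct["enabled"]:
                actions.append(("enable", emp_id))
            diffs = {k: rec[k] for k in SYNCED_ATTRIBUTES if acct.get(k) != rec[k]}
            if diffs:
                actions.append(("update", emp_id, diffs))
        elif acct is not None and acct["enabled"]:
            # Termination in HR drives access deactivation on the target.
            actions.append(("disable", emp_id))

    # Orphans: enabled accounts with no HR record at all. Service accounts
    # are exempt here because they have no HR owner (assumed convention).
    for emp_id, acct in target.items():
        if emp_id not in hr_by_id and acct["enabled"] and not acct.get("service_account"):
            actions.append(("disable", emp_id))
    return actions


def apply_sync(target: dict[str, dict], actions: list[tuple]) -> dict[str, dict]:
    """Return a copy of the target with the planned actions applied."""
    result = copy.deepcopy(target)
    for action in actions:
        kind, emp_id = action[0], action[1]
        if kind == "create":
            result[emp_id] = {**action[2], "enabled": True}
        elif kind == "update":
            result[emp_id].update(action[2])
        elif kind == "enable":
            result[emp_id]["enabled"] = True
        elif kind == "disable":
            # Deactivation, not deletion: the account is kept but made inoperative.
            result[emp_id]["enabled"] = False
    return result


if __name__ == "__main__":
    plan = plan_sync(HR_FEED, TARGET)
    for action in plan:
        print(action)
    print(apply_sync(TARGET, plan))
```

Running the plan a second time against the updated target yields no actions, which is the property a scheduled synchronization job relies on.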

Disabled Account
A disabled account is one where the administrator lockout flag has been set.

Dynamic SoD Policy
A dynamic segregation of duties policy is one that prevents one login account or user profile from performing two or more conflicting actions relating to the same business transaction. For example, while it may be appropriate for the same user to have both the vendor-management and payment-management entitlements, it is not acceptable for the same user to both create a vendor and authorize a payment to that vendor.
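The vendor/payment case from the entry above as an added Python example, not from the glossary: the check is made at run time against the history of the business transaction, so the same user may hold both entitlements and still be stopped from acting twice on one vendor. Action names and the transaction key are assumptions.

```python
from __future__ import annotations

from collections import defaultdict


class SoDViolation(Exception):
    """Raised when an action would violate the dynamic SoD policy."""


class DynamicSoDPolicy:
    """Runtime segregation-of-duties check.

    Unlike a static policy, this one does not look at which entitlements a
    user holds. It records who performed which action on which business
    transaction and blocks a user from performing a conflicting action on
    the same transaction.
    """

    def __init__(self, conflicts: list[tuple[str, str]]):
        self.conflicts: set[tuple[str, str]] = set()
        for a, b in conflicts:
            self.conflicts.add((a, b))
            self.conflicts.add((b, a))      # a conflict is symmetric
        # transaction id -> list of (user, action) already performed on it
        self.history: dict[str, list[tuple[str, str]]] = defaultdict(list)

    def conflict_reason(self, user: str, action: str, transaction_id: str) -> str | None:
        """Return why the action is blocked, or None if it is permitted."""
        for prev_user, prev_action in self.history[transaction_id]:
            if prev_user == user and (prev_action, action) in self.conflicts:
                return (f"{user} already performed '{prev_action}' on "
                        f"{transaction_id}; '{action}' conflicts with it")
        return None

    def perform(self, user: str, action: str, transaction_id: str) -> None:
        """Enforce the policy, then record the action for later checks."""
        reason = self.conflict_reason(user, action, transaction_id)
        if reason is not None:
            raise SoDViolation(reason)
        self.history[transaction_id].append((user, action))


def run_scenario() -> list[tuple[str, str, str, str]]:
    """Constructed scenario: alice holds both the vendor-management and the
    payment-management entitlements, so each action is allowed on its own;
    only the combination on one vendor is blocked."""
    policy = DynamicSoDPolicy([("create_vendor", "authorize_payment")])
    steps = [
        ("alice", "create_vendor", "vendor-100"),
        ("alice", "authorize_payment", "vendor-200"),  # different transaction: fine
        ("alice", "authorize_payment", "vendor-100"),  # the vendor she created: blocked
        ("bob", "authorize_payment", "vendor-100"),    # a second person: fine
        ("bob", "create_vendor", "vendor-100"),        # order does not matter: blocked
    ]
    outcome = []
    for user, action, txn in steps:
        try:
            policy.perform(user, action, txn)
            outcome.append((user, action, txn, "ok"))
        except SoDViolation:
            outcome.append((user, action, txn, "blocked"))
    return outcome


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```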

Email Based Authentication
Applications may defer identification and authentication of a user to an e-mail system, essentially eliminating any need to manage or support the authentication process directly. This is typically as follows:

1. The user identifies himself to an application by typing his e-mail address.
2. An e-mail containing a randomized URL is sent to that address.
3. If the user can click on the e-mail, he has demonstrated that he has access to the e-mail account, and is therefore authenticated.

This is a weak form of authentication, since it is impossible to say how secure the user's e-mail service is, but it is adequate for many applications.
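An added Python example (not code from the glossary) of the three steps above, written so that the weakness of the scheme is at least contained: the token in the randomized URL comes from the OS CSPRNG, only its hash is stored server-side, and a link works once and only within a short lifetime. The service name, URL and token lifetime are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of the e-mailed link


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class EmailLoginService:
    """Hypothetical service implementing steps 1 to 3 of the entry above."""

    def __init__(self, base_url: str = "https://app.example.test/login"):
        self.base_url = base_url
        self._pending: dict[str, PendingLogin] = {}   # token digest -> login

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is stored, so a copy of the store cannot
        # be turned back into a usable link.
        return hashlib.sha256(token.encode()).hexdigest()

    def start_login(self, email: str, now: float) -> str:
        """Step 2: build the randomized URL that would be e-mailed to `email`."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingLogin(email, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def complete_login(self, token: str, now: float) -> str | None:
        """Step 3: the link was followed. Return the authenticated e-mail
        address, or None if the token is unknown, expired or already used."""
        digest = self._digest(token)
        entry = None
        for stored_digest, candidate in self._pending.items():
            if hmac.compare_digest(stored_digest, digest):   # constant-time compare
                entry = candidate
        if entry is None or entry.used or now > entry.expires_at:
            return None
        entry.used = True   # single use: the same link cannot log in twice
        return entry.email


def token_from_url(url: str) -> str:
    """Extract the token parameter from a login URL."""
    return parse_qs(urlparse(url).query)["token"][0]


def demo() -> dict[str, str | None]:
    """Exercise the happy path, a replay, an expired link and a bogus token."""
    svc = EmailLoginService()
    url = svc.start_login("user@example.test", now=1000.0)
    token = token_from_url(url)
    fresh = svc.complete_login(token, now=1060.0)     # followed within 15 minutes
    replay = svc.complete_login(token, now=1061.0)    # the same link a second time
    late_url = svc.start_login("late@example.test", now=2000.0)
    expired = svc.complete_login(token_from_url(late_url), now=2000.0 + TOKEN_TTL_SECONDS + 1)
    bogus = svc.complete_login("not-a-real-token", now=1000.0)
    return {"fresh": fresh, "replay": replay, "expired": expired, "bogus": bogus}


if __name__ == "__main__":
    print(demo())
```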

Embedded Application Password
An embedded application password is a password stored in one application and used to connect to another. A common example is a database (ID and) password stored on a web application and used to connect to the database, to fetch and update database records.

Endpoint Authentication
A security system that verifies the identity of a remotely connected device (and its user) such as a PDA or laptop before allowing access to enterprise network resources or data.

Enterprise Role
An enterprise role is a collection of entitlements spanning multiple systems or applications. Like simple roles, enterprise roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.

Enterprise Single Sign On
A technology which reduces the number of times that a user must sign into systems and applications by automatically populating login ID and password fields when applications ask for user authentication. This is done by monitoring what is displayed on a user's desktop and, when appropriate, typing keystrokes on behalf of the user. In short, screen scraping the user's desktop.

Applications are unmodified and continue to perform user authentication. Reduced sign-on is achieved by auto-populating rather than removing login prompts.

Entitlement Management
Entitlement management refers to a set of technologies and processes used to coherently manage security rights across an organization. The objectives are to reduce the cost of administration, to improve service and to ensure that users get exactly the security rights they need.

These objectives are attained by creating a set of robust, consistent processes to grant and revoke entitlements across multiple systems and applications:

1. Create and regularly update a consolidated database of entitlements.
2. Define roles, so that entitlements can be assigned to users in sets that are easier for business users to understand.
3. Enable self-service requests and approvals, so that decisions about entitlements can be made by business users with contextual knowledge, rather than by IT staff.
4. Synchronize entitlements between systems, where appropriate.
5. Periodically invite business stake-holders to review entitlements and roles assigned to users and identify no-longer-appropriate ones for further examination and removal.

Escalated Authorizer
A given authorizer may not always be available. In cases where an authorizer fails to respond to a request to approve or reject a requested change, and where the authorizer has not named a delegated authorizer, an automatic escalation process may select a replacement authorizer after a period of time. This replacement is the escalated authorizer.
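An added Python example (not from the glossary) that puts the escalated authorizer together with the delegated authorizer, authorization reminders, automatic escalation and consensus authorization defined earlier: a change request routed to three authorizers, any two of whom suffice, where one has delegated and another stays silent until an alternate is selected. The timing rules, the alternate-authorizer table and the rule that one rejection ends the request are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed timing rules, in hours since an authorizer was invited or last contacted.
REMIND_AFTER = 24     # silence before an authorization reminder goes out
ESCALATE_AFTER = 72   # silence before an alternate authorizer is selected


@dataclass
class ChangeRequest:
    """A change request routed to several authorizers in parallel."""
    request_id: str
    authorizers: list[str]
    required: int                     # consensus: approvals needed, e.g. 2 of 3
    created_at: int
    delegates: dict[str, str] = field(default_factory=dict)    # authorizer -> delegated authorizer
    alternates: dict[str, str] = field(default_factory=dict)   # authorizer -> escalation target
    decisions: dict[str, str] = field(default_factory=dict)    # authorizer -> "approve" / "reject"
    invited_at: dict[str, int] = field(default_factory=dict)
    last_contact: dict[str, int] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for a in self.authorizers:
            self.invited_at[a] = self.last_contact[a] = self.created_at

    def acting_for(self, authorizer: str) -> str:
        """The person who may answer for this slot (the delegate, if one is named)."""
        return self.delegates.get(authorizer, authorizer)

    def status(self) -> str:
        if "reject" in self.decisions.values():
            return "rejected"                 # assumed: one rejection ends the request
        approvals = sum(1 for d in self.decisions.values() if d == "approve")
        return "approved" if approvals >= self.required else "pending"

    def decide(self, actor: str, decision: str, now: int) -> str:
        """Record a decision by an authorizer, or by someone acting for one."""
        for authorizer in self.authorizers:
            if authorizer in self.decisions or self.acting_for(authorizer) != actor:
                continue
            self.decisions[authorizer] = decision
            self.log.append(f"{now}h {actor} {decision}s (slot of {authorizer})")
            return self.status()
        raise PermissionError(f"{actor} cannot decide on {self.request_id}")

    def tick(self, now: int) -> str:
        """Periodic housekeeping: reminders for silent authorizers, escalation
        for those who stay silent and have not delegated their authority."""
        if self.status() != "pending":
            return self.status()
        for i, authorizer in enumerate(self.authorizers):
            if authorizer in self.decisions:
                continue
            silent_total = now - self.invited_at[authorizer]
            if (silent_total >= ESCALATE_AFTER and authorizer not in self.delegates
                    and authorizer in self.alternates):
                alternate = self.alternates[authorizer]
                self.authorizers[i] = alternate           # the escalated authorizer
                self.invited_at[alternate] = self.last_contact[alternate] = now
                self.log.append(f"{now}h escalated {authorizer} -> {alternate}")
            elif now - self.last_contact[authorizer] >= REMIND_AFTER:
                self.last_contact[authorizer] = now
                self.log.append(f"{now}h reminder to {self.acting_for(authorizer)}")
        return self.status()


def run_scenario() -> tuple[str, list[str]]:
    """Constructed scenario: three authorizers, any two suffice; bob has
    delegated to dave, carol has erin as her escalation alternate."""
    cr = ChangeRequest("CR-1", ["alice", "bob", "carol"], required=2, created_at=0,
                       delegates={"bob": "dave"}, alternates={"carol": "erin"})
    cr.decide("alice", "approve", now=1)
    cr.tick(now=30)      # bob (via dave) and carol are reminded
    cr.tick(now=80)      # dave reminded again; carol escalated to erin
    final = cr.decide("erin", "approve", now=81)
    return final, cr.log


if __name__ == "__main__":
    status, log = run_scenario()
    print(status)
    print("\n".join(log))
```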

Events Per Second (EPS)
Events Per Second (EPS) is a metric used in evaluating log management and related tools. It represents the total number of network and security events, accumulated from various network devices, that must be managed per second.

Expired Password
An account is said to have an expired password if the user will be forced to change passwords after the next successful login.

Explicit Role Assignment
A role may be explicitly assigned to a user, i.e., some database will include a record of the form "user X should have role Y".

Federated Identity
The management of identity information between different organizations that have separate identity and access management systems in place.

Federation
An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

Fine-Grained User Provisioning
Fine-grained user provisioning is a process where new accounts are created for new users, with all of the entitlements that a new user will require: identity attributes, group memberships and other objects, such as home directories and mail folders, already created.

This may be more complex to automate and longer to deploy, but eliminates further, manual intervention before a new user can be fully productive.

GINA
GINA is a generic acronym for Graphical Identification and Authentication, the subsystem that handles the logon presentation to the user. The Microsoft GINA is represented by the logon screen that pops up on the PC when the user presses Ctrl+Alt+Delete. Windows 2000 and XP rely on a GINA DLL for Graphical Identification and Authentication. The Microsoft GINA DLL is called MSGINA.DLL.

Global ID
A global ID is a unique identifier that spans two or more systems. A truly global ID, one that is guaranteed to be unique among every system in the world, is a user's fully qualified SMTP e-mail address. Another truly global ID might be a user's country code followed by that country's local equivalent of a social security number, social insurance number or resident number. Global IDs may be global only over a few systems, rather than every system on Earth.

Global Password Policy
A global password policy is a policy designed to combine the policies of multiple target systems. It is the product of combining the strongest of each type of complexity rule and the most limited representation capabilities of the systems where passwords will be synchronized.
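An added Python example (not the glossary's code) of combining target-system policies into a global one: the strongest value of each complexity rule, the shortest maximum length and the intersection of the accepted special characters, plus a check that the result can be satisfied at all. The three constructed systems and the field set are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PasswordPolicy:
    """Complexity rules plus the representation limits of one target system."""
    system: str
    min_length: int
    max_length: int
    min_upper: int = 0
    min_digits: int = 0
    min_special: int = 0
    allowed_special: frozenset[str] = frozenset("!@#$%^&*()-_=+[]{};:,.?")


def combine(policies: list[PasswordPolicy]) -> PasswordPolicy:
    """Strongest of each complexity rule, most limited representation capability."""
    combined = PasswordPolicy(
        system="global(" + "+".join(p.system for p in policies) + ")",
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_upper=max(p.min_upper for p in policies),
        min_digits=max(p.min_digits for p in policies),
        min_special=max(p.min_special for p in policies),
        allowed_special=frozenset.intersection(*(p.allowed_special for p in policies)),
    )
    # A global policy that no password can satisfy must be caught before it
    # is rolled out; that is a policy conflict, not a user error.
    if combined.min_length > combined.max_length:
        raise ValueError(f"no password can satisfy every system: shortest allowed "
                         f"{combined.min_length} exceeds longest allowed {combined.max_length}")
    if combined.min_special > 0 and not combined.allowed_special:
        raise ValueError("a special character is required but none is accepted everywhere")
    return combined


def conflict_message(policies: list[PasswordPolicy]) -> str | None:
    """None if the policies can be combined, else the reason they cannot."""
    try:
        combine(policies)
        return None
    except ValueError as exc:
        return str(exc)


def violations(policy: PasswordPolicy, password: str) -> list[str]:
    """All the reasons a candidate password fails the policy (empty list = OK)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} upper-case letters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    specials = [c for c in password if not c.isalnum()]
    if len(specials) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    rejected = sorted(set(specials) - policy.allowed_special)
    if rejected:
        problems.append("special characters not accepted everywhere: " + "".join(rejected))
    return problems


# Constructed target systems for a password-synchronization scenario.
MAINFRAME = PasswordPolicy("mainframe", min_length=6, max_length=8,
                           min_digits=1, allowed_special=frozenset("@#$"))
DIRECTORY = PasswordPolicy("directory", min_length=8, max_length=127,
                           min_upper=1, min_digits=1, min_special=1)
WEB_APP = PasswordPolicy("web-app", min_length=10, max_length=64,
                         min_special=1, allowed_special=frozenset("!@#$%^&*"))

# The 8-character mainframe limit collides with the web app's 10-character
# minimum, so the first combination fails; after the mainframe is configured
# to accept 14 characters the global policy can be built.
MAINFRAME_V2 = replace(MAINFRAME, max_length=14)
GLOBAL = combine([MAINFRAME_V2, DIRECTORY, WEB_APP])

if __name__ == "__main__":
    print(conflict_message([MAINFRAME, DIRECTORY, WEB_APP]))
    print(GLOBAL)
    for candidate in ("Tr0ub4dor@x", "Tr0ub4dor!x", "short1@A"):
        print(candidate, violations(GLOBAL, candidate))
```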

Group Membership
A group membership is the assignment of a given user to a given security group.

Group Owner
Access to data, to applications and to features within applications is often controlled using security groups. Groups normally have owners: people in an organization responsible for managing membership in the group.

Hardware Authenticator
One of the ways that a person can authenticate to a computer system or application is by using a small, portable hardware device called a hardware authenticator, sometimes called a security token.

Hijacking
Hijacking is used to describe several kinds of attacks where the attacker takes control of the session between a browser and a web server.

    Identification The process by which information about a person is gathered and

    used to provide some level of assurance that the person is who they

    claim to be. Generally, this identity verification takes place within the

    office (e.g. Human Resources or Student Services) or self-service

    application that first encounters the individual and creates their

    record within the institutional system(s) of record.

    Identity Identity is the set of information associated with a specific physical

    person or other entity. Typically a Credential Provider will be

    authoritative for only a subset of a persons identity information.

    What identity attributes might be relevant in any situation depend on

    the context in which it is being questioned.

    Identity Attributes Each piece of identifying information about a user can be thought of

    as an attribute of that user. Users have identity attributes, each of

    which may be stored on one or more target systems.

    Identity Change User identity information may change from time to time. For example,
    people change their names after marriage or divorce, their phone
    number and address change periodically, etc. Where systems and
    applications track this data, it must be changed whenever the real-world
    information changes. Such changes are called identity changes.

    Identity

    Reconciliation / ID

    reconciliation

    ID reconciliation is a process by which an organization maps local
    IDs in different name spaces to one another, and to the global
    profile IDs of the users that own them. For example, ID
    reconciliation may be required to map IDs such as smithj on a
    mainframe system to IDs such as john.w.smith on an Active
    Directory domain.
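    The mapping described above, as an added example that is not from the glossary or from Magnaquest: a small Python reconciler that ties accounts exported from several namespaces back to HR profile IDs, matching on employee number first and on normalised e-mail address second, and reporting accounts it cannot attribute (orphans, and a second account in a namespace where the owner already has one) rather than guessing. All records below are constructed.

```python
"""ID reconciliation: map local IDs from several namespaces to profile IDs.

Added example, not from the glossary. All records below are constructed.
HR is the authoritative source of profile IDs; target systems export their
local accounts with whatever attributes they happen to carry.
"""


def _norm_email(value):
    """Mail addresses are case-insensitive in practice; normalise before comparing."""
    return value.strip().lower() if value else None


# Constructed HR feed (authoritative for profile IDs).
HR_PROFILES = [
    {"profile_id": "P0001", "employee_no": "10234",
     "email": "john.w.smith@example.com"},
    {"profile_id": "P0002", "employee_no": "10235",
     "email": "jane.doe@example.com"},
]

# Constructed exports from two target systems (namespaces).
LOCAL_ACCOUNTS = [
    {"ns": "mainframe", "id": "SMITHJ", "employee_no": "10234"},
    {"ns": "ad", "id": "john.w.smith", "mail": "John.W.Smith@EXAMPLE.COM"},
    {"ns": "ad", "id": "jdoe", "mail": "jane.doe@example.com"},
    {"ns": "ad", "id": "jsmith2", "mail": "john.w.smith@example.com"},  # second AD account, same person
    {"ns": "mainframe", "id": "ADMIN01"},            # no attributes to match on
    {"ns": "ad", "id": "svc-backup", "mail": None},  # service account, no owner
]


def reconcile(profiles, accounts):
    """Return (mapping, unresolved).

    mapping:    profile_id -> {namespace: local_id}
    unresolved: list of (namespace, local_id, reason) needing a human decision:
                orphans (no owner found) and duplicates (a second account in a
                namespace where the owner already has one). Guessing here is
                how the wrong person ends up owning an account.
    """
    by_empno = {p["employee_no"]: p["profile_id"] for p in profiles}
    by_email = {_norm_email(p["email"]): p["profile_id"] for p in profiles}
    mapping, unresolved = {}, []
    for acct in accounts:
        pid = by_empno.get(acct.get("employee_no"))
        if pid is None:
            pid = by_email.get(_norm_email(acct.get("mail")))
        if pid is None:
            unresolved.append((acct["ns"], acct["id"], "orphan"))
            continue
        owned = mapping.setdefault(pid, {})
        if acct["ns"] in owned:
            unresolved.append((acct["ns"], acct["id"], "duplicate"))
            continue
        owned[acct["ns"]] = acct["id"]
    return mapping, unresolved
```

    The unresolved list is the useful output: orphan accounts on a target system are exactly the ones no access certification will ever review, because no manager owns them.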

    Identity and Access

    Management (IAM)

    Sometimes abbreviated to IAM, identity and access management

    refers to all of the policies, processes, procedures and applications

    that help an organization manage access to information.

    Specific concepts, standards and applications that help with identity

    and access management include authentication, user life-cycle

    maintenance, federated identity, single sign-on, provisioning and


    Role Based Access Control (RBAC).

    Identity

    Synchronization

    Identity synchronization systems map identity attributes between

    different systems and automatically propagate changes from one

    system to another.

    It should be noted that identity synchronization normally operates
    without a user interface: data flows in from one system and out
    to one or more other systems, without any further user input in
    between.

    For example, an e-mail system may be authoritative for each user's
    SMTP e-mail address, an HR system for the same user's employee
    number and department code, a white pages application for each
    user's phone number and so on. An identity synchronization system
    makes sure that all of these systems have correct and up-to-date
    information in each of these fields.

    Identity Theft Identity theft is the theft of the credentials that we use to do

    business. When access controls are inadequate, the credentials that

    people use to authenticate to their credit card companies, banks or

    shopping sites may be disclosed to the wrong people. In addition,

    thieves have developed many ways to use e-mail and the Internet to

    collect this information.

    Once perpetrators have the information they can use it as if they

    were the victim, running up credit card debt, or taking money out of

    bank accounts or investment savings.

    Identity Vetting The process used to establish the identity of the individual to whom

    the credential was issued. This is typically done during credentialing.

    Implicit Role

    Assignment

    A role may be implicitly assigned to a user, i.e., some database will
    include a rule of the form "users matching requirements X should be
    automatically assigned role Y".

    Intruder Lockout An intruder lockout is a flag set on a login account when too many

    consecutive, failed login attempts have been made in too short a

    time period. Intruder lockouts are intended to prevent attackers from

    carrying out brute force password guessing attacks.

    On some systems, intruder lockouts are cleared automatically, after

    a period of time has elapsed. On others, administrative intervention

    is required to clear a lockout.


    Note that on some systems and applications, intruder lockouts and

    administrator lockouts are entangled (they use the same flag). This

    is a poor but common design.
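    An added example, not from the glossary, of the lockout logic described above in Python: a sliding window counts recent failures, the intruder lockout clears itself when its timer runs out, and the administrative lock is a separate flag so that clearing one can never clear the other. The thresholds (5 failures in 10 minutes, 30-minute lockout) and the Account shape are assumptions.

```python
"""Intruder lockout with a sliding failure window and automatic clearing.

Added example, not from the glossary. Thresholds are assumptions. The
administrative lock is kept as its own flag, not entangled with the
intruder lockout, so an expired intruder lockout never clears an admin lock.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_FAILURES = 5          # consecutive failures allowed ...
WINDOW_SECONDS = 600      # ... within this many seconds
LOCKOUT_SECONDS = 1800    # how long an intruder lockout lasts


@dataclass
class Account:
    name: str
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    intruder_locked_until: float = 0.0              # 0 means not locked
    admin_locked: bool = False                      # independent of intruder lockout


def is_locked(acct, now):
    """True if the account is unusable right now, for either reason."""
    if acct.admin_locked:
        return True
    if acct.intruder_locked_until:
        if now < acct.intruder_locked_until:
            return True
        acct.intruder_locked_until = 0.0   # timer expired: clear automatically
        acct.failures.clear()
    return False


def record_failure(acct, now):
    """Register a failed login; True if this failure triggered a lockout."""
    acct.failures.append(now)
    # Drop failures older than the window so old mistakes no longer count.
    while acct.failures and now - acct.failures[0] > WINDOW_SECONDS:
        acct.failures.popleft()
    if len(acct.failures) >= MAX_FAILURES:
        acct.intruder_locked_until = now + LOCKOUT_SECONDS
        return True
    return False


def record_success(acct):
    """A successful login resets the failure counter (never the admin lock)."""
    acct.failures.clear()


def attempt_login(acct, password_ok, now):
    """Full check. A locked account fails even with the right password, so an
    attacker cannot confirm a guess, or clear the lockout, while it is active."""
    if is_locked(acct, now):
        return "locked"
    if password_ok:
        record_success(acct)
        return "ok"
    return "locked" if record_failure(acct, now) else "bad_password"
```

    Returning the same "locked" result for right and wrong passwords while locked is deliberate; otherwise the lockout itself becomes an oracle for the attacker.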

    ID Namespace A name space for unique identifiers is a system or domain within

    which no two users may have the same ID. Every system has its

    own namespace. Another example is mail domains (i.e., the part of

    an SMTP e-mail address following the @ sign), where the part of

    each user ID preceding the @ sign must be unique within its

    domain.

    Key Logging Key logging software runs in the background, in a stealth mode that
    isn't easy to detect on a PC. It collects every keystroke, including
    passwords as they are typed, and hides that information in a file.

    Key Management A collection of procedures involved with the generation, exchange,

    storage, safeguarding, use, vetting, and replacement of encryption

    keys. Key management is essential to the secure ongoing operation

    of any cryptosystem.

    Layered

    Authentication

    Layered authentication describes an identity and access

    management architecture that requires varying levels of

    authentication proofs based on the risk of the transaction.

    Local Administrator

    Password

    A local administrator password is the password to an account used
    by system administrators to install, configure and manage a system
    or application. Examples are Administrator on Windows, root on
    Unix/Linux and sa on Microsoft SQL Server.

    Local Agent A local agent is an agent installed on the target system itself.
    Installation of local agents requires change control on the target
    system itself, something which may be difficult and/or undesirable
    on a production system or application.

    Local agents are well positioned to detect changes to user objects
    on a target system in real time, forwarding these changes to an
    identity management system which may act on them.

    Communication between an identity management system and a
    local agent can be protected (for example, with an encrypted,
    mutually authenticated channel) even if the native
    communication protocols of the target system are insecure.

    Local ID A local ID is a user's unique identifier within the context of a single
    system. It may be the same as that user's profile ID, or it may be an
    alias.

    LDAP The Lightweight Directory Access Protocol (LDAP) is an open protocol
    that provides access to directories. Applications
    that use LDAP (known as directory-enabled applications) can use
    the directory as a common data store for retrieving information
    about people or services, such as email addresses, public keys or
    service-specific configuration parameters.

    Level of Assurance

    (LoA)

    Refers to the degree of certainty that (1) a person's identity has
    been adequately verified before credentials are issued, and (2) a
    user indeed owns the credentials they subsequently present
    to access the resource.

    Login Accounts Systems and applications where users have the ability to login and
    access features and data generally assign a login account to each
    user. Login accounts usually include a unique identifier for the user,
    some means of authentication, security entitlements and other
    personally identifying information such as the user's name, location,
    etc.

    Login ID A login ID is a generic term for a unique electronic identifier used to
    control access to applications or services. A login ID is not itself
    normally a secret; it is combined with other personal secret
    information (PIN, password, etc.) shared between the system and the
    user to authenticate the user.

    Management Chain In a business setting, users normally have managers, who in turn
    have their own managers. The sequence of managers, starting with
    a given user and ending with the highest individual in an
    organization, is that user's management chain. Management chains
    are relevant to identity management as they are often used to
    authorize security changes.

    Meta Directory Some organizations deploy a meta directory to synchronize users
    and user attributes between multiple user directories. A meta
    directory program is software that compares users and user
    attributes as defined on multiple systems, and automatically
    propagates changes made on an authoritative system to other
    systems. For example, if a user's HR record is updated with a new
    home telephone number, a meta directory might update the
    corporate e-mail system and LDAP directory with the same new
    information. Meta directory software normally implements a directory


    synchronization process.

    Multifactor

    Authentication

    Multi-factor authentication means authentication using factors of
    more than one kind: something the user knows (a password or PIN),
    something the user has (a hardware token or smart card) and
    something the user is (a biometric). For example, a user might sign
    into a system with a combination of something he knows and something
    he has, or perhaps something he knows, something he has and
    something he is. Two things of the same kind (say, a password and a
    PIN) are two steps of one factor, not multi-factor authentication.

    The premise is that adding authentication factors makes it more
    difficult for a would-be attacker to simulate a legitimate
    authentication and consequently impersonate a legitimate user, since
    each factor must be compromised separately.

    Multi-Key Password

    Release

    Password disclosure may require authorization. For example,

    system administrator A may need a password, but might not be

    allowed to see the password until other people -- say B and C,

    approve the disclosure. Multi-key password disclosure refers to any

    process where the actions of more than one person are required to

    disclose a password.

    Nested Groups Nested groups are groups that contain, among their members, other

    groups. This is a powerful construct but it can be complicated for

    applications to support and may cause performance problems if not

    implemented well. Active Directory is one system that effectively

    supports nested groups.
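    An added example, not from the glossary: resolving effective membership of nested groups in Python so that a cycle (a group that indirectly contains itself) terminates and a subgroup reached by two paths is expanded once. GROUPS is a constructed directory snapshot; the "g:" prefix marking group names is an assumption, as is the reverse lookup effective_groups().

```python
"""Effective membership of nested groups, cycle-safe and without re-expansion.

Added example, not from the glossary. GROUPS is a constructed snapshot:
each group lists its direct members, which may be users or other groups.
Names prefixed "g:" are groups (an assumption); anything else is a user.
"""
from collections import deque

GROUPS = {
    "g:all-staff":   ["g:engineering", "g:finance", "hr.bot"],
    "g:engineering": ["g:platform", "g:appsec", "alice"],
    "g:platform":    ["bob", "g:oncall"],
    "g:appsec":      ["carol", "g:platform"],     # diamond: platform reachable twice
    "g:oncall":      ["dave", "g:engineering"],   # cycle back to engineering
    "g:finance":     ["erin"],
}


def is_group(name):
    return name.startswith("g:")


def effective_members(group, groups):
    """Users reachable from group, walking nested groups breadth-first.

    The visited set does two jobs: it stops an infinite loop on a cycle and
    it stops a subgroup reached by several paths from being expanded again,
    which is where naive recursive implementations blow up on large trees.
    """
    users, visited = set(), {group}
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, []):
            if is_group(member):
                if member not in visited:
                    visited.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def effective_groups(user, groups):
    """All groups whose effective membership includes user (direct or nested).

    This is the question an access review actually asks: which groups, and
    therefore which entitlements, does this person hold through nesting?
    """
    parents = {}  # child -> set of groups that list it as a direct member
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    result, queue = set(), deque([user])
    while queue:
        node = queue.popleft()
        for parent in parents.get(node, ()):
            if parent not in result:
                result.add(parent)
                queue.append(parent)
    return result


def has_access(user, group, groups):
    """True if user is an effective member of group."""
    return group in effective_groups(user, groups)
```

    Note that dave, listed only in g:oncall, turns out to be an effective member of every engineering group through the cycle; that is the kind of unintended grant nesting produces and the reason the reverse lookup is worth having.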

    Onboarding This is the process where users join an organization. It may refer to

    hiring new employees, bringing in contractors or signing up visitors

    to a web portal.

    One Time Password

    (OTP)

    A one-time password can only be used once. There are a great

    many varieties of one-time password systems including time-

    synchronous, event-synchronous and challenge-response

    technologies, along with multiple underlying cryptographic

    algorithms. RSA SecurID authentication is an example of a one-

    time password system.
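    An added example, not from the glossary or from any vendor product, of the two common OTP families in Python using only the standard library: HOTP (event-synchronous, RFC 4226) and TOTP (time-synchronous, RFC 6238), plus a verifier that tolerates one step of clock drift and refuses to accept a step it has already accepted. The shared secret is the RFC test key, so the results can be checked against the published test vectors; the TotpVerifier class and its parameters are assumptions.

```python
"""One-time passwords: HOTP (RFC 4226) and TOTP (RFC 6238), standard library only.

Added example, not from the glossary. RFC_SECRET is the RFC test key so the
outputs can be checked against the RFCs' published test vectors.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """Event-synchronous OTP: HMAC over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-synchronous OTP: HOTP with the counter set to Unix time // step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret, candidate, at=None, window=1, step=30, digits=6,
                algo=hashlib.sha1):
    """Return the time step the candidate matches, or None.

    Accepts the current step and +/- window steps to absorb clock drift,
    and compares in constant time so response timing leaks nothing.
    """
    at = time.time() if at is None else at
    current = int(at // step)
    for delta in range(-window, window + 1):
        expected = hotp(secret, current + delta, digits, algo)
        if hmac.compare_digest(expected, candidate):
            return current + delta
    return None


class TotpVerifier:
    """Server-side verifier that also enforces 'one-time': a code is accepted
    at most once, and never for a step earlier than the last accepted one.
    Without this, a code captured in transit could be replayed within its
    validity window, which the drift allowance makes up to 90 seconds wide."""

    def __init__(self, secret, **params):
        self.secret, self.params, self.last_step = secret, params, -1

    def check(self, candidate, at=None):
        step = verify_totp(self.secret, candidate, at, **self.params)
        if step is None or step <= self.last_step:
            return False
        self.last_step = step
        return True
```

    A hardware token does exactly the hotp() computation with the secret sealed inside it; the server side must store that secret as carefully as a password database, since whoever has it can mint codes at will.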

    Organizational

    Hierarchy

    An organizational hierarchy is an organization of user profiles that
    identifies zero or one manager for each user. This hierarchy may
    be useful in the context of access certification, change authorization
    or automated escalation.

    Password A password or its numerical form, sometimes called a passcode or
    PIN, is one of the simplest authentication methods. It is usually used
    with an identifier, as a shared secret between the person who wants
    access and the system that's protected.

    If the password is transmitted or stored without encryption, or if the
    encryption is easy to break, passwords and passcodes are vulnerable to
    eavesdropping and replay. And if it is encrypted, other attacks are
    used. A brute force attack tries possibility after possibility until the
    right one is found; a dictionary attack tries likely candidates (words,
    names, common passwords and simple variations of them) first. Utilities
    to help an attacker with this kind of attempt are easily found on the
    Internet. Short passwords made of one simple word are the easiest to find
    with this kind of attack. So many administrators require pass phrases,
    complex combinations of words. Controls will also often require that
    numbers or special characters are used with the password or pass
    phrase; this makes it more random in nature and harder to guess.

    In some environments, users must remember many complex
    passwords and pass phrases and end up writing them down near
    the computer. This becomes the vulnerability.

    Password Age Password age is the number of days since a password was last
    changed.

    Password Change A routine password change is a process where a user authenticates
    to a system using his login ID and password, and chooses a new
    password, either voluntarily or because the old password has expired.

    The only credentials involved in a routine password change are the
    user's identifier, old password and new password.

    Password

    Disclosure

    Password disclosure is a process where a stored copy of a
    password, matching a password in a target system's security
    database, is revealed to a human or machine user. For example, it
    might be the process of revealing a stored copy of an administrator
    password to a system administrator.

    Password Expiry Password expiry is a process whereby users are forced to
    periodically change their passwords. An expiration policy may be
    represented as the longest number of days for which a user may
    use the same password value.

    The reason for password expiry is the notion that, given enough
    time, an attacker could guess a given password. To avoid this,
    passwords should be changed periodically and not reused. Note that
    later guidance (NIST SP 800-63B) advises against routine expiry
    unless there is evidence of compromise, because forced changes tend
    to produce predictable variations of the old password.


    Password Expiry

    Date

    A password has an expiry date if the user will be forced to change
    it on the first successful login after a given time/date.

    Password History A password history is some representation of one or more
    previously used passwords for a given user. These passwords are
    stored (normally as salted one-way hashes, never in clear text) in
    order that they may be compared to new passwords
    chosen by the user, to prevent the user from reusing old passwords.

    The reason for password history is the notion that, given enough
    time, an attacker could guess a given password. To avoid this,
    passwords should be changed periodically and not reused.

    Password Policy A password policy is a set of rules regarding what sequence of
    characters constitutes an acceptable password. Acceptable
    passwords are generally those that would be too difficult for another
    user or an automated program to guess (thereby defeating the
    password mechanism).

    Password policies may require a minimum length, a mixture of
    different types of characters (lowercase, uppercase, digits,
    punctuation marks, etc.), avoidance of dictionary words or
    passwords based on the user's name, etc.

    Password policies may also require that users not reuse old
    passwords and that users change their passwords regularly.
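    An added example, not from the glossary, tying together the global password policy, password policy and password history entries in Python: a Policy record per target system, a combine() that takes the strongest of each rule and the most limited representation limits, a checker that reports every violated rule, and a history kept as salted hashes. The two system policies, the dictionary and the user record are constructed; the mainframe character set is an assumption.

```python
"""Password policy: per-system rules, a combined global policy, a checker and
a hashed password history.

Added example, not from the glossary. Both system policies, the dictionary and
the user record are constructed; the mainframe character set is an assumption.
"""
import hashlib
import os
import string
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Policy:
    min_length: int
    max_length: int                 # longest password the system can store
    min_classes: int                # of lower, upper, digit, other
    allowed_chars: Optional[str]    # None: any printable ASCII
    forbid_dictionary: bool
    history_depth: int              # how many old passwords may not be reused


# Constructed policies for two target systems whose passwords are synchronized.
AD_POLICY = Policy(7, 127, 3, None, True, 24)
MAINFRAME_ALLOWED = string.ascii_uppercase + string.digits + "@#$"   # assumption
MAINFRAME_POLICY = Policy(6, 8, 2, MAINFRAME_ALLOWED, False, 8)
DICTIONARY = {"password", "welcome", "summer", "letmein"}           # constructed


def combine(policies: Sequence[Policy]) -> Policy:
    """Global policy: the strongest of each rule, the most limited representation."""
    allowed = None
    for p in policies:
        if p.allowed_chars is not None:
            chars = set(p.allowed_chars)
            allowed = chars if allowed is None else allowed & chars
    return Policy(
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_classes=max(p.min_classes for p in policies),
        allowed_chars=None if allowed is None else "".join(sorted(allowed)),
        forbid_dictionary=any(p.forbid_dictionary for p in policies),
        history_depth=max(p.history_depth for p in policies),
    )


def char_classes(pw: str) -> int:
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2; the 16-byte salt is stored in front of the hash."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def in_history(pw: str, history: Sequence[bytes]) -> bool:
    return any(hash_password(pw, h[:16]) == h for h in history)


def check(pw: str, policy: Policy, user: dict, history: Sequence[bytes] = ()) -> list:
    """Return the rules the candidate violates; an empty list means acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    if len(pw) > policy.max_length:
        problems.append("too long for a target system")
    if char_classes(pw) < policy.min_classes:
        problems.append("too few character classes")
    if policy.allowed_chars is not None and any(c not in policy.allowed_chars for c in pw):
        problems.append("character not representable on every target system")
    lowered = pw.lower()
    if policy.forbid_dictionary and any(w in lowered for w in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(len(p) >= 3 and p.lower() in lowered
           for p in (user["login"], user["given"], user["surname"])):
        problems.append("based on the user's name")
    recent = history[-policy.history_depth:] if policy.history_depth else ()
    if in_history(pw, recent):
        problems.append("reused from history")
    return problems
```

    Combining the two constructed policies shows the cost of synchronization plainly: the eight-character, restricted-alphabet mainframe caps what every synchronized system can accept, so the global policy is only as strong as that limit allows.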

    Password Recovery Many applications offer weak encryption of data, such as office
    documents or spreadsheets. Such encryption is susceptible to brute-force
    key recovery, and such key recovery is offered by password
    recovery applications, most often to users who forgot the
    passwords they used to protect their own documents.

    Password Reset A password reset is a process where a user who has either
    forgotten his own password or triggered an intruder lockout on his
    own account can authenticate with something other than his
    password and have a new password administratively set on his
    account.

    Password resets may be performed by a support analyst or by the
    user himself (self-service).

    Password

    Synchronization

    Password synchronization technology helps users to maintain the
    same password on two or more systems. This, in turn, makes it
    easier for users to remember their passwords, reducing the need to
    write down passwords or to call an IT help desk to request a new
    password, to replace a forgotten one. The trade-off is that a password
    captured or cracked on the weakest synchronized system unlocks all of
    them, so the weakest system's protection of stored and transmitted
    passwords sets the security of the whole set.

    Password

    Synchronization

    Trigger

    A password synchronization trigger is the component of a
    transparent password synchronization system which detects the
    initial password change event and starts the synchronization
    process.

    Password Wallet A password wallet is an application used by a single user to store
    that user's various passwords, typically in encrypted form.

    Parallel Approvals A parallel authorization process is one where multiple authorizers
    are invited to comment concurrently, i.e., the identity management
    system does not wait for one authorizer to respond before inviting
    the next.

    Parallel authorization has the advantage of completing more quickly,
    as the time required to finish an authorization process is the single
    longest response time, rather than the sum of all response times.

    PKI Public-Key Infrastructure (PKI) is the infrastructure needed to

    support asymmetric cryptography. At a minimum, this includes the

    structure and services needed to do the following:

    Register and verify identities,

    Build and store credentials,

    Certify the credentials (issue digital certificates),

    Disseminate the public key, and

    Secure the private key and yet make it available for use.

    The infrastructure will also need to have the structure and services

    to renew keys, recover keys, and to notify others when a key is

    revoked.

    A set of highly trusted certification authorities must be able to certify
    other CAs; this includes being able to make and assert decisions
    based on use and policy.

    In addition, the elements of the PKI need to be able to interoperate
    seamlessly with all of the other elements whether they are within the
    same organization or not. Since they must provide these services to
    a wide variety of applications and entities, use of standards is
    absolutely required.

    Privileged Account A privileged account is a login ID on a system or application which

    has more privileges than a normal user. Privileged accounts are

    normally used by system administrators to manage the system, or to

    run services on that system, or by one application to connect to

    another.

    Profile ID A profile ID is a globally unique identifier for a human user.

    Provisioning The process of providing users with access to data and technology

    resources. The term typically is used in reference to enterprise-level

    resource management. Provisioning can be thought of as a

    combination of the duties of the human resources and IT

    departments in an enterprise, where (1) users are given access to

    data repositories or granted authorization to systems, applications

    and databases based on a unique user identity, and (2) users are

    appropriated hardware resources, such as computers, mobile

    phones and pagers. The process implies that the access rights and
    privileges are monitored and tracked to ensure the security of an
    enterprise's resources.

    Account provisioning describes the tasks and framework for
    authorizing and documenting access. It's the first step in user
    life-cycle management.

    As people join an organization, or change responsibilities, someone

    needs to make decisions about the information resources that they

    need to do their job and these policies must be enforced with the

    appropriate applications. De-provisioning must be done efficiently

    when people leave the organization or no longer need certain rights.

    RADIUS Remote Authentication Dial-In User Service (RADIUS), also known

    as RADIUS Authentication Server, was originally developed to

    provide centralized authentication, authorization, and accounting for

    dial-up access to a network. Now it supports many kinds of remote,

    authenticated access including VPNs, wireless and DSL.

    Recipient Changes to user profiles or entitlements always have a recipient:
    that user profile which will be created, modified or deleted.

    Requester Changes to user profiles or entitlements are often initiated by a
    requester, literally a person who makes a change request. In other
    cases they may be initiated by an automated process, which may or
    may not have a virtual (i.e., non-human) ID.

    Reduced Sign On A synonym for single sign-on which recognizes that authentication is
    normally reduced, but often not to just one step.

    Remote Agent A remote agent is an agent installed on an identity management
    server, rather than on the target system.

    Installation of remote agents requires no change control on the
    target system itself, making them easier to deploy and possibly
    more scalable, when hundreds or thousands of target systems are
    involved.

    Remote agents normally cannot detect changes to user objects on a
    target system in real time, so must poll target systems for changes
    periodically.

    Communication between a remote agent and the target system may
    not be secure, since it relies on the native
    communication protocols of the target system, which in some cases
    may be vulnerable to eavesdropping or data injection.

    Reverse Web Proxy A reverse web proxy intercepts user attempts to access one or more

    web applications, may modify the HTTP or HTTPS requests (for

    instance, inserting credentials), and requests web pages on behalf

    of the user.

    Reverse web proxies act on behalf of one or more web servers.
    WebSSO systems may be implemented using a reverse web proxy
    architecture, which inserts user application credentials into each
    HTTP stream.

    The reverse web proxy architecture has the advantage of not
    requiring software to be installed on each web application, which is
    attractive when a WebSSO system is integrated with a large number
    of web applications. Because the proxy holds and injects credentials
    for every application behind it, it is itself a high-value target and
    must be hardened accordingly.

    Role The specific rights, duties and activities that a person or
    organisation (an identity) has or does within a certain context. A role is
    usually characterised by a subset of an identity's attributes. An
    identity can have multiple roles, and each role should have a unique
    identifier.


    Role Change A role change is a business process where a user's job function
    changes and consequently the set of roles and entitlements that the
    user is assigned should also change. Some old entitlements should
    be removed (immediately or after a period of time), some old
    entitlements should be retained, and some new entitlements should
    be added.

    Role Based Access

    Control (RBAC)

    Role Based Access Control (RBAC) is the establishment of access
    rights based on a user's role in the organization. When an
    organization looks at the job of provisioning thousands of users and
    thousands of network devices for hundreds of applications, it can be
    daunting. One of the ways to simplify this task is to implement
    access controls for a limited number of roles instead of for each
    individual.

    Role Management Roles and role assignment are unlikely to remain static for any
    length of time. Because of this, they must be managed: the
    entitlements associated with a role must be reviewed and updated,
    and the users assigned the role, implicitly or explicitly, must be
    reviewed and changed. The business processes used to effect
    these reviews and changes are collectively referred to as role
    management (sometimes enterprise role management).

    Role Policy

    Enforcement

    Where entitlements on multiple systems are modelled with
    enterprise roles, an enforcement process can periodically compare
    actual entitlements with those predicted by the model and respond
    to variances by automatically making corrections, asking for
    deviations to be approved, etc. This periodic checking process is
    called role policy enforcement.

    Role Violation A role violation is a situation where a user is assigned an entitlement
    that contradicts the user's role assignment. The entitlement may be
    excessive, i.e., not predicted by the role, or it may be inadequate,
    i.e., the role assignment predicts that the user should have an
    entitlement, but the user does not.

    Risk Based

    Authentication

    Similar to layered authentication, risk-based authentication requires

    various levels of proofs, depending on the risk level of the

    transaction.

    This term is used interchangeably for systems where risk
    assessment is used in two different ways. In some systems, risk
    assessment is used to determine the stringency of the processes
    and procedures to enrol and use a particular set of resources. The
    same credentials will be used in every session but people who need
    different kinds of resources may use different credentials. A user
    name and password will be sufficient for some people where others
    with more access to sensitive information may need a two-factor
    hardware token, for example.

    The second way that risk-based authentication is used is where

    systems actually require different authentication levels for the same

    user, based on the specific transaction, not identity. For example,

    many web services will use a cookie, placed on the browser from an

    earlier session as a proof of identity for browsing catalogue pages

    but will ask for a user name and password to make a purchase.

    S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol

    that adds digital signatures and encryption to Internet MIME

    (Multipurpose Internet Mail Extensions) messages.

    MIME is the standard for Internet mail that makes it possible to send
    more than text. A mail message is split into two parts: the header,
    which contains the information needed to move the mail from the
    source to its destination, and the body. The MIME structure allows
    an e-mail body to contain graphics, audio and many other features
    that improve communication over simple text. Almost all modern
    e-mail systems support it.

    SAML The Security Assertion Markup Language (SAML) was developed
    by the OASIS Security Services Technical Committee (SSTC). It
    provides an XML-based framework (both structures and
    processes) for authorities to exchange authentication, attribute and
    authorization information about a subject. The subject is usually a
    person, but may be a computer or other entity, as long as it exists in
    some security domain. SAML provides a standard way to do single
    sign-on (SSO) that works independently of the underlying business
    systems and therefore can be an integral part of Federated Identity
    Management (FIM).

    The previous browser-based methods for maintaining identity during
    a session had serious deficiencies which the designers wanted to
    address, including the issues associated with using cookies to
    establish authenticated sessions. Cookies do not let one
    organization vouch for an entity that they've already authenticated,
    but SAML assertions, digitally signed by the issuing authority, support this.

    Secure Kiosk

    Account (SKA)

    A secure kiosk account is a special Windows login ID and password,

    which is well known to users (for example, it may be advertised on

    the wallpaper image of the login screen). Special security policies

    are applied to this account, so that when it signs into a Windows

    workstation, a locked down (kiosk-mode) web browser is launched

    instead of the normal Windows desktop.

    A SKA is a mechanism that allows users to access a self-service

    password reset web application despite being locked out of the

    initial workstation login screen.

    Security

    Administrator

    A security administrator is a person responsible for maintaining a list
    of users, their identity attributes, their passwords or other
    authentication factors and their security privileges on one or more
    target systems. The security administrator may not have the
    responsibility or ability to reconfigure or otherwise manage the
    system itself; that is the job of a system administrator.

    Security Credentials Credentials are the data used to both identify and authenticate a

    user. The most common credentials are login IDs and passwords.

    Other credentials refer to other types of authentication factors,

    including biometric samples of the user, public key certificates, etc.

    Security Database A security database is the native storage used by a system or
    application to house records about users, passwords and privileges.
    Examples are the SAM database in Windows, the passwd and shadow
    files on Unix/Linux and RACF on mainframes.

    Security Entitlement An entitlement is the object in a system's security model that can be
    granted or associated to a user account to enable that account to
    perform (or in some cases prevent the performance of) some set of
    actions in that system. It is commonly accepted that this definition
    of entitlement refers to the highest-order grantable object in a
    system's security model, such as an Active Directory group
    membership or SAP role, and not lower-order objects such as a
    single-file permission setting.

    Security Entitlement

    Audit

    In many organizations, security entitlements have to be reviewed

    from time to time. This is done because business processes relating

    to changing needs are often reliable with respect to granting new

    entitlements, but less reliable with respect to deactivating old,


    unneeded entitlements. A periodic audit can be used to find and

    remove such old, unneeded entitlements.

    Security Entitlement

    Change

    Users' need to access sensitive resources may change from time to
    time. For example, an employee may join a new project, finish an
    old one or change roles. When this happens, new security
    entitlements are often needed and old ones should be removed.

Security Equivalence: Two authentication processes are considered to be equivalent if (a) they are about equally difficult to defeat or (b) by defeating one of them, an intruder can subsequently defeat the other.

An example of the latter is a PIN-based enrolment of challenge/response data. In this scenario, users are e-mailed a PIN, which they use to authenticate and complete a personal challenge/response profile. This profile may later be used in the context of self-service password reset. In this scenario, the PINs are equivalent to the challenge/response data, and that is equivalent to user login passwords, so ultimately enrolment PINs are security-equivalent to login passwords (a bad thing!).

Security Group: A security group is a named collection of users, which has been defined in order to simplify the assignment of entitlements. The idea is to assign multiple entitlements to the group, rather than assigning entitlements, again and again, to every user that belongs to the group.

Self Service Password Reset: Self-service password reset (SSPR) is a process that lets users reset their own forgotten passwords without involving the help desk. Users normally authenticate using challenge/response, a hardware token or a biometric.

SSPR is normally deployed to reduce IT support cost, by diverting the resolution of password problems away from the (expensive, human) help desk.

Segregation of Duties Policy: A segregation of duties (SoD) policy is a rule regarding user entitlements intended to prevent fraud. It stipulates that one user may not concurrently be assigned two or more key functions in a sensitive business process.

Sequential Approvals: A sequential authorization process is one where multiple authorizers are invited to comment, one after another.

Sequential (or serial) authorization has the advantage of minimizing the nuisance to authorizers in the event that an early authorizer rejects a change request.

Service Account Password: A service account password is used on Windows systems to start a service program which runs in a context other than that of the SYSTEM user. The service control manager uses a login ID and password (of the service account) to start the service program.

Shared Account: A shared account is a login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared: for example, root, sa or Administrator by system administrators.

Simple Role: A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.

Single Sign On (SSO): Single sign-on (SSO) describes the ability to use one set of credentials, an ID and password or a passcode for example, to authenticate and access information across system, application and even organizational boundaries. It may be called Web SSO when everything is accessed through a browser.

With SSO a person authenticates only one time for a particular working session regardless of where the information that they want to access is located. This process offers enhanced security over a simple synchronization of passwords.

Smart Card: A smart card is a credit card sized device that contains a tamper proof computer chip. When it is used for security, this chip can hold and protect various types of credentials that the bearer can use for authentication. Smart card authentication requires a card reader.

Smart cards, like tokens, were developed for strong or two-factor authentication. So in addition to swiping the card to prove ownership of the credentials contained on it (something he has), the owner usually has to enter a PIN or password (something he knows).

The infrastructure to support smart cards must include a method to securely write the credentials to the card, usually a dedicated computer and an application with administrator-only access to the server. Administrator access is often supplied with a mother card.

The advantage that smart cards have over tokens is that the memory chip can hold more information: separate credentials for multiple applications or for different authentication methods, for example.

SSL-VPN: Although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and that it authenticates at least one of the parties also makes it a Virtual Private Network (VPN). One of the best things about this protocol is that most computers have a browser; that means that no new software needs to be added to the client in order to use this method.

Static SoD Policy: A static segregation of duties policy is one that prevents one login account or user profile from having two or more conflicting entitlements. These entitlements may be thought of as a toxic combination. For example, the same user may not both authorize an expense and print the cheque to pay for it.
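A static SoD check over a user profile's effective entitlements, written as an added example (it is not part of the glossary or of any vendor product). The rule names, entitlement names and group definitions are constructed; the point shown is that a toxic combination can be hidden across a direct entitlement and one inherited through a security group, so the check must expand group membership first.

```python
"""Static segregation-of-duties check over effective entitlements (constructed example)."""

# A static SoD rule names a toxic combination: no single user profile may hold
# every entitlement in the combination at once. Rule names are constructed.
SOD_RULES = {
    "expense-fraud": frozenset({"AuthorizeExpense", "PrintCheque"}),
    "vendor-fraud": frozenset({"CreateVendor", "ApproveVendorPayment"}),
}

# Security groups / simple roles bundle entitlements (constructed data).
GROUPS = {
    "AP-Clerks": {"EnterInvoice", "PrintCheque"},
    "Finance-Managers": {"AuthorizeExpense", "ApproveVendorPayment"},
}


def effective_entitlements(direct, groups, group_defs=GROUPS):
    """Direct entitlements plus everything inherited via group membership."""
    effective = set(direct)
    for group in groups:
        effective |= group_defs.get(group, set())
    return effective


def sod_violations(direct, groups, rules=SOD_RULES, group_defs=GROUPS):
    """Return {rule_name: toxic_combination} for every rule this profile violates."""
    effective = effective_entitlements(direct, groups, group_defs)
    # A rule is violated when the whole toxic combination is a subset of
    # what the user can effectively do.
    return {name: combo for name, combo in rules.items() if combo <= effective}


def audit(profiles, rules=SOD_RULES, group_defs=GROUPS):
    """Evaluate every profile {login: (direct, groups)}; returns violators only."""
    report = {}
    for login, (direct, groups) in profiles.items():
        found = sod_violations(direct, groups, rules, group_defs)
        if found:
            report[login] = found
    return report


if __name__ == "__main__":
    # Constructed sample profiles: bob's conflict only appears after expanding AP-Clerks.
    users = {
        "alice": ({"EnterInvoice"}, {"AP-Clerks"}),
        "bob": ({"AuthorizeExpense"}, {"AP-Clerks"}),
        "carol": (set(), {"Finance-Managers"}),
    }
    for login, found in audit(users).items():
        print(login, "violates", sorted(found))
```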

Strong Authentication: Strong authentication refers to an authentication process which is difficult to simulate. It may be based on use of multiple authentication factors or use of a single but hard-to-spoof authentication factor.

Support Analyst: An IT support analyst is a user with special privileges, which allow him to assist other users, for example by resetting their forgotten passwords.

Target Connector: A connector is a piece of software used to integrate an identity management system with a given type of target system.

Target Platform: A target platform is a type of target system. For example, it might be an operating system (e.g., Unix, Windows), a type of database (e.g., Oracle, Microsoft SQL) or a type of application (e.g., SAP R/3, PeopleSoft). An identity management system typically needs a different connector for each type of integrated target platform.

Target System: Systems and applications where information about users resides and which are integrated into an identity management infrastructure are called target systems. They may include directories, operating systems, databases, application programs, mainframes, e-mail systems, etc.

Target System Administrator: A system administrator is a user with absolute control over a target system. The system administrator may install any or all software on the managed system, can create or delete other users on that system, etc.

Termination: All users eventually leave an organization. Likewise, customers may terminate their relationship with vendors. Generically, these events are called termination.

Token: A token (sometimes called a security token) is an object that controls access to a digital asset. Traditionally, this term has been used to describe a hardware authenticator, a small device used in a networked environment to create a one-time password that the owner enters into a login screen along with an ID and a PIN. However, in the context of web services and with the emerging need for devices and processes to authenticate to each other over open networks, the term token has been expanded to include software mechanisms, too.

Transparent (Automatic) Password Synchronization: Transparent password synchronization works by intercepting native password changes on an existing system or application and automatically forwarding the user's chosen new password to other systems. It is called transparent since the user is not presented with any new user interface.

Transparent password synchronization typically must enforce a multi-system password policy in addition to the native policy of the system where synchronization is initiated. This policy should be at least as strong as the policies in each of the target applications.

Trust Relationship: A trust relationship is a codified arrangement between two domains where users and/or services exist. One domain (A) trusts the other (B) to identify, authenticate and authorize B's users to access A's resources.

Simple trust relationships are two-way, while complex ones may have groups of multi-way trust (i.e., any organization in a group trusts any other to make assertions about its own users).

Two-Factor Authentication: Two-factor authentication is also called strong authentication. It is defined as two out of the following three proofs:

- Something known, like a password,
- Something possessed, like your ATM card, or
- Something unique about your appearance or person, like a fingerprint.

User Creation: When users join an organization, they are normally granted access to systems and applications. This is called user creation.

User Life Cycle Management: User life-cycle management covers the entire process of identity management over time. It includes the technologies used for provisioning and password resets but it also includes the processes and policies associated with these technologies.

Who decides what access a user needs; how easy should it be for a user to reset a password; do we need different levels of authentication for highly sensitive information; and when do we disable a user's account or delete it? These are all policy issues. The security architecture and tools that a company chooses need to support the policies in a way that's consistent with the organization's goals.

An organization needs to analyze the policies and tasks associated with provisioning access to information resources; this is highly visible to new customers, employees, or partners. But it also needs to look at frequently repeated tasks like password resets, moves and changes, to save time and reduce costs. A way to efficiently de-provision must be built into the architecture, because unused accounts, and accounts that are linked to people who no longer need access, continue to be a major source of security breaches in the enterprise.

User Provisioning: A user provisioning system is shared IT infrastructure which is used to externalize the management of users, identity attributes and entitlements from individual systems and applications.

User provisioning is intended to make the creation, management and deactivation of login accounts and other user objects, which are spread across multiple systems, faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.

User provisioning systems work by automating one or more processes:

- Identity synchronization: Detect changes to personal data, such as phone numbers or department codes, on one system and automatically make matching changes on other systems for the same user.
- Auto-provisioning: Detect new user records on a system of record (such as HR) and automatically provision those users with appropriate access on other systems and applications.
- Auto-deactivation: Detect deleted or deactivated users on an authoritative system and automatically deactivate those users on all other systems and applications.
- Self-service requests: Enable users to update their own profiles (e.g., new home phone number) and to request new entitlements (e.g., access to an application or share).
- Delegated administration: Enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority.
- Authorization workflow: Validate all proposed changes, regardless of their origin, and invite business stake-holders to approve them before they are applied to integrated systems and applications.
- Consolidated reporting: Provide data about what users have what entitlements, what accounts are dormant or orphaned, change history, etc. across multiple systems and applications.

As well, a user provisioning system must be able to connect these processes to systems and applications, using connectors that can:

- List existing accounts and groups.
- Create new and delete existing accounts.
- Read and write identity attributes associated with a user object.
- Read and set flags, such as "account enabled/disabled," "account locked," and "intruder lockout."
- Change the login ID of an existing account (rename user).
- Read a user's group memberships.
- Read a list of a group's member users.
- Add an account to or remove an account from a group.
- Create, delete and set the attributes of a group.
- Move a user between directory organizational units (OUs).

User Profile: The set of login accounts, identity attributes and security entitlements associated with a single (human) user.

Verification: During a Knowledge Based Authentication session, the process that ensures that the data provided for an individual exists and matches (name, address, social security number, date of birth, driver's license).

Veto Power: Veto power is a right assigned to authorizers in an approvals process whereby rejection of a change request by the authorizer who has veto power cancels the request, regardless of any approvals previously received from other authorizers.
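An added example (not from the glossary or any product) combining the Sequential Approvals and Veto Power entries: authorizers are invited one after another, the run stops as soon as the outcome is settled so that later authorizers are not bothered needlessly, and a rejection by a veto holder cancels the request no matter how many approvals came before it. The quorum rule (a request needs a given number of approvals) and the authorizer names are constructed assumptions; veto holders are never skipped, since their rejection must always be able to cancel the request.

```python
"""Sequential approval workflow with veto power (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorizer:
    name: str
    veto: bool = False  # a veto holder's rejection cancels the request outright


# Constructed approval chain: the veto holder is consulted last.
AUTHORIZERS = [
    Authorizer("manager"),
    Authorizer("owner"),
    Authorizer("security", veto=True),
]


def run_sequential_approval(authorizers, decide, required_approvals):
    """Invite authorizers one after another until the outcome is settled.

    decide(name) -> True (approve) or False (reject); in a real workflow this
    is the authorizer's response to the invitation. Returns (outcome, invited)
    where outcome is "approved", "rejected" or "vetoed" and invited lists the
    authorizers who were actually bothered, in order.
    """
    approvals = 0
    invited = []
    pending = list(authorizers)
    while pending:
        authorizer = pending.pop(0)
        invited.append(authorizer.name)
        approved = decide(authorizer.name)
        if not approved and authorizer.veto:
            # Earlier approvals do not matter once a veto holder rejects.
            return "vetoed", invited
        approvals += int(approved)
        # The quorum can no longer be met by those left: stop inviting them.
        if approvals + len(pending) < required_approvals:
            return "rejected", invited
        # Quorum met and every veto holder has already been heard: done.
        if approvals >= required_approvals and not any(p.veto for p in pending):
            return "approved", invited
    return "rejected", invited


if __name__ == "__main__":
    # Constructed responses: the manager rejects, so nobody else is bothered.
    answers = {"manager": False, "owner": True, "security": True}
    print(run_sequential_approval(AUTHORIZERS, answers.__getitem__, 3))
```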

Vetting: The process of thorough examination and evaluation.

Virtual Directory: A virtual directory is an application that exposes a consolidated view of multiple physical directories over an LDAP interface. Consumers of the directory information connect to the virtual directory's LDAP service and, behind the scenes, requests for information and updates to the directory are sent to one or more physical directories, where the actual information resides. Virtual directories enable organizations to create a consolidated view of information that for legal or technical reasons cannot be consolidated into a single physical copy.

Web Access Management: Web access management enables organizations to carefully manage access rights to web-based resources on intranets, extranets, portals and exchange infrastructures. With growing numbers of internal and external users, and more and more enterprise resources being made available online, it is critical to ensure that qualified users can access only those resources to which they are entitled. Web access management does just that: it offers business rule-based access management that is easy to deploy and monitor for compliance.

Web Based Password Synchronization: Web-based password synchronization works by having a user sign into a consolidated web page to change multiple passwords, rather than waiting for each system or application to prompt the user to change just one password.

Users typically sign into the password synchronization web page using a primary login ID and password and can then specify a new password, which will be applied to multiple systems and applications.

A password synchronization web application typically must enforce a password policy, which should be at least as strong as the policies in each of the target applications.
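An added example (not from the glossary or any product) of the "at least as strong as every target" rule that both the Transparent Password Synchronization and Web Based Password Synchronization entries call for: the per-target policies are folded into one combined policy (longest minimum, shortest maximum, union of required character classes), a candidate password is checked against it before being pushed to any target, and a combination that no password can satisfy is detected up front. The sample policies and their limits are constructed, not real product defaults.

```python
"""Composing a multi-system password policy for synchronization (constructed example)."""
import string
from dataclasses import dataclass

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 1
    max_length: int = 10**6          # "no limit" for targets that do not cap length
    required_classes: frozenset = frozenset()


# Constructed sample target policies (limits are illustrative, not vendor facts).
AD_POLICY = PasswordPolicy("directory", min_length=8,
                           required_classes=frozenset({"upper", "lower", "digit"}))
RACF_POLICY = PasswordPolicy("legacy-mainframe", max_length=8,
                             required_classes=frozenset({"digit"}))
UNIX_POLICY = PasswordPolicy("unix", min_length=10,
                             required_classes=frozenset({"symbol"}))


def strictest(policies):
    """Fold target policies into one that every target would accept."""
    return PasswordPolicy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        required_classes=frozenset().union(*(p.required_classes for p in policies)),
    )


def is_feasible(policy):
    """False when the combined limits leave no password that could satisfy all targets."""
    return policy.min_length <= policy.max_length and len(policy.required_classes) <= policy.max_length


def violations(password, policy, login_id=""):
    """List the rules a candidate password breaks (empty list means it may be synchronized)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    chars = set(password)
    for cls in sorted(policy.required_classes):
        if not chars & CHAR_CLASSES[cls]:
            problems.append(f"missing {cls}")
    if login_id and login_id.lower() in password.lower():
        problems.append("contains login ID")
    return problems
```

Checking the candidate before the first target is updated matters because a password accepted by the initiating system but rejected by one target would otherwise leave the user with different passwords on different systems.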

Web Proxy: A web proxy acts on behalf of one or more web browsers, fetching web pages for users and possibly adding capabilities such as caching (to reduce an organization's bandwidth usage), filtering (to block unwanted content) and monitoring (to record user activity). Web proxies act on behalf of one or more users.

Web Server Agent: An agent installed on a web server may be used to implement a WebSSO system by injecting user identification, authentication and authorization data into the requests sent from a user's browser to the web server. more web applications, may modify the HTTP or HTTPS requests (for instance, inserting credentials), and requests web pages on behalf of the user.

The server agent architecture has the advantage of not requiring new hardware to be deployed when implementing a WebSSO system.

Web SSO Authentication Server: In a WebSSO system, one or more servers are dedicated to the function of authenticating users and determining what operations they will be permitted to perform. These are called authentication servers.