Glossary
Affiliation
A user’s role in their organization, taken from a list of preset terms. Affiliations include member, staff, student and alum. See also scope.
Application
An application represents a resource, product or service, such as an online journal. There are two types of applications. OpenID Connect applications are generated by the OpenAthens Keystone software. External or SAML applications use third-party SAML software.
Attribute
A piece of information about an object, usually a user, supplied by an identity provider.
Authentication & authorization
Authentication is the checking of user credentials, which in a federated context is done by the identity provider. Authorization is the decision on whether the authenticated user may access a resource, which is made by the service provider based on the user's scope and attributes.
Connection
The complement to a Keystone application is the connection. This is where you select rules and which federation's metadata to use.
Deep linking
Setting up your site so that a link can send the user directly to the signed-in version of a page.
Discovery
The way a user accessing an SP identifies to that SP which IdP they are from. Ideally this is a type-ahead search, but sometimes it is just a list. It is sometimes referred to by the Shibboleth term “WAYF” (Where Are You From). Our Wayfinder option is a good and simple way of adding this to your product.
EntityID
The unique identifier of a SAML entity. The entityID usually takes the form of a secure URI, e.g.:
https://idp.eduserv.org.uk/openathens
Identity Provider (IdP)
The organization that issues identities to its users, e.g. a library.
Metadata
Information about entities. Each IdP or SP entity has its own metadata that describes it in terms of signatures, certificates, sign-in addresses and what it supports. There is also federation-maintained central metadata that aggregates all the individual entities' metadata.
This aggregated metadata is cached by entities for quick reference. The OpenAthens federation metadata has ETag support to help with this.
OpenAthens Keystone
A simpler way to interact with SAML federations around the world by leveraging OpenID Connect.
OpenAthens Redirector
When a resource supports both deep linking and WAYFless access, our redirector can be used by identity providers as a simple way to form access links.
OpenAthens SP
An older OpenAthens SP software product, since replaced by Keystone.
Parent organization and sub-organization
The entity that authenticates a user’s identity when the user tries to access your content, products or services.
OpenAthens IdPs can have a hierarchy of organizational units (OUs) if needed. For some organizations, the “parent” is the only identity provider. Other organizations are divided into sub-organizations for subscription licensing purposes. Sub-organizations can have their own scope (see below), and when they do they are shown separately in statistics reports.
SAML
Security Assertion Markup Language. The standard upon which most federations work.
Scope
In federations, scope is used as in “belonging to” or “purview of” an organization. It is an identifier of an organization or an organizational unit (OU) within a larger organization. It is usually expressed as a domain and TLD owned by the organization; an OU or sub-organization’s scope would include a subdomain if it needed to be identified as different, for example if the parent organization and sub-organization had different subscription levels. In the OpenAthens federation, the subdomain part is usually a number, e.g.:
domain.com
3032162.domain.com
The scope is supplied as part of the scopedAffiliation attribute (see below).
scopedAffiliation
The friendly name for urn:oid:1.3.6.1.4.1.5923.1.1.1.9. A user's affiliation (role), such as member, staff or student, together with the scope it applies to.
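The Scope and scopedAffiliation entries above describe a value of the form affiliation@scope, with a numbered subdomain marking a sub-organization that holds a different subscription level from its parent. The following Python is an added example, not OpenAthens code: it parses such values as a service provider would receive them and makes a scope-based authorization decision. The subscription table, the rule that a sub-organization scope without its own licence falls back to its parent's, and all sample values are constructed for the illustration.

```python
"""Parse scopedAffiliation values and make the scope-based authorization
decision a service provider would make.  Added illustration: the subscription
table, the inheritance rule and all sample values are constructed."""
from dataclasses import dataclass

# Friendly name's OID, as given in the glossary.
SCOPED_AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Preset affiliation vocabulary (the terms the glossary lists).
AFFILIATIONS = frozenset({"member", "staff", "student", "alum"})

# Constructed subscription table: scope -> affiliations the licence covers.
# The parent organization and a sub-organization hold different licence levels,
# which is why the sub-organization carries its own numbered scope.
SUBSCRIPTIONS = {
    "domain.com": {"member", "staff", "student"},
    "3032162.domain.com": {"staff"},
}


@dataclass(frozen=True)
class ScopedAffiliation:
    affiliation: str
    scope: str


def parse_scoped_affiliation(value: str) -> ScopedAffiliation:
    """Split 'affiliation@scope', normalising case and rejecting anything that is
    not a known affiliation followed by a DNS-style scope."""
    affiliation, sep, scope = value.strip().lower().partition("@")
    if not sep or not affiliation or not scope:
        raise ValueError(f"malformed scopedAffiliation: {value!r}")
    if affiliation not in AFFILIATIONS:
        raise ValueError(f"unknown affiliation: {affiliation!r}")
    labels = scope.split(".")
    if any(not lbl or not all(c.isalnum() or c == "-" for c in lbl) for lbl in labels):
        raise ValueError(f"invalid scope: {scope!r}")
    return ScopedAffiliation(affiliation, scope)


def licence_for_scope(scope: str, subscriptions=SUBSCRIPTIONS):
    """Return (matched_scope, allowed_affiliations) for the most specific licence
    covering the scope.  Matching walks whole DNS labels from the right, so
    'evil-domain.com' never matches a licence for 'domain.com'.  A sub-organization
    scope with no licence of its own falls back to its parent's (an assumption
    made for this example)."""
    labels = scope.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in subscriptions:
            return candidate, subscriptions[candidate]
    return None, frozenset()


def authorize(attribute_values, subscriptions=SUBSCRIPTIONS):
    """SP-side decision: the IdP may assert several scopedAffiliation values;
    grant access if any one of them is covered by a licence."""
    for raw in attribute_values:
        try:
            sa = parse_scoped_affiliation(raw)
        except ValueError:
            continue  # skip malformed values rather than failing open
        matched, allowed = licence_for_scope(sa.scope, subscriptions)
        if matched is not None and sa.affiliation in allowed:
            return True, f"{sa.affiliation}@{sa.scope} licensed via {matched}"
    return False, "no licensed scopedAffiliation presented"


if __name__ == "__main__":
    for values in (["student@domain.com"], ["student@3032162.domain.com"],
                   ["staff@3032162.domain.com"], ["member@evil-domain.com"]):
        print(values, "->", authorize(values))
```

Note that the sub-organization's own licence takes precedence over the parent's: a student at 3032162.domain.com is refused even though students at domain.com are licensed, which is the "different subscription levels" case the Scope entry describes. Matching on whole labels rather than substrings is what stops a scope such as domain.com.attacker.net from borrowing domain.com's licence.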
Service provider (SP)
The resource provider that authorizes entry based on the scope and attributes of the user attempting access.
Shibboleth
Open source SP software originally developed by Internet2 and supported by the community. Service providers can use it in the OpenAthens federation if they wish.
targetedID
The friendly name for urn:oid:1.3.6.1.4.1.5923.1.1.1.10. It is a pseudonymous identifier for an individual user that is consistent every time the user visits an SP but different for each separate SP.
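The two properties the targetedID entry gives, stable across visits to one SP yet unrelated between SPs, follow from keying the identifier on the SP's entityID under a secret held by the IdP. The Python below is an added example, not OpenAthens or Shibboleth code: the HMAC derivation, the salt, the SP entityIDs and the user ids are all constructed, and a real IdP may derive its values differently. The SP side shows why this is enough for account linking without the SP ever learning the IdP's internal user id.

```python
"""Derive and consume a pairwise pseudonymous identifier with the properties the
glossary gives for targetedID.  Added illustration: the HMAC derivation, the
salt and the sample users and SPs are constructed, not an IdP's actual method."""
import base64
import hashlib
import hmac

TARGETED_ID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"

# Constructed IdP-side secret.  Keeping it secret makes the identifier
# unlinkable across SPs; keeping it stable makes it consistent across visits.
IDP_SALT = b"constructed-idp-secret-salt-do-not-reuse"


def compute_targeted_id(internal_user_id: str, sp_entity_id: str,
                        salt: bytes = IDP_SALT) -> str:
    """HMAC over (SP entityID, internal user id): same inputs give the same
    value, and a different entityID gives an unrelated value."""
    message = sp_entity_id.encode() + b"!" + internal_user_id.encode()
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


class SpAccountStore:
    """SP-side account linking keyed only by targetedID: the SP never sees the
    IdP's internal user id and cannot correlate its users with another SP's."""

    def __init__(self):
        self._accounts = {}

    def account_for(self, targeted_id: str) -> int:
        """Return the local account number, creating one on the first visit."""
        if targeted_id not in self._accounts:
            self._accounts[targeted_id] = len(self._accounts) + 1
        return self._accounts[targeted_id]


def demo():
    """One user visiting SP A twice and SP B once (constructed entityIDs)."""
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    store_a = SpAccountStore()
    first = store_a.account_for(compute_targeted_id("user-42", sp_a))
    again = store_a.account_for(compute_targeted_id("user-42", sp_a))
    differs_at_b = compute_targeted_id("user-42", sp_b) != compute_targeted_id("user-42", sp_a)
    return first, again, differs_at_b


if __name__ == "__main__":
    print(demo())  # the same local account both times at SP A, a different value at SP B
```

Because the value is opaque to the SP, rotating or leaking the IdP's salt changes every targetedID at once; an SP that keys accounts on it should expect that an IdP-side reset looks like a population of new users.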
Transfer
The unit by which we monitor statistics. A transfer occurs when a user tries to access a service provider’s content, product or service, is successfully authenticated by their own organization, and is then sent back to the service provider for authorization. It is logged whether or not the service provider subsequently grants access to the user.
WAYFless URL
An access URL that includes the entityID of a user's IdP so that the user does not have to pass through discovery to identify their home organization to a service provider.
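A WAYFless URL combines the Deep linking and Discovery entries above: it carries the user's IdP entityID so discovery is skipped, plus the signed-in page the user should land on. The Python below is an added example, not OpenAthens or Shibboleth code. It assumes the SP uses the Shibboleth SP's /Shibboleth.sso/Login session-initiator path with entityID and target parameters; the SP hostname and article link are constructed, while the IdP entityID is the one quoted in the EntityID entry. The target check is the point a service provider should not skip: an unvalidated target turns the access link into an open redirect.

```python
"""Build and check WAYFless access URLs.  Added illustration: the SP host, the
session-initiator convention (the Shibboleth SP's /Shibboleth.sso/Login path is
assumed) and the sample links are constructed, not OpenAthens' own format."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SP_HOST = "journal.example.org"              # constructed SP hostname
SESSION_INITIATOR = "/Shibboleth.sso/Login"  # assumed session-initiator path


def validate_target(target: str) -> str:
    """Accept only https deep links on this SP's own host, so the WAYFless URL
    cannot be used to bounce a signed-in user to another site."""
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc != SP_HOST:
        raise ValueError(f"target must be an https URL on {SP_HOST}: {target!r}")
    return target


def build_wayfless_url(idp_entity_id: str, target: str) -> str:
    """entityID names the user's IdP so discovery is skipped; target is the
    signed-in deep link the user lands on after authentication."""
    query = urlencode({"entityID": idp_entity_id, "target": validate_target(target)})
    return urlunsplit(("https", SP_HOST, SESSION_INITIATOR, query, ""))


def parse_wayfless_url(url: str) -> dict:
    """SP side: recover entityID and target and re-validate the target before
    acting on it, since the link may have been edited after it was issued."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if parts.path != SESSION_INITIATOR or "entityID" not in params:
        raise ValueError("not a WAYFless URL for this SP")
    default_target = ["https://" + SP_HOST + "/"]
    return {
        "entityID": params["entityID"][0],
        "target": validate_target(params.get("target", default_target)[0]),
    }


if __name__ == "__main__":
    link = build_wayfless_url("https://idp.eduserv.org.uk/openathens",
                              "https://journal.example.org/article/123")
    print(link)
    print(parse_wayfless_url(link))
```

Comparing the whole netloc rather than checking that the host string appears in the URL is deliberate: a target such as https://journal.example.org@attacker.example/ contains the SP's name but has a different host, and a protocol-relative //attacker.example/ has no scheme at all. Both are rejected.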