Skip to main content

Infinite BrassRing Platform

Common Single Sign-On Terminology

Abstract

This page describes Common Single Sign-On Terminology

Table 55. Common Single Sign-On Terminology

Term

Description

Assertion Consumer Service (ACS)

This is the URL where the Security Assertion Markup Language (SAML) assertion is sent. In some systems, this might also be labeled as the Recipient URL.

Encryption certificate

SAML communications are encrypted at the HTTPS network level by using Secure Sockets Layer (SSL) with TLS. Using an Encryption certificate allows another layer of encryption at the application level, providing an extra security for the SAML Assertion. The encryption certificates are based on X.509 public key infrastructure (PKI).

EntityId

A globally unique end point for Identity Provider and Service Provider systems

Identity Provider (IdP) / Authorization Server

The server that owns the user identities and credentials, against which the user authenticates. This is a service that can authoritatively verify users performing authentication; checking usernames and passwords. Examples include: ADFS, Okta, Ping Identity, Windows Login Services.

IdP-initiated

An IdP-initiated login starts with the user first navigating to the IdP, typically by using a login page or dashboard, and then going to the SP with a SAML assertion.

Inbound SSO

Inbound identity federation allows an organization to securely provide access to its applications and services, web applications or websites, to identities (persons) that are outside the organization's traditional boundary or trust domain, typically people that are not members of the organization. In an identity federation flow, an identity broker that receives an assertion from another identity broker is known as inbound identity federation.

NameIDFormat

As an SP and IdP communicate with each other about a subject or user, they need to know how to identify a subject or user and what the valid formats are. The NameIDFormat field describes the valid formats. Infinite BrassRing Platform supports emailAddress and unspecified. If unspecified is selected in Infinite BrassRing Platform, it is up to the IdP to determine which name identifier format to use.

ADFS does not support unspecified and emailAddress must be used in this case. This just describes the format in the SAML protocol, not the data values, and Infinite BrassRing Platform always matches the case given the subject or user information that is provided by IdP to the user name attribute in the Infinite BrassRing Platform user management system.

Outbound SSO

Outbound identity federation allows identities that an organization manages (typically people who are members of the organization) to access applications and services that are outside the organization’s traditional network boundary or trust domain. An identity provider (IdP) which produces an assertion to be consumed by another identity broker is known as outbound identity federation.

SAML (Security Assertion Markup Language)

An open standard XML data format for exchanging authorization and authentication data between systems, such as an identity provider (a producer of assertions) and a service provider (a consumer of assertions).

SAML Assertion

The XML content that contains a user's identity and other attributes (also known as subject) provided by the identify provider and handled by the browser redirects. This assertion also includes certificate information to verify the trust between the assertion producer and consumer. Basically, authentication requests and information are passed by using standards-based secure protocols, such as SAML.

SAML metadata

It is the data file that contains and describes the information that is needed for the SAML communication, such as entityId, certificates, NameIDFormat, and other services offered by that system. General information on metadata can be found here. Infinite is not responsible for the content on third party websites.

Service Provider (SP) / Resource Server

The server that provides the service, website, or application, that the user is attempting to use.

Signing certificate

SAML messages can be signed by the sender. If messages are signed the message receiver can verify the message, came from the sender by using the senders public signing certificate. The signing certificates are based on X.509 public key infrastructure (PKI).

Single Sign- On (SSO)

Single Sign-On (SSO) is a system that enables users to securely authenticate with multiple applications and websites by logging in only once, with one set of credentials (username and password). With SSO, the application or website that the user is trying to access relies on a trusted third party to verify that users are who they say they are. By configuring and enabling SSO with Infinite BrassRing Platform, a user must log in only once and can securely connect and use applications that they are authorized to use within the Infinite BrassRing Platform.

SP-initiated

An SP-initiated login starts with the user first navigating to the SP, getting redirected to the IdP with a SAML request, and then redirected back to the SP with a SAML assertion. A SAML request unique for SP-initiated login.