User having privileges only to read and write policy agent profile configuration information, typically created to delegate policy agent profile creation to the user installing a policy agent

The act of confirming the identity of a principal

OpenAM authentication unit that handles one way of obtaining and verifying credentials

A series of authentication modules configured together which a principal must negotiate as configured in order to authenticate successfully

Control to grant or to deny access to a resource

The act of making an account temporarily or permanently inactive after successive authentication failures

Entity with read-only access to multiple agent profiles defined in the same realm; allows an agent to read web service profiles

In the context of OpenAM entitlements, protected resources that share a common set of actions and related policies

Access control that is based on attributes of a user, such as how old a user is or whether she is a paying customer

Positive integer associated with an authentication module, usually used to require success with more stringent authentication measures when requesting resources requiring special protection

The act of determining whether to grant or to deny a principal access to a resource

In OAuth 2.0, issues access tokens to the client after authenticating a resource owner and confirming that the owner authorizes the client to access the protected resource. OpenAM can play this role in the OAuth 2.0 authorization framework.

Arrangement to federate a principal's identity automatically based on a common attribute value shared across the principal's profiles at different providers

Batch job permanently federating user profiles between a service provider and an identity provider based on a list of matched user identifiers that exist on both providers

Group of providers, including at least one identity provider, who have agreed to trust each other to participate in a SAML 2.0 provider federation

In OAuth 2.0, requests protected web resources on behalf of the resource owner given the owner's authorization. OpenAM can play this role in the OAuth 2.0 authorization framework.

Optional conditions under which a policy applies

LDAP directory service holding OpenAM configuration data

OpenAM capability allowing single sign on across different DNS domains

In the context of OpenAM entitlements, a means of granting specific users privileges to manage policies

XACML-based policy

Federation configuration information specific to OpenAM

Standard, XML-based access control policy language, including a processing model for making authorization decisions based on policies

Standardized means for aggregating identities, sharing authentication and authorization data information between trusted providers, and allowing principals to access services across different providers without authenticating repeatedly

Service provider application capable of participating in a circle of trust and allowing federation without installing all of OpenAM on the service provider side; OpenAM lets you create both .NET and Java Fedlets.

Refers to configuration properties for which changes can take effect without restarting the container where OpenAM runs

Set of data that uniquely describes a person or a thing such as a device or an application

Linking of a principal's identity across multiple providers

Entity that produces assertions about a principal (such as how and when a principal authenticated, or that the principal's profile has a specified attribute value)

Data store holding user profiles and group information; different identity repositories can be defined for different realms.

Java web application installed in a web container that acts as a policy agent, filtering requests to other applications in the container with policies based on application resource URLs

Federation configuration information for a provider

Set of rules that define who is granted access to a protected resource when, how, and under what conditions

Entity that manages and stores policy definitions

Agent that intercepts requests for resources, directs principals to OpenAM for authentication, and enforces policy decisions from OpenAM

Entity that evaluates access rights and then issues authorization decisions

Entity that intercepts a request for a resource and then enforces policy decisions from a PDP

Entity that provides extra information such as user profile attributes that a PDP needs in order to make a decision

Entity that can be authenticated (such as a user, a device, or an application)

Agreement among providers to participate in a circle of trust

OpenAM unit for organizing configuration and identity information, making it possible to delegate administration for part of OpenAM configuration; realms can be used for example when different parts of an organization using OpenAM have different policies and different identity repositories

Means to delegate policy management and decision making for a realm

Something a principal can access over the network such as a web page

In OAuth 2.0, entity who can authorize access to protected web resources, such as an end user

In OAuth 2.0, server hosting protected web resources, capable of handling access tokens to respond to requests for such resources

Policy extensions that define additional information to return in an authorization decision beyond "allow" or "deny"

Access control that is based on whether a user has been granted a set of permissions (a role)

Definitions identifying how a policy matches resources to which access is granted or denied

Standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers

Entity that consumes assertions about a principal (and provides a service that the principal is trying to access)

In OpenAM a user session is the interval that starts with the user authenticating through OpenAM and ends when the user logs out, or when her session is terminated. OpenAM manages user sessions across one or more applications by issuing a session token used to identify the session and by tracking the session state in order to handle session events like logout and timeout, to permit session constraints, and to notify applications involved in SSO when a session ends.

Capability to allow another OpenAM server to manage a session when the OpenAM server that initially authenticated the principal goes offline

Unique identifier issued by OpenAM after successful authentication, used to track a principal's session

Capability allowing a principal to end a session once, thereby ending her session across multiple applications

Capability allowing a principal to authenticate once and gain access to multiple applications without authenticating again

Standard federation configuration information that you can share with other access management software

Entity that can request access to a resource

Data storage service holding principals' profiles; underlying storage can be an LDAP directory service, a relational database, or a custom IdRepo implementation

Native library installed in a web server that acts as a policy agent with policies based on web page URLs