13.1.4. Terms and definitions
Authenticator Attestation ID, AAID
The AAID is a manufacturer-chosen identifier for the make and model of a FIDO Authenticator. Authenticators with the same ID share the same set of characteristics.
The AAID must be set if the authenticator implements FIDO UAF.
artifact, SAML
A SAML artifact is a unique identifier used to pass a SAML assertion from the identity provider (IDP) to the service provider (SP) by reference. It is used in the SAML artifact binding protocol.
The implementation of an OAuth 2.0 and OIDC authorization server in Airlock IAM where one authorization server supports multiple static and/or dynamic clients.
authentication method
Name of authentication means.
  • Examples:
  • Airlock 2FA
  • Password/username or PIN
authorization code grant
OAuth 2.0 implementation. The authorization code grant is used to obtain both access tokens and refresh tokens and is optimized for confidential clients.
authorization endpoint
Service capable of authenticating the user. Starts the authentication process when prompted by a client and returns the result. Also responsible for exchanging authorization codes for access tokens, refreshing access tokens, and managing active OAuth 2.0 sessions.
circle of trust, CoT, SAML
The term circle of trust (CoT) is used in the SAML protocol to group one or more identity providers (IDPs) and service providers (SPs) that share authentication information.
Service or application that relies on the authorization server to handle authentication and authorization.
The client holds an access token after a successful OAuth 2.0 authorization code flow. This access token has rights tied to it, which allows the client to make requests on behalf of the user.
The implementation of an OAuth 2.0 and OIDC authorization server in Airlock IAM where one authorization server supports exactly one statically configured client.
ID token
The ID token is a security token that contains claims about the authentication of an end-user. It is issued by the authorization server (or Open ID provider).
The ID Token is represented as a JSON Web Token (JWT).
identity provider, IDP
An identity provider is a service that maintains and manages identity information and provides information about users and authentication to other systems. Airlock IAM is the recommended IDP for other components of the Airlock Secure Access Hub and other services.
IDP-initiated SSO, SAML
An IDP-initiated single sign-on is a SAML sign-in flow that is triggered by the identity provider (IDP) rather than the service provider (SP).
OAuth 2.0
OAuth 2.0 is a standard for access delegation. Clients can act on behalf of users by using bearer tokens for authentication during resource access.
An OpenID Connect Provider (OP) is a OAuth 2.0 authorization aerver that is capable of authenticating the end-user and providing claims to a relying party about the authentication event and the End-User.
OpenID Connect
OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol. It allows for the verification of identities and for obtaining profile attributes of the identity.
Realm Administration
Realm Administration is a feature that enables realm adminstrators to administer end-users of a certain realm. Realms are implemented using a context data item of the end-user and a context data item of a realm administrator.
refresh token
Refresh tokens are tokens with a long lifetime and are used to authorize refresh requests to the Authorization Endpoint in the Authorization Code Grant. Upon receiving a refresh request with a valid refresh token, the Authorization Endpoint issues a new set of access and refresh tokens to the OAuth 2.0 client. Access tokens may be refreshed at any time.
roaming FIDO Authenticator
In contrast to bound FIDO Authenticators, which are part of the end user's device, roaming FIDO Authenticators are external pieces of hardware or software.
user agent
Program making requests on behalf of the user, usually a web browser.
userInfo endpoint, OAuth
Protected resource that, when presented with an access token by the client, returns authorized information about the end-user represented by the corresponding authorization grant.