Terms and definitions

Authenticator Attestation ID, AAID

The AAID is a manufacturer-chosen identifier for the make and model of a FIDO Authenticator. Authenticators with the same ID share the same set of characteristics.

The AAID must be set if the authenticator implements FIDO UAF.

artifact, SAML

A SAML artifact is a unique identifier used to pass a SAML assertion from the identity provider (IDP) to the service provider (SP) by reference. It is used in the SAML artifact binding protocol.


The implementation of an OAuth 2.0 and OIDC authorization server in Airlock IAM where one authorization server supports multiple static and/or dynamic clients.

authentication method

Name of authentication means.

  • Examples:
  • Airlock 2FA
  • Password/username or PIN

authorization code grant

OAuth 2.0 implementation. The authorization code grant is used to obtain both access tokens and refresh tokens and is optimized for confidential clients.

authorization endpoint

Service capable of authenticating the user. Starts the authentication process when prompted by a client and returns the result. Also responsible for exchanging authorization codes for access tokens, refreshing access tokens, and managing active OAuth 2.0 sessions.

circle of trust, CoT, SAML

The term circle of trust (CoT) is used in the SAML protocol to group one or more identity providers (IDPs) and service providers (SPs) that share authentication information.


Service or application that relies on the authorization server to handle authentication and authorization.

The client holds an access token after a successful OAuth 2.0 authorization code flow. This access token has rights tied to it, which allows the client to make requests on behalf of the user.

ID token

The ID token is a security token that contains claims about the authentication of an end-user. It is issued by the authorization server (or Open ID provider).

The ID Token is represented as a JSON Web Token (JWT).

identity provider, IDP

An identity provider is a service that maintains and manages identity information and provides information about users and authentication to other systems. Airlock IAM is the recommended IDP for other components of the Airlock Secure Access Hub and other services.

IDP-initiated SSO, SAML

An IDP-initiated single sign-on is a SAML sign-in flow that is triggered by the identity provider (IDP) rather than the service provider (SP).

IP Aggregates

Airlock Anomaly Shield can aggregate sessions from the same IP address to a virtual session.

This allows for identifying suspicious IP addresses (e.g., from a bot node or automated tools) and detecting fragmented attacks that may span multiple regular sessions. Suspicious IPs can then be temporarily blocked.

OAuth 2.0

OAuth 2.0 is a standard for access delegation. Clients can act on behalf of users by using bearer tokens for authentication during resource access.


An OpenID Connect Provider (OP) is a OAuth 2.0 authorization aerver that is capable of authenticating the end-user and providing claims to a relying party about the authentication event and the End-User.

OpenID Connect

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol. It allows for the verification of identities and for obtaining profile attributes of the identity.

Realm Administration

Realm Administration is a feature that enables realm adminstrators to administer end-users of a certain realm. Realms are implemented using a context data item of the end-user and a context data item of a realm administrator.

refresh token

Refresh tokens are tokens with a long lifetime and are used to authorize refresh requests to the Authorization Endpoint in the Authorization Code Grant. Upon receiving a refresh request with a valid refresh token, the Authorization Endpoint issues a new set of access and refresh tokens to the OAuth 2.0 client. Access tokens may be refreshed at any time.

roaming FIDO Authenticator

In contrast to bound FIDO Authenticators, which are part of the end user's device, roaming FIDO Authenticators are external pieces of hardware or software.

user agent

Program making requests on behalf of the user, usually a web browser.

userInfo endpoint, OAuth

Protected resource that, when presented with an access token by the client, returns authorized information about the end-user represented by the corresponding authorization grant.