1.1 Glossary

This document uses the following terms:

account: A user (including machine account), group, or alias object. Also a synonym for security principal or principal.

Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.

aggregated result: The assembly of received parts transferred using the Query String Response Transfer Protocol. The aggregated result is assembled at a relying party and might not represent the complete result if all parts have not been received. Once complete, the relying party extracts a RequestSecurityTokenResponse (RSTR) from the aggregated result. For more information, see section 3.2.1.1.1.

base64 encoding: A binary-to-text encoding scheme whereby an arbitrary sequence of bytes is converted to a sequence of printable ASCII characters, as described in [RFC4648].

claim: A declaration made by an entity (for example, name, identity, key, group, privilege, and capability). For more information, see [WSFederation1.2].

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

forest: One or more domains that share a common schema and trust each other transitively. An organization can have multiple forests. A forest establishes the security and administrative boundary for all the objects that reside within the domains that belong to the forest. In contrast, a domain establishes the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain has individual security policies and trust relationships with other domains.

global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Also called domain global group. Universal groups can contain global groups. A group object g is a global group if and only if GROUP_TYPE_ACCOUNT_GROUP is present in g!groupType; see [MS-ADTS] section 2.2.12, "Group Type Flags". A global group that is also a security-enabled group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a global group in that domain that is also a security-enabled group allows only user objects as members. See also domain local group, security-enabled group.

identity provider/security token service (IP/STS): An STS that might also be an identity provider (IP). This term is used as shorthand to refer both to token services that verify identity and to general token services that do not verify identity. Note that the "/" symbol implies an "or" relationship.

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].

little-endian: Multiple-byte values that are byte-ordered with the least significant byte stored in the memory location with the lowest address.

NetBIOS: A particular network transport that is part of the LAN Manager protocol suite. NetBIOS uses a broadcast communication style that was applicable to early segmented local area networks. It is a protocol family that includes name resolution, datagram, and connection services. For more information, see [RFC1001] and [RFC1002].

pending result: The transformed RequestSecurityTokenResponse (RSTR) that an identity provider/security token service (IP/STS) maintains for the duration of a Query String Response Transfer Protocol message series. Each message in the Query String Response Transfer Protocol transfers a portion of the pending result to the relying party, where the portions are assembled into the aggregated result. For more information, see section 3.1.1.1.1.

relative identifier (RID): The last item in the series of SubAuthority values in a security identifier (SID) [SIDD]. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same RID.

relying party (RP): A web application or service that consumes security tokens issued by a security token service (STS).

requestor IP/STS: An IP/STS in the same security realm as the web browser requestor. The requestor IP/STS has an existing relationship with the user that enables it to issue security tokens containing user information.

RequestSecurityTokenResponse (RSTR): An XML element used to return an issued security token and associated metadata. An RSTR element is the result of the wsignin1.0 action in the Web Browser Federated Sign-On Protocol. For more information, see [MS-MWBF] section 2.2.4.1.

resource IP/STS: An IP/STS in the same security realm as the web service (WS) resource. The resource IP/STS has an existing relationship with the WS resource that enables it to issue security tokens that are trusted by the WS resource.

SAML advice: The advice element of a SAML assertion. The data in the advice element is advisory and can be ignored without affecting the validity of the assertion. See [SAMLCore] section 2.3.2.2. The SAML 1.1 Assertion Extension includes security identifiers (SIDs) and related data in the SAML advice element.

SAML assertion: The Security Assertion Markup Language (SAML) 1.1 assertion is a standard XML format for representing a security token. For more information, see [SAMLCore] section 2.

security identifier (SID): An identifier for security principals that is used to identify an account or a group. Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the relative identifier (RID). The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of SIDs is specified in [MS-DTYP] section 2.4.2 and [MS-AZOD] section 1.1.1.2.
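The following is an added example and is not part of this specification. It decodes and encodes a SID using the binary layout given in [MS-DTYP] section 2.4.2 (Revision, SubAuthorityCount, a 6-byte big-endian IdentifierAuthority, then SubAuthorityCount little-endian 32-bit SubAuthority values) and splits the string form into the account-authority portion and the relative identifier (RID) described in the entries above. The sample byte string and the domain SID are constructed for illustration; the RID 512 is the well-known Domain Admins RID.

```python
import struct

# Added example, not specification text. Layout per [MS-DTYP] 2.4.2:
#   Revision (1 byte) | SubAuthorityCount (1 byte) | IdentifierAuthority (6 bytes, big-endian)
#   | SubAuthority[SubAuthorityCount] (each 4 bytes, little-endian)
MAX_SUB_AUTHORITIES = 15


def sid_from_bytes(data: bytes) -> str:
    """Parse a binary SID and return its string form, e.g. 'S-1-5-32-544'.

    Rejects truncated or over-long buffers so a caller cannot be tricked into
    reading past the SubAuthority array or accepting trailing garbage.
    """
    if len(data) < 8:
        raise ValueError("SID header truncated")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"SubAuthorityCount {sub_count} exceeds {MAX_SUB_AUTHORITIES}")
    expected = 8 + 4 * sub_count
    if len(data) != expected:
        raise ValueError(f"SID is {len(data)} bytes, header implies {expected}")
    authority = int.from_bytes(data[2:8], "big")              # big-endian
    subs = struct.unpack_from(f"<{sub_count}I", data, 8)      # little-endian
    # String form: authority in decimal if it fits in 32 bits, else 0x-prefixed hex
    auth_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "-".join(["S", str(revision), auth_text, *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-...' string into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)            # decimal or 0x-prefixed hex
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 2**48 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"SID {sid!r} violates [MS-DTYP] limits")
    if any(s >= 2**32 for s in subs):
        raise ValueError("SubAuthority value does not fit in 32 bits")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def rid_of(sid: str) -> int:
    """The relative identifier: the last SubAuthority value."""
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError("SID has no SubAuthority to serve as RID")
    return int(parts[-1])


def domain_of(sid: str) -> str:
    """The account-authority (domain) portion: everything before the RID."""
    rid_of(sid)  # validates that a RID is present
    return sid.rsplit("-", 1)[0]


# Constructed sample: BUILTIN\Administrators (S-1-5-32-544) as laid out on the wire.
# 0x20 = 32 and 0x0220 = 544, each stored little-endian.
BUILTIN_ADMINISTRATORS = bytes.fromhex("01 02 000000000005 20000000 20020000")

# Constructed sample domain SID with the well-known Domain Admins RID (512).
DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"

if __name__ == "__main__":
    print(sid_from_bytes(BUILTIN_ADMINISTRATORS))           # S-1-5-32-544
    print(domain_of(DOMAIN_ADMINS), rid_of(DOMAIN_ADMINS))  # S-1-5-21-1004336348-1177238915-682003330 512
    assert sid_from_bytes(sid_to_bytes(DOMAIN_ADMINS)) == DOMAIN_ADMINS
```

The length check matters in practice: a SID whose SubAuthorityCount disagrees with the buffer length is how malformed SIDs in tokens, ACLs, or SAML advice get misparsed, so the decoder refuses them rather than reading whatever bytes follow.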

security realm or security domain: Represents a single unit of security administration or trust, for example, a Kerberos realm (for more information, see [RFC4120]) or a Windows Domain (for more information, see [MSFT-ADC]).

security token: A collection of one or more claims. Specifically in the case of mobile devices, a security token represents a previously authenticated user as defined in the Mobile Device Enrollment Protocol [MS-MDE].

subject: The entity to which the claims and other data in a SAML assertion apply. For more information, see [SAMLCore] section 1.3.1.

trusted forest: A forest that is trusted to make authentication statements for security principals in that forest. Assuming forest A trusts forest B, all domains belonging to forest A will trust all domains in forest B, subject to policy configuration.

universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object g is a universal group if and only if GROUP_TYPE_UNIVERSAL_GROUP is present in g!groupType. A security-enabled universal group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a universal group cannot be created in that domain. See also domain local group, security-enabled group.
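The following is an added example and is not part of this specification. It applies the groupType tests from the global group and universal group entries to values as LDAP actually returns them: a signed 32-bit integer, so a security-enabled global group reads as -2147483646 rather than 0x80000002. The flag constants are the values defined in [MS-ADTS] section 2.2.12, "Group Type Flags"; the sample values are constructed for illustration.

```python
# Added example, not specification text. Flag values from [MS-ADTS] 2.2.12.
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP       = 0x00000002   # global group
GROUP_TYPE_RESOURCE_GROUP      = 0x00000004   # domain local group
GROUP_TYPE_UNIVERSAL_GROUP     = 0x00000008
GROUP_TYPE_APP_BASIC_GROUP     = 0x00000010
GROUP_TYPE_APP_QUERY_GROUP     = 0x00000020
GROUP_TYPE_SECURITY_ENABLED    = 0x80000000

# Exactly one of these scope bits is set on a well-formed group object.
_SCOPE_BITS = {
    GROUP_TYPE_ACCOUNT_GROUP:   "global",
    GROUP_TYPE_RESOURCE_GROUP:  "domain local",
    GROUP_TYPE_UNIVERSAL_GROUP: "universal",
    GROUP_TYPE_APP_BASIC_GROUP: "app basic",
    GROUP_TYPE_APP_QUERY_GROUP: "app query",
}


def classify_group(group_type: int) -> dict:
    """Interpret a groupType value as returned by LDAP (signed 32-bit integer).

    Returns the group scope, whether it is security-enabled (and therefore
    usable in ACLs), and where such an ACL reference is valid.
    """
    gt = group_type & 0xFFFFFFFF          # -2147483646 -> 0x80000002
    scopes = [name for bit, name in _SCOPE_BITS.items() if gt & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType 0x{gt:08X} must set exactly one scope bit, found {scopes}")
    scope = scopes[0]
    security_enabled = bool(gt & GROUP_TYPE_SECURITY_ENABLED)

    # Security-enabled global and universal groups are valid in ACLs anywhere in
    # the forest; domain local groups only within their own domain. Groups that
    # are not security-enabled (distribution groups) cannot appear in ACLs.
    if not security_enabled:
        acl_scope = None
    elif scope in ("global", "universal"):
        acl_scope = "forest"
    elif scope == "domain local":
        acl_scope = "own domain"
    else:
        acl_scope = None

    return {
        "scope": scope,
        "builtin": bool(gt & GROUP_TYPE_BUILTIN_LOCAL_GROUP),
        "security_enabled": security_enabled,
        "acl_scope": acl_scope,
    }


# Constructed sample values as an LDAP search would return them for groupType.
SAMPLES = {
    "Domain Admins":       -2147483646,   # 0x80000002: security-enabled global
    "Enterprise Admins":   -2147483640,   # 0x80000008: security-enabled universal
    "BUILTIN\\Administrators": -2147483643,  # 0x80000005: security-enabled built-in domain local
    "all-staff mail list": 8,             # 0x00000008: universal distribution group
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:24} {value:>12}  {classify_group(value)}")
```

Filtering on the raw signed value is error-prone; normalising to unsigned first (as above) and then testing GROUP_TYPE_ACCOUNT_GROUP or GROUP_TYPE_UNIVERSAL_GROUP is the direct implementation of the "if and only if" conditions in the two entries.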

user: A person who employs a web browser requestor to access a WS resource.

user agent: An HTTP user agent, as specified in [RFC2616].

web browser requestor: An HTTP 1.1 web browser client that transmits protocol messages between an IP/STS and a relying party.

web service (WS) resource: A destination HTTP 1.1 web application or an HTTP 1.1 resource serviced by the application. In the context of this protocol, it refers to the application or manager of the resource that receives identity information and assertions issued by an IP/STS using this protocol. The WS resource is a relying party in the context of this protocol. For more information, see [WSFederation1.2].

wsignin1.0: A protocol message exchange defined in [WSFederation1.2] sections 2.1 and 3.1. The wsignin1.0 request and response are the HTTP binding for the WS-Trust Issue action and response; as such, the WS-Trust RSTR element is used to return the issued security token in the wsignin1.0 response ([WSTrust] section 3.2). For more information, see [MS-MWBF] section 2.2.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.