Glossary

Access management The processes associated with a user’s login across a realm of applications or information repositories. IAM services authenticate users and control access to protected resources, but delegate the authorization decisions (who may do what inside an application) to the applications’ owners.

Application integration The process of enabling independently designed applications to work together.

Application owner The users responsible for deciding the business needs of applications with respect to IAM. They work with the IAM program team on how best to integrate their applications with IAM services, as well as directing the configuration of their applications.

Assertion Also called a “SAML assertion”, a set of XML-based statements returned by an Identity Provider (IdP), e.g. the HarvardKey IdP, to a Service Provider (SP), which uses them to make access-control decisions. An assertion should be acted on only after the SP has verified the IdP’s XML signature on it and checked that it is addressed to that SP and still inside its validity window. The SAML protocol defines three types of statements:

  • Authentication statements
  • Attribute statements
  • Authorization decision statements

Attributes Units of personal information about end users of an application (e.g. name, unique identifier, primary affiliation) that may be released to the application for the purposes of authorization, account provisioning, and facilitation of the end user’s session.

Authentication Commonly called “logging in”, the process of validating that people or entities are who they claim to be.

Authorization The process of determining if a user has the right to access a service or perform an action.

Authorization filter A general purpose filter created from one or more read-only IAM reference group(s) in Grouper that can be applied to a HarvardKey registration to provide a foundational level of authorization as part of the authentication process.

Central Authentication Service (CAS) A “single sign-on” protocol for the web, as well as an authentication engine implementation. CAS uses a simple but robust authentication protocol that is widely deployed in higher education.

Credential An item, such as a login name and password, that a person or entity presents to a system to prove its identity.

Digital certificate A signed statement, stored on a computer, that binds a public key to the identity of that computer (or of a person). The signature comes from a certificate authority (CA), an independent party that the communicating computers all trust, so the CA acts as a middleman vouching for the binding. Authenticating with a digital certificate is stronger than a password alone because the proof of identity is the matching private key, which is held on the device and never sent anywhere; the certificate itself is public, so the security of this method rests on keeping that private key protected.

Directory service The software system that stores, organizes, and provides access to information in a directory for entities such as people, groups, devices, resources, etc.

Encryption The process of transforming data with a secret key so that it cannot be read by any person or machine that does not hold the corresponding key. Encryption provides an additional layer of security for data moving across a network (for example under TLS) and for data at rest, but on its own it does not prove who sent the data or that it was not altered; that needs authentication and an integrity check, which modern “authenticated encryption” modes provide together.

Federation Also known as federated identity management, this is a technical implementation that enables identity information to be developed and shared among several entities and across trust domains.

Identity and access governance Identity and access governance tools establish a lifecycle process that allows business owners of identities to have comprehensive governance of identities and access requests. It allows organizations to identify access risks and make sure access meets organization policies.

HarvardKey HarvardKey is a unified login credential for users across the Harvard Community, supported by the service that authenticates users of online applications created by or affiliated with Harvard. Authenticating with HarvardKey verifies users’ identities in order to allow them to access applications; to do this, the user provides a unique login name (in the form of an email address) and confirms that identity by submitting the correct password. Two-step verification (see below) is available with HarvardKey for an extra level of security assurance.

Harvard University ID number (HUID) An eight-digit number issued to people actively associated with Harvard University. If you have been issued an ID card, your ID number is on this card, along with an additional ninth reissue digit. Individuals who are issued HUIDs include employees, students, library borrowers, and other special affiliates. Users with HUIDs and associated passwords may use these credentials to log in to HarvardKey-protected systems by clicking the appropriate tab in the login screen.

Identity management The processes and solutions that provide for the creation and management of user information.

Identity provider (IdP) A system that validates the identity of a user in a federated system. The service provider (or SP; see below) uses the IdP to get the identity of the current user.

Identity stores User information stored across a variety of technologies, including databases, LDAP, Active Directory, etc.

InCommon Operated by the Internet2 consortium of U.S. higher education and research institutions and their partners, InCommon is home to an identity management federation and a related assurance program, and offers certificate and two-step verification services. Harvard acts as a Bronze-certified identity provider (IdP) within the InCommon federation, and a variety of Harvard units are also InCommon service providers (SPs) under Harvard’s membership.

Login name The unique identifier of a user that must be supplied in combination with a password in order for the user to be authenticated. In HarvardKey, the login name takes the form of an email address.

Login type A specific format of login ID that corresponds to a category of users. The Harvard authentication system's default login type is HarvardKey.

NetID Also called ADID, NetID is a login name made up of three letters and three or four numbers (example: abc1234). It is used in systems where the HarvardKey login name is not accepted (due to technical constraints), or as an alternative login type in Microsoft Active Directory environments.

Password A secret string of information that a user supplies with his or her login ID in order to verify identity. A password may take different forms, such as a random group of characters, a memorable but not plain-English string of letters and numbers, or even an entire phrase.

People administrator A person who assigns roles, group memberships, and/or other attributes to a user.

Reference groups Institutionally meaningful, programmatically generated, read-only groups derived from authoritative sources such as the IAM identity registry, organized by role and affiliation (e.g. all students in a school).

SailPoint IdentityIQ (IIQ) Harvard’s provisioning and identity management toolset.

Secure Sockets Layer (SSL) The original protocol, built on public-key cryptography, for encrypting traffic between web browsers and servers. It has been superseded by Transport Layer Security (TLS); every version of SSL is now deprecated and should be disabled on servers, although the name survives in phrases such as “SSL certificate”. You can tell that a website is using TLS because its address begins with the prefix “https” rather than “http”, and browsers show a closed padlock icon in the address bar. The padlock means only that the connection is encrypted and the server’s certificate was validated; it says nothing about whether the site itself is trustworthy.

Security Assertion Markup Language (SAML) Originally developed by the OASIS Security Services Technical Committee, SAML is an XML-based framework for communicating user authentication and attribute information. Harvard’s authentication system supports version 2.0 of the SAML protocol.
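The Assertion and SAML entries above describe what an SP receives; the following added example (written for this glossary, not Harvard IAM or Shibboleth code) parses a constructed SAML 2.0 assertion, pulls out the three statement types, and then makes the checks an SP must perform before using the released attributes for authorization. The issuer, audience and resource URLs, the NameID value and the accepted affiliations are assumptions; the attribute OIDs are the standard eduPerson ones. Signature verification is assumed to have happened already and is not shown.

```python
"""Parse a SAML 2.0 assertion and make the access-control decision an SP would.
Constructed example for this glossary, not Harvard IAM or Shibboleth code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample. Issuer, audience, resource URLs and the NameID value are
# assumptions; the attribute OIDs are the eduPerson ones IdPs commonly release.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0ffee" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>abc1234</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.edu/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" FriendlyName="eduPersonPrimaryAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
      <saml:AttributeValue>cn=students,ou=groups</saml:AttributeValue>
      <saml:AttributeValue>cn=library,ou=groups</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://app.example.edu/grades" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _ts(s):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Pull out what an SP needs. Assumes the XML signature on the Assertion was
    already verified against the IdP's metadata key: an unsigned or unverified
    assertion is just text that anyone could have written."""
    # stdlib parser; use defusedxml in production to block entity-expansion attacks
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = a.get("FriendlyName") or a.get("Name")
        attrs[key] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        # the three statement types the glossary lists:
        "authn_contexts": [x.text for x in root.findall(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)],
        "attributes": attrs,
        "authz_decisions": {s.get("Resource"): s.get("Decision")
                            for s in root.findall("saml:AuthzDecisionStatement", NS)},
    }


def authorize(parsed, expected_issuer, expected_audience, now, allowed_affiliations):
    """Return (allowed, reason). Issuer, audience and time-window checks defeat
    replay and reuse of an assertion meant for another SP; the affiliation check
    is the application owner's own authorization rule layered on top."""
    if parsed["issuer"] != expected_issuer:
        return False, "unexpected issuer"
    if expected_audience not in parsed["audiences"]:
        return False, "assertion not addressed to this SP"
    if not parsed["not_before"] <= now < parsed["not_on_or_after"]:
        return False, "assertion outside its validity window"
    if not parsed["authn_contexts"]:
        return False, "no authentication statement"
    affiliations = parsed["attributes"].get("eduPersonPrimaryAffiliation", [])
    if not set(affiliations) & set(allowed_affiliations):
        return False, "affiliation not permitted"
    return True, "ok"


IDP = "https://idp.example.edu/idp/shibboleth"
SP = "https://app.example.edu/sp"
NOW_VALID = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)  # equals NotOnOrAfter

if __name__ == "__main__":
    p = parse_assertion(SAMPLE_ASSERTION)
    print(p["name_id"], authorize(p, IDP, SP, NOW_VALID, {"student", "staff"}))
```

The audience check is the one most often forgotten: without it, an assertion a user legitimately obtained for one SP can be replayed to another SP that trusts the same IdP. NotOnOrAfter is exclusive, so an assertion presented at exactly that instant is already stale.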

Service provider (SP) A system that provides a generic service to the user in a federated system. To users, a service provider is the same thing as the application they are trying to use.

Sponsored affiliation The status of a user who does not have a long-term affiliation with the University but requires access to Harvard resources. As the name implies, a sponsored affiliation must be sponsored by a staff or faculty member with the appropriate authorization.

Two-step verification Sometimes called “multifactor authentication” (MFA), two-step verification strengthens the security of a user’s login by combining something the user knows (login name and password) with something the user has (in many cases, a text-message login code sent to their phone, or a smartphone push notification). HarvardKey users can set up optional two-step verification using their cell phone, mobile device, or even landline phone. Of these options, codes delivered by text message or voice call are the weakest, since they can be intercepted or redirected (for example by SIM swapping); an app-based push notification or code is preferable where available.

User A term used to generalize and reference multiple user types, such as Harvard users (i.e. staff, students, or faculty), sponsored affiliates, and Harvard application users.

User provisioning A set of technologies that create, modify, and de-activate user accounts and their profiles across IT infrastructure and business applications.

Where appropriate, some terms above have been adapted from the Gartner IT Glossary.