Access management The processes associated with a user’s login across a realm of applications or information repositories. IAM services authorize user access to protected resources, but delegate the authorization decisions to the applications’ owners.

Application owner The users responsible for deciding the business needs of applications with respect to IAM. They work with the IAM program team on how best to integrate their applications with IAM services, as well as directing the configuration of their applications.

Authentication Commonly called “logging in”, it’s the process of validating that people or entities are who they say they are.

Authorization The process of determining if a user has the right to access a service or perform an action.

Central Authentication Service (CAS) A “single sign-on” protocol for the web, as well as an authentication engine implementation. CAS uses a simple but robust authentication protocol that is widely deployed in higher education.

Credential An item — such as login name/password — used by a person or entity to prove him/her/itself to a system.

Directory service The software system that stores, organizes, and provides access to information in a directory for entities such as people, groups, devices, resources, etc.

Federation Also known as federated identity management, this is a technical implementation that enables identity information to be developed and shared among several entities and across trust domains.

Identity and access governance Identity and access governance tools establish a lifecycle process that allows business owners of identities to have comprehensive governance of identities and access requests. It allows organizations to identify access risks and make sure access meets organization policies.

HarvardKey HarvardKey is a unified login credential for users across the Harvard Community, supported by the service that authenticates users of online applications created by or affiliated with Harvard. Authenticating with HarvardKey verifies users’ identities in order to allow them to access applications; to do this, the user provides a unique login name (in the form of an email address) and confirms that identity by submitting the correct password. Two-step verification (see below) is available with HarvardKey for an extra level of security assurance.

Identity management The processes and solutions that provide for the creation and management of user information.

Identity provider (IdP) A system that validates the identity of a user in a federated system. The service provider (or SP; see below) uses the IdP to get the identity of the current user.

Identity stores User information stored across a variety of technologies, including databases, LDAP, Active Directory, etc.

InCommon Operated by the Internet2 consortium of U.S. higher education and research institutions and their partners, InCommon is home to an identity management federation and a related assurance program, and offers certificate and two-step verification services. Harvard acts as a Bronze-certified identity provider (IdP) within the InCommon federation, and a variety of Harvard units are also InCommon service providers (SPs) under Harvard’s membership.

People administrator A person who assigns roles, group memberships, and/or other attributes to a user.

SailPoint IdentityIQ (IIQ) Harvard’s provisioning and identity management toolset.

Security Assertion Markup Language (SAML) Originally developed by the OASIS Security Services Technical Committee, SAML is an XML-based framework for communicating user authentication and attribute information. Harvard’s authentication system supports version 2.0 of the SAML protocol.

Service provider (SP) A system that provides a generic service to the user in a federated system. To users, a service provider is the same thing as the application they are trying to use.

Sponsored affiliation A user who does not have a long-term affiliation with the University, but requires access to Harvard resources. As the name implies, sponsored affiliation must be sponsored by a staff or faculty member with the appropriate authorization.

Two-step verification Sometimes called "multifactor authentication", two-step verification strengthens the security of a user's login by combining something the user knows (login name and password) with something the user has (in may cases, a text-message login code sent to their phone, or a smartphone push notification). HarvardKey users can set up optional two-step verification using their cell phone, mobile device, or even landline phone.

User A term used to generalize and reference multiple user types, such as Harvard users (i.e. staff, students, or faculty), sponsored affiliates, and Harvard application users.

User provisioning A set of technologies that create, modify, and de-activate user accounts and their profiles across IT infrastructure and business applications.

Where appropriate, some terms above have been adapted from the Gartner IT Glossary.