
CA (Certificate Authority)

Authority that issues certificates

CA certificate chain

A collection of all CA certificates from the CA issuing a client certificate through the root CA that serves as the first point of trust

CRL (Certificate Revocation List)

A list of revoked certificates

The IIJ ID Service uses CRL to revoke client certificates when using external CA device restrictions.

FIDO

Specification of a simple, robust authentication method using public key cryptography. This service supports FIDO2.

Kerberos

A type of network authentication system

OAuth 2.0

An authorization framework that enables limited access to HTTP services from third-party applications.

OpenID Connect

A simple identity layer on top of the OAuth 2.0 protocol. This service supports OpenID Connect Core 1.0.

SCIM (System for Cross-domain Identity Management)

SCIM is an open API specification used for ID management. This service supports SCIM 2.0.

SAML (Security Assertion Markup Language)

XML-based standard for exchanging user authentication information between different domains. This service supports SAML 2.0.

Key Pair

A pair of keys consisting of a public key (client certificate, etc.) and a private key

Client Certificate

One of the public keys issued to clients

Client certificates are used to authenticate clients. Clients send their client certificate and a signed message to a server during the authentication process.


Groups

Groups are the unit by which users are managed in this service. Users are more easily managed by creating groups with a name and email address and assigning users to the group.


Jobs

Jobs are created for specific operations such as creating, editing, and deleting users and groups. Viewing jobs provides information on specific processes, run times, and success or failure of a process. Refer to "Viewing Jobs" for more information.


Notifications

Notifications on the progress of the CSV import process and user operations are sent. Refer to "Notifications" for more information.

Private Key

This key is used to sign messages in public key cryptography.

Provisioning

Provisioning is the synchronization of ID information in ID management systems with external services. IDs can be centrally managed using an ID management system by utilizing provisioning.

The IIJ ID Service supports user and group provisioning to external services. The IIJ ID Service can also be provisioned with Azure AD user and group information.

Integrated Windows Authentication

Authentication method that uses Active Directory accounts

Clients that have joined the domain can log into IIJ ID Service and linked services without having to go through authentication again. In addition, this service supports form authentication, making it possible to authenticate clients that cannot join the domain with Active Directory IDs and passwords.

Resource server

In OAuth 2.0, the resource server is capable of hosting protected resources, accepting access token based requests for access to those resources, and returning responses.

Access token

In OAuth 2.0, access tokens are credentials used for accessing protected resources.

Refresh token

In OAuth 2.0, refresh tokens are credentials used for obtaining access tokens.

IdP Initiated SSO

Single sign-on process in which the IdP starts user authentication without receiving an authentication request from the SP, then passes the SAML response to the SP after the authentication is successful

IdP metadata

An XML file that includes IdP information. The IdP metadata provided by the IIJ ID Service can be used by the SP for a SAML link if the SP can configure such a SAML link.


SAML (Security Assertion Markup Language)

XML-based standard for exchanging user authentication information between different domains. The IIJ ID Service supports SAML 2.0.

SAML IdP (Identity Provider)

An entity that performs user authentication and provides authentication information to SP

SAML SP (Service Provider)

An entity that provides services to users

SAML attribute statement

Unique identification information included in SAML responses

SP Initiated SSO

Single sign-on process in which the IdP starts the user authentication process after receiving a SAML authentication request from the SP, then passes the SAML response to the SP after the authentication is successful

SP metadata

An XML file that includes IdP information. The IdP metadata provided by IIJ ID can be used by the SP for a SAML link if the SP can configure such a SAML link.

SSO endpoint URL

Access URL used by SP to send SAML requests to IdP

Entity ID

ID that uniquely identifies an entity

OpenID Connect

Authorization Code Flow

This is one type of flow in which RP receives ID tokens from OP. OP appends the authorization code to the redirect URL specified in the authorization request and passes the URL to RP. RP retrieves the ID token by presenting the authorization code to OP.

Authorization endpoint

An endpoint that performs user authentication

Discovery endpoint

An endpoint that provides discovery information

Discovery information

Information on endpoints provided by OP, supported signature algorithms, or other sources

ID token

JSON Web Token (JWT) that includes authentication claims

Implicit Flow

This is one type of flow in which RP receives ID tokens from OP. OP appends the ID token to the redirect URL specified in the authorization request and passes the URL to RP.

issuer

Issuer of ID tokens

JSON Web Key Set

Set of JSON data (JWK) that represents encryption keys

OpenID Provider (OP)

A server that actually performs authentication compliant with OpenID Connect standards

OpenID Connect

A simple identity link protocol based on OAuth 2.0. The IIJ ID Service supports OpenID Connect Core 1.0.

Relying Party (RP)

An application that uses OpenID Connect to authenticate users and provide services to users

Token endpoint

An endpoint for retrieving access tokens, ID tokens, or refresh tokens.

UserInfo endpoint

An endpoint that returns claims regarding authenticated users

Access token

A token that functions as credential information used to access protected information on resource servers

Client ID (client_id)

ID that identifies RPs registered in OP.

Client secret

A private key used by RP to verify signatures of ID tokens issued by OP.

Claim (claim)

User attribute information

Scope (scope)

A value that specifies the attribute information provided by OP to RP after authorization.

Redirect URL

A redirect URL used after login.

Refresh token

A token used to refresh access tokens

Microsoft 365

Graph API (provisioning API)

The Microsoft Graph API is the API provided by Azure AD. The Microsoft Graph API provides program access to Azure AD via REST API endpoints. Apps that call the Microsoft Graph API can create, load, update, and delete directory data, users, groups, organizational contact information, and other directory objects.

Maximum account removal rate

The process to import accounts from Azure AD will be aborted when the number of accounts that would be removed exceeds a configured value.

The account removal rate is calculated as follows.

(Number of accounts that would be removed by the import process / Number of accounts synchronized with an upstream user store) × 100