Glossary
| Term | Description |
|---|---|
| CA (Certificate Authority) | Authority that issues certificates |
| CA certificate chain | A collection of all CA certificates from the CA issuing a client certificate through the root CA that serves as the first point of trust |
| CRL (Certificate Revocation List) | A list of revoked certificates The IIJ ID Service uses CRL to revoke client certificates when using external CA device restrictions. |
| FIDO | Specification of a simple, robust authentication method using the public key cryptography.This service supports FIDO2. |
| Kerberos | A type of network authentication system |
| OAuth 2.0 | This is an authorization framework that enables limited access to HTTP services from third-party applications. |
| OpenID Connect | A simple identity layer on top of the OAuth 2.0 protocol This service supports OpenID Connect Core 1.0. |
| SAML (Security Assertion Markup Language) | XML-based standard for exchanging user authentication information between different domains. This service supports SAML 2.0. |
SCIM (System for Cross-domain Identity Management) |
SCIM is an open API specification for ID management.
|
| Key Pair | A pair of keys consisting of a public key (client certificate, etc.) and a private key |
| Device Certificate | Refers technically to a client certificate. |
| Client Certificate | One of public keys issued to clients Client certificates are used to authenticate clients. Clients send their client certificate and a signed message to a server during the authentication process. |
| Group | Groups are the unit by which users are managed in this service. Users are more easily managed by creating groups with a name and email address and assigning users to the group. |
| Job | Jobs are created for specific operations such as creating, editing, and deleting users and groups. Viewing jobs provides information on specific processes, run times, and success or failure of a process. Refer to "Viewing Jobs" for more information. |
| Notifications | Notifications on the progress of CSV import process and user operations are sent. Refer to "Notifications" for more information. |
| Private Key | This key is used to sign messages in the public key cryptography. |
| Provisioning | Provisioning is the synchronization of ID information in ID management systems with external services. IDs can be centrally managed using an ID management system by utilizing provisioning. The IIJ ID Service supports user and group provisioning to external services. The IIJ ID Service can also be provisioned with Azure AD user and group information. |
| Integrated Windows Authentication | Authentication method that uses Active Directory accounts Clients that have joined the domain can log into IIJ ID Service and linked services without having to go through authentication again.In addition, this service supports form authentication, making it possible to authenticate clients that cannot join the domain with Active Directory IDs and passwords. |
| Resource server | In OAuth 2.0, the resource server is capable of hosting protected resources, accepting access token based requests for access to those resources, and returning responses. |
| Access token | In OAuth 2.0, access tokens are credentials used for accessing protected resources. |
| Refresh token | In OAuth 2.0, refresh tokens are credentials used for obtaining access tokens. |
SAML
| Term | Description |
|---|---|
| IdP Initiated SSO | Single sign-on process executed by IdP first starting user authentication without receiving an authentication request from SP and then passing the SAML response to SP after the authentication is successful |
| IdP metadata | An XML file that includes IdP information The IdP metadata provided by the IIJ ID Service can be used by SP for an SAML link if SP can configure such SAML link |
SAML (Security Assertion Markup Language) |
XML-based standard for exchanging user authentication information between different domains The IIJ ID Service supports SAML 2.0. |
| SAML IdP (Identity Provider) | An entity that performs user authentication and provides authentication information to SP |
| SAML SP (Service Provider) | An entity that provides services to users |
SAML attribute statement (SAML Attribute Statement) |
Unique identification information included in SAML responses |
| SP Initiated SSO | Single sign-on process executed by IdP first starting the user authentication process after receiving an SAML authentication request from SP and then passing the SAML response to SP after the authentication is successful |
| SP metadata | An XML file that includes IdP information The IdP metadata provided by IIJ ID can be used by SP for an SAML link if SP can configure such SAML link. |
| SSO endpoint URL | Access URL used by SP to send SAML requests to IdP |
| Entity ID | ID that uniquely identifies an entity |
OpenID Connect
| Term | Description |
|---|---|
| Authorization Code Flow | This is one type of flow in which RP receives ID tokens from OP. OP appends the authorization code to the redirect URL specified in the authorization request and passes the URL to RP. RP retrieves the ID token by presenting the authorization code to OP. |
| Authorization endpoint | An endpoint that performs user authentication |
| Discovery endpoint | An endpoint that provides discovery information |
| Discovery information | Information on endpoints provided by OP, supported signature algorithms, or other sources |
| ID token | JSON Web token (JWT) that includes authentication claims |
| Implicit Flow | This is one type of flow in which RP receives ID tokens from OP. OP appends the ID token to the redirect URL specified in the authorization request and passes the URL to RP. |
| issuer | Issuer of ID tokens |
| JSON Web Key Set | Set of JSON data (JWK) that represents encryption keys |
| OpenID Provider (OP) | A Server that actually performs authentication compliant with OpenID Connect standards |
| OpenID Connect | A simple identity link protocol based on OAuth 2.0 The IIJ ID Service supports OpenID Connect Core 1.0. |
| Relaying Party (RP) | An application that uses OpenID Connect to authenticate users and provide services to users |
| Token endpoint | An endpoint for retrieving access tokens, ID tokens, or refresh tokens. |
| UserInfo endpoint | An endpoint that returns claims regarding authenticated users |
| Access token | A token that functions as credential information used to access protected information on resource servers |
| Client ID (client_id) | ID that identifies RPs registered in OP. |
Client secret (client_secret) |
A Private key used by RP to verify signatures of ID tokens issued by OP. |
| Claim (claim) | User attribute information |
| Scope (scope) | A value that specifies the attribute information provided by OP to RP after authorization. |
Redirect URL (redirect_uri) |
A redirect URL used after login. |
| Refresh token | A token used to refresh access tokens |
Microsoft 365
| Term | Description |
|---|---|
| Graph API (provisioning API) | The Microsoft Graph API is the API provided by Azure AD. The Microsoft Graph API provides program access to Azure AD via REST API endpoints. Using the Microsoft Graph API executed by apps enables the ability to create, load, update, and delete directory data, users, groups, organizational contact information, and other directory objects. |
| Maximum account removal rate | The process to import accounts from Azure AD will be aborted when the number of accounts that would be removed exceeds a configured value. The account removal rate is calculated as follows. (Number of accounts that would be removed by the import process / Number of accounts synchronized with an upstream user store) × 100 |