PingFederate 7.0.1

access token

A data object by which a client authenticates to a Resource Server and lays claim to authorizations for accessing particular resources.

account link

A persistent name identifier that enables federation of separately established accounts among disparate domains (see alsoaccount linking and pseudonym).

account linking

A form of identity mapping among separate user accounts managed under different domains. The mapping typically involves a name identifier—which may be a pseudonym—used to link the user to each account. The identifier is persisted at the SP site to enable seamless SSO/SLO. Additional attributes may be sent with the identifier.

account mapping

A form of identity mapping by which one or more user attributes is passed in a single sign-on transaction. The attributes are used at the destination site as a means identifying the user and looking up local account information.


Supplementary software that allows PingFederate to interact with Web applications and systems. Two adapter choices are bundled with PingFederate: an OpenToken Adapter for use with separately available developer integration kits, and an LDAP adapter for use with your active directory data store.

adapter contract

A list of attributes “hard-wired” to an adapter and conveyed generally via cookies between the adapter and application.


A reference to a SAML protocol message. The federation partner that receives the artifact dereferences it, identifying the sender, and requests the complete message in a separate SOAP transaction.

Artifact Resolution Service

The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message. Can be used to dereference authentication requests, assertion responses, and SLO messages.


A SAML XML document that contains identifying information about a particular subject; i.e., a person, company, application, or system. A SAML assertion can contain authentication, authorization, and attribute information about the subject.

Assertion Consumer Service

A SAML-compliant portion of PingFederate in an SP role that receives and processes assertions from an IdP.


Distinct characteristics that describe a subject. If the subject is a Web site user, attributes may include a name, group affiliation, email address, etc.

attribute contract

A list of attributes, agreed to by the partners in an identity federation, representing information about a user (SAML subject). The attributes are sent from the IdP to the SP during SSO or STS processing.

attribute mapping

A form of identity mapping between IdP and SP user accounts that uses attributes to identify the user or provide supplemental information.

attribute source

An data source used to fulfill a requestor’s attribute contract.


The XML element in a SAML assertion that uniquely identifies a Service Provider.

authentication context

An element in a SAML assertion indicating the method or process used by an IdP to authenticate the subject of the assertion; may be used for authorization decisions or auditing compliance.

attribute source

Specific database or directory location containing data needed by an IdP to fulfill a connection partner’s attribute contract or by an SP to look up additional attributes to fulfill an adapter contract.


Server-to-server, cross-domain communication path using a protocol, typically SOAP, that does not rely on a browser as an intermediary.


A mapping of SAML request and response messages to specific transport protocols (redirect, POST, or artifact).


A digital file used for identity verification and other security purposes. The certificate, which is often issued by a Certificate Authority (CA), contains a public key, which can be used to verify the originator’s identity.

Certificate Revocation List

(CRL) A list of revoked signing certificates, maintained by the issuing authority at a public URL.


A dedicated Outbound Provisioning configuration specific to a particular service partner, data source, and target service.

connection partner

Entities, such as companies, that are part of an identity federation. These entities are referred to as connection partners in the PingFederate configuration process.


Information used to identify a subject for access purposes (e.g., username and password). A credential can also be a certificate.

Database Management System

A system for storing and maintaining user account information and attributes. The tables and columns in the RDBMS are used by PingFederate to create user look-up and attribute retrieval queries. (See Java Database Connectivity.)

data store

A database or directory location containing user account records and associated user attributes.

Data Encryption Standard (DES)

A symmetric-key method of encryption.


Optional user-initiated delinking of an identity federation that uses a persistent name identifier or pseudonym for account linking.

digital signature

A process for verifying the identity of the originator of an electronic document and whether the document has been intercepted or altered. The process involves message signing, signature validation, and signing policy coordination between partners.


A terminal or gateway that generates or terminates a stream of information. For example, a PingFederate SP server contains an endpoint for the Assertion Consumer URL.

entity ID

The XML element in a SAML assertion that uniquely identifies an Identity Provider.

Extensible Markup Language

A structured, hierarchical text format—based on SGML (Standard Generalized Markup Language)—for the flexible and organized exchange of data.

grant type

The intermediate credentials that represent a resource owner authorization. Grant types are exchanged by the client with the OAuth Authorization Server in order to obtain an access token.

HTTP cookie

Information sent from a server to a Web browser to identify a registered Web site user. Once the cookie is placed in the browser, it is sent back to the server to identify the user every time the user accesses the site. PingFederate’s integration adapters interface with the cookie.

HTTP header

The section of an HTTP request or response containing information about the client or the server. PingFederate can use HTTP headers to look up session information passed by the IdP’s Web application.

HTTP request parameter

A named parameter sent as part of a URL request from a browser to a Web server.

identity federation

A trust agreement between or among organizations, implemented using accepted standards, to provide user-authentication tokens and other user or system attributes securely across domains, primarily to enable cross-domain SSO.

Identity Provider

The identity source or SAML authority that authenticates a subject and provides an SP with a security assertion vouching for that authentication.

IdP-initiated SSO or SLO

An identity federation transaction in which the initial action requiring a security context from an IdP occurs at a IdP’s site. For example, the user is logged on to the IdP and requests protected resources on an SP. The IdP sends authentication information to the SP.


A direction of message flow coming into a server relative to the server’s identity federation role (IdP or SP). For an IdP, inbound messages include SAML authentication requests. For an SP, inbound messages include SAML assertions.

Java Database Connectivity (JDBC)

A Java API that allows Java programs to interact with databases.

Kerberos ticket

The security token for the Kerberos protocol.

Key Distribution Center

The control center for authentication and authorization for Kerberos.


The length (in bits) of each key in a keypair.


The private key and public key represented by a certificate. PingFederate uses the private key of its keypair(s) to generate signatures for assertions, requests, and responses, as applicable.

Lightweight Directory Access Protocol

A set of protocols used for accessing information directories. PingFederate uses the LDAP v3 protocol for user look-up and attribute processing.


The SAML 2.0 standards define a metadata exchange schema for conveying XML-formatted information between two SAML entities. Metadata includes endpoint URLs, binding types, attributes, and security-policy information.

OAuth Authorization Server

A server that issues access tokens to clients (sometimes on behalf of a resource owner) for use in authenticating a subsequent Representational State Transfer (REST) API call.

OAuth Client

An application that desires access to a resource protected by a Resource Server and interacts with an OAuth Authorization Server to obtain access tokens to do so.

Online Certificate Status Protocol

(OCSP) A standard developed by the Internet Engineering Task Force that enables applications to obtain the current status of signing certificates, indicating whether a certificate has been revoked, via HTTP.


Not readable. If a user’s subject identifier is opaque, the an SSO partner cannot directly identify the user with reference to the source. An persistent identifier, or pseudonym, can be used for Account Linking.


A direction of message flow leaving a server. For an IdP, outbound messages include SAML assertions. For an SP, outbound messages include SAML authentication requests.


See connection partner.


A set of rules for handling security token requests in PingFederate.


A Web-based application, accessed using a Web browser, that often aggregates content from multiple providers and/or serves as a central point of entry.


An HTTP method of transmitting data contained in HTML forms, by which the data appears in the message body.

Primary Domain Controller

A role that is assigned to a particular server participating in a Windows network.


A user, system, or process whose identity can be authenticated. See subject.


Rules that describe how to embed SAML assertions into and extract them out of other protocols in order to enable SSO or SLO. Profiles describe SAML request and response flows that fulfill specific use cases.

protected resource

Information, typically accessed via a Web URL, that is protected by an access management system. See target URL.


An agreed-upon format for transmitting data. XML format of SAML request or response messages.


A persistent name identifier assigned to a user and shared among entities, usually with the user’s permission, to enable SSO and SLO. Pseudonyms are often used with the SAML account linking protocol to enable SSO while preventing the discovery of the user’s identity or activities.

Public Key Infrastructure

(PKI) Enables users of an unsecured public network, such as the Internet, to securely and privately exchange data and money through the use of keypairs and certificates. The PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.


A SAML binding that conveys a request or response by sending the user’s browser to another location. For instance, an authentication request can be sent from an SP through a browser to an IdP.

refresh token

A long-lived token used by the client to obtain a new access token without having to obtain fresh authorization from the resource owner.


(RST) WS-Trust or WS-Federation XML element identifying a request for validation of a security token, or for validation and then issuance of a replacement security token.


WS-Trust or WS-Federation XML element identifying a response to an RST and containing either the status of the submitted security token or both the status and (if requested and the received token is valid) a newly issued token for further SSO or Web-Services processing.

Resource Server

A server capable of accepting and responding to resource requests on which an access token is presented.


See Security Assertion Markup Language.

SAML authority

A security domain that issues SAML assertions.


Permissions (for example, creating an event on a calendar) associated with an access token.

Secure Sockets Layer

An encryption protocol that sends data between a client and server over a secure HTTP connection.

Security Assertion Markup Language

(SAML) A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains.

System for Cross-domain Identity Management

(SCIM) A REST-based protocol for provisioning and managing user identities across the Internet (see

security domain

An application or group of applications that trust a common security token used for authentication, authorization, or session management. The token is issued to a user after the user has authenticated to the security domain.

security token

A collection of information used to establish acceptable identity for security purposes. Tokens can be in binary or XML format. A SAML assertion is one kind of security token.

Security Token Service

An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to Web Services.

service-oriented architecture

A loosely coupled application architecture in which all functions or services are accessible via standard protocols. Interfaces are platform and programming-language independent.

Service Provider

A system entity that provides access to a protected resource based on authentication information supplied by an IdP.

SP-initiated SSO or SLO

An identity-federation transaction in which the initial action requiring a security context from an IdP occurs at a SP’s site.

session persistence

A mechanism for identifying a user or browser for subsequent requests to a server, needed because the HTTP protocol is stateless. This information is used to lookup state information for the user—for example, items in a shopping cart. PingFederate does not implement session persistence; it facilitates the communication of session information between systems that do.

Simple Object Access Protocol

(SOAP) Defines the use of XML and HTTP to access services, objects, and servers in a platform-independent manner.

Single Logout

The process of logging a user out of multiple “session participants” or sites where the user has started an SSO session.

Single Logout Return Service

The SAML implementation endpoint URL that returns logout requests.

Single Logout Service

The SAML implementation endpoint URL that receives logout requests for processing.

Single Sign-On

(SSO) The process of authenticating an identity (signing on) at one Web site (usually with a user ID and password) and then accessing resources secured by other domains without re-authenticating.

Single Sign-on Service

The SAML implementation endpoint URL that receives authentication requests for processing.

Source ID

A 20-byte sequence used to determine an IdP’s identity.


A person, computer system, or application. In the SAML context, assertions make statements about subjects. See principal.

target URL

The SP’s protected resource; the end destination of an SSO event. See protected resource.

transient name identifier

A temporary ID used to preserve user anonymity while facilitating account linking.

token authorization

A mechanism for evaluating attribute criteria available during a transaction to determine whether a user is authorized to access resources. A token in this instance can mean any type of security token—for example, SSO, session cookie, or OAuth token.

token exchange

The process by which a security token is exchanged for another security token.

token translators

An aggregate term for both token processors (used by the IdP PingFederate Security Token Service (STS) to handle different types of incoming security tokens) and token generators (used by the SP PingFederate STS to issue various types of tokens).

Uniform Resource Identifier

Identifies a Web resource with a string of characters conforming to a specified format.

Uniform Resource Locator

Identifies a resource according to its Internet location.

virtual server ID

An optional unique identifier by which an identity federation deployment can be known to a specific connection partner.

Web Services Security

A standard mechanism for securing Web Service interactions, often by binding a security token to the Web Service request.

Web Services

Nonbrowser-based, loosely coupled applications that provide modular, programming-language-independent access to specific functions and data across the Internet, via XML and standard protocols.

Web Service Client

An entity that requests a Web Service interaction. In the context of an STS, the Web Service Client would request that a security token be issued for the interaction.

Web Service Enhancement

Supplemental software for the .NET framework provided by Microsoft.

Web Service Provider

In the context of an STS, an entity that requests validation of the security token sent with a client’s request for service.


The OASIS committee working on WS-Trust.


A standard protocol by which an application can request that an STS issue, validate, or exchange security tokens.

Leave a Reply

Your email address will not be published. Required fields are marked *