Key Terminologies

This section provides an overview of fundamental terms and concepts referenced in this document.

Users

Users are individuals or entities permitted to access your system. They possess distinct attributes such as email, username, address, phone number, and birthdate. They can be associated with specific groups and can be assigned varying roles based on necessity.

Authentication

Authentication involves confirming the authenticity of a fact or document.

In this context, authentication entails verifying the identity of a user, device, or process. Typically, users authenticate themselves by providing credentials. This process facilitates access control for systems by comparing the provided credentials with those stored in an authorized user database.

Authorization

Authorization is the act of granting someone permission to access a resource.

After a user has been authenticated using their credentials like username and password, their authorization level will dictate the applications and functionalities they can access, as well as their ability to make modifications to the underlying data.

Groups

Groups are sets of authenticated users organized by shared characteristics such as job title or profile. Groups enable the centralized assignment of roles and attributes.

Instead of individually assigning permissions to each user, permissions are granted to the group. Consequently, as individuals are added to or removed from the group, their access to assigned accounts and applications dynamically adjusts accordingly.

Roles

Roles define the category or type of a user, such as Administrator, User, Manager, and Employee, which are common roles found in most organizations.

Applications frequently assign access and permissions to roles rather than individual users, as managing users individually can be challenging.

User-Role Mapping

User-Role Mapping refers to assigning specific roles, like manager or associate user, to individual users. It establishes the connection between a user and a role, allowing users to have access to different parts of a system. Users can be linked with multiple roles, defining their access privileges within the system. This process facilitates access control and determines which system components each user can interact with. Role mapping details are often incorporated into tokens and assertions, enabling applications to manage access permissions for different resources effectively.

Composite Roles

A Composite Role is a role that comprises other roles within it. It combines individual roles from various functional categories into a single role.

For example, a superuser composite role might include the sales-admin and order-entry-admin roles. When a user is assigned to the superuser role, they automatically gain the privileges associated with the sales-admin and order-entry-admin roles.

Composite roles are advantageous when certain users require authorization for multiple roles simultaneously.

Role-Based Access Control

Role-Based Access Control (RBAC) is a method of controlling network access based on an individual's role within an organization. It serves as a primary approach to advanced access control. In RBAC, roles represent the varying levels of access that users possess on the network.

With RBAC, you can regulate the actions end-users are permitted to take, both broadly and specifically. You can define whether a user holds administrative privileges, specialized user permissions, or standard end-user access, and tailor roles and access rights according to the users' positions within the organizational hierarchy. Access permissions are granted only to the extent necessary for users to carry out their routine tasks.

URI

URI stands for "Uniform Resource Identifier", a string of characters that distinguishes one resource from another. It doesn't require every component (scheme name, authority, path, query, and fragment); all it needs is a scheme name and a path, which can be left empty. URIs come in two varieties: URNs and URLs.

URL

URL stands for "Uniform Resource Locator", a particular form of identifier that not only designates the resource but also indicates where it is located and how to reach it. It includes additional elements such as the protocol and domain.

Realm

A realm oversees users, their credentials, roles, and groups. Users are affiliated with and access a realm after logging in. Realms operate independently from one another and can solely manage and authenticate the users within their jurisdiction.

Additionally, the protected resources on a server can be divided into distinct protection spaces, each with its unique authentication scheme and/or authorization database, housing a collection of users and groups. In the context of a web application, a realm represents a comprehensive database of users and groups recognized as valid users for a particular web application or a set of web applications, all governed by the same authentication policy.

Clients

Clients are entities that can request authentication services from ZTrust. There are two main types of clients. The first type includes applications seeking to participate in single sign-on. These are typically applications and services aiming to enhance their security by leveraging ZTrust for a single sign-on solution. The second type consists of clients requesting identity information or access tokens to access other secured services on the network through ZTrust.

Client Adapters

Client Adapters are libraries designed to simplify the process of securing applications and services using ZTrust. These typically consist of plugins that can be integrated into your application environment, enabling seamless communication and security integration with ZTrust.

ZTrust offers a variety of adapters tailored for different platforms, which users can download as needed.

Client Scopes

When registering a client, it's necessary to specify protocol mappers and role scope mappings. Storing a client scope simplifies the process of creating new clients by sharing common settings.

Client scope helps limit the roles included in an access token. When a client requests authentication for a user, the resulting access token will only include the role mappings explicitly defined for the client's scope. This approach enables fine-grained control over access permissions for individual access tokens, rather than granting the client access to all of the user's permissions. By default, each client inherits all of the user's role mappings.

Client Roles

Client Roles are a namespace dedicated to a client; each client gets its own namespace.

Clients can define roles that are specific to them, and those roles define access within that application.

Client Profile

It is the ability to specify which fields are required or available on forms for specific scope parameter values. This allows for progressive profiling, allowing users to gradually provide information based on the needs of the client applications they interact with.

An administrator can require a user to grant permission to a client before that client can engage in the authentication process. After a user enters their credentials, ZTrust displays a prompt showing the client seeking login access and the specific identity details it requests from the user. Users retain the choice to approve or deny the request.

Executors

An executor defines the action performed on a client to which a policy applies. The executor carries out one or more designated actions as specified.

Protocol Mappers

You can customize the claims and assertions stored in the OIDC token or SAML assertion for each client by configuring Protocol Mappers.

These mappers map user attributes (for example, email addresses) into the identity and access tokens.

Claims

Claims are pieces of information about a user that the Identity Provider sends to an application during Single Sign-On authentication. These claims are packaged within tokens issued by an issuer, also referred to as a security token service (STS).

They can include various types of information such as strings, lists, dictionaries, or booleans, and may be transmitted in plain text format.

Security Token Service (STS)

The Security Token Service (STS) is a vital component responsible for issuing, validating, renewing, and revoking security tokens for trusted systems, users, and resources seeking access within a federation.

It gathers user information from identity sources and securely delivers it to applications in the form of tokens to facilitate federation.

Assertions

Assertions are a fundamental element of Security Assertion Markup Language (SAML) and serve as the primary means of communication between an identity provider (IdP) and a service provider (SP).

These messages convey the user's identity, relevant details about them, and their authorized access while maintaining confidentiality.

Additionally, assertions include security parameters, such as the origin of the assertion, and assurances regarding their validity.

Role Scope Mappings

You can use Role Scope Mapping to restrict the roles included in access tokens.

When a client initiates user authentication, the resulting access token only contains the role mappings explicitly designated for the client's scope. This approach effectively confines the permissions associated with each access token, rather than granting the client access to all of the user's permissions.
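The two mechanisms described above (composite roles expanding into their member roles, and a client's role scope mapping filtering what lands in its access token) can be worked through together. This is an added example, not ZTrust's own code; the role definitions, including a deliberately cyclic composite, are constructed for illustration:

```python
# Added example (not ZTrust's own code): resolving a user's effective roles
# through composite roles, then applying a client's role scope mapping to
# decide which roles go into that client's access token.
from typing import Dict, Iterable, List, Optional, Set

# Constructed realm role definitions: role name -> roles it is composed of.
# Plain roles map to an empty set. The audit-lead/audit-peer cycle is deliberate,
# to show that expansion must terminate on a misconfigured composite.
REALM_ROLES: Dict[str, Set[str]] = {
    "sales-admin": set(),
    "order-entry-admin": set(),
    "reporting": set(),
    "superuser": {"sales-admin", "order-entry-admin"},
    "audit-lead": {"reporting", "audit-peer"},
    "audit-peer": {"audit-lead"},   # cycle back to audit-lead
}


def expand_roles(assigned: Iterable[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Return every role a user effectively holds.

    Composite roles are expanded transitively. The `effective` set doubles as
    a visited set, so a cycle between composites cannot loop forever.
    """
    effective: Set[str] = set()
    stack: List[str] = list(assigned)
    while stack:
        role = stack.pop()
        if role in effective:
            continue
        if role not in roles:
            continue  # unknown role names are ignored, never granted
        effective.add(role)
        stack.extend(roles[role])
    return effective


def token_roles(user_roles: Iterable[str], client_scope: Optional[Set[str]],
                roles: Dict[str, Set[str]]) -> Set[str]:
    """Roles to place in one client's access token.

    `client_scope` is the client's role scope mapping. None models the default
    in the text: the client inherits all of the user's role mappings. A set
    restricts the token to the user's effective roles that the client is
    allowed to see, so an over-broad user does not leak into every token.
    """
    effective = expand_roles(user_roles, roles)
    if client_scope is None:
        return effective
    return effective & client_scope


if __name__ == "__main__":
    # A user holding only the superuser composite role...
    print(sorted(expand_roles(["superuser"], REALM_ROLES)))
    # ...as seen by a client whose scope mapping allows only order entry.
    print(sorted(token_roles(["superuser"], {"order-entry-admin"}, REALM_ROLES)))
```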

Tokens

Tokens are sets of data transmitted between systems during the Single Sign-On (SSO) process. They typically contain user details like email addresses and details about the sending system.

To ensure authenticity, tokens must be digitally signed, enabling the recipient to verify their source. The certificate that is being used for this digital signature is exchanged during the initial configuration process.

Identity Token

The Identity Token serves as evidence of user authentication and is exchanged between systems during the Single Sign-On (SSO) process.

It was introduced by OpenID Connect (OIDC), a widely used authentication standard.

These tokens contain identity details such as username, address, email, and other profile information.

Access Token

An access token enables a client application to interact with a particular resource, carrying out predefined actions on behalf of the user.

This token is provided by the authorization server following successful user authentication and consent. This functionality aligns with the OpenID Connect and OAuth 2.0 standards.

Refresh Token

A Refresh Token serves the purpose of obtaining additional access tokens without needing to re-enter credentials each time one expires.

During the initial authentication process, along with receiving an access or ID token, the application also receives a refresh token. This refresh token is associated with both the user and client, though not specifically linked to a resource or tenant. Consequently, a client can utilize a refresh token to acquire access tokens across various combinations of resource and tenant, provided it has the necessary permissions.

Locale

A locale refers to the regional settings that define how information is presented to users, including language, date and time formats, number formats, and other regional preferences. ZTrust utilizes locales to support internationalization and localization, enabling the user interface and messages to be displayed in the user's preferred language and format, thereby enhancing the user experience for people from various regions.

Direct Grant

Direct Grant is a method for a client to acquire an access token for a user via a REST invocation. It enables the exchange of user credentials for tokens.

StartTLS

StartTLS is an email protocol command that converts an insecure connection into a secure one. Without StartTLS, emails sent via SMTP can be intercepted and read easily. When an email client uses StartTLS, it tells the server to encrypt the content, ensuring that intercepted emails are scrambled and difficult to decipher. Only the server and the client can decode the message.

SSL

Secure Sockets Layer (SSL) is a security protocol designed to encrypt data exchanged between a server and a client, like a web browser. It's employed to safeguard most interactions individuals have with websites or applications, covering tasks such as logging in, sharing personal details, and conducting financial transactions. By encrypting the data, SSL thwarts hackers from intercepting or stealing any transferred information, including sensitive personal or financial data.

Endpoints

For Single Sign-On, an endpoint marks the beginning of the initial user authentication process.

These endpoints are utilized when a non-ZTrust client adapter tries to connect with the authentication server.

User Federation Provider

ZTrust can store users and handle user management itself. Frequently, businesses use LDAP or Active Directory services to store user data and credentials. ZTrust can be configured to verify credentials against these external repositories and retrieve identity details from them.

Identity Provider

An identity provider (IdP) is responsible for storing and overseeing users' digital identities. It's a service capable of verifying a user's identity.

An IdP may authenticate user identities using various methods, such as username-password pairs and additional authentication factors. Alternatively, it may offer a list of user identities for another service provider, like a Single Sign-On (SSO) system, to authenticate against.

Service Providers

A Service Provider (SP) refers to a website or application that offers services to users.

While the SP delivers services to end users, it doesn't handle user authentication directly. Instead, it depends on an identity provider (IdP) to authenticate users and manage particular user-related attributes.

OIDC

OpenID Connect (OIDC) is an authentication protocol that enables identity providers (IdP) to verify users and manage access control.

It establishes a standard for exchanging user identity information between the Identity Provider and Service Provider.

OIDC is built on the OAuth 2.0 framework and uses JSON Web Tokens (JWT) to structure data. JWT, an industry standard, governs the secure transfer of encrypted claims, which are sensitive user data supporting identity management and verification.

SAML

Security Assertion Markup Language (SAML) is an authentication protocol which allows identity providers (IdP) to implement user validation and access control.

It is a standard that defines how user identity information flows between the two parties (Identity Provider and Service Provider).

It uses XML to format identity information. XML is an established information-formatting standard which encodes documents, such that they are easily understandable by both humans and computers.

Authentication Context Class

An Authentication Context Class (ACC) comprises a collection of business rules that authentication processes need to meet, and these rules can be fulfilled through various authentication methods. Typically, these rules can be met by employing different specific authentication methods, either individually or in combination.

Authentication Context Class Reference (ACR)

Authentication Context Class Reference (ACR) is an optional string that identifies the Authentication Context Class (ACC) satisfied by an authentication process.

Level of Authentication (LoA)

In ZTrust, Levels of Authentication (LoA) are integers that serve as markers within an authentication flow.

Multiple LoA levels can be defined within a single flow, with each level denoted by a numeric value.

Bounce

An email bounce, also referred to as a Non-Delivery Report (NDR), is an automated notification sent by the recipient's email server to inform the sender that an email could not be successfully delivered.

SMTP

Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used for sending and receiving email. Email clients usually rely on a program that speaks SMTP to send mail; the protocol is primarily relied upon for transmitting messages from a sender to a recipient.

Bounce Address

A bounce address, also referred to as a mail-from or return-path address, is an email address designated to receive bounced emails.

It’s a hidden SMTP address distinct from the original sender's address and is utilized to gather and manage bounced messages.

Time Based OTP

A Time-Based One-Time Password (TOTP), also known as OTP, is a series of dynamic digits that change periodically based on time. Typically, these are displayed as six-digit numbers that refresh every 30 seconds.

TOTPs are commonly employed for two-factor authentication (2FA) or multi-factor authentication (MFA). After entering a username and password, users are often required to enter a valid TOTP in an extra login field to demonstrate possession of the device that generates it.

Counter Based OTP

Counter-based one-time passwords (OTPs) are event-driven OTPs that utilize a counter as a variable factor in generating each code. With each request and validation of the OTP, the counter increments, and the generated code remains valid until a new OTP is requested. This method is also known as HMAC-based One-time Password algorithm (HOTP) or counter-based authentication.

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is a method based on HTTP headers that enables a server to specify which origins (domains, protocols, or ports) apart from its own are permitted by a browser to load resources.

Adapter

In single sign-on (SSO), an adapter is a service that facilitates user access to applications, including web applications and portal servers, through authentication. Adapters help secure applications and services and can be combined to support multi-factor authentication.

WAR apps

A WAR file (Web Application Resource or Web Application Archive) is a compressed file format utilized for distributing a compilation of resources essential for a web application. These resources typically include JAR files, JavaServer Pages, Java Servlets, Java classes, XML files, tag libraries, static web pages (such as HTML files), and other necessary components.

Single Page Application (SPA)

An SPA (Single-page application) is a type of web application design where only one web document is initially loaded, and subsequent content updates occur within that same document using JavaScript APIs like Fetch whenever different content needs to be displayed.

Nonce

In OpenID Connect (OIDC) or when logging in with Identity Providers (IdPs), the Nonce serves the purpose of ensuring that the login token generated by the IdP for the user remains valid for only one use, preventing unauthorized reuse. The Service Provider (SP) verifies the nonce to confirm that it aligns with the expected value and hasn't been recently utilized, which helps thwart potential replay attacks.
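The SP-side check described above, as an added example that is not part of ZTrust: the ID token is simulated as a plain dict of claims, and the token's signature is assumed to have been verified before this check runs. The store rejects a missing nonce, a nonce minted for a different login attempt, a stale one, and a replayed one.

```python
# Added example (not ZTrust's own code): service-provider handling of the OIDC
# nonce. Timestamps are passed in explicitly so the behaviour is reproducible.
import secrets
from typing import Dict, Optional, Tuple


class NonceStore:
    """Tracks nonces the SP handed out and nonces it has already accepted."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        # login session id -> (nonce sent in the authentication request, time issued)
        self._pending: Dict[str, Tuple[str, int]] = {}
        # accepted nonce -> time after which it no longer needs remembering
        self._used: Dict[str, int] = {}

    def issue(self, session_id: str, now: int) -> str:
        """Create a fresh unpredictable nonce for one login attempt. The SP
        sends it to the IdP and keeps it in the user's session."""
        nonce = secrets.token_urlsafe(32)
        self._pending[session_id] = (nonce, now)
        return nonce

    def verify(self, session_id: str, claims: Dict[str, str], now: int) -> bool:
        """True only if the token's nonce matches this session's expected value,
        is within its lifetime and was never accepted before. Success consumes it."""
        self._purge(now)
        presented: Optional[str] = claims.get("nonce")
        pending = self._pending.get(session_id)
        if presented is None or pending is None:
            return False            # token carries no nonce, or no login in progress
        expected, issued_at = pending
        if now - issued_at > self.ttl:
            self._pending.pop(session_id, None)
            return False            # login attempt is stale
        if not secrets.compare_digest(presented, expected):
            return False            # token was minted for a different attempt
        if presented in self._used:
            return False            # replay of an already accepted token
        del self._pending[session_id]
        self._used[presented] = now + self.ttl
        return True

    def _purge(self, now: int) -> None:
        """Forget accepted nonces once the token could no longer be valid."""
        for nonce, expiry in list(self._used.items()):
            if expiry <= now:
                del self._used[nonce]
```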

Grant

In authentication, a grant refers to a credential indicating a resource owner's permission for a client to access their protected resources. The client can subsequently utilize the grant to acquire an access token.

Pushed Authorization Request (PAR)

Pushed Authorization Request (PAR) is a backend protocol enabling client applications to transmit authorization requests directly to an authorization server. It forms a vital technical aspect of the Financial-Grade API (FAPI) Security Profile 1.0 and is utilized by applications necessitating heightened security measures. PAR stands out as a significant security enhancement to the OAuth2 framework.

User Agent

In single sign-on (SSO), a user agent refers to software facilitating user interaction with web content and resource access. Within SAML-based SSO, the user agent typically manifests as a web browser, and the user is commonly referred to as the subject.

Clustering

Clustering enables multiple servers to collaborate by sharing a unified configuration and servicing SSO requests as a cohesive system. This approach enhances scalability and fault tolerance, contributing to business continuity in case of node failures. Additionally, clustering facilitates automatic system scaling during periods of increased load.

Relying Party

A relying party (RP) is a server that uses a user's credentials to authorize access to a system, data, or to carry out a transaction. RPs encompass web applications as well as third-party Single Sign-On (SSO) solutions. These parties leverage the Cloud Authentication Service either as the Authorization Server or as the identity provider (IdP) to oversee authentication processes.

Introspection Endpoint

An introspection endpoint is a part of the OAuth 2.0 framework that provides information about an access token. This information may encompass the token's current status, the user who granted authorization, its expiration time, and the authorized scopes. Resource servers utilize this endpoint to ascertain whether API requests should be permitted.

Keys

Keys are private and public key pairs used for signing and encrypting authentication protocols.

Encryption Algorithm

An encryption algorithm is a technique that converts data into ciphertext using an encryption key. The resulting encrypted data seems random but can be reverted to plaintext using a decryption key. Encryption algorithms are employed to secure electronic data during transmission and deter data manipulation.

Public Key Credentials

Public key credentials refer to a cryptographic key pair that serves to identify a user and provide them access to a system or SSH server. During a connection session, the public key is utilized to encrypt messages.

Salted SHA-256 hash

A salted SHA-256 hash refers to a password that undergoes hashing using the SHA-256 algorithm alongside a distinct salt. The salt, a randomly generated string of characters, is appended to the password before hashing. This method enhances password security as even if two users share the same password, their salted-hashed passwords will differ due to the individualized salt.
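An added example (not ZTrust's own code) of the scheme described above: each user gets a random salt, the salt is appended to the password before hashing, and the record format "sha256$<salt hex>$<digest hex>" is a constructed convention for this example.

```python
# Added example (not ZTrust's own code): salted SHA-256 password records with
# a verification routine that rejects malformed input and compares in constant time.
import hashlib
import hmac
import os
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record. A fresh 16-byte random salt is drawn unless
    one is supplied (supplying one is only useful for reproducible tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt taken from the record and compare."""
    try:
        algo, salt_hex, digest = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False                      # malformed record: reject, don't raise
    if algo != "sha256":
        return False                      # unexpected algorithm tag
    recomputed = hashlib.sha256(password.encode("utf-8") + salt).hexdigest()
    return hmac.compare_digest(recomputed, digest)


def same_password_differs(password: str) -> bool:
    """Two users with the same password still get different records,
    because each record carries its own salt."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record))   # True
    print(verify_password("wrong guess", record))     # False
    print(same_password_differs("hunter2"))           # True
```

SHA-256 is fast, so a leaked record can be brute-forced quickly; where the storage format is open to choice, a deliberately slow function such as PBKDF2 (hashlib.pbkdf2_hmac) with the same per-user salt limits offline guessing.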

Command-line interface (CLI)

A command-line interface (CLI) is a form of user interface (UI) primarily based on text that enables users to interact with a computer or software application through command input. Other terms used to describe CLIs include command-line user interfaces, console user interfaces, and character user interfaces.

SSH

SSH is a protocol for securely exchanging data between two computers over an untrusted network. SSH protects the privacy and integrity of the transferred identities, data, and files. It runs on most computers and on practically every server.

Authenticator Attestation Global Unique Identifier (AAGUID)

An Authenticator Attestation Global Unique Identifier (AAGUID) is a 128-bit identifier that specifies the model of an authenticator.

It aids in identifying the security features and source of the authenticator during the registration phase, thereby contributing to a secure user authentication procedure.

Hashing Algorithm

A hashing algorithm is a cryptographic technique used to generate a fixed-length output, known as a hash value or hash, from a given input. This hash value serves as a condensed summary of the original data.

WebAuthn

WebAuthn, also known as Web Authentication, is an API authentication protocol designed to operate within a web browser, enabling the registration, management, and authentication of users without passwords. This protocol eliminates the need for passwords, enhances resistance to phishing attacks, and combines two factors into one method.

WebAuthn simplifies authentication processes while providing security, offering advantages for both users and service providers. By utilizing WebAuthn, user credentials remain on their devices and are not stored on servers, reducing vulnerabilities to phishing attempts, password theft, and replay attacks.

Operator

Operators are software extensions to Kubernetes that make use of custom resources to manage applications and their components.

Operators follow Kubernetes principles.

Message Queue

A message queue is an asynchronous communication method used in serverless and microservices architectures. Messages remain in the queue until they are processed and removed. Each message is handled once, by a sole consumer.

Message queues serve as intermediaries between two communicating services or layers. The entity responsible for initiating communication by adding a message to the queue is referred to as a message producer. Conversely, the entity responsible for retrieving messages from the queue and performing the primary processing is known as the message consumer.

Message Broker

A message broker stores messages in a queue until they are consumed, after which the message is deleted. Message brokers provide adaptable routing and ensure reliability.

RabbitMQ

RabbitMQ is a message broker supporting various messaging protocols, including the Advanced Message Queuing Protocol (AMQP). It provides a centralized platform for apps to send and receive messages securely, ensuring messages are safely stored until they are received.

Advanced Message Queuing Protocol (AMQP)

AMQP, or the Advanced Message Queuing Protocol, is an open standard protocol for message-oriented middleware at the application layer. Key features of AMQP include its message orientation, queuing, routing (including point-to-point and publish-and-subscribe), reliability, and security.

OLM

Operator Lifecycle Manager (OLM) is part of the Operator Framework, which is an open-source toolkit designed to efficiently, automatically, and scalably manage Kubernetes native applications known as Operators.

OLM enhances Kubernetes functionality by offering a declarative method for installing, overseeing, and updating Operators and their associated dependencies within a cluster.

Connection Pooling

Connection pooling is a strategy that maintains a reservoir of active database connections available for reuse rather than shutting them down after handling a query. This approach can lower the overhead of establishing and terminating database connections, leading to enhanced application efficiency.

Resource Path

A resource path is a URI that defines a wildcard pattern to indicate that a resource represents all application paths.

Wildcard Pattern

A wildcard pattern is a sequence of characters used to compare against incoming character strings. These patterns are applied to define criteria for pattern matching. Matching occurs in a strict left-to-right manner, evaluating one character or basic wildcard pattern at a time.

Event Listeners

An event listener is a component that monitors for specific events and reacts to them when they occur. These listeners are capable of executing diverse tasks, including modifying the user interface, handling data, or initiating additional events. Integral to interactive and responsive applications, event listeners facilitate interactivity and contribute to the creation of dynamic user experiences.

Pagination

Pagination enables clients to fetch a portion of search results instead of the entire set. This functionality is beneficial when there's a server-side restriction on the number of entries that can be returned. Pagination lets users make multiple smaller queries to access larger result sets.
