Digital Identity Glossary
Your comprehensive reference for 50+ identity, authentication, and security terms. From beginner concepts to advanced protocols.
A
Access Review
A periodic assessment process where managers or application owners review and validate that users' current access rights are appropriate and aligned with their roles and responsibilities.
Active Directory
AD
Microsoft's directory service for Windows domain networks that provides authentication, authorization, directory services, and group policy management for enterprise environments.
Adaptive Authentication
An authentication approach that dynamically adjusts security requirements based on real-time risk assessment, user behavior analysis, and contextual signals, balancing security with user experience.
API Security
The practices, patterns, and technologies used to protect application programming interfaces from unauthorized access, data breaches, and abuse, including authentication, authorization, rate limiting, and input validation.
Attribute-Based Access Control
ABAC
An access control model that evaluates access requests based on attributes of the user, resource, action, and environment, enabling fine-grained, context-aware authorization decisions.
Authorization Code Flow
An OAuth 2.0 grant type where the client receives an authorization code from the authorization server and exchanges it for access and refresh tokens via a back-channel request, providing the most secure flow for server-side applications.
D
Decentralized Identity
An identity model where individuals own and control their digital identity data using cryptographic keys and decentralized infrastructure, rather than relying on centralized identity providers.
Deprovisioning
The process of revoking and removing a user's access rights and accounts across IT systems when they no longer need access, such as when they change roles or leave the organization.
F
Federated Identity
A system that allows users to use the same identity credentials across multiple independent organizations or domains, enabled by trust relationships between identity providers and service providers.
FIDO2
An open authentication standard by the FIDO Alliance that enables passwordless authentication using public-key cryptography, comprising the WebAuthn web API and the CTAP2 client-to-authenticator protocol.
I
Identity Fabric
An architectural pattern that provides a unified, integrated layer of identity services across an organization's hybrid and multi-cloud environment, abstracting the complexity of underlying identity infrastructure.
Identity Federation
The process of establishing trust relationships between separate identity management systems so that users authenticated by one system can access resources managed by another without re-authentication.
Identity Governance and Administration
IGA
A framework of policies, processes, and technologies that manage and govern digital identities and their access rights across an organization, including provisioning, certification, and compliance reporting.
Identity Lifecycle Management
The end-to-end process of managing a digital identity from creation through modification, access changes, and eventual deactivation or deletion, ensuring appropriate access at every stage.
Identity Mesh
A distributed identity architecture concept where identity services are decomposed into modular, interoperable components that can be composed flexibly, rather than relying on a single monolithic identity platform.
Identity Provider
IdP
A service that creates, manages, and verifies digital identities, issuing authentication tokens or assertions that other applications and services trust to grant access.
ISO 27001
An international standard for information security management systems (ISMS) that specifies requirements for establishing, implementing, maintaining, and continually improving an organization's information security posture.
J
JSON Web Token
JWT
A compact, URL-safe token format that encodes claims as a JSON object, digitally signed for integrity verification, commonly used to transmit authentication and authorization information between parties.
Just-in-Time Provisioning
JIT Provisioning
An automated provisioning method that creates or updates user accounts in a target application at the moment of the user's first authentication, rather than pre-provisioning accounts in advance.
L
Least Privilege
A security principle that grants users, applications, and systems only the minimum access rights and permissions necessary to perform their required tasks, reducing the attack surface and blast radius.
Lightweight Directory Access Protocol
LDAP
An open, vendor-neutral protocol for accessing and managing distributed directory information services, commonly used to store and retrieve user identity data, group memberships, and organizational structures.
O
OAuth 2.0
An authorization framework that enables third-party applications to obtain limited access to a web service on behalf of a resource owner, without exposing the resource owner's credentials.
OAuth Scopes
A mechanism in OAuth 2.0 that limits the access granted to a client application, defining specific permissions the client can request and the resource owner can approve.
OpenID Connect
OIDC
An identity layer built on top of OAuth 2.0 that allows clients to verify the identity of an end-user and obtain basic profile information using an ID Token.
P
Passkeys
A passwordless authentication credential based on FIDO2/WebAuthn that syncs across devices using platform cloud services, providing phishing-resistant authentication without requiring users to manage physical security keys.
Passwordless Authentication
An authentication approach that verifies user identity without requiring a traditional password, using alternatives such as biometrics, security keys, magic links, or passkeys.
Privileged Access Management
PAM
A set of cybersecurity strategies, technologies, and practices for controlling, monitoring, securing, and auditing elevated access and permissions for users, accounts, and systems across an IT environment.
Proof Key for Code Exchange
PKCE
An extension to the OAuth 2.0 Authorization Code flow that protects against authorization code interception attacks by requiring the client to create a cryptographic code verifier and challenge.
R
Risk-Based Authentication
RBA
An adaptive authentication method that evaluates contextual risk signals (device, location, behavior patterns) to dynamically adjust the authentication requirements, requesting additional verification only when risk is elevated.
Role-Based Access Control
RBAC
An access control model that assigns permissions to users based on their organizational roles, simplifying access management by grouping permissions into roles rather than assigning them individually.
S
Security Assertion Markup Language
SAML
An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, widely used for enterprise SSO.
Self-Sovereign Identity
SSI
An identity model that gives individuals full ownership and control of their digital identities without relying on any centralized authority, using decentralized identifiers and verifiable credentials.
Separation of Duties
SoD
A security control principle that divides critical tasks among multiple people or roles to prevent any single individual from having enough access to commit fraud or cause significant harm undetected.
Service Provider
SP
An application or service that relies on an identity provider to authenticate users and make authorization decisions, consuming authentication tokens or assertions issued by the IdP.
Session Management
The process of securely handling user sessions after authentication, including session creation, tracking, timeout, invalidation, and protection against session hijacking and fixation attacks.
Single Sign-On
SSO
An authentication method that allows users to log in once and gain access to multiple applications or systems without re-entering credentials for each one.
SOC 2
A compliance framework developed by the AICPA that defines criteria for managing customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Step-Up Authentication
A security mechanism that requires a user to complete additional authentication challenges when attempting to access higher-risk resources or perform sensitive operations within an already authenticated session.
System for Cross-domain Identity Management
SCIM
An open standard protocol for automating the exchange of user identity information between identity domains and IT systems, enabling automated provisioning and deprovisioning of user accounts.