SSO Glossary

The following list provides brief descriptions of some of the common terms related to setting up single sign-on.

Term

Definition

AD FS

Active Directory Federation Services is a single sign-on solution created by Microsoft. It is a component of the Windows Server operating systems that provides users with authenticated access to applications that are not able to authenticate through Windows Authentication using Active Directory.

Assertion

A package of information that provides one or more statements from a SAML authority. There are three kinds of assertions:

  • Authentication - Indicates the user was authenticated by the identity provider and the time when they were authenticated.
  • Attribute - Provides additional information about the user.
  • Authorization decision - Declares whether a request to allow the user to access a specified resource has been granted or denied.

Assertion Consumer Service (ACS)

The service provider's endpoint (URL) that will process the SAML assertion. This may also be referred to as the Reply URL when setting up an identity provider for SAML.

Attribute

Set of data about a user, such as username, employee ID, or first name.

Authentication

The process of verifying the identity of a user.

Authorization

The process of verifying what resources a user has permission to access.

Claim

A claim is information that an identity provider states about a user inside the token they issue for that user. As part of setting up SSO, you'll specify which claim is used to identify a user. For example, Google uses email address to uniquely identify the user.

Entity ID

Globally unique name for the identity provider or service provider, required to set up SSO with SAML.

Global ID

Unique identifier code for the user in the IdP. The Global ID stores the unique value that is sent as the claim to the application.

Identity Provider (IdP)

Identity providers are trusted partners that authenticate users as a service; Google and Microsoft are examples.

Metadata

Required set of information, provided in XML format, used to set up SSO with SAML. Metadata is provided by the identity provider to the service provider or vice versa.

MFA

Multi-Factor Authentication is an authentication method in which a user is granted access only after successfully providing two or more pieces of evidence. For example, the user may be required to enter a password and a code received on the user's smartphone.

OAuth 2.0

Method through which a third-party app can access web-hosted resources on behalf of a user.

OIDC

OpenID Connect is an authentication layer on top of OAuth 2.0, which is an authorization framework. It's an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Redirect URI

This URI is the location that the authorization server will direct the user once the app has been successfully authorized and granted an authorization code or access token. When you register an application with the identity provider, you need to enter the Redirect URI for the PowerSchool application you are configuring for SSO.

Relying Party

A website or other entity on the Internet that relies on an identity provider to authenticate a user who wants to log in.

SAML

Security Assertion Markup Language (pronounced SAM-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Scopes

Scopes are sent by the application to the identity provider and determine which set of user attributes, known as claims, is returned.

SSO

Single sign-on (SSO) enables users to authenticate through a single source known as an identity provider so they can navigate between applications and websites with one set of credentials.

Token

Tokens are passed between applications to share information. ID tokens are a feature of OIDC designed to share identity assertions on the Internet.

URI

Uniform Resource Identifier is a string of characters that unambiguously identifies a particular resource. As part of SSO, the redirect URI is the location that the authorization server will send the user to once the app has been successfully authorized, and granted an authorization code or access token.

User Provisioning

Synchronization of user accounts between the IdP and the product, done by associating the unique ID from the IdP with the product's user record.