The following list provides brief descriptions of some of the common terms related to setting up single sign-on.
Active Directory Federation Services is a single sign-on solution created by Microsoft. It is a component of the Windows Server operating systems that provides users with authenticated access to applications that are not able to authenticate through Windows Authentication using Active Directory.
A package of information that provides one or more statements from a SAML authority. There are three kinds of assertions:
|Assertion Consumer Service (ACS)||The service provider's endpoint (URL) that will process the SAML assertion. This may also be referred to as the Reply URL when setting up an identity provider for SAML.|
|Attribute||Set of data about a user, such as username, employee id, or first name.|
|Authentication||The process of verifying the identity of a user.|
|Authorization||The process of verifying what resources a user has permission to access.|
A claim is information that an identity provider states about a user inside the token they issue for that user. As part of setting up SSO, you'll specify which claim is used to identify a user. For example, Google uses email address to uniquely identify the user.
|Entity ID||Globally unique name for the identity provider or service provider required to set up SSO with SAML.|
Unique identifier code for the user in the IdP. The Global ID stores the unique value that is sent as the claim for the application.
Identity Provider (IdP)
Identity providers are trusted partners that verify user authentication as a service. For example, Google and Microsoft.
|Metadata||Required set of information provided in an xml format used to set up SSO with SAML. Metadata is provided by the identity provider to the service provider or vice versa.|
Multi-Factor Authentication is an authentication method in which a user is granted access only after successfully providing two or more pieces of evidence. For example, the user may be required to enter a password and a code received on the user's smart phone.
Method through which a third-party app can access web-hosted resources on behalf of a user.
OpenID Connect is an authentication layer on top of OAuth 2.0, which is an authorization framework. It's an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
This URI is the location that the authorization server will direct the user once the app has been successfully authorized and granted an authorization code or access token. When you register an application with the identity provider, you need to enter the Redirect URI for the PowerSchool application you are configuring for SSO.
A website or other entity on the Internet that relies on an identity provider to authenticate a user who wants to log in.
Security Assertion Markup Language (pronounced SAM-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Scopes are used to return a set of user attributes, known as claims. Scopes are sent between the application and identity provider.
Single sign-on (SSO) enables users to authenticate through a single source known as an identity provider so they can navigate between applications and websites with one set of credentials.
Tokens are passed between applications to share information. ID tokens are a feature of OIDC designed to share identity assertions on the Internet.
Uniform Resource Identifier is a string of characters that unambiguously identifies a particular resource. As part of SSO, the redirect URI is the location that the authorization server will send the user to once the app has been successfully authorized, and granted an authorization code or access token.
Synchronization of users in IdP and product by associating the unique ID from the IdP with the user.