
Identity as a Service: Glossary

Last Updated:Mar 31, 2026

A

ABAC — Attribute-Based Access Control (ABAC). An access control model that grants or denies permissions based on attributes associated with users, resources, and the environment, rather than predefined roles.

access token — A short-lived credential used to call APIs provided by an Identity Provider (IdP). The token represents the authorization granted to the caller and expires after a configured validity period. See also: refresh token, ID token.

ACL — Access Control List (ACL). An access control mechanism, used for example in packet filtering, that lists which entities are permitted or denied access to a resource.

AD — Active Directory (AD). A Microsoft directory service for Windows Server environments that stores information about network objects—users, computers, and groups—and allows administrators to manage access across the network.

AK/SK — Access Key ID / Secret Access Key (AK/SK). Your long-term identity credential in Alibaba Cloud. The Access Key ID (AK) identifies your account when you call Alibaba Cloud APIs through tools such as the CLI, SDKs, or direct API requests. The Secret Access Key (SK) is used to sign requests, allowing Alibaba Cloud to verify the integrity and authenticity of each request. Keep the SK confidential and do not share it.

authentication — The process of verifying the identity of an entity—a person, system, or automated agent—before granting access to a service or resource. Authentication confirms who you are, while authorization determines what you can do. See also: OAuth 2.0, OpenID Connect (OIDC).

automation — The use of rules or workflows to perform identity-related actions—such as provisioning, deprovisioning, or policy enforcement—without manual intervention.

B

branding — The process of customizing the appearance of your enterprise portal, including the logo, color scheme, text content, language settings, and other visual elements displayed to users during authentication and customer service flows.

C

CAS — Apereo Central Authentication Service (CAS). A legacy single sign-on protocol that is less commonly used in modern identity architectures, largely replaced by standards such as SAML and OIDC.

CIAM — Customer Identity and Access Management (CIAM). An identity management solution that handles authentication and access control for external users such as customers, consumers, and members. CIAM is distinct from EIAM, which focuses on internal enterprise users. See also: IDaaS.

D

DLP — Data Loss Prevention (DLP). A security strategy and set of technologies that prevent sensitive data or information assets from leaving an enterprise in violation of security policies.

E

EIAM — Enterprise Identity and Access Management (EIAM). An identity and access management system for internal users, ecosystem partners, and tiered offline store networks. EIAM consolidates identities from on-premises systems, cloud-based business applications, and third-party SaaS tools, enabling users to access all services with a single account. See also: CIAM, SSO.

EU — End User (EU). The person who authenticates with an identity system to access a service. In OIDC flows, the EU is the subject whose identity is being asserted.

F

facial recognition — A biometric authentication method that verifies a user's identity by analyzing facial features captured via camera.

FC — Function Compute (FC). Alibaba Cloud's serverless compute service. In IDaaS contexts, FC is used to implement custom authentication logic or process node events in identity workflows.

fingerprint recognition — A biometric authentication method that verifies a user's identity by scanning and matching fingerprint patterns.

G

GCP — Google Cloud Platform (GCP). Google's public cloud platform. Referenced in IDaaS documentation as an external environment that may integrate with identity federation workflows.

H

Historical Passwords — A password policy setting that controls whether users can reuse previous passwords when setting a new one. Preventing reuse of recent passwords reduces the risk of account compromise from credential theft.

I

IAM — Identity and Access Management (IAM). A framework for managing digital identities and controlling access to resources. Core IAM capabilities include single sign-on, robust authentication management, policy-based centralized authorization and auditing, dynamic authorization, and enterprise manageability.

IDaaS — Identity as a Service (IDaaS). A cloud-delivered set of centralized identity, permission, and application management services for enterprise users. IDaaS consolidates identities from on-premises and cloud-based systems—including internal office systems, business applications, and third-party SaaS tools—into a single account that provides access to all connected services.

IdP — Identity Provider (IdP). A service that manages and authenticates user identities. In SAML flows, the IdP generates and sends SAML assertions to service providers (SPs) to verify that a user has authenticated. See also: IdP-initiated flow, IdP-initiated SSO, RP.

IdP-initiated flow — A SAML authentication flow initiated by the Identity Provider. The IdP generates a SAML response asserting the user's identity and redirects the user to the service provider, without a prior authentication request from the SP. This flow is triggered when a user clicks an application tile in the IdP portal.

IdP-initiated SSO — A Single Sign-On flow that starts from the IdP's security domain. The IdP federation server creates a federation SSO response and redirects the user—along with the response and optional status information—to the service provider. See also: SSO, IdP-initiated flow.

ID token — A token in JSON Web Token (JWT) format that contains authentication claims about the End User (EU). Parse the ID token to retrieve information about the currently logged-in account, such as user ID, email, and authentication time. See also: JWT, access token.

IPG — Identity Provider Gateway (IPG). An IDaaS series product that acts as a gateway for identity provider integrations.

J

JWT — JSON Web Token (JWT). A compact, URL-safe token format defined in RFC 7519. JWT encodes claims as a JSON object that can be signed and optionally encrypted, making it suitable for securely transmitting identity and authorization information between parties. JWTs are widely used in SSO scenarios and can serve as ID tokens or access tokens in OIDC and OAuth 2.0 flows.

K

key rotation — The process of replacing an existing cryptographic key or password with a newly generated one, invalidating the old credential. Regular key rotation limits the window of exposure if a key is compromised.

L

Lazy Loading — Just-in-Time (JIT) provisioning, also called lazy loading. An account provisioning strategy where user accounts are created in IDaaS on demand at login time. When a user signs in and their identity is not found in IDaaS, the authentication request is forwarded to the original enterprise identity system. If authentication succeeds, the account information is saved in IDaaS for future logins. This approach is common when passwords in the original system cannot be migrated to IDaaS directly.

LDAP — Lightweight Directory Access Protocol (LDAP). A client-server protocol for querying and modifying entries in a directory service that follows the X.500 standard. LDAP runs over TCP/IP and is commonly used to authenticate users against corporate directories such as Active Directory.

M

MAU — Monthly Active Users (MAU). A metric that counts the number of unique users who logged in or actively used a product within a statistical month, excluding duplicate sessions by the same user.

MFA — Multi-Factor Authentication (MFA). An authentication method that requires users to verify their identity using two or more independent factors—typically something they know (password), something they have (OTP device or app), and something they are (biometric). MFA reduces the risk of account takeover from compromised passwords.

MSG — Micro-Segmentation (MSG). A network security technique, first introduced by Gartner and also known as Software-Defined Segmentation, that enforces fine-grained isolation between networks/microservices along the east-west traffic path within a network.

N

NIST — National Institute of Standards and Technology (NIST). A U.S. federal agency that publishes cybersecurity standards and frameworks widely adopted across the industry, including guidelines for identity management and Zero Trust Architecture.

node event — An event that defines a specific interaction point in an IDaaS workflow. Node events are used to model the sequence of operations when IDaaS communicates with third-party IAM systems. See also: process interaction.

O

OAuth 2.0 — An industry-standard authorization framework (IETF RFC 6749) that allows applications to obtain limited access to user accounts on behalf of the user, without exposing credentials. OAuth 2.0 handles authorization—what the application is permitted to do—but does not define how to authenticate the user's identity. See also: OIDC.

OIDC — OpenID Connect (OIDC). An authentication layer built on top of OAuth 2.0 (defined in the OpenID Foundation specifications). OIDC adds identity verification to OAuth 2.0's authorization framework.

Understanding the relationship between OpenID, OAuth 2.0, and OIDC:

| Protocol | Purpose | What it confirms |
| --- | --- | --- |
| OpenID / OIDC | Authentication | Who you are — verifies and asserts the user's identity |
| OAuth 2.0 | Authorization | What you can do — grants permission to perform actions after identity is established |
| OpenID Connect (OIDC) | Both | Authentication + OAuth 2.0 combined into one interoperable standard |

Authorization always follows authentication: a user's identity must be confirmed before access can be granted.

OP — OpenID Provider (OP). A server capable of authenticating end users and providing identity information to Relying Parties (RPs). The OP is equivalent to the authorization server role in OAuth 2.0. See also: RP, OIDC.

OTP — One-Time Password (OTP). A single-use authentication code that is valid for only one login session or transaction. The most common implementation is Time-based One-Time Password (TOTP), defined in RFC 6238, which generates a new code every 30 seconds. TOTP requires the server and the client app to share a seed and maintain synchronized clocks; the code generated on both sides must match within the same time window for authentication to succeed.

P

PKCE — Proof Key for Code Exchange (PKCE, pronounced "pixie"). A security extension to the OAuth 2.0 Authorization Code flow that prevents authorization code interception attacks. PKCE binds the authorization request to the later token request with a cryptographic challenge, so the authorization server can prove that the token request comes from the same client that initiated the authorization request, which stops an attacker from exchanging a stolen authorization code for tokens. PKCE is recommended for all OAuth 2.0 clients, especially public clients such as mobile and single-page apps.
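The PKCE binding described in this entry, as an added example (not code from the IDaaS product or any SDK): the client-side verifier and S256 challenge per RFC 7636, the authorization server's check at the token endpoint, and a walk through the flow showing that a code redeemed without the matching verifier is refused. The `issued_codes` dict is a hypothetical stand-in for the server's code store.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy secret kept in memory for one authorization attempt.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def server_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: recompute the challenge from the
    verifier sent with the code and compare it with the one stored at issuance."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False  # unknown transform: refuse rather than downgrade
    return hmac.compare_digest(expected, stored_challenge)

def simulate_flow() -> dict:
    """Walk the Authorization Code flow with PKCE end to end."""
    issued_codes = {}  # hypothetical server-side store: code -> binding
    # 1. Client prepares verifier + challenge and sends only the challenge.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # 2. Server authenticates the user and issues a code bound to the challenge.
    code = secrets.token_urlsafe(16)
    issued_codes[code] = {"challenge": challenge, "method": "S256"}
    # 3. Token exchange: the originating client presents its verifier.
    entry = issued_codes[code]
    legit = server_verify(entry["challenge"], entry["method"], verifier)
    # A party holding only the code (e.g. from a leaked redirect) lacks the
    # verifier; whatever it presents fails the challenge comparison.
    without_verifier = server_verify(entry["challenge"], entry["method"], make_code_verifier())
    return {"legitimate": legit, "without_verifier": without_verifier}
```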

process interaction — A sequence of two or more node events arranged in a defined logical order to complete a business operation. Process interactions are used to model the communication between IDaaS and third-party IAM systems. See also: node event.

Q

None.

R

RAM — Resource Access Management (RAM). An Alibaba Cloud service for managing user identities and controlling access to cloud resources. RAM lets you create and manage sub-accounts and define fine-grained permission policies for each.

RBAC — Role-Based Access Control (RBAC). An access control model where permissions are assigned to roles rather than directly to users. Administrators define a set of roles, each with a corresponding set of permissions, and then assign users to appropriate roles. This approach simplifies permission management in large organizations.

refresh token — A long-lived credential used to obtain a new access token after the current one expires, without requiring the user to re-authenticate. Unlike access tokens, refresh tokens can be revoked by the authorization server. Store refresh tokens securely. See also: access token.

RP — Relying Party (RP). In OIDC and OAuth 2.0, the trusted client application that consumes identity and authorization information from an OpenID Provider (OP) or Identity Provider (IdP). The RP delegates authentication to the IdP and relies on the returned tokens to grant access. See also: OP, IdP.

S

SAML — Security Assertion Markup Language (SAML). An XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a service provider (SP). SAML is widely used for enterprise SSO.

SCIM — System for Cross-domain Identity Management (SCIM). An open standard protocol (RFC 7644) primarily used for automating user account synchronization between identity systems, such as provisioning and deprovisioning accounts across SaaS applications.

SD-IAM — Service Delivered IAM (SD-IAM). An authentication and access management service model delivered as a managed service.

SK — Secret Access Key (SK). The secret key used to sign requests to Alibaba Cloud APIs, allowing the cloud platform to verify the authenticity of each request. Keep the SK confidential. See also: AK/SK.

SDK — Software Development Kit (SDK). A collection of libraries, code samples, documentation, and tools that simplifies building applications against a service's API.

SLA — Service-Level Agreement (SLA). A formal commitment that defines the availability and performance standards for a service. Each Alibaba Cloud product maintains its own SLA; if a product does not define one, the general Alibaba Cloud SLA applies.

Amazon S3 — Simple Storage Service (S3). AWS's object storage service, supporting files from 0 to 5 TB. Referenced in IDaaS documentation as an external storage integration point.

SPG — Service Provider Gateway (SPG). An IDaaS series product that acts as a gateway for service provider integrations.

SSO — Single Sign-On (SSO). An authentication mechanism that lets users access multiple applications with a single set of credentials and one login session. In IDaaS, SSO refers specifically to identity federation based on standard protocols such as OIDC and OAuth 2.0, rather than legacy session-sharing approaches. See also: IdP-initiated SSO, SAML.

T

token — A digital artifact used to represent an authenticated identity or an authorization grant. Tokens are issued by authorization servers and presented by clients to access protected resources. Common token types include access tokens, refresh tokens, and ID tokens.

U

UD — User Directory (UD). A repository that stores and manages user identity records, attributes, and credentials. User directories serve as the authoritative source of identity information for authentication and provisioning.

UEBA — User and Entity Behavior Analytics (UEBA). A security analytics approach that uses dynamic environment models to detect anomalous activity by users and entities—such as service accounts or devices—then generates analysis reports to support incident investigation.

UserInfo endpoint — An OAuth 2.0-protected API endpoint defined by the OIDC specification. When a Relying Party (RP) calls the endpoint using a valid access token, it returns claims about the authenticated end user. The endpoint must be served over HTTPS.

V

validity period — The time window during which a token or credential remains active. Once the validity period expires, the token is rejected and the user or application must obtain a new one.

W

weak password — A password that can be easily guessed by people with knowledge of the user or cracked using automated tools. Common examples include dictionary words, sequences, and passwords reused from other services. Enforce password complexity policies to reduce this risk.

WeChat — A social and messaging platform primarily used in the Chinese mainland, developed by Tencent. WeChat can be configured as an external identity source in IDaaS to allow users to authenticate using their WeChat accounts.

X

X-Engine — A self-developed online transaction processing (OLTP) database storage engine built by Alibaba Cloud's Database Product Business Unit.

XpackRelateDB — A type of database for Alibaba Cloud services.

Y

N/A.

Z

ZTA — Zero Trust Architecture (ZTA). A security model defined by NIST (SP 800-207) based on the principle of "never trust, always verify." ZTA assumes no implicit trust based on network location and requires continuous verification of every request to access resources.

ZTE — Zero Trust Ecosystem (ZTE). The broader set of technologies, integrations, and practices that together implement and support Zero Trust principles across an organization.

If you have any other questions, please contact the IDaaS team.