
Identity as a Service: IDaaS terms

Last Updated: Jan 03, 2025

Terms related to IDaaS

IDaaS

Alibaba Cloud Identity as a Service (IDaaS) is a cloud-based identity management service that allows enterprises to centrally manage identities.

EIAM

Alibaba Cloud Enterprise Identity Access Management (EIAM) is a cloud-based identity management service that provides the features of a unified identity authentication platform, identity and access management (IAM) system, and authentication, authorization, account, and audit (4A) platform. EIAM allows enterprises to manage the identities of internal personnel and partners, such as employees, interns, temporary staff, suppliers, and store staff.

CIAM

Alibaba Cloud Customer Identity Access Management (CIAM) is a cloud-based identity management service. CIAM allows enterprises to manage the identities of external users, such as consumers, members, and citizens.

internationalization

Internationalization refers to the provision of multilingual services, user interfaces, images, documentation, operations, and support. IDaaS supports both Chinese and English.

Security Authentication

Alibaba Cloud Security Authentication is an identity authentication service. Security Authentication provides password-free logon methods such as phone number verification, authentication based on International Internet Finance Authentication Alliance (IIFAA), WebAuthn, text message verification, and one-time passwords (OTPs), and offers SDKs for these methods.

zero trust

Zero trust is a security model that is now widely adopted in the industry. It requires every request to every service to come from an authenticated, trusted identity and to be explicitly authorized, instead of trusting a request because it originates inside the corporate network. This improves the security of the overall architecture and, because access no longer depends on a VPN or on network location, can also make access easier for users. The zero-trust architecture fits modern workplace scenarios, such as telecommuting, multi-cloud deployment, and bring your own device (BYOD).

IDaaS Public Cloud and IDaaS private deployment

Alibaba Cloud IDaaS Public Cloud is a ready-to-use cloud service that has flexible billing. Administrators can activate the service by using their Alibaba Cloud accounts.

IDaaS private deployment refers to a private deployment of Alibaba Cloud IDaaS to a specified environment, such as your Alibaba Cloud virtual private cloud (VPC), an Amazon Web Services (AWS) environment, or a data center.

Terms related to identity providers

IdP

In Security Assertion Markup Language (SAML), an identity provider (IdP) authenticates the user and returns a signed SAML response to a service provider (SP). The term is now used more generally for a unified identity management platform. In IDaaS, IDaaS is the IdP.

SP

In SAML, a service provider (SP) consumes the response returned by an IdP: it validates the signature on the assertion and then establishes a session for the user. The term is now used more generally for an application to which an IdP is connected. In IDaaS, an SP is an application.

AD

Active Directory (AD) is a directory service developed by Microsoft. It is used to manage organizations, accounts, and permissions in enterprise scenarios and can be deployed on its own. A large number of modern applications also support AD-based accounts. However, enterprises often look for other identity management solutions, such as IDaaS, because AD compatibility issues affect the user experience.

LDAP

Lightweight Directory Access Protocol (LDAP) is the protocol used to query and modify directory services. It is most often used with AD and OpenLDAP, but other directory servers, such as Apache Directory, also implement it.

OpenLDAP

OpenLDAP is an open source implementation of LDAP.

ADFS

Active Directory Federation Services (ADFS) is a server role included with Windows Server. It extends AD identities to external applications by using federation protocols such as SAML 2.0 and WS-Federation. However, ADFS is difficult to use and requires O&M.

DingTalk Contacts

DingTalk Contacts can be connected to IDaaS. You can synchronize identities between DingTalk and other account systems.

Terms related to accounts

organizational structure

An organizational structure is a tree structure of an enterprise. A department is a unit in the structure.

organization

An organization, organizational unit (OU), or department is a node in an organizational structure. In general, an organization is a department in an enterprise.

root organization node

Each IDaaS instance has only one root node, which is the enterprise itself. In IDaaS, you can modify the name of the root node.

account

In principle, each user has exactly one IDaaS account. A user logs on to the IDaaS application portal with this account and, once single sign-on (SSO) is configured, can be authorized to access applications through it.

account lifecycle management

Account lifecycle management is the process of managing the full lifecycle of an account, from the creation of an account (onboarding of the employee) to the termination of an account (offboarding of the employee), and includes operations such as disabling, locking, moving, and modifying the account.

group

A group is a set of accounts and is used to assign permissions and set the synchronization scope.

synchronization

In IDaaS, synchronization refers to the transfer of accounts and organizations between different systems. You can synchronize incremental data or full data, perform instant synchronization or scheduled synchronization, and synchronize data from IDaaS to an external system or from an external system to IDaaS.

SCIM

System for Cross-domain Identity Management (SCIM) is an open standard (RFC 7643 and RFC 7644) for synchronizing accounts and organizations between different systems. A large number of applications accept SCIM provisioning requests, which allows identities to be kept consistent across systems.

Terms related to applications

SSO

SSO means that users can access all applications after a single logon. SSO is implemented in different forms as applications evolve over time. In the context of IDaaS, SSO refers only to federated identity management based on standard protocols such as SAML and OpenID Connect (OIDC).

IdP-initiated SSO

IdP-initiated SSO is triggered when a user who is already logged on to the IDaaS application portal opens an application from the portal. In this process, the logon request is initiated by IDaaS (IdP).

SP-initiated SSO

SP-initiated SSO occurs when a user accesses an application and the application determines whether logon is required. If logon is required, the user is redirected to IDaaS (IdP) for authentication and redirected back to the application. In this process, the request is initiated by the application (SP).

application user

An application user is the identity assumed by a logged-on IDaaS account in the application during SSO. For example, zhangsan (IDaaS account) is the administrator (application user) in the Operations Platform application. IDaaS supports multiple ways to associate application users with IDaaS accounts. When multiple identities can be assumed in an application, users need to select one identity to access the application.

signature generation and verification

A digital signature based on an asymmetric algorithm is usually used to ensure that tokens are not forged or tampered with. When OIDC-based SSO is implemented, IDaaS signs the issued id_token with its RSA private key by using RS256 (RSA signature over SHA-256). The application verifies the signature with the corresponding public key to ensure that the token was issued by IDaaS and has not been modified. Verifying the signature is necessary but not sufficient: the application must also pin the expected algorithm instead of trusting the token's alg header, and check the iss, aud, exp, and (if used) nonce claims.

encryption and decryption

Encryption is implemented by using symmetric or asymmetric algorithms. When data of an IDaaS application is synchronized, IDaaS uses AES-256 to encrypt the data before transmission, and the application decrypts it with the same symmetric key, which must be shared out of band and kept confidential. This protects the confidentiality of the data in insecure network environments. Encryption alone does not guarantee that the data arrives unmodified; to also detect tampering, use an authenticated mode such as AES-GCM or add a separate message authentication code.

authorization

Authorization refers to the assignment of permissions on objects (applications or other resources) to subjects (organizations or accounts). In IDaaS, you can grant access to all connected applications to manage permissions in a centralized manner. An organization can access an application only after you grant the organization access to the application in IDaaS.

SAML

Security Assertion Markup Language (SAML) is a widely adopted XML-based authentication standard for SSO. SAML is more complex than OIDC. IDaaS supports SAML 2.0.

OIDC

OpenID Connect (OIDC) is an identity federation protocol that is commonly used worldwide in scenarios such as SSO, authentication, and delegated authentication. OIDC was published in 2014 as the successor to OpenID 2.0 and is built on OAuth 2.0.

JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact format for transmitting claims between parties as a JSON object, signed (JWS) and optionally encrypted (JWE). In the context of identity and access management (IAM) in China, JWT often also denotes a simplified SSO implementation, loosely modelled on the OIDC implicit flow, in which the IdP redirects the user to the application with a signed JWT that carries the identity.

CAS

Central Authentication Service (CAS) is an open SSO protocol for web applications that is used worldwide.

OAuth 2.0

OAuth 2.0 is an authorization framework (RFC 6749) that is often used as the basis for SSO, although it does not itself define how a user is authenticated; OIDC adds that identity layer on top of it. Because OIDC is built on OAuth 2.0, most of the flows in OIDC and OAuth 2.0 are similar.

access_token/id_token/refresh_token

An access token is presented to call an API operation provided by an IdP. It is a bearer credential: whoever holds it can use it, so it must be transmitted only over TLS and never written to logs.

An ID token is used to obtain information about the account that is logged on. It is consumed by the application itself and is not meant to be sent to APIs.

A refresh token is used to obtain a new access token after the original access token expires. It is typically longer-lived than an access token and must be stored as securely as a password.

OIDC and OAuth client credentials flow

In the client credentials flow, permissions are granted to the application service itself instead of to a user or account. The application obtains the permissions to call the resource or API operation. IDaaS issues a client_id and client_secret to the application; the application exchanges them for an access token and uses it to call the API operations that IDaaS specifies. The client_secret identifies the application, so it must be stored as securely as a password and rotated if it is exposed.

OAuth authorization code flow

In the authorization code flow, the user authenticates at the third-party system and consents to the application's request. The application receives a short-lived, single-use authorization code on its redirect URI and exchanges it, together with its client credentials, for tokens. It then obtains the user's identity information from the third-party system and logs the user on by using that identity. DingTalk and WeChat both use the authorization code flow for logon.

OAuth device flow

The device flow is used on hardware devices that cannot display the IDaaS logon page, such as smart TVs or devices without a browser. The device shows a short code, and the user opens the IDaaS logon page in a computer or mobile browser, enters the code, and logs on. The device polls IDaaS until the logon completes and then receives the user's identity to finish its own logon.

Terms related to logon

password complexity

The passwords of the accounts must meet the complexity requirements.

lazy loading

Lazy loading and just-in-time provisioning refer to the following design. If IDaaS cannot find the identity information of a user who logs on, the authentication request is automatically forwarded to the enterprise's original identity system. After that system authenticates the user, the account information is stored in IDaaS. This design is usually used when passwords in the original system cannot be exported to IDaaS, for example because only password hashes exist, so accounts can only be imported gradually as users log on.

MFA and 2FA

Multi-factor authentication (MFA) and two-factor authentication (2FA) refer to verifying two or more independent credentials presented by a user, such as something the user knows (a password) and something the user has (a phone or OTP device). They are usually used to enhance account security for password-based logon because of the security risks of passwords. IDaaS allows you to use 2FA methods such as text message verification code, email verification code, and OTP.

OTP

An OTP is a dynamic password that is valid only once. The most common type is the time-based OTP (TOTP), in which the code is derived from a shared secret (seed) and the current 30-second time window. The server and the client must share the seed in advance and keep their clocks synchronized. Authentication succeeds when the OTP computed by the client equals the OTP computed by the server for the same time window; servers usually accept one adjacent window on either side to tolerate clock drift, and reject a code that has already been used.

Application portal

The IDaaS application portal is the page from which you can initiate SSO to all applications. Customizing the page is a paid feature.