IT Knowledge

US Security Assertion Markup Language Authentication Market: Corma's Identity Access Management Glossary

Nikolai Fomm
COO and co-founder
1 minute of reading

Why companies going through digital transformation need to understand the key terminology of Identity and Access Management.

This glossary is meant for organizations that want to keep up with rapid technological change. The authentication market is growing quickly, reflecting the expanding role of secure identity verification. From the long-standing role of Active Directory in user authentication and access control to newer concepts such as Zero Trust Network Access (ZTNA), familiarity with IAM terminology is a prerequisite for digital transformation initiatives. Understanding key concepts such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Identity as a Service (IDaaS) lets companies strengthen their security posture, streamline user access, and meet strict regulatory requirements. Data protection regulations and rising cyber threats are also driving demand for more capable IAM solutions, and as businesses adopt Zero Trust to reduce risk, a working understanding of IAM becomes indispensable for protecting digital assets while enabling secure access to resources across diverse environments. This glossary is a starting point for anyone who wants to dive into this wide topic.

Access Management (AM)

Access Management (in French, Gestion des Accès) is the process of identifying, tracking, and controlling user access to information systems, applications, or any other IT resource through secure authentication mechanisms. It covers strong authentication, logical access control, Single Sign-On (SSO), identity federation, and access traceability, and it addresses security and compliance requirements across an organization's information system.

Secure access management is increasingly vital in modern IT environments to protect data, ensure regulatory compliance, and enable seamless access across cloud and mobile platforms.

Authorization & Authentication

Authorization is the process that ensures properly authenticated users can access only the resources they are permitted to, as defined by the resource owner or administrator. In the consumer world, authorization may also refer to the process where a user ensures that a cloud-based application (such as a social network) accesses only specific information from a non-affiliated website (such as the user’s webmail account).

Authentication is the process of verifying a user's claimed identity from the credentials presented at login to an application, service, computer, or digital environment. A credential pairs an identifier (for example, a username) with one or more authentication factors: something the user knows (a password or PIN), something the user has (a phone, smart card, or security key), or something the user is (a biometric). If the presented factors match what the application or Identity Provider holds (for passwords, a salted hash rather than the password itself), the user is authenticated and a session is established; authorization then decides what that session may access. Adaptive authentication adjusts the verification required based on user behaviour, location, device fingerprinting, and other contextual risk signals.

Bring Your Own Identity (BYOI)

Not to be confused with the party request "bring your own beer". In identity management, the goal is to let employees and partners use identities they already hold to access corporate resources. Any identity that provides a sufficient level of identity assurance qualifies: government-issued identity cards, healthcare smart cards, or online identities such as social media profiles and professional network accounts; commercially available FIDO authenticators can raise the assurance level of any of them. The enterprise and consumer worlds are converging, and enterprise security teams are under increasing pressure to offer the authentication methods users know from consumer services while still meeting enterprise assurance requirements.

Customer Identity and Access Management (CIAM)

Customer Identity and Access Management refers to the management of identities and access for a company’s customers, with a strong emphasis on secure identity management to address rising cybersecurity threats. It enables businesses to manage customer identities, control their access to services and applications based on context, and apply security and privacy policies to safeguard sensitive data while enabling secure data exchange between customers and services. CIAM enhances user experience with streamlined registration and secure access pathways while providing businesses with insights into customer access for marketing opportunities and compliance with regulations like GDPR.

Card Management System (CMS)

A Card Management System is software that allows organizations to administer their authentication token inventory centrally. It facilitates the lifecycle management and deployment of various authentication tokens, including smart cards, FIDO2 tokens, digital certificates, and access control badges. CMS ensures efficient management of authentication tokens throughout their lifecycle, from issuance to revocation, providing user-friendly interfaces for requesting and retrieving personalized physical tokens and digital certificates. It also includes comprehensive dashboards for tracking token operations, addressing traceability and compliance requirements, and contributing to robust identity management solutions.

Data Access Governance (DAG)

Data Access Governance, or Gouvernance des Accès aux Données Non Structurées, focuses on controlling and securing access rights to unstructured data, such as documents, spreadsheets, presentations, or emails, to protect sensitive information. DAG works in conjunction with document management solutions, including Document Management Systems (DMS), file servers, and SharePoint portals, considering the dynamic nature of data sharing and the importance of mitigating data leakage risks and reducing the risk of data breaches.

FIDO (Fast Identity Online)

The Fast Identity Online (FIDO) Alliance, established in 2013, is an industry consortium that develops open standards for online authentication with the aim of reducing reliance on passwords while delivering a high assurance level across devices. The FIDO2 family consists of the W3C's WebAuthn API, which lets a web application register and use public-key credentials, and the Alliance's CTAP (Client to Authenticator Protocol), which lets a browser or platform talk to an external authenticator such as a security key. Authentication is passwordless: the private key never leaves the authenticator, and the user unlocks it locally with a biometric or a PIN that is never sent to the server. FIDO2 is supported by all major browsers and operating systems.

IDaaS (IAM-as-a-service)

IDaaS stands for IAM-as-a-Service, also called Identity-as-a-Service. It describes Identity and Access Management (IAM) solutions delivered from the cloud as a service, covering Access Management and Authentication and supporting secure access to cloud services at scale. IDaaS has been treated as a separate market in recent years, but given market developments and technological shifts it is increasingly seen as two disciplines, Access Management and IGA, each of which can be delivered on-premises, as software, or as a cloud platform, with growing integration across cloud platforms.

Identity and Access Governance (IAG)

Identity and Access Governance (IAG) adds centralized governance on top of IAM: it verifies that identities are legitimate, prevents orphan accounts, enforces separation of duties (SoD), and monitors activity for compliance purposes. IAG solutions combine supervision tools, role mining, entitlement reviews, and SoD enforcement to strengthen both regulatory compliance and security posture.

Identity and Access Management (IAM)

Identity and Access Management ensures secure access to organizational resources by managing digital identities and their associated permissions. IAM encompasses various components and technologies, including authentication solutions for secure access management, strong authentication, identity federation, Single Sign-On (SSO), lifecycle management, and provisioning. A robust IAM strategy requires a platform capable of accommodating diverse IAM services and addressing future organizational needs.

Identity Federation

Identity federation relies on a trusted central system, the Identity Provider (IdP), that handles user authentication. When a user tries to access a cloud application, the application delegates authentication to the IdP each time rather than keeping its own password store. Federated identity removes the need to manage separate credentials across multiple web applications, whether inside the organization or external to it. Federation is built on standards such as SAML and OpenID Connect, which carry the result of authentication from the IdP to the application as a signed assertion or token and thereby enable single sign-on (SSO) across diverse platforms.

SAML-based federation in particular is widely used to satisfy regulatory requirements and to provide seamless access in cloud and hybrid environments.

Identity as a Service (IDaaS)

Identity as a Service (IDaaS) provides IAM functionality as a cloud-based service, offering scalability, flexibility, and cost-effectiveness; cloud-hosted SAML and OIDC identity providers are a key component for secure, scalable authentication. IDaaS solutions include directory services, SSO, multi-factor authentication (MFA), provisioning, and workflows, enabling organizations to streamline identity management and deploy faster while reducing operational overhead.

IdP (Identity Provider)

An Identity Provider (IdP) creates, maintains, and manages digital user identities and their authentication factors. IdPs rely on authentication servers to verify users against stored credentials such as passwords or biometric data, typically backed by a directory such as Microsoft Active Directory or OpenLDAP (the directory itself is not the IdP). Popular IdPs include Google, Facebook, Amazon Web Services (AWS), Microsoft (Active Directory Federation Services, Entra ID), and Ping Identity; they enable Single Sign-On (SSO) and identity federation for access across multiple applications.

IM (Identity Management)

Identity Management (IM) involves centrally managing user identity data, profiles, and roles within a network. It encompasses user lifecycle management, account provisioning, and entitlement management to efficiently handle user identities amidst the complexity of modern IT environments. IM ensures compliance, enhances security, and streamlines access management processes, supporting secure identity management to safeguard sensitive data and address rising cybersecurity threats.

MFA (Multi Factor Authentication)

Multi Factor Authentication (MFA) verifies user identity by requiring at least two distinct factors from the following categories: possession (something the user has), inherence (something the user is), and knowledge (something the user knows). By combining multiple authentication factors, such as passwords, biometrics, or security keys, MFA significantly reduces the risk of unauthorized access and enhances security posture within IAM strategies, especially when adaptive authentication is used to dynamically adjust verification requirements based on user behavior and contextual risk factors.

OAuth2

OAuth2 is an open protocol for delegated authorization: it lets a user grant an application limited access to resources held by another service, with the user's consent and without sharing their password. The application (client) obtains an access token from the provider's authorization server and presents it when calling the provider's API on the user's behalf. OAuth2 does not authenticate the user to the client; it only delegates authorization, which is why OpenID Connect is layered on top when the client needs to know who the user is.

OIDC (OpenID Connect)

OpenID Connect (OIDC) is a federation standard and the third generation of the protocol maintained by the OpenID Foundation (after OpenID 1.0 and 2.0). It adds an identity layer on top of OAuth2: alongside the access token, the authorization server issues a signed ID token (a JWT) that states who authenticated, when, and for which client. This closes the gap OAuth2 alone leaves for authentication, since an access token proves only that some access was granted, not who the user is; a relying party must establish identity from the ID token, never from a bare access token. OIDC is commonly used for login in mobile applications and commercial websites.
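The ID token checks described above, as an added example that is not code from this page's author or from any product it mentions. It assumes a confidential client that registered a client_secret with the provider and that the provider signs ID tokens with HMAC-SHA256 (HS256) using that secret, which OIDC Core allows; RS256/ES256 tokens need a JOSE library and the provider's JWKS instead. The issuer, client id, secret and claims are constructed for the example.

```python
"""Validating an OpenID Connect ID token on the relying-party side (added example)."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example"                             # constructed
CLIENT_ID = "inventory-app"                                # constructed
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"  # constructed


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Stand-in for the provider's token endpoint: produce a compact JWS.
    alg="none" is accepted here only so the validator can be shown rejecting it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float) -> dict:
    """Return the verified claims or raise ValueError (OIDC Core 1.0 section 3.1.3.7)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm we expect; never let the token choose it. This single check
    # rejects alg=none and key-confusion tricks.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token was not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    # The nonce was generated by us, kept in the session and sent in the authentication
    # request; comparing it here ties this token to that request and defeats replay.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo() -> dict:
    """Run the validator over one good token and four bad ones; return the outcomes."""
    now = 1_700_000_100
    good = {"iss": ISSUER, "sub": "user-7", "aud": CLIENT_ID, "iat": now - 100,
            "exp": now + 300, "nonce": "n-4f2a"}
    results = {"valid_sub": validate_id_token(mint_id_token(good, CLIENT_SECRET), CLIENT_SECRET,
                                             ISSUER, CLIENT_ID, "n-4f2a", now)["sub"]}
    cases = {
        "alg_none": (mint_id_token(good, CLIENT_SECRET, alg="none"), "n-4f2a"),
        "wrong_audience": (mint_id_token({**good, "aud": "other-app"}, CLIENT_SECRET), "n-4f2a"),
        "replayed_nonce": (mint_id_token(good, CLIENT_SECRET), "n-0000"),
        "expired": (mint_id_token({**good, "exp": now - 1}, CLIENT_SECRET), "n-4f2a"),
    }
    for name, (token, nonce) in cases.items():
        try:
            validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce, now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so a forged body never influences control flow; the nonce check is what turns a valid token from the right provider into a token for this particular login.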

PAM (Privileged Access Management)

Privileged Access Management (PAM) enables organizations to manage access and authentication for users with privileges on critical resources or administrative applications. It encompasses both internal users, such as system administrators or users handling sensitive data, and external users like managed service providers. PAM solutions not only control user identity and access but also monitor user activity in real-time to detect and prevent unauthorized access attempts. By enforcing strong authentication measures like multi-factor authentication and implementing robust authentication mechanisms, PAM ensures secure privileged access management and compliance with governance requirements.

SAML (Security Assertion Markup Language)

Security Assertion Markup Language (SAML) is a federation standard developed by the non-profit consortium OASIS. SAML carries authentication and authorization data between a user's identity provider (IdP) and a service provider (SP) as digitally signed XML documents. SAML authentication is widely adopted for federated identity across cloud and enterprise environments, and enterprises benefit from its standardization, security features, and improved user experience. Its most common use is letting enterprise users reach multiple applications with a single sign-on.

When a user tries to log in to a cloud-based application, the SP redirects the browser to the trusted Identity Provider with an authentication request. The Identity Provider authenticates the user by whatever means it is configured for (password plus a one-time code, a FIDO key, and so on) and returns a SAML Response to the SP's Assertion Consumer Service (ACS) URL, usually through the user's browser. A successful Response carries a signed SAML assertion stating who authenticated, when and how, for which audience, and for how long the assertion is valid, plus any attributes such as groups or e-mail; a failed authentication produces a Response with a non-success status and no assertion. The Service Provider (Salesforce, Office 365, Dropbox, and so on) verifies the signature against the IdP's certificate and checks the assertion's conditions before granting access: an assertion with a valid signature that is addressed to another SP, has already been used, or is past its expiry must still be rejected.

Security Token Services

The Identity Provider model also appears under the names token-based authentication or Security Token Service (STS), the terminology of WS-Trust and WS-Federation. An STS plays the role of an Identity Provider and a Relying Party (RP) that of a Service Provider; instead of SAML assertions, the parties exchange security tokens. Despite the different terminology, the underlying concept is the same.

SLO (Single Logout)

Single Logout (SLO) terminates a user's sessions across all connected applications and web services at once within a Single Sign-On (SSO) environment. Ending every session, not just the one at the Identity Provider, closes the window in which an abandoned application session could be exploited. SLO implementations use protocols such as SAML, exchanging logout requests between each application and the Identity Provider, or rely on centrally managed authentication tokens that can be revoked.

SP (Service Provider)

A Service Provider (SP) delivers application services to clients over a network, typically the Internet. Examples include government services, healthcare providers, banks, and e-commerce platforms. SPs rely on Identity Providers (IdPs) to verify user identity and certain user attributes. Through identity federation, SPs establish trust relationships with IdPs, allowing users to access services using verified identity information provided by the IdP. SPs simplify user access to services and resources while offloading the responsibility of access management.

SSO (Single Sign-On)

Single Sign-On (SSO) enables users to access multiple applications with a single authentication process. It streamlines authentication across web, enterprise, and mobile environments. Because authentication is centralized, SSO lets the organization enforce one password policy and multi-factor authentication at the identity provider, and it reduces helpdesk costs associated with password management. Users benefit from a seamless experience and no longer need to remember multiple passwords.

SSRPM (Self Service Reset Password Management)

Self-Service Reset Password Management (SSRPM) empowers users to reset their passwords independently in case of forgotten or locked accounts. SSRPM solutions reduce helpdesk burden and enhance user autonomy by enabling password reset from both user devices and web portals. They incorporate various authentication methods, including multi-factor authentication, to ensure secure password management and user access.

WebAuthn (Web Authentication)  

WebAuthn, developed by the W3C, is the web-facing half of FIDO2 (CTAP is the other): a browser API for authenticating to web applications with asymmetric keys. A credential is a key pair created by a registered device such as a smartphone, laptop, or hardware security key; the private key never leaves the authenticator, and the site stores only the public key. Each assertion is signed over a server-chosen challenge and the origin the browser saw, so a credential registered for one site cannot be used from a look-alike phishing site, and nothing reusable crosses the wire, unlike passwords and SMS codes. Widely supported by major browsers and platforms, WebAuthn has become the standard for phishing-resistant, passwordless user authentication.
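The relying-party checks that give WebAuthn its phishing resistance, as an added example that is not code from this page's author or from any product it mentions. It implements the steps from the WebAuthn specification's "Verifying an Authentication Assertion" that bind the response to our challenge, origin and RP ID and that detect cloned authenticators; the ECDSA/RSA signature over the bytes returned as `signed_data` still has to be checked against the credential's stored public key with a crypto library, and that step is assumed to follow. The authenticator is simulated, and all challenges, origins and counters are constructed.

```python
"""Relying-party verification of a WebAuthn assertion, minus the public-key signature check (added example)."""
import base64
import hashlib
import hmac
import json
import struct

FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def simulate_authenticator(rp_id: str, challenge: bytes, origin: str, flags: int, sign_count: int):
    """What browser + authenticator hand back: clientDataJSON and authenticatorData.
    The browser, not the page, fills in `origin`, which is why a phishing page cannot forge it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client_data, auth_data


def verify_assertion(client_data_json: bytes, auth_data: bytes, *, expected_challenge: bytes,
                     expected_origin: str, rp_id: str, stored_sign_count: int,
                     require_uv: bool = False) -> dict:
    """Raise ValueError on any binding failure; otherwise return what to store and what to sign-check."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(expected_challenge)):
        raise ValueError("challenge mismatch (replay or stale ceremony)")
    if cd.get("origin") != expected_origin:
        raise ValueError(f"origin {cd.get('origin')!r} is not ours: credential exercised from another site")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not hmac.compare_digest(rp_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch: assertion scoped to a different RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # A counter of zero on both sides means the authenticator does not implement one.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not advance: possible cloned authenticator")
    # The authenticator signed exactly these bytes; verify them with the stored public key next.
    signed_data = auth_data + hashlib.sha256(client_data_json).digest()
    return {"new_sign_count": sign_count, "user_verified": bool(flags & FLAG_UV),
            "signed_data": signed_data}


def demo() -> dict:
    """A genuine login, a response relayed through a look-alike origin, and a cloned key."""
    rp_id, origin = "app.example", "https://app.example"
    challenge = bytes(range(32))  # constructed; a real RP draws at least 16 random bytes per ceremony
    out = {}
    cd, ad = simulate_authenticator(rp_id, challenge, origin, FLAG_UP | FLAG_UV, 12)
    out["genuine"] = verify_assertion(cd, ad, expected_challenge=challenge, expected_origin=origin,
                                      rp_id=rp_id, stored_sign_count=11)["new_sign_count"]
    # A phishing site could not even request this credential (RP ID mismatch in the browser);
    # the origin check is the server-side backstop if that client-side scoping ever fails.
    cases = {"phished": simulate_authenticator(rp_id, challenge, "https://app-example.evil", FLAG_UP, 13),
             "cloned": simulate_authenticator(rp_id, challenge, origin, FLAG_UP, 12)}
    for name, (cd, ad) in cases.items():
        try:
            verify_assertion(cd, ad, expected_challenge=challenge, expected_origin=origin,
                             rp_id=rp_id, stored_sign_count=12)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    return out
```

Running `demo()` accepts the genuine assertion and stores counter 12, rejects the one whose clientDataJSON names a different origin, and rejects the one whose counter did not move past the stored value, which is the only signal a relying party gets that a private key has been copied.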

WS-Federation (Web Services Federation)

WS-Federation (sometimes called "Web Services Federation Language" or "WS-Fed") is an identity federation standard from the WS-* family. It enables the exchange of identity information between applications with different security requirements. It builds on WS-Trust (Web Services Trust Language), which defines how security tokens are requested from and issued by a Security Token Service, to express trust relationships between heterogeneous environments. Users can use one set of credentials to access resources in different systems while identity information is exchanged securely. WS-Federation can be used to implement Single Sign-On (SSO) and to streamline access to various resources. Like SAML and OAuth, it is a mature technology.

ZTNA (Zero Trust Network Access) / Zero Trust  

Zero Trust is a strategic cybersecurity model based on the principle that there is no inherent trust within the network and that access should not be granted by default to any user. Zero Trust Network Access extends this concept, focusing on systematically verifying and continuously monitoring access to applications based on various factors such as user authentication, context, and access control policies. By leveraging technologies like multi-factor and contextual authentication, access control, and privilege management, organizations can implement a Zero Trust security posture tailored to the current digital landscape. ZTNA enhances user experience and agility while aligning cybersecurity strategies with business needs.

Conclusion

As organizations navigate the complexities of the digital era, mastering IAM concepts emerges as a strategic imperative for achieving resilience, agility, and competitive advantage. By embracing IAM best practices and staying abreast of emerging trends, businesses can position themselves for success in an ever-evolving technological landscape, driving sustainable growth and innovation.
