.. _Glossary:

Glossary
=============

A collection of useful terms used throughout the cookbook and more widely when working with SAML.

Basic Terms
-----------

.. glossary::

   Identity Provider
      A tool that performs authentication. Shibboleth IdP and SimpleSAMLphp are identity providers. This is frequently abbreviated to **IdP**.

   Service Provider
      A service that gets user information from the IdP and performs authorization. The examples in this repository are all service providers. This is frequently abbreviated to **SP**.

   Relying Party
      A synonym for :term:`Service Provider`. This is sometimes abbreviated to **RP**.

   Metadata
      An XML configuration document with a strict format. Both the IdP and SP can generate metadata. Metadata can contain entries such as:

      - Entity Id
      - SSO Endpoint/ACS Endpoint
      - Description
      - Supported encryption/signing methods

      :SP Metadata URL Example: \https://app.service.com/saml2/metadata
      :IdP Metadata URL Example: \https://login.rit.edu/saml2/metadata

   Entity Id
      A globally-unique URI (Uniform Resource Identifier) used to identify an IdP or SP. You should generate a new entity id for every environment (dev, test, stage, production) as well as for every service.

      :SP Entity Id Example: \https://app.service.com/saml2
      :IdP Entity Id Example: \https://login.rit.edu/saml2

   SSO Endpoint
      The IdP single sign-on endpoint. This is where the SP sends the user during login. This information can be found in your IdP metadata.

      :IdP SSO Endpoint Example: \https://login.rit.edu/saml2/redirect/sso

   ACS Endpoint
      The SP assertion consumer service. This is where the IdP sends the user after authentication and attribute filtering have happened.

      :SP ACS Endpoint Example: \https://app.service.com/saml2/acs

   Signing/Encryption
      Messages sent to the IdP and SP can be encrypted (to secure data) and signed (to verify that data hasn't been tampered with). By default, messages sent from the IdP to the ACS should be encrypted and signed.

Advanced Terms
--------------

.. glossary::

   Subject
      A subject is a grouping of related information for a single entity, including the identity. An example of a subject is a person with example attributes height, eye color, birthday, name, and social security number.

   Principal
      A principal is an identifier for a :term:`Subject`. A person's principal could be something like their driver's license number, social security number, or an email address.
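The Metadata, Entity Id, ACS Endpoint and Signing/Encryption entries above describe what an SP metadata document carries. The following is an added example, not code from the cookbook or from any of the SAML products it names: it parses a constructed SP metadata document with Python's standard library, pulls out the glossary entries (entity id, ACS endpoints, signing and encryption certificates), and reports where the document falls short of the "encrypted and signed" default. The entity id and ACS URL are the glossary's own example values; the certificate contents are placeholders, and the ``parse_sp_metadata`` / ``metadata_warnings`` names are this example's, not any library's.

```python
"""Parse SAML 2.0 SP metadata and check its signing/encryption posture.

Added example: uses only xml.etree from the standard library. The sample
document is constructed for this example; its certificates are placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespaces defined by the SAML 2.0 metadata and XML Signature specs.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata. Entity id and ACS URL match the glossary's
# example values; the X509Certificate bodies are placeholders, not real keys.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.service.com/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.service.com/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class SPMetadata:
    """The glossary entries recovered from one SPSSODescriptor."""
    entity_id: str
    acs_endpoints: list = field(default_factory=list)  # (binding, location) pairs
    signing_certs: list = field(default_factory=list)
    encryption_certs: list = field(default_factory=list)
    authn_requests_signed: bool = False
    want_assertions_signed: bool = False


def parse_sp_metadata(xml_text: str) -> SPMetadata:
    """Extract entity id, ACS endpoints and key descriptors from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document root is not an md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor carries no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    meta = SPMetadata(entity_id=entity_id)
    meta.authn_requests_signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    meta.want_assertions_signed = sp.get("WantAssertionsSigned", "false").lower() == "true"
    for acs in sp.findall("md:AssertionConsumerService", NS):
        meta.acs_endpoints.append((acs.get("Binding"), acs.get("Location")))
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # a KeyDescriptor without 'use' serves both purposes
        certs = [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
        if use in (None, "signing"):
            meta.signing_certs.extend(certs)
        if use in (None, "encryption"):
            meta.encryption_certs.extend(certs)
    return meta


def metadata_warnings(meta: SPMetadata) -> list:
    """List settings that fall short of 'assertions are encrypted and signed'."""
    warnings = []
    if not meta.want_assertions_signed:
        warnings.append("WantAssertionsSigned is not true: SP does not demand signed assertions")
    if not meta.encryption_certs:
        warnings.append("no encryption KeyDescriptor: IdP cannot encrypt assertions to this SP")
    if not meta.signing_certs:
        warnings.append("no signing KeyDescriptor: IdP cannot verify signed AuthnRequests")
    for _binding, location in meta.acs_endpoints:
        if not (location or "").startswith("https://"):
            warnings.append("ACS endpoint %s is not served over HTTPS" % location)
    return warnings


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity Id:", parsed.entity_id)
    print("ACS endpoints:", parsed.acs_endpoints)
    print("Warnings:", metadata_warnings(parsed) or "none")
```

The parser reads only the fields the glossary names, so the same function works on metadata exported from any SP; the warnings function is where an operator would add their own deployment's rules (for example, rejecting a metadata document whose ACS location is not under the expected host).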