Glossary

The IDSync identity & access management glossary

Plain-language, vendor-neutral definitions for the acronyms, protocols, and concepts you'll meet when evaluating identity, access, and authentication software — from SSO and SAML to SCIM, IGA, PAM, passkeys, and AI agent identity.

Quick answer

What's in the IDSync identity glossary?

Short answer

60 in-depth entries covering authentication (SSO, SAML, OIDC, OAuth, MFA, passkeys), authorization (RBAC, ABAC, ReBAC), provisioning (SCIM, JML), governance (IGA, access reviews), privileged access (PAM, JIT), customer identity (CIAM), and machine and AI agent identity. Each entry explains what the term means, how it works, when buyers care, and which vendor categories to evaluate.

Best for
Identity, security, and IT teams evaluating tools or learning the vocabulary of modern IAM.
When to choose
You want a quick definition plus enough buyer context to know what to do next.
When not to choose
You need an implementation runbook — pair the glossary with the IDSync resources library or the IAM Stack Finder.

A

  • Identity Governance

    Access Review

    An access review is a periodic check where managers or system owners confirm that each user's current access is still appropriate — typically required by SOX, SOC 2, ISO 27001, and HIPAA.

  • Standards

    Access Token

    An access token is a short-lived credential issued by an OAuth 2.0 authorization server that a client presents to a resource server (API) to prove it has been authorized to act on behalf of a user or workload, within a specific scope.

  • Architecture

    Active Directory (AD)

    Active Directory (AD) is Microsoft's on-premises directory service — a combination of LDAP, Kerberos, and DNS — that has authenticated and authorized users, computers, groups, and policies inside Windows networks for 25+ years and remains the identity backbone of most enterprises.

  • Machine & Agent Identity

    AI Agent Identity

    AI agent identity is the practice of giving autonomous AI agents, copilots, and bots their own first-class identities — with scoped credentials, delegated authority, audit trails, and lifecycle controls — instead of letting them impersonate users with broad permissions.

  • Machine Identity

    API Key

    An API key is a long, opaque string an application sends with each request to authenticate to an API — simple to implement but weak compared to OAuth, mTLS, or workload identity for high-value APIs.

  • Authorization

    Attribute-Based Access Control (ABAC)

    Attribute-Based Access Control (ABAC) decides whether a user can take an action by evaluating attributes of the user, the resource, the action, and the environment against a policy — instead of relying solely on group or role membership.

  • Standards

    Authorization Code Flow

    The Authorization Code Flow is the OAuth 2.0 grant in which a client redirects the user to the authorization server, receives a one-time code at a registered redirect_uri, and exchanges that code (with PKCE and/or a client secret) for tokens — the standard flow for almost every modern app.

B

  • Privileged Access

    Break-Glass Access

    Break-glass access is a pre-provisioned, heavily monitored emergency account used only when normal authentication paths fail — for example when the IdP itself is down or an admin is locked out during an incident.

C

  • Cloud Security

    Cloud Infrastructure Entitlement Management (CIEM)

    Cloud Infrastructure Entitlement Management (CIEM) tools discover, visualize, and right-size the permissions that human and machine identities have across cloud providers (AWS, Azure, GCP) — closing the gap between what identities are *granted* and what they actually *use*.

  • Authentication

    Conditional Access

    Conditional Access is an IdP policy capability that evaluates signals (user, device, location, app, risk score) at authentication time and decides whether to allow, block, require MFA, require a compliant device, or require step-up authentication.

  • Authentication

    Continuous Authentication

    Continuous authentication re-evaluates a user's session in near real time using signals like device posture, location, and token revocation — so a compromised or stale session can be terminated mid-flight instead of waiting for token expiry.

  • Customer Identity

    Customer Identity & Access Management (CIAM)

    Customer Identity & Access Management (CIAM) is the identity stack for your customers — registration, login, social and passkey sign-in, profile management, consent, and progressive profiling — at consumer scale.

D

  • Decentralized Identity

    Decentralized Identifier (DID)

    A decentralized identifier (DID) is a W3C standard for globally unique identifiers that are controlled by the subject — not issued by a central registrar — and that resolve to a public-key document used to verify signatures.

  • Authentication

    Device Trust

    Device trust uses signals from a managed or attested device — MDM enrollment, disk encryption, OS version, EDR presence — as a factor in access decisions, ensuring only healthy devices can reach sensitive apps.

  • Authentication

    DPoP (Demonstrating Proof-of-Possession)

    DPoP (Demonstrating Proof-of-Possession, RFC 9449) binds an OAuth access token to a client-held key, so a stolen bearer token cannot be replayed from a different device or process.

F

  • Authentication

    FIDO2

    FIDO2 is the open authentication standard that lets users sign in to websites and apps using public-key cryptography — implemented by WebAuthn in browsers and CTAP2 between the browser and the authenticator (security key, phone, or platform TPM).

I

  • Architecture

    Identity Federation

    Identity federation is the practice of letting one organization's identity provider authenticate users into another organization's applications — enabling B2B SSO, customer SSO into partner apps, and cross-domain single sign-on without duplicating accounts.

  • Governance

    Identity Governance & Administration (IGA)

    Identity Governance & Administration (IGA) is the discipline — and the tooling category — for managing who should have access to what, granting and revoking that access, and proving it to auditors.

  • Architecture

    Identity Provider (IdP)

    An Identity Provider (IdP) is the system that authenticates users (or workloads) and issues signed assertions about their identity to other applications — Okta, Microsoft Entra ID, Google Workspace, Auth0, Ping Identity, and Keycloak are common examples.

  • Detection & Response

    Identity Threat Detection and Response (ITDR)

    Identity Threat Detection and Response (ITDR) is a category of security tooling focused on detecting and responding to attacks that target identity infrastructure itself — credential theft, MFA bombing, session hijacking, AD/Entra compromise, OAuth abuse, and identity-based lateral movement.

J

  • Provisioning

    Joiner / Mover / Leaver (JML)

    Joiner / Mover / Leaver (JML) is the operational model for managing identity through the employee lifecycle — granting access on hire, changing it on role change, and removing it on exit — typically driven from an HR system through the IdP and into downstream apps via SCIM.

  • Standards

    JSON Web Token (JWT)

    A JSON Web Token (JWT) is a compact, signed (and optionally encrypted) JSON payload used to transmit claims about a user or workload between parties — most commonly as an OAuth 2.0 access token or OpenID Connect ID token.

  • Privileged Access

    Just-in-Time Access (JIT Access)

    Just-in-time access grants elevated permissions only for the moment they're needed and revokes them automatically — eliminating standing privilege and shrinking the blast radius of compromised admin accounts.

  • Provisioning

    Just-in-Time Provisioning (JIT)

    Just-in-Time (JIT) provisioning creates or updates a user account in a downstream application at the moment the user first signs in via SSO — using attributes from the SAML/OIDC assertion instead of a pre-built SCIM sync.

K

  • Authentication

    Kerberos

    Kerberos is a network authentication protocol that uses time-bound, encrypted tickets issued by a trusted Key Distribution Center (KDC) so users and services can prove their identity without sending passwords over the wire — most famously the authentication engine behind Active Directory.

L

  • Architecture

    Lightweight Directory Access Protocol (LDAP)

    LDAP is the open, decades-old protocol for querying and modifying directory services — used most famously by Microsoft Active Directory and OpenLDAP — and still the backbone of authentication for Linux servers, network gear, legacy apps, and on-prem infrastructure.

M

  • Authentication

    Magic Links

    Magic links are a passwordless sign-in method that emails the user a single-use, time-limited URL — clicking it logs them in without needing a password.

  • Authentication

    Multi-Factor Authentication (MFA)

    Multi-factor authentication (MFA) requires a user to present two or more independent factors — something they know, have, or are — before being granted access.

  • Authentication

    Mutual TLS (mTLS)

    Mutual TLS (mTLS) is TLS where both the client and the server present X.509 certificates and authenticate each other — used for strong, phishing-resistant, machine-to-machine authentication in service meshes, Zero Trust networks, and high-security APIs.

N

  • Machine & Agent Identity

    Non-Human Identity (NHI)

    Non-Human Identity (NHI) is the umbrella term for service accounts, API keys, OAuth tokens, certificates, secrets, workload identities, and AI agent identities — every identity in the environment that isn't a person.

O

  • Standards & Protocols

    OAuth 2.0 (Open Authorization 2.0)

    OAuth 2.0 is an authorization framework that lets a user grant a third-party application limited access to their data on another service without sharing their password.

  • Standards

    OAuth Scopes

    OAuth scopes are strings (like 'read:users' or 'mail.send') that a client requests at authorization time and that the resource server uses to enforce least privilege — they declare *what* an access token is allowed to do, not *who* the user is.

  • Standards & Protocols

    OpenID Connect (OIDC)

    OpenID Connect (OIDC) is a thin identity layer on top of OAuth 2.0 that lets a relying party verify a user's identity and obtain basic profile information via a signed JSON Web Token (ID token).

P

  • Authentication

    Passkeys

    Passkeys are phishing-resistant, password-replacing credentials based on FIDO2/WebAuthn that are synced across a user's devices via their platform or password manager.

  • MFA

    Phishing-Resistant MFA

    Phishing-resistant MFA is multi-factor authentication that cannot be intercepted, replayed, or socially engineered around — in practice today this means FIDO2/WebAuthn (security keys and passkeys) or PIV / CAC smart cards. SMS, TOTP, and push-approve MFA are *not* phishing-resistant.

  • Authorization

    Policy as Code

    Policy as Code is the practice of expressing authorization, compliance, and governance rules in version-controlled, testable code — evaluated by a dedicated policy engine — instead of hardcoding them in application code or maintaining them in config files and tickets.

  • Identity Governance

    Principle of Least Privilege (PoLP)

    The principle of least privilege says every user, service, and process should hold only the minimum access required to perform its job — and nothing more — at any given moment.

  • Privileged Access

    Privileged Access Management (PAM)

    Privileged Access Management (PAM) is the discipline and tooling for securing, controlling, monitoring, and auditing accounts that have elevated rights — admins, root accounts, service accounts, and break-glass credentials.

  • Privileged Access

    Privileged Session Management (PSM)

    Privileged session management proxies, monitors, and records sessions where users access sensitive systems with elevated rights — providing real-time visibility, recording, and the ability to terminate suspicious activity.

  • Standards

    Proof Key for Code Exchange (PKCE)

    Proof Key for Code Exchange (PKCE, pronounced 'pixie') is an OAuth 2.0 extension (RFC 7636) that protects the authorization code flow from interception attacks by requiring the client to prove it initiated the original authorization request.

R

  • Standards

    Refresh Token

    A refresh token is a long-lived credential issued alongside an access token in OAuth 2.0; the client exchanges it for a new access token (and optionally a new refresh token) without prompting the user to re-authenticate.

  • Authorization

    Relationship-Based Access Control (ReBAC)

    ReBAC models authorization as a graph of relationships — *user is editor of document, document is in folder, folder belongs to team* — making it ideal for collaborative products like Google Docs, Notion, GitHub, and Figma.

  • Authentication

    Risk-Based Authentication (RBA)

    Risk-based authentication scores each login or action using signals like device, location, IP reputation, and behavior, then decides whether to allow, challenge, or block — rather than treating every request the same.

  • Authorization

    Role-Based Access Control (RBAC)

    Role-Based Access Control (RBAC) grants permissions to named roles and assigns users to those roles, instead of granting permissions to users directly.

S

  • Standards & Protocols

    SAML 2.0 (Security Assertion Markup Language)

    SAML 2.0 is an XML-based standard that lets an identity provider (IdP) issue signed assertions about a user so a service provider (SP) can sign them in without a separate password.

  • Provisioning

    SCIM (System for Cross-domain Identity Management)

    SCIM is an open standard REST/JSON protocol for automatically creating, updating, and deactivating user accounts and groups across SaaS applications from a central identity source.

  • Machine Identity

    Secrets Management

    Secrets management is the discipline (and tooling) for securely storing, distributing, rotating, and auditing access to sensitive values — API keys, database passwords, TLS keys, OAuth client secrets — used by humans and workloads.

  • Identity Governance

    Segregation of Duties (SoD)

    Segregation of duties is a control that prevents any single user from holding combinations of permissions that would enable fraud — for example, creating a vendor *and* approving payments to it.

  • Machine Identity

    Service Account

    A service account is a non-human identity used by an application, script, or system to authenticate to other systems — historically a long-lived username + password or API key, increasingly replaced by workload identity and short-lived tokens.

  • Architecture

    Service Provider (SP)

    A Service Provider (SP) is an application that delegates authentication to an Identity Provider and consumes signed identity assertions to grant access — 'Sign in with Okta' makes Salesforce the SP and Okta the IdP. In OIDC the equivalent term is Relying Party (RP).

  • Authentication

    Single Sign-On (SSO)

    Single Sign-On (SSO) lets a user authenticate once with an identity provider and then access many independent applications without signing in again.

  • Privileged Access

    Standing Privilege

    Standing privilege is any elevated permission that remains assigned to a user, role, or service account when it isn't actively being used — making it a persistent target for attackers and the single biggest source of blast radius in modern breaches.

  • Authentication

    Step-Up Authentication

    Step-up authentication prompts a user who is already signed in for an additional, stronger factor before allowing a sensitive action — like transferring money, changing payout details, or accessing PII.

T

  • Authorization

    Token Introspection

    Token introspection is an OAuth 2.0 endpoint (RFC 7662) where a resource server asks the authorization server whether an opaque access token is still active and what scopes and subject it represents.

  • Multi-Factor Authentication

    TOTP (Time-Based One-Time Password)

    TOTP is the algorithm behind authenticator-app codes (Google Authenticator, Authy, 1Password) — a 6-digit code that changes every 30 seconds, derived from a shared secret and the current time.

V

  • Decentralized Identity

    Verifiable Credentials (VC)

    Verifiable credentials are a W3C standard for cryptographically signed digital attestations — a tamper-evident way to prove things like 'I'm over 18', 'I'm a licensed nurse', or 'I work for Acme' without phoning home to the issuer each time.

W

  • Authentication

    WebAuthn (Web Authentication API)

    WebAuthn is the W3C browser API that lets web apps authenticate users with public-key cryptography backed by hardware — the foundation underneath passkeys and security keys.

  • Machine Identity

    Workload Identity

    Workload identity is the practice of giving non-human compute (containers, VMs, Lambdas, CI jobs, Kubernetes pods) cryptographic, short-lived identities — instead of long-lived secrets — so they can authenticate to APIs and each other.

Z

  • Architecture

    Zero Trust

    Zero Trust is a security model that assumes no implicit trust based on network location and instead verifies every access request against identity, device posture, and context before granting least-privilege access.

  • Network Security

    Zero Trust Network Access (ZTNA)

    Zero Trust Network Access (ZTNA) replaces the implicit trust of a VPN with per-application, identity- and context-aware access — users authenticate to a broker, which then connects them to specific apps based on identity, device posture, and policy, hiding the apps from the public internet.

Missing a term?

Tell us what's missing and we'll add it. The IDSync glossary is editorially independent and updated continuously.
