Below is a list of definitions for important terms in common use related to FedCM. Many of the definitions are intended to match existing terms in identity standards, in some cases adapted and constrained for relevance in the context of FedCM.
This document is continually evolving. Feedback is welcome.
- Process used by an Identity Provider to achieve sufficient confidence in the binding between the user and a presented identity.
Note that in some discussions and documentation, the term authentication is used to refer to the federated sign-in process. However, the user does not authenticate to the RP during federated sign-in. The user authenticates to the IdP, which then provides a claim to the RP asserting the user’s identity. The user does not prove their identity to the RP directly.
External references: OIDC terminology, OIDC authentication, SAML glossary
- Process used by a Relying Party to obtain access grants to information or capabilities for the user on an Identity Provider.
References: OAuth 2.0, SAML glossary
- The property of data flows between a Relying Party and an Identity Provider being forced through channels that are visible to and controllable by the user agent.
- A protocol that includes both network data flows and user interaction for the purpose of achieving authentication, authorization or sign-in.
References: WebAuthn glossary
- A part of a ceremony that comprises a user interaction with a clear user-agent-controlled UI element that can be taken to mean the user accepts a privacy risk that has been explained in accompanying text, so that the ceremony may proceed accordingly.
- A piece of information asserted by an Identity Provider about a user.
References: OIDC terminology
- Category of use cases that apply generally to publicly-accessible Relying Parties and Identity Providers.
- A set of claims that is a restricted subset of OpenID standard claims and that satisfies the restriction to be a directed identifier.
This term is novel in FedCM and its details could be subject to change.
- A claim granted to a Relying Party by an Identity Provider that constitutes an identifier for the user but cannot be correlated with other identifiers granted to different Relying Parties.
- Category of use cases that apply to private restricted-access Relying Parties and Identity Providers, in particular where organizations can have provisioning capabilities over user agents. This typically encompasses use cases of corporations, institutions, or government agencies.
- Process used by a Relying Party to obtain a user identifier from an Identity Provider to which the user has authenticated.
References: OIDC
- A claim or set of claims that comprises a unique mapping to a user within a given scope, such as for a particular Relying Party.
References: SAML glossary
- A service that has information about the user and can grant that information to Relying Parties.
References: OIDC terminology
- The property of a federated sign-in and authorization design that would allow deployment by Identity Providers who use existing standardized federation flows without them having to modify their services.
- The property of the Identity Provider not being aware of the specific Relying Party through all or part of a ceremony.
- A privacy threat in which an Identity Provider is able to surveil or correlate user activity across the web.
References: FedCM Threat Model
- A service that requests user information from an Identity Provider for user account sign-in or for other purposes.
References: OIDC terminology, SAML glossary
- The property of a federated sign-in and authorization design that would allow deployment by Relying Parties who use existing standardized federation flows without them having to modify their web properties or account systems. This particularly applies to RPs that import scripts from Identity Providers to implement federation.
- The property of the Relying Party not having access to a correlatable identifier (i.e. an identifier that is not a directed identifier) in a federated sign-in ceremony.
- A privacy threat in which a Relying Party is able to surveil or correlate user activity across the web.
References: FedCM Threat Model
- A predefined set of claims that are included in a standard OIDC request for the purpose of user identification.
This term is defined as a part of the OpenID Connect specification. The use of this term in FedCM refers to the OIDC definition.
References: OIDC
- A directed identifier that has the property that the user agent is able to validate that it is directed.
- Client software such as a web browser that renders web content and can implement FedCM.