Glossary
These acronyms, terms, and concepts are relevant to migration efforts, Identity and Access Management in general, and appear throughout this docusite.
| Term | Definition |
|---|---|
| Access group | Groups of users that can be used to restrict access to your group; can be created based on department, region or other category by using a naming convention that reflects the purpose or audience of the group (e.g., US-Sales-All). |
| ACS | Assertion Consumer Service |
| ADFS | Active Directory Federated Services |
| Admin account | This is usually someone from the application team who is delegated to perform several app management tasks, such as renewing certificates and secrets or adding owners, users or groups to the app. |
| API | Application Programme Interface |
| App integration | This is the process where the IAM team will create a trust between the IdP and the application using a configuration provided by the app team. Upon completion, the IAM team will provide metadata, endpoints, certificates and other IdP configuration information that the app team will need to upload to the app. |
| App migration | This is the process where the IAM team will create a copy of the application integration from PwC ID, in Entra ID, and the app team will replace the PwC ID configuration information with Entra ID configuration information. This will enable users to authenticate with Entra ID as opposed to PwC ID. |
| Application permissions | Application permissions are applied to those Entra apps that authenticate directly against Entra and there are no users authenticating. This type of permission is needed for background service, automations, daemons, etc. These permissions are also known as app roles. Learn more. |
| ARR | Application Readiness Review (NIS) or Application Review Request (M365) |
| Assigned group | An assigned group is a group in Entra where the member users and groups must be manually managed/added/removed by the group owners. This type of group can be created on GUM/One AD and synced to Entra or created directly in Entra. Anyone can create assigned groups in Entra by logging into https://mygroups.microsoft.com. |
| Authentication | Authentication is the process where a user or service proves or authenticates their identity to an IdP. |
| Authorisation | Authorisation is the process where an IdP verifies if the user is allowed to access the resource or application that they are trying to log in to. |
| B2B | Business to Business |
| BAU | Business As Usual |
| CAP | Conditional Access Policy |
| CBA | Certificate-Based Authentication |
| CI | Configuration Item |
| Delegated permissions | Delegated permissions are applied to Entra apps to allow the app to act on behalf of the authenticating user. These are needed for public apps that require an end user authentication. They are also known as scopes. Learn more. |
| Dynamic group | A dynamic group describes any group that does not require the manual addition/removal of users and other groups but does so automatically based on group membership rules as defined either during the creation of the group or modified later. Dynamic groups are to be created only on-premises (SailPoint) and then synced to Entra ID and should not be created directly in Entra ID. |
| Entra ID | Entra ID is the cloud-based IAM tool from Microsoft. |
| GUID | Global User ID |
| GUM | Global User Management (GUM) is the portal where PwC users can create/manage/delete internal as well as external users and groups. |
| IAM | Identity and Access Management |
| IDaaS | Identity as a Service |
| IdP | Identity Provider (IdP) refers to any product or service that is capable of authenticating, authorizing and federating trust between users and other applications within and outside the internal network. Entra, ForgeRock OpenAM, Okta are examples of Identity Providers. |
| KMSI | Keep Me Signed In |
| LDAP | Lightweight Directory Access Protocol |
| MFA | Multi-factor authentication |
| OAuth | Open Authorisation (OAuth) is an industry standard protocol used for authorisation. Learn more. |
| OTP | One Time Password |
| PoC | Proof of Concept |
| PwC ID | PwC Identity (PwC ID) is a term that usually refers to the PwC on-premises instance of ForgeRock OpenAM IdP service. Learn more. |
| RFC | Request for Change |
| RP | Relying Party or Resource Provider (RP) is the organisation that receives and processes claims; it typically references the application that the user is trying to authenticate with. |
| SaaS | Software as a Service |
| SAML | Security Assertion Markup Language (SAML) is an industry standard protocol for authentication. Learn more. |
| SCIM | System for Cross-Domain Identity Management (SCIM) is an open standard protocol for automating the exchange of user identity information between identity domains and IT systems. SCIM ensures that employees added to the Human Capital Management (HCM) system automatically have accounts created in Microsoft Entra ID or Windows Server Active Directory. User attributes and profiles are synchronized between the two systems, updating and removing users based on the user status or role change. Learn more. |
| Scopes | Scopes is also referred to as delegate permissions; these permissions are sent on the authentication request, and an access token will be issued by Entra only if these permissions are assigned to the migrated app on Entra. |
| SLA | Service Level Agreement |
| SNow | ServiceNow |
| SPA | Single Page App |
| SSO | Single Sign On (SSO) is the authentication process where the user is prompted for the username/email address, no more than once. This is done by re-using tokens cached on the user's PC or the browser to perform silent/non-interactive authentication in the background. |
| Static Group | A static group is the same as an assigned group. It is a group that can be added in GUM/One AD/Entra where the membership is manually managed by the group owner. |
| Token | A token is a document that is usually signed using certificates, and that contains sensitive authentication and/or authorisation information of the user, service, application, IdP and resource; it also contains details of the authenticated session and validity token. |
| WAP | Web Application Firewall |
| WS-Fed | Web Service Federation (WS-Fed) is an identity federation protocol that can be used for authentication and is supported by PwC ID and Entra ID. Learn more. |