This document uses the following terms:
Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section 184.108.40.206.2, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.
claim: A declaration made by an entity (for example, name, identity, key, group, privilege, and capability). For more information, see [WSFederation1.2] sections 1.4 and 2.
globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).
security realm or security domain: Represents a single unit of security administration or trust, for example, a Kerberos realm (for more information, see [RFC4120]) or a Windows Domain (for more information, see [MSFT-ADC]).
security token: A collection of one or more claims. Specifically in the case of mobile devices, a security token represents a previously authenticated user as defined in the Mobile Device Enrollment Protocol [MS-MDE].
security token service (STS): A web service that issues security tokens. That is, it makes assertions based on evidence that it trusts; these assertions are for consumption by whoever trusts it.
web browser requestor: An HTTP 1.1 web browser client that transmits protocol messages between an IP/STS and a relying party.
web service (WS) resource: A destination HTTP 1.1 web application or an HTTP 1.1 resource serviced by the application. In the context of this protocol, it refers to the application or manager of the resource that receives identity information and assertions issued by an IP/STS using this protocol. The WS resource is a relying party in the context of this protocol. For more information, see [WSFederation1.2] sections 1.4 and 2.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.