Selerix Developer Tools
Glossary

This glossary attempts to bridge the ambiguity gap that is common in the insurance industry, and to provide some essential definitions for terminology used in this documentation.

Access Control - Protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy.

Active Requestor - An active requestor is an application (possibly a Web browser) that is capable of issuing Web services messages such as those described in WS-Security and WS-Trust.

Administrator - In general terms, an administrator is a person who oversees the management and operation of system elements such as users, roles, permissions, content and system resources.  However, in the Selerix Web Services documentation, an administrator is one who builds, tests and/or maintains an enrollment site hosted on Selerix BenSelect.

Adult Beneficiary - An individual who meets all of the following conditions: (1) is at least 18 years of age; (2) during the Plan Year, and for a minimum of 12 months prior to enrollment, has his or her principal place of residence in the employee's home; (3) is a member of the employee's household; (4) is not the employee (i.e. nanny); (5) is not an eligible child; and (6) does not have access to other medical coverage (group or Medicare).

Affordable Care Act (ACA) - A government created misnomer commonly referred to as Obamacare.

Affordability Rule - Part of the ACA that stipulates the maximum percentage of an employee's salary that can be consumed by the cost of health care.  Currently this means that employee-only health coverage cannot cost more than 9.5% of the employee's annual income.

Age Band - A limit to benefits based on age; a table listing age ranges and the percentage of benefit reduced or remaining, depending on how it is being handled.

Age Out - A person is no longer eligible for coverage because he/she is no longer within the required age range.  For example, a dependent who turns 26 can no longer be covered under the dependent umbrella.

Agent Pending - Agent Pending is a status that can be applied to an enrollment in BenSelect and indicates an agent must manually approve an application before an enrollment can be considered complete.  Agent pending may be assigned to enrollments even though forms have been signed and the enrollment process completed.

Application - A request for coverage in a given benefit plan.  Enrollment is flagged as an application as soon as enrollment begins and remains an application until all required forms are signed, at which time it becomes a coverage.

Application Program Interface (API) - A software tool by which developers may access software features without necessarily knowing the implementation details.  An API grants access to a particular system or subsystem.

Appointment - Contract number of agent tied to a carrier

Artifact - A data object within a SAML message. SAML artifacts are embedded in URLs and conveyed in HTTP messages, such as HTTP response messages with "3xx Redirection" status codes, and subsequent HTTP GET messages.  Artifacts are bits of data in SAML assertions that may include user permissions.

Assertion - A piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization data applying to the subject with respect to a specified resource.  An assertion may refer to information transmitted in a data package or the process of data package transmission itself.

Asserting Party - A site or domain that provides an Assertion.

Association - Association is the process by which principals become associated or affiliated with a trust realm or federation.

Attribute - A distinct characteristic of an object or data collection; often a SAML Subject. Attributes describe an object such as size, weight, name, address, status, encoding, network address, and so forth.  It often equates to a field in a database.  When applied to XML, an attribute consists of a name-value pair such as color and blue.

Attribute Service - An attribute service is a Web service that maintains information (attributes) about principals within a trust realm or federation. The term principal, in this context, can be applied to any system entity, not just a person.

Authentication - A process by which a person or entity is identified by a trusted authority, usually an Identity Provider.

Benefits workbook - A document that is created during group case implementation that describes the case setup requirements in terms of census, forms, product offerings, eligibility, rates and so forth.

Binding - In general terms, a binding specifies the mapping of a protocol's messages and the means by which messages are exchanged, such as mapping the SAML <AuthnRequest> to HTTP or SOAP.

Carrier - An insurance benefits provider, often also the underwriter (Allstate, Colonial, Trustmark, etc.).

Case - A Selerix Case consists of an administration site and an enrollment site.  The administration site allows individuals with administrative rights to build, test and maintain a BenSelect enrollment site.  The enrollment site allows individuals to enroll themselves and their family members in insurance and other products.  A case may sometimes be referred to as an Employer or a Group.

Case Administrator - Person or persons responsible for configuring a BenSelect enrollment.  This includes defining the enrollment flow, products that are to be offered, rates, enrollment rules, who has enrollment access, and so forth.  Also referred to as a case builder.

Case Wrap Up - A process initiated by the BenSelect case builder or site administrator after open enrollment.  It performs various steps to ensure enrollments are complete and applicants are automatically enrolled as defined in the plan rules.

Census Data - Enrollee data that includes basic demographic information, family members and employment information that are used in business rules processing to determine product eligibility.  May include existing enrollments. 

Census Template - Data container, typically Excel or Access database file, used to communicate census data between employers and BenSelect.  Click here to download the Excel version of the Selerix census template.  See also: Census Data.

Census Upload - Process of uploading Census Data to Selerix BenSelect in preparation for insurance and related benefits enrollment.

Claim - A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, attribute, etc.).

Coverage - A benefit enrollment.  To become a coverage, an applicant must be eligible for a product as determined by Case business rules, must have either enrolled in a product actively or have been automatically enrolled during Case Wrap Up, and must have signed necessary forms.  Until the form is signed, which includes the final confirmation form, the product is still considered an Application. Note that a Coverage may be in a Pending state whereby the coverage is not yet in force and the person is not being charged a premium.

Coverage Tier - Indicates level of coverage in terms of persons that are included on a policy.  The most common coverage tiers in BenSelect enrollments are employee only (EO), employee and spouse (ES), employee and child (EC), spouse and child (SC) and family (FA).

Credentials - Data that is transferred to establish a claimed principal identity.

Data Access Layer (DAL) - Often seen in the Selerix developer namespaces, the DAL encapsulates the Selerix Data Model.  This data model is used both internally on BenSelect and by case administrators and partner developers to customize enrollments with JScript.NET, establish integration relationships between Selerix and third parties, and access data used in reporting.  The Selerix .NET library exists in the DAL namespace.

Digest - A digest is a cryptographic checksum of an octet stream.

Direct Brokered Trust - Direct Brokered Trust is when one party trusts a second party who, in turn, trusts or vouches for, the claims of a third party.

Direct Trust - Direct trust is when a relying party accepts as true all (or some subset of) the claims in the token sent by the requestor.

DOH - An exclamation uttered by Homer Simpson during periods of intense annoyance, frustration, or surprise.  See also: Date of Hire.

Domain - See Realm

Effective Date - The date an Application goes into effect; also referred to as being in force.

Election - Product that was selected by an applicant.  Does not necessarily imply Coverage, but may refer to an Application.

Eligibility Date - The date an applicant, usually the employee, is eligible to enroll in benefits.  This is often the same as the employee's date of hire.

Entity - An active element of a computerized network system which may include automated processes, subsystems, persons or groups that incorporates a distinct set of functionality.

EOI - See Evidence of Insurability

Evidence of Insurability - Either the questions posed by a carrier to determine an individual's eligibility, or the answers to those questions. When included as part of a product's enrollment rules, a Coverage remains in a Pending state until necessary EOI is provided to the carrier and the carrier approves the application.

EXtensible Markup Language (XML) - A W3C standard markup language similar to HTML in appearance used to store data in a way that it is not machine or platform dependent.  It defines a set of rules for encoding information in a format that is both human and machine-readable.

EXtensible Stylesheet Language (XSL) - A style sheet language for XML documents.  XSL defines how a browser should display data contained in an XML document.

EXtensible Stylesheet Language Transformations (XSLT) - Defines how an XML document is converted to another format.

Federated Identity - See Federation

Federation - Provides a way to identify and validate users in partner organizations.  Federations allow a user to traverse multiple partner sites using sessions to eliminate the need to re-authenticate with a password.  Federations incorporate trusted attributes (e.g. X509 certificates, X509v3 attribute certificates, Kerberos tokens, SAML assertions) about users (e.g. including roles and group information) allowing for privacy and business-specific rules.  Federations are composed of Identity Providers, Attribute Services, and Pseudonym Services.

Federation Profile - Describes how a Federation is applied in terms of the digital contracts within the Federation.

Form Transmittal - Delivery of custom forms, especially those that require a signature.

FTE - See Full-Time Equivalent

Full Time Equivalent - A measurement used to determine when an employee is considered a full-time employee.  In BenSelect, an FTE of 70 indicates the employee works 70% of the time worked by a full-time employee.

GI - See Guaranteed Issue

Grace Period - The number of days after the Eligibility Date that an employee is allowed to log on to BenSelect and enroll.  See also: Waiting period.

Guaranteed Issue - Refers to the conditions under which a carrier will automatically approve an application for coverage.  Applications that fall within GI rules go into effect as defined by the product's enrollment rules without requiring carrier approval.  When an application exceeds GI, it goes into a pending state such that the Application has been promoted to Coverage status, but there is no deduction and the insurance is not yet in force until the carrier approves the application.

Globally Unique Identifier (GUID) - A string of numbers divided by dashes that is guaranteed to be unique.

HTML Entities - A W3C standard browser-independent means by which character symbols may be represented.  HTML Entities are used when embedding Selerix Transmittal XML into a SOAP or SAML message used in a BenSelect integration.  See also: developer's quick reference.

Hypertext Markup Language (HTML) - The language used by the World Wide Web to describe how a web page should be rendered in terms of layout, typography, links, and so forth.

Hypertext Transfer Protocol (HTTP) - The most common protocol used by the World Wide Web to communicate between web sites and browsers.  See also:  HTTPS.

Identity Mapping - Identity Mapping is a method of creating relationships between identity properties. Some Identity Providers may make use of ID mapping.

Identity Provider - An entity that provides an authentication service to end users and data origin authentication service to service providers (this is typically an extension of a security token service).

Indirect Brokered Trust - Indirect Brokered Trust is a variation on direct brokered trust where the second party cannot immediately validate the claims of the third party to the first party and negotiates with the third party, or additional parties, to validate the claims and assess the trust of the third party.

Message Authentication - Message authentication is the process of verifying that the message received is the same as the one sent.

Open Enrollment - The period of time during which employees are allowed to enroll in benefits.  Most companies have one OE period a year.

Passive Browser - A passive browser is an HTTP browser capable of broadly supported HTTP (e.g. HTTP/1.1).

Pay Group - A payroll category that defines things like pay and deduction frequencies (full-time, part-time, weekly, bimonthly, etc.).  A pay group may have a biweekly pay schedule and a bimonthly deduction schedule.  Pay groups in BenSelect may also affect Eligibility.

Payer - Although it typically refers to the company that provides underwriting for an insurance policy, a payer may also be a third party administrator or a financial institution.

Payer Product - A benefit product associated with a particular Payer.  BenSelect enrollment cases may include multiple Plans with multiple Payers in each plan, all of which use the same Payer.  Contextual example: The Critical Illness offered on this case is a Trustmark payer product.

Pending - Identifies the state of a product enrollment.  Typically, a policy goes into effect (in force) the first day of the month after it has been elected and the necessary forms have been signed.  However, if the applicant requests more than the Guaranteed Issue or has to submit Evidence of Insurability to the Carrier, the coverage may be put in a pending state whereby no premiums are paid and no coverage is in force until the carrier approves the application.  In this state the coverage is active but not in force.  A coverage may also be placed into a pending state as determined by product enrollment business rules defined on the case until the application is approved by a case administrator.  In this state the policy is said to be in an Agent Pending state.

Plan - An umbrella for one or more Products that are offered to Applicants during enrollment. For example, an enrollment group may have a Critical Illness plan that allows the applicant to choose between an Aetna or a Trustmark product.  Typically, an applicant may elect only one product that is offered by a plan.  An important concept to understand here is that plans, not products, may be waived.  If a plan is waived, there is no product associated with the application and the plan is flagged as waived.  Like a product, a plan has a set of enrollment rules.  Applicants that are not eligible for a plan are, by definition, not eligible for any of the plan's products.  Lastly, an applicant that is eligible for a plan may only be eligible for a single product although several products are associated with the plan.  Products, not plans, have rates.  Plans are referred to as Case Products in the Selerix data model.

PPO - Preferred Provider Organization.  Members of a PPO typically have a higher payout for services than comparable HMO organizations.

Principal  - A system entity whose identity can be authenticated.

Product - A product is a specific Carrier policy.  Refer to the Plan description for more information about Plans and Products in BenSelect.

Profile - A profile is a document that describes how this model is applied to a specific class of requestor (e.g., passive, or active).

Proof-of-Possession - Proof-of-possession is authentication data that is provided with a message to prove that the message was sent and/or created by a claimed identity.

Proof-of-Possession Token - A proof-of-possession token is a security token that contains data that a sending party can use to demonstrate proof-of-possession. Typically, although not exclusively, the proof-of-possession information is encrypted with a key known only to the sender and recipient parties.

Proxy - An entity authorized and empowered to act on behalf of another.

Pseudonym Service - A pseudonym service is a Web service that maintains alternate identity information about principals within a trust realm or federation. The term principal, in this context, can be applied to any system entity, not just a person.

Realm (or "Domain") - A realm or domain represents a single unit of security administration or trust.

Relying Party - An entity participant who is a member of a Federation.

Role - A collection of user permissions.  Users may have one or more roles and each role tends to define a set of permissions in BenSelect.  A user that is assigned the system default permissions for the QX Enroller can only connect to BenSelect programmatically using the Selerix web services API.

SAML - See Security Assertion Markup Language

SAML Assertion - Sent as the first step in a Service Provider Initiated SAML session.  The SAML Assertion contains information the Identity Provider needs to authenticate the user specified in the SAML message XML.

SAML Response - Sent as the first step in an Identity Provider Initiated SAML session or the second step in a Service Provider Initiated SAML session.  The SAML Response contains the information that describes a web service request sent to the Service Provider.

Security Assertion Markup Language (SAML) - An OASIS Security Services Technical Committee open standard that uses XML to define a means by which members of a Federation, such as an end user, may be identified between an Identity Provider and a Service Provider. Although the goal of SAML is identification, authentication and verification of identity, SAML XML data envelopes may also include other information such as roles, permissions and data.

Security Token - A security token represents a collection of claims.

Security Token Service (STS) - A security token service is a Web service that issues security tokens (see WS-Security and WS-Trust). That is, it makes assertions based on evidence that it trusts, to whoever trusts it. To communicate trust, a service requires proof, such as a security token or set of security tokens, and issues a security token with its own trust statement (note that for some security token formats this can just be a re-issuance or co-signature). This forms the basis of trust brokering.

Sender Authentication - Sender authentication is corroborated authentication evidence possibly across Web service actors/roles indicating the sender of a Web service message (and its associated data). Note that it is possible that a message may have multiple senders if authenticated intermediaries exist. Also note that it is application-dependent (and out of scope) as to how it is determined who first created the messages as the message originator might be independent of, or hidden behind an authenticated sender.

Serialize - A software development term that describes the process of converting an object in memory to a representation of that object in a static form, typically using XML as the storage medium.  The field mapping in BenSelect that is used to populate the fields on an enrollment form is another example of serialized data (e.g., Event.Fields).  Serialized data may be the product of an XSL Transformation (XSLT) or may be generated programmatically.

Service Provider - A system entity that provides information to a Principal in a Federation.

Session - Allows data communications between two or more members of a Federation without requiring authentication each time.  For security purposes, Selerix Web Service sessions automatically terminate after a prescribed period of user inactivity, after which time the user will have to re-authenticate to resume activities.

Signature - A signature is a value computed with a cryptographic algorithm and bound to data in such a way that intended recipients of the data can use the signature to verify that the data has not been altered since it was signed by the signer.

Sign-Out - A sign-out is the process by which security tokens are destroyed for a realm/domain or federation.

Signed Security Token - A signed security token is a security token that is asserted and cryptographically signed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).

Simple Object Access Protocol (SOAP) - An XML-based protocol used to exchange structured information in a decentralized, distributed environment.  The SOAP specification breaks the protocol down into three basic parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses.  Developers use the SOAP protocol to make remote procedure calls (RPC) to Selerix Web Services.

Simplified Issue (SI) - Simplified Issue is a product that is underwritten only after Carrier approval.  Simplified Issue refers to the simplification of risk calculation rather than the business rules required to set it up for enrollment.  See also: Guaranteed Issue.

Single Sign Off - Added in SAML 2.0, single sign off is used when a person is logged in to multiple sites.  It provides a means by which a person may be logged out of all sites with a single operation.  Single sign off does not apply to BenSelect enrollments.

Single Sign On (SSO) - Single Sign On is an optimization of the authentication sequence to remove the burden of repeating actions placed on the end user. To facilitate SSO, an element called an Identity Provider can act as a proxy on a user's behalf to provide evidence of authentication events to 3rd parties requesting information about the user. These Identity Providers are trusted 3rd parties and need to be trusted both by the user (to maintain the user's identity information, as the loss of this information can result in the compromise of the user's identity) and by the Web services, which may grant access to valuable resources and information based upon the integrity of the identity information provided by the IP.

Subject - A Principal in the context of a security domain. SAML assertions make declarations about subjects.

Transport Layer Security (TLS) - A protocol used as a means by which data may be exchanged securely over a computer network.


Trust - Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes.

Trust Domain - A Trust Domain is an administered security space in which the source and target of a request can determine and agree whether particular sets of credentials from a source satisfy the relevant security policies of the target. The target may defer the trust decision to a third party thus including the trusted third party in the Trust Domain.

Underwriter - See Carrier.

Uniform Resource Identifier (URI) - A compact string of characters that identify a resource.  URIs are the universal addressing mechanism for resources on the World Wide Web. A URL is a URI subset.

Uniform Resource Locator (URL) - A URI that references a web resource, where the resource is located on a computer network, and a mechanism for referring to it.  URLs most commonly reference web pages (http), are used for file transfer (ftp), email (mailto), database access (JDBC), and other uses.

Validation Service - A validation service is a Web service that uses the WS-Trust mechanisms to validate provided tokens and assess their level of trust (e.g. claims trusted).

Waiting Period - Number of days an employee has to wait after the eligibility date before a product goes into effect (in force).

Web Services Description Language (WSDL) - Uses XML to describe functionality offered by a web service.  The Selerix BenSelect WSDL for enrollment services may be obtained here, and administrative services here.

Web Services Security (WS-Security) - An extension to SOAP to apply security to Web services

XML - See Extensible Markup Language

XML Element - A logical document component that either begins with a start-tag and ends with a matching end-tag or consists only of an empty-element tag. The characters between the start-tag and end-tag, if any, are the element's content, and may contain values or additional child elements. Whereas HTML describes how a document should be rendered, XML effectively contains field identifiers and their values, such as <Name>Lyle Griffin</Name>.  An empty element, that is a field with no value, contains only one element marker followed by a forward slash such as <Name />.

XML Namespace - Namespaces are commonly used to identify a URI reference used in an XML document.  In general terms, a namespace is a string of characters used to differentiate between XML tags with the same name, and is usually applied as a prefix to an XML element.  For example, since both people and companies may have a <City> Element, a namespace could be used to provide context to the data, such as: <employee:City>Dallas</employee:City>.

XML Tag Name - See XML Element

XML Schema Definition (XSD) - A World Wide Web Consortium (W3C) recommendation to formally describe the Elements in an XML document in order to ensure information in the document is valid.  It may define parameters for data such as limits and the type of data element such as to distinguish between a string and a number.  Schemas typically include grammatical rules, the order of elements, Boolean predicates that must be satisfied to be valid, data types for values enclosed in an Element, and so forth.

XSD - See XML Schema Definition.

XSL - See EXtensible Stylesheet Language.

XSLT - See EXtensible Stylesheet Language Transformations

 


Document content created April 2017 by Mike Welch, Systems Integration Engineer at Selerix Systems Inc.