Federated and Service-Oriented Identity Management at a University

1. EXECUTIVE SUMMARY In this contribution we state the following thesis: The concept of federation represents a promising way to ease the establishment and operation of organizational and technical issues of identity management at a university. This concept fits well for most universities due to the fact that typically universities consist of " somewhat " independent organizational units like library, computing center, administration and various faculties, with each having their own identity repository or even local identity management. We show two main advantages of this conceptual view of a university. On the one side the identity management can be build up successively in a step-by-step manner. On the other side the organizational units are seen as satellites with each needing just one or a small number of interfaces to the overall identity management system thus setting up a kind of hierarchy of identity management systems. This system can use different technologies, namely identity as a service and (de-)provisioning, to provide identity information to the organizational units and processes across the university. We exemplify how to integrate a satellite in the federation. Another contribution is the structuring of the establishment of a federation by categorizing artifacts and components in four models and by proposing a reasonable sequence of phases. This classification distinguishes between information, functional, communication and organizational aspects known from the integrated management of distributed systems. We conclude the paper with a discussion reflecting our experiences gained while setting up an identity management for a university.