In the current talk we discuss our experience with federated identity management at the Karlsruhe Institute of Technology (KIT, merger of the University of Karlsruhe and the Research Centre Karlsruhe), where a federated provisioning service has been implemented by the Steinbuch Centre for Computing (SCC) and the project Karlsruhe Integrated InformationManagement (KIM). This IDM-service is intended to overcome the heterogeneity of the highly diverse structure of organizational units (OU) of the KIT without interfering existing self-reliance of any OU. Besides the operation of such an inner-organizational federation, KIT is a member of the German federation DFN-AAI which is Germanys largest authentication and authorization infrastructure for research. This federation provides SAML-based and cross-organizational access to almost one hundred services for researchers of German universities and research institutions. Furthermore, we are also involved in current intents of providing federated single sign-on to so far locally administered services and resources for researchers of the state of Baden-Württemberg. After five years of developing and operating identity management at KIT, in particular in the aforementioned aspects (provisioning, authentication, and authorization), this talk will critically examine in which areas and under which conditions federated approaches have more advantages and are more manageable than central solutions. Furthermore, we will show our experience in development and operation of federated identity management services, our identified advantages, challenges, and restrictions of federated approaches and an insight into the current and future structure of identity management at KIT.
