Research Institutions Enabling Institutional Sign-In for your Researchers to their ORCID Accounts

In 2016, ORCID signed an agreement with SURF to enable all researchers at SURF and eduGAIN member institutions to access the ORCID registry using the same credentials they use to log into their university accounts.

By default, all eduGAIN member institutions are listed in the “Institutional Account” drop-down menu on the ORCID sign-in page. For this functionality to work, eduGAIN member institutions must configure and support institutional sign-in within their own systems. Please note that an institution that has not yet set up this configuration will still be listed; researchers who select it will receive error messages, although they can still sign in using their ORCID sign-in credentials. If the institutional sign-in process is successful for the researcher, the authorisation will be listed in “Account Settings” under “Alternate sign in accounts”.

This feature is available to all SURF and eduGAIN member institutions and is not an ORCID consortium member benefit. When users connect their institutional account to their ORCID iD in the institutional sign-in process, no information is sent to the institution from ORCID. It is an alternative sign-in process for the researcher only and does not provide the institution with any additional permissions to read/write etc. However, as part of the process of developing member integrations and rolling out ORCID within your institution, it is important to ensure that this part of the researcher experience is working without error.

This documentation is for those responsible for configuring and supporting institutional sign-in within their institution’s systems.

If you are new to this, you may want to review the materials on Federations 101 developed by the AARC (Authentication and Authorization for Research and Collaboration) Project.

ORCID IS A SERVICE PROVIDER

ORCID is a service provider registered in the eduGAIN interfederation service. We are categorized as a Research and Scholarship entity by REFEDS.

At this time, the only Identity Provider (IdP)-dependent service that ORCID provides is institutional Single Sign On (SSO) for the user. Institutions must be listed by the discovery service for this to be available as an option for users.

SPECIFICS ON ORCID’S CLASSIFICATION

Federation(s):

SURFconext
eduGAIN interfederation service

Entity type:

Service provider

Entity ID:

https://orcid.org/saml2/sp/1

ORCID metadata:

Available in the Metadata Explorer Tool (MET)

Supported protocols:

SAML 2.0

Required attributes:

ORCID requires a locally unique, persistent, non-reassignable identifier to link an institution account to an ORCID account. Specifically, any of the following identifiers will be accepted for this purpose:

  1. a persistent NameID (transient NameIDs will not be accepted)
  2. eduPersonUniqueID (ePUID)
  3. eduPersonTargetedID (ePTID)

What about eduPersonPrincipalName (ePPN)?
ORCID does not accept ePPN for this attribute, even for research and scholarship entities. This is due to the longevity of ORCID iDs/accounts, as well as the chance, albeit small, of reassignment of eduPersonPrincipalName (ePPN).
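An IdP operator can check what a test assertion actually releases against the rules above. The following is an added example, not ORCID's code: the function name, the sample assertions and the `urn:oid` attribute names (the usual eduPerson SAML names, not given on this page) are assumptions, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1."   # eduPerson attribute arc (assumed SAML naming)
ACCEPTED = {OID + "13": "ePUID", OID + "10": "ePTID"}
EPPN = OID + "6"                           # not accepted for account linking

def linkable_identifiers(assertion_xml):
    """Return (accepted, rejected) identifier labels found in one assertion."""
    root = ET.fromstring(assertion_xml)
    accepted, rejected = [], []
    for name_id in root.findall("saml:Subject/saml:NameID", NS):
        fmt = name_id.get("Format", "")
        if fmt == NAMEID_FMT + "persistent" and (name_id.text or "").strip():
            accepted.append("persistent NameID")
        else:
            rejected.append("NameID:" + (fmt.rsplit(":", 1)[-1] or "unspecified"))
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # ePTID carries a nested <NameID>, so child elements count as a value.
        has_value = any((v.text or "").strip() or len(v)
                        for v in attr.findall("saml:AttributeValue", NS))
        name = attr.get("Name")
        if name in ACCEPTED and has_value:
            accepted.append(ACCEPTED[name])
        elif name == EPPN:
            rejected.append("ePPN")
    return accepted, rejected

# Constructed sample assertions (issuer, conditions and signature omitted).
def _assertion(nameid_format, attributes):
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % pair for pair in attributes)
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject>'
            '<saml:NameID Format="%s">_a1b2c3</saml:NameID></saml:Subject>'
            "<saml:AttributeStatement>%s</saml:AttributeStatement>"
            "</saml:Assertion>" % (NS["saml"], NAMEID_FMT + nameid_format, attrs))

EPPN_ONLY = _assertion("transient", [(EPPN, "jdoe@example.edu")])
WITH_EPUID = _assertion("transient", [(EPPN, "jdoe@example.edu"),
                                      (OID + "13", "9f2c71d0@example.edu")])

if __name__ == "__main__":
    for label, xml in (("ePPN only", EPPN_ONLY), ("with ePUID", WITH_EPUID)):
        ok, bad = linkable_identifiers(xml)
        print(label, "-> linkable:" if ok else "-> NOT linkable:", ok, "ignored:", bad)
```

An empty first list means the assertion carries nothing ORCID can use to link the accounts, which is the case that surfaces to the researcher as a sign-in error.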

Optional attributes:

ORCID will use the following attributes if provided by the institution, but none are required for the SSO service to work.

  1. NAME (displayName, givenName, sn): If a name is provided by the institution, ORCID will use it in the following ways:
    1. Personalize the greeting to the user when they have signed in and are about to link the institutional and ORCID accounts.
    2. FUTURE: Add the name to the researcher’s ORCID record as an “also known as” name, with the researcher listed as the source.
  2. EMAIL (mail): If an email address is provided, ORCID will use it in the following way:
    1. FUTURE: Add the email address to the ORCID record.

Note: The visibility of items added to ORCID records is determined by the individual researcher on the ORCID site. The researcher may delete added items at any time.

ORCID IN THE EDUPERSON SCHEMA

The eduPerson schema added the eduPersonOrcid attribute in its February 2016 update.

As per the eduPerson specification:

  RFC4512 definition

  ( 1.3.6.1.4.1.5923.1.1.1.16
    NAME 'eduPersonOrcid'
    DESC 'ORCID researcher identifiers belonging to the principal'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

Note that the format for this field is the ORCID-preferred URI representation of the iD, i.e. https://orcid.org/0000-0001-2345-6789.

Further information about the format of the ORCID iD can be found in Structure of the ORCID identifier.