ORCID and Federated Identity and Access Management
ORCID Outreach, Chicago, May 21, 2014
Keith Hazelton, Internet2, Univ. of Wisconsin-Madison
• ORCID iDs can be passed as part of the attribute payload when a user accesses a federated service
• Raises a question that doesn’t yet have a definitive answer:
• Are there valid usage scenarios for this possibility?
• First: What is federated use of ORCID iDs and what value might it have?
ORCID in Identity Federation Scenarios
Attribute Schema for Federated Access
• Federated access applies whenever an organization wants its members to get access to third-party digital resources and services
• In federated scenarios, the organization offers an Identity Provider (IdP) serving its members/users, while the third-party resources and services are represented as Service Providers (SPs)
Federated Flows (diagram): Authenticate (user to IdP) → Assert Attributes (IdP to SP) → Deliver Content (SP to user)
eduPersonOrcid: http://orcid.org/0000-0102-9134-699X
• There is now a defined way to do this: the eduPersonOrcid attribute in the eduPerson schema, which carries the iD in URL form as shown above
• What is the risk to the SP of accepting the IdP's assertion?
• Could standardized verification methods at the IdP institution mitigate the risk?
• How would the SP know whether a particular ORCID iD had been verified?
• Is SP-side verification always the better alternative?
  – Since the user is "present", the ORCID APIs could be leveraged
  – But that adds a computational step to the SP's processing
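The questions above separate two things an SP can do with an asserted eduPersonOrcid value: cheap local checks (is this an orcid.org URL, is the iD well formed, does its ISO 7064 MOD 11-2 check digit match) versus real verification that the iD belongs to the authenticated user, which needs the ORCID API with the user present. The following is an added example, not code from the deck or from ORCID or Internet2; it models the attribute statement as a plain dict (SAML parsing is assumed to have happened upstream), and the sample payload, the principal name and the non-ORCID host are constructed. The deck's own sample iD is included as an input; the checksum routine computes a check digit of 1 for it, so it is rejected, while ORCID's published example iD 0000-0002-1825-0097 passes.

```python
# Added example (not part of the ORCID Outreach deck): SP-side sanity checks
# on an eduPersonOrcid value received in a federated attribute payload.
# Parsing the SAML assertion is assumed to have happened upstream; the
# attribute statement is modelled as a plain dict. Sample values are constructed.
import re
from typing import List, Optional
from urllib.parse import urlparse

# Hosts the SP is willing to accept an iD from; ORCID now serves iDs over https.
ORCID_HOSTS = {"orcid.org", "www.orcid.org"}
ORCID_FORMAT = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")


def orcid_check_digit(base_digits: str) -> str:
    """ISO 7064 MOD 11-2 check character for the first 15 digits of an ORCID iD,
    as ORCID publishes it: total = (total + digit) * 2 per digit, then
    (12 - total % 11) % 11, with the value 10 written as 'X'."""
    total = 0
    for ch in base_digits:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def normalize_orcid(value: str) -> Optional[str]:
    """Accept an iD in URL form (as eduPerson expresses it) or bare form.
    Return the canonical 16-character iD, or None if the value is not an
    orcid.org URL, is malformed, or fails the checksum."""
    candidate = value.strip()
    if "://" in candidate:
        parsed = urlparse(candidate)
        if parsed.scheme not in ("http", "https") or parsed.netloc.lower() not in ORCID_HOSTS:
            return None
        candidate = parsed.path.strip("/")
    candidate = candidate.upper()
    if not ORCID_FORMAT.match(candidate):
        return None
    compact = candidate.replace("-", "")
    if orcid_check_digit(compact[:15]) != compact[15]:
        return None
    return candidate


def triage_asserted_orcids(attributes: dict) -> List[dict]:
    """Classify each asserted eduPersonOrcid value. A value that passes is still
    only 'asserted_by_idp': the SP has checked shape and checksum, not that the
    iD belongs to the authenticated user. Establishing that is the separate,
    user-present ORCID API step the slide refers to."""
    raw = attributes.get("eduPersonOrcid", [])
    values = [raw] if isinstance(raw, str) else list(raw)
    results = []
    for v in values:
        orcid = normalize_orcid(v)
        results.append({
            "raw": v,
            "orcid": orcid,
            "status": "asserted_by_idp" if orcid else "rejected_malformed",
        })
    return results


# Constructed attribute payload: ORCID's published example iD, the deck's
# sample value, and an iD served from a (constructed) non-ORCID host.
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": "jcarberry@example.edu",
    "eduPersonOrcid": [
        "http://orcid.org/0000-0002-1825-0097",
        "http://orcid.org/0000-0102-9134-699X",
        "https://idp.example.edu/0000-0002-1825-0097",
    ],
}

if __name__ == "__main__":
    for r in triage_asserted_orcids(SAMPLE_ATTRIBUTES):
        print(f"{r['status']:18} {r['raw']}")
```

The point of the status label is that passing these checks changes nothing about trust: the SP still has only the IdP's word that this iD belongs to this user. What the checks do buy is rejecting values that could never be a real iD before they reach any downstream matching logic, at negligible cost and without a network round trip.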
Federated exchange of ORCID iDs -- good practice?