Page 1: ORCID and Federated Identity and Access Management

ORCID and Federated Identity and Access Management

ORCID Outreach, Chicago, May 21, 2014. Keith Hazelton, Internet2, Univ. of Wisconsin-Madison

Page 2: ORCID in Identity Federation Scenarios

• ORCID iDs can be passed as part of the attribute payload when a user accesses a federated service

• Raises a question that doesn’t yet have a definitive answer:

– Are there valid usage scenarios for this possibility?

• First: What is federated use of ORCID iDs and what value might it have?

Page 3: Attribute Schema for Federated Access

• Whenever an organization wants its members to get access to third party digital resources and services

• In federated scenarios, the organization offers an Identity Provider (IdP) serving its members/users while third party resources and services are represented as Service Providers (SPs)

Page 4: Federated Flows

[Diagram: Federated Flows, with the steps Authenticate, Assert Attributes, Deliver Content]

Page 5: Federated Flows

[Diagram: the same federated flow (Authenticate, Assert Attributes, Deliver Content), now showing the ORCID iD carried in the asserted attributes:]

eduPersonOrcid: http://orcid.org/0000-0102-9134-699X

Page 6: ORCID and Federated Identity and Access Management

There is now a defined way to do this

Page 7: Federated exchange of ORCID iDs -- good practice?

• What is the risk to the SP of accepting the IdP's assertion?

• Could standardized verification methods at the IdP institution mitigate the risk?

• How would the SP know if a particular ORCID iD had been verified?

• Is SP-side verification always the better alternative?

– Since the user is “present”, ORCID APIs could be leveraged

– But that adds a computational step to the SP processing
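A minimal SP-side intake check for the eduPersonOrcid attribute, added here as an example and not part of the slides: it pulls the value out of a constructed SAML attribute statement, validates the ORCID iD's ISO 7064 MOD 11-2 check digit, and records the iD as asserted-but-unverified, because nothing in the assertion itself answers the verification questions above. The attribute OID and the sample statement are assumptions of this example; the iD shown on slide 5 happens not to pass the check-digit test and is classified accordingly.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EDU_PERSON_ORCID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.16"  # eduPersonOrcid attribute name (assumed OID)
# eduPersonOrcid is released in URI form; the iD is 15 digits plus an ISO 7064 MOD 11-2
# check digit (0-9 or X), grouped in fours.
ORCID_URI_RE = re.compile(r"^https?://orcid\.org/(\d{4}-\d{4}-\d{4}-\d{3}[\dX])$")

# Constructed sample of what an SP might receive from an IdP (not taken from the slides);
# the iD value is the one shown on slide 5.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" FriendlyName="eduPersonOrcid">
    <saml:AttributeValue>http://orcid.org/0000-0102-9134-699X</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def orcid_check_digit(base15: str) -> str:
    """ISO 7064 MOD 11-2 check digit over the 15 leading digits of an ORCID iD."""
    total = 0
    for d in base15:
        total = (total + int(d)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def checksum_ok(orcid: str) -> bool:
    """True when the dashed 19-character iD carries the correct check digit."""
    digits = orcid.replace("-", "")
    return orcid_check_digit(digits[:15]) == digits[15]


def classify_edu_person_orcid(statement_xml: str) -> dict:
    """Extract eduPersonOrcid from a SAML AttributeStatement; status is one of
    missing | malformed | checksum_failed | asserted_unverified. A well-formed iD is
    still only asserted by the IdP: the attribute says nothing about verification."""
    root = ET.fromstring(statement_xml.strip())
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") != EDU_PERSON_ORCID:
            continue
        raw = (attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS) or "").strip()
        match = ORCID_URI_RE.match(raw)
        if not match:
            return {"status": "malformed", "raw": raw}
        orcid = match.group(1)
        if not checksum_ok(orcid):
            return {"status": "checksum_failed", "orcid": orcid}
        return {"status": "asserted_unverified", "orcid": orcid}
    return {"status": "missing"}
```

Anything other than asserted_unverified should be dropped rather than stored; even that status only means the value is well-formed, and confirming ownership still requires a check outside the assertion.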