Sign into ORCID with institutional credentials

Your researchers typically have many sets of sign-in credentials, for their institution, personal accounts, and more. Managing them all can be cumbersome, but ORCID makes it easier by enabling your researchers to sign into the ORCID Registry with credentials that they already use.

Already have an integration with the ORCID Registry and qualify for institutional sign-in? You can join our early adopter program for Institutional Collect & Connect, a new process that enables your researchers to sign into ORCID using their institutional accounts and then immediately grant your system permission to read and update their ORCID record. Contact us for more information.

Researchers can still sign into the ORCID Registry with their ORCID username and password, or they can use their institutional credentials or accounts with Google or Facebook.

Institutional sign-in is only available for members of supported access federations (SURFconext, eduGAIN interfederation service); ORCID membership is not required. View the map to see which countries are included.

This documentation is for those responsible for configuring and supporting institutional sign-in within their institution’s systems.

If you are new to this, you may want to review the materials on Federations 101 developed by the AARC (Authentication and Authorization for Research and Collaboration) Project.

Contents

  1. ORCID is a service provider
  2. Specifics on ORCID’s classification
  3. Supporting institutional sign-in in practice
  4. Institutional sign-in management
  5. Need help?
  6. ORCID in the eduPerson schema

ORCID is a service provider

ORCID is a service provider registered in the eduGAIN interfederation service. We are categorized as a Research and Scholarship entity by REFEDS.

At this time, the only Identity Provider (IdP)-dependent service that ORCID provides is institutional Single Sign On (SSO) for the user. Institutions must be listed by the discovery service for this to be available as an option for users.


Specifics on ORCID’s classification

Federation(s):

SURFconext
eduGAIN interfederation service

Entity type:

Service provider

Entity ID:

https://orcid.org/saml2/sp/1

ORCID metadata:

Available in the Metadata Explorer Tool (MET)

Supported protocols:

SAML 2.0

Required attributes:

ORCID requires a locally unique, persistent, non-reassignable identifier to link an institution account to an ORCID account. Specifically, any of the following identifiers will be accepted for this purpose:

  1. a persistent NameID (transient NameIDs will not be accepted)
  2. eduPersonUniqueID (ePUID)
  3. eduPersonTargetedID (ePTID)

What about eduPersonPrincipalName (ePPN)?
ORCID does not accept ePPN for this attribute, even for research and scholarship entities. This is due to the longevity of ORCID iDs/accounts, as well as the chance, albeit small, of reassignment of eduPersonPrincipalName (ePPN).
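
As an added illustration (not ORCID's code), the following Python check lets an IdP administrator test an assertion against the identifier rules above. The sample assertions are constructed and unsigned, the urn:oid names are the standard eduPerson ones, and the function names are hypothetical; it checks presence only and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Standard urn:oid names of the eduPerson attributes discussed above.
ACCEPTED = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID"}
REJECTED = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName"}

def linking_identifiers(assertion_xml):
    """Return (accepted, rejected) identifier names found in one assertion."""
    root = ET.fromstring(assertion_xml)
    accepted, rejected = [], []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        fmt = name_id.get("Format", "unspecified")
        if fmt == PERSISTENT:
            accepted.append("persistent NameID")
        else:
            rejected.append("NameID format " + fmt.rsplit(":", 1)[-1])
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        # ePTID values are usually a nested <NameID>, so child elements count.
        has_value = any((v.text or "").strip() or len(v)
                        for v in attr.iterfind("saml:AttributeValue", NS))
        name = attr.get("Name")
        if has_value and name in ACCEPTED:
            accepted.append(ACCEPTED[name])
        elif has_value and name in REJECTED:
            rejected.append(REJECTED[name])
    return accepted, rejected

def sample(name_id_format, attrs):
    """Build a constructed, unsigned assertion for the demonstration."""
    body = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>%s'
                   '</saml:AttributeValue></saml:Attribute>' % a for a in attrs)
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject>'
            '<saml:NameID Format="%s">_constructed123</saml:NameID></saml:Subject>'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
            % (NS["saml"], name_id_format, body))

EPPN = ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "jdoe@example.edu")
EPUID = ("urn:oid:1.3.6.1.4.1.5923.1.1.1.13", "a1b2c3@example.edu")
EPPN_ONLY = sample(TRANSIENT, [EPPN])          # cannot be linked
WITH_EPUID = sample(TRANSIENT, [EPPN, EPUID])  # linkable through ePUID

if __name__ == "__main__":
    for label, doc in (("ePPN only", EPPN_ONLY), ("with ePUID", WITH_EPUID)):
        ok, bad = linking_identifiers(doc)
        print(label, "-> linkable" if ok else "-> not linkable", ok, bad)
```

An empty accepted list corresponds to the case where the researcher cannot link the institutional account.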

Optional attributes:

ORCID will use the following attributes if provided by the institution, but none are required for the SSO service to work.

  1. NAME (displayName, givenName, sn): If a name is provided by the institution, ORCID will use it in the following ways:
    1. Personalize the greeting to the user when they have signed in and are about to link the institutional and ORCID accounts.
    2. FUTURE: Add the name to the researcher’s ORCID record as an “also known as” name, with the researcher listed as the source.
  2. EMAIL (mail): If an email address is provided, ORCID will use it in the following way:
    1. FUTURE: Add the email address to the ORCID record.

Note: The visibility of items added to ORCID records is determined by the individual researcher on the ORCID site. The researcher may delete added items at any time.


Supporting institutional sign-in in practice

Given the number of identity providers that participate in the eduGAIN interfederation service, it is impossible for ORCID to test each IdP to ensure that the attribute exchange process will provide ORCID with the minimal required attributes defined above.

When a researcher is unable to link their SSO account, we provide an information support screen that displays an error message and invites the user to send an email to the IdP support contact listed in the IdP metadata. This email includes sample text directing the recipient to this documentation page, and it automatically copies the ORCID Community team.

Researchers will still be able to use the ORCID Registry even if their accounts cannot be linked; however, they will need to do so using their ORCID sign-in credentials.


Institutional sign-in management

Researchers may link multiple institutional accounts to their ORCID accounts. Once linked, they may use any of these accounts to gain access to the ORCID system. Researchers can also unlink any of these accounts. Further information is available in our user Knowledge Base.


Need help with institutional sign-in?

If you have any questions about how your researchers can sign into ORCID using their institutional sign-in credentials, contact the ORCID Community Team.


ORCID in the eduPerson schema

The eduPerson schema added the eduPersonOrcid attribute in its February 2016 update.

As per the eduPerson specification:

  RFC4512  definition
  ( 1.3.6.1.4.1.5923.1.1.1.16
  NAME 'eduPersonOrcid'
  DESC 'ORCID researcher identifiers belonging to the principal'
  EQUALITY caseIgnoreMatch
  SYNTAX  '1.3.6.1.4.1.1466.115.121.1.15' )

Note that the format for this field is the ORCID-preferred URI representation of the iD, i.e. http://orcid.org/0000-0001-2345-6789.

Further information about the format of the ORCID iD can be found in Structure of the ORCID identifier.
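
An added example (not from the eduPerson specification or ORCID's code) of checking a value before it is released as eduPersonOrcid: it requires the URI form described above and goes beyond this page by also verifying the iD's final check character, which ORCID computes with ISO 7064 MOD 11-2. The function names are hypothetical, and accepting an https scheme alongside http is an assumption.

```python
import re

# URI form from the note above; accepting https as well is an assumption.
ORCID_URI = re.compile(r"^https?://orcid\.org/(\d{4}-\d{4}-\d{4}-\d{3}[\dX])$")

def check_character(first15):
    """ISO 7064 MOD 11-2 check character for the first 15 digits of an iD."""
    total = 0
    for ch in first15:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)

def validate_edu_person_orcid(value):
    """Return the bare iD if value is a well-formed ORCID URI, else None."""
    match = ORCID_URI.match(value.strip())
    if match is None:
        return None  # bare iDs, other hosts and extra path segments are rejected
    orcid_id = match.group(1)
    digits = orcid_id.replace("-", "")
    if check_character(digits[:15]) != digits[15]:
        return None  # typo or truncated value: check character does not match
    return orcid_id

if __name__ == "__main__":
    # Constructed inputs; the first is the example value quoted on this page.
    for candidate in ("http://orcid.org/0000-0001-2345-6789",
                      "0000-0001-2345-6789",
                      "http://orcid.org/0000-0001-2345-6788"):
        print(candidate, "->", validate_edu_person_orcid(candidate))
```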