Institutional Connect via IdP

  • Do you want to help reduce the burden on your researchers when submitting papers and grants?
  • Do you want to be able to better control how your organization name is listed in publications and grants?
  • Do you want to be able to easily find your researchers’ published research output?

We invite you to work with ORCID on an early adopter program to test the feasibility of coupling institutional sign-in with affiliation assertions.

We recently launched functionality to enable ORCID users to sign into their ORCID account using their institutional username and password. This works for any institution that is a member of SURFconext or eduGAIN, the federation and interfederation services in which ORCID participates. ORCID membership is not required.

When users connect their institutional account to their ORCID iD in the institutional sign-in process, no information is sent to the institution from ORCID. Institutional Connect via IdP takes institutional sign-in for ORCID member organizations to the next level, by linking the user to your existing ORCID-integrated system immediately after linking their institutional account. The user is prompted to grant you permission to collect their verified ORCID iD as well as to read and update data on their ORCID record. Any system can be used to make this connection, as long as the institution belongs to one of the supported (inter)federations and is also an ORCID member.

To participate in the Institutional Connect via IdP Early Adopter Program, your institution must qualify for institutional sign-in and have already built, tested, and released an ORCID integration using the ORCID Member API. We recommend using your institution’s directory, human resources management, profile or other system which can serve as the source of proof for researcher affiliations. You can adapt the process with other system workflows to assert researchers’ affiliations. Interested? Let us know!

How does Institutional Connect via IdP work?

Your institution collects ORCID iDs into your system while simultaneously asserting affiliation (your organization name and identifier) on the user’s ORCID record. Specifically, you:

  • Obtain and store the user’s authenticated ORCID iD.
  • Request and store persistent access tokens to read/write/update the user’s ORCID record together with the researcher’s information.
  • Immediately update the user’s ORCID record with your organization name, identifier, and the affiliation relationship between your organization and the user.

For more information, see our slides from the June 2017 webinar on Institutional Connect via IdP.

Institutional Connect via IdP Workflow

1. Configure institutional sign-in for your organization

To participate in Institutional Collect & Connect, your institution must be a part of one of our supported federations (SURFconext, eduGAIN interfederation service).

Your IdP system also must be configured to support ORCID institutional sign-in. ORCID requires a locally unique, persistent, non-reassignable identifier to link an institution account to an ORCID account. Any of the following identifiers will be accepted for this purpose:

  • a persistent NameID (transient NameIDs will not be accepted)
  • eduPersonUniqueID (ePUID)
  • eduPersonTargetedID (ePTID)

Further setup information is available in "Sign into ORCID with institutional credentials".
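The identifier rule in step 1, as an added example that is not ORCID's code: a service provider that links institutional logins to ORCID accounts should accept only a persistent NameID, ePUID or ePTID and refuse a transient NameID. The assertion dict, the OID attribute names and the issuer value are constructed stand-ins for what a SAML library would hand back.

```python
"""Choose the identifier used to link an institutional login to an ORCID iD.
Added example, not ORCID's code: it encodes step 1's rule that only a
persistent, non-reassignable identifier (persistent NameID, ePUID or ePTID)
may be used, and that a transient NameID is refused. The assertion dict is a
constructed stand-in for what a SAML library hands back; ePTID is reduced to
its string value for brevity."""

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPUID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"  # eduPersonUniqueId
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

def linking_key(assertion: dict) -> tuple:
    """Return (kind, issuer-scoped value) to store, or raise ValueError.

    Scoping the value to the IdP entityID keeps two IdPs that emit the same
    opaque string from ever resolving to the same ORCID account.
    """
    issuer = assertion.get("issuer")
    if not issuer:
        raise ValueError("assertion has no Issuer; cannot scope the identifier")
    name_id = assertion.get("name_id") or {}
    fmt, value = name_id.get("format"), name_id.get("value")
    if fmt == PERSISTENT and value:
        return "persistent-nameid", issuer + "!" + value
    # A transient NameID is minted per session (and may later be reissued to
    # someone else), so it is never a linking key; look for an attribute instead.
    attrs = assertion.get("attributes") or {}
    for kind, oid in (("epuid", EPUID), ("eptid", EPTID)):
        values = [v for v in attrs.get(oid, []) if v]
        if len(values) > 1:
            raise ValueError(kind + " is multi-valued; refusing to guess which to link")
        if values:
            return kind, issuer + "!" + values[0]
    raise ValueError("no persistent, non-reassignable identifier in assertion")

# Constructed sample assertions (not captured from any real IdP).
IDP = "https://idp.example.org/idp/shibboleth"
WITH_PERSISTENT = {"issuer": IDP, "name_id": {"format": PERSISTENT, "value": "a1b2c3"}}
TRANSIENT_PLUS_EPTID = {"issuer": IDP, "name_id": {"format": TRANSIENT, "value": "_s9f"},
                        "attributes": {EPTID: ["Zm9vYmFy"]}}
TRANSIENT_ONLY = {"issuer": IDP, "name_id": {"format": TRANSIENT, "value": "_s9f"}}
```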

2. Configure your custom ORCID integration

In the normal workflow for a directory, human resources management, or profile system, the user is invited to connect their ORCID iD starting from within your system, such as an internal webpage or a customized email you send to the user.

Institutional Connect starts from within ORCID, using an OAuth authorization link similar to the one that researchers use to connect their ORCID iDs to your integration. Your system must be configured to expect an ORCID OAuth response at your registered redirect URI that comes directly from ORCID rather than from a flow your system started; that response will also not include a state parameter.

Using the ORCID developers sandbox, test that your system is able to successfully receive an authorization code at your redirect URI and exchange it for the token you’ll need to post an affiliation to the user’s ORCID record. For full details and required system setup, see the research information management and profile systems workflow.

3. Configure your Member API credentials

You will need to request that we update your ORCID Member API credentials to support Institutional Connect. We suggest first updating your Sandbox credentials -- but note that institutional sign-in may not work on the ORCID sandbox.

Submit a request to update your Sandbox Member API client credentials to support Institutional Connect, including the following information in the notes section:

  • Client ID
  • Your identity provider entity ID (e.g. https://idp.example.org/idp/shibboleth)
  • Your redirect URI: The page within your ORCID-integrated system that users will be directed to after they authorize the connection
  • The permission scope(s) you need: These should be the same as required for your system:
    • /activities/update (required): add/update an affiliation with your institution. Can also be used to add/update research works, funding, and peer review activities.
    • /read-limited: read limited-access data on the ORCID record and obtain the authenticated ORCID iD.
    • /person/update: add/update a unique identifier for your institution, a link to the user's faculty webpage, and other personal data in the biographical section of the ORCID record.
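Steps 2 and 3 together, as an added example that is not ORCID's or any institution's code: the callback handler pins the registered redirect URI (there is no state parameter to check, since ORCID started the flow), builds the code-for-token request, and checks the token response for a well-formed ORCID iD and the required /activities/update scope before anything is stored. The client ID, secret and redirect URI are placeholder assumptions, and no HTTP request is made; your system POSTs the returned form body to the token endpoint.

```python
"""Institutional Connect callback and token-response checks (added example, not
ORCID's or an institution's code). Per steps 2-3 the response comes straight from
ORCID with no state parameter, so the handler pins the redirect URI instead."""
from functools import reduce
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://sandbox.orcid.org/oauth/token"  # production: orcid.org
REQUIRED_SCOPES = {"/activities/update"}  # /read-limited, /person/update are optional
# Assumed registration values (placeholders, not real credentials).
CLIENT_ID, CLIENT_SECRET = "APP-EXAMPLE", "<client-secret>"
REDIRECT_URI = "https://ris.example.edu/orcid/callback"

def parse_callback(url: str) -> str:
    """Return the authorization code from the callback URL, or raise."""
    p = urlsplit(url)
    if f"{p.scheme}://{p.netloc}{p.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect URI")
    q = parse_qs(p.query)
    if "error" in q:
        raise ValueError("ORCID returned error: " + q["error"][0])
    codes = q.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]  # no state to verify: ORCID, not your system, started this flow

def token_request_body(code: str) -> str:
    """Form body to POST to TOKEN_URL (send Accept: application/json)."""
    return urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})

def orcid_checksum_ok(orcid: str) -> bool:
    """ISO 7064 MOD 11-2 check digit, the scheme ORCID iDs use."""
    d = orcid.replace("-", "")
    if len(d) != 16 or not d[:15].isdigit():
        return False
    total = reduce(lambda t, ch: (t + int(ch)) * 2, d[:15], 0)
    check = (12 - total % 11) % 11
    return d[15] == ("X" if check == 10 else str(check))

def validate_token_response(resp: dict) -> dict:
    orcid, granted = resp.get("orcid", ""), set(resp.get("scope", "").split())
    if not orcid_checksum_ok(orcid):
        raise ValueError("token response carries a malformed ORCID iD")
    if REQUIRED_SCOPES - granted:
        raise ValueError("required scope /activities/update was not granted")
    if not resp.get("access_token") or not resp.get("refresh_token"):
        raise ValueError("token response is missing a token")
    return {"orcid": orcid, "access_token": resp["access_token"],
            "refresh_token": resp["refresh_token"], "scope": sorted(granted)}
```

Store the refresh token alongside the access token: ORCID member tokens are long-lived, and the affiliation update in step 4 is made with the stored access token against the ORCID iD returned in the same response.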

4. Test the Institutional Connect via IdP user flow

Connect your institutional account to a new or existing ORCID account. Once connected, you will receive an invitation to connect your institutional account to your ORCID-integrated system. Note: The message to kick off Institutional Connect will only display the first time a user connects and signs into their ORCID record using their institutional credentials, and only if your API client does not already have permission to read or edit their record.

Click Connect to start the OAuth flow and grant permission to the system.

You will be redirected to your specified URI, and your system will update the ORCID record with the affiliation information.

5. Release -- and let your researchers know!

Once you have successfully tested Institutional Connect via IdP, you’re ready to release! Your researchers will be able to immediately benefit by connecting their ORCID iDs to your system.

You can make Institutional Connect your recommended method for researchers to connect their ORCID iDs to your institution, but be certain to also offer them the option to connect their ORCID iDs using the normal workflow for your system.

6. Go one step further: Display ORCID iDs in your IdP

You can supply the validated ORCID iDs that you have collected with your IdP using the eduPersonOrcid attribute. The ORCID iD should be displayed with the user’s personal information as per the eduPerson specification:

RFC4512 definition
( 1.3.6.1.4.1.5923.1.1.1.16
NAME 'eduPersonOrcid'
DESC 'ORCID researcher identifiers belonging to the principal'
EQUALITY caseIgnoreMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

Christopher McAvaney (@clmcavaney) of Deakin University, an ORCID Australian consortium member, on how Deakin is supplying collected ORCID iDs via its IdP.