European Workshop on Trust & Identity

In cooperation with GÉANT

Session 4 <ORCID as Attribute store: What would it look like?> (10:45/Room K6)

Convener: Laura Paglione

Abstract: ORCID as attribute store: What would it look like? (user centric release). What does the ORCID identifier look like and what are the advantages of getting an ORCID identifier? What models could be thought of for obtaining the ORCID identifier?

Tags: Identifiers

SESSION SUMMARY

  • One of the key things that participants were interested in obtaining via ORCID as an attribute provider is the ORCID identifier itself.
  • Models were discussed for obtaining the ORCID identifier. The key use case was finding an ORCID identifier after a user has logged into an IDP.

The primary topic is the difficulty of getting attributes from IDPs.

Discussion around the usefulness of getting an ORCID identifier -- it is useful, but how do you do that?

Everybody has been trying to find a solution to get a persistent identifier, but you don’t get a universal unifier from IDPs. Identifiers can be reassigned and/or require a particular context; that’s why they want an ORCID identifier for an identifier.

ORCID might play a vital role as an attribute store.

Harder problem: using the university credentials:

  • on the screen where someone signs in: a screen with ORCID OR institution OR social login
  • any of these clicks can be tied to the individual
  • ORCID has a record of the links the individual used
  • case: we could confirm: this person has logged in before with one of the 3, which one?

Q: How can I validate that this is the same user?

ID – alternative person IDs can be identified; we have to understand what the privacy implications are at ePPN.

Q: What if the service already has an identifier?

A: Own institution has an identifier for the individual.

Q: No way to get an identifier for a person?

A: There is a sort of prerequisite, using the identifier: if I created an ORCID 5 years ago, left the university and try to get access to the university again?

Service ---- ORCID ---- IDP

Somehow a unique identifier needs to be established. The ePPN can be seen, but that cannot be tracked to a person; you need some other attribute.

Many IDPs don’t release any info about users. And universities are scared to release the name if they release ORCID.

Q: How can the ORCID attribute store see an identifier that gives us some assurance?

A: The service asks ORCID for identification; ORCID should ask the user and confirm.

Q: How do we know that it’s the right user? Also when he logs back in one week later?

A: There is no unique identifier with the IDP – we need another identifier/create one.

Q: How is this different from now? Is that even possible?

A: We need a way of knowing that we talk about the same user; everything happening in that session is the same person.

Q: If a user creates more than one ORCID identifier, is it his problem?

A: We expect users to use the very same ORCID identifier.