Subject Re: [MACE-Dir] eduPersonSubjectIDGUID
From Keith Hazelton <keith.hazelton@xxxxxxxx>
Date Fri, 23 Oct 2015 16:31:06 +0000

The situation on the ground is that a couple of universities have self-service utilities in place that allow users to perform a verified linking of their NetId with their ORCID (basically an SP-protected site that does OAuth calls back to ORCID).  Alternatively, ORCID is on the way to having a SAML SP fronting their site, and they might offer a similar self-service linking service.  Based on discussions with their Tech Director at TechEx, they are exploring ways to share that verified linking back to the home campus IAM services.

Personally, I don’t favor the idea of ORCID as an IdP, I think it takes them away from their core value, and makes it easier for them to slip into the ‘one global and persistent identifier per person’ honeypot role.

email & jabber: keith.hazelton@xxxxxxxx

From: Nate Klingenstein <ndk@xxxxxxxxxxxxx>
Date: Friday, October 23, 2015 at 11:13
To: Paul Caskey <pcaskey@xxxxxxxxxxxxx>
Cc: "Mark.B.Jones@xxxxxxxxxxx" <Mark.B.Jones@xxxxxxxxxxx>, "cantor.2@xxxxxxx" <cantor.2@xxxxxxx>, "barkills@xxxxxx" <barkills@xxxxxx>, Eric Goodman <Eric.Goodman@xxxxxxxx>, MACE-Dir <mace-dir@xxxxxxxxxxxxx>, refeds <refeds@xxxxxxxxxx>
Subject: Re: [refeds] [MACE-Dir] eduPersonSubjectIDGUID

I wonder what answers our researchers would give. Seems they might actually prefer such a blending, but I'm definitely speculating.

It’s a very good question.

I’m pretty much a nerd in a wide variety of topics from virology to climate science and spend my entire life in my house reading and editing Wikipedia, and I’ve been seeing ORCIDs appearing spontaneously on public personal pages of some of the leading researchers.  It’s fascinated me.

Personally, I think that a closer collaboration with ORCID gives us the best shot at satisfying the preferences of the research community in this regard.

In my dogma/dream world, the university would host a persistentId-style key representing the user’s identity at ORCID, and ORCID would host one representing the user’s identity at their present organization.  The ORCID itself would be expressed as an attribute by ORCID as the authority, no matter which provider the user authenticated at initially, for applications that needed to leverage it.

I haven’t heard other people support the above integration approach, though, and I have heard good arguments against it from others, mostly around ORCID acting more as a service provider and less as an identity provider.