From: Krzysztof B. <kb...@un...> - 2023-07-12 10:39:18
Hi Sander,

W dniu 6.07.2023 o 12:18, Sander Apweiler pisze:
> Hi Krzysztof,
> we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity
> interacts as proxy. User can sign in with all of them, but using home
> IdP can give already access to resources. We can not use the account
> linking because the user must lose access to the resources, when they
> leave the home organisation.
>
> We have some services which already want to have the ORCID ID of the
> user. Of course we can create an attribute and user needs to enter it
> manually during sign up or later in userhome endpoint. But manual steps
> offer the option for mistakes. So our question would be if there is a
> way to get the ID from ORCID directly, like the sign up using ORCID,
> but without account linking.

Hmm, I was close to writing that this is not doable, but I realized I don't understand the scenario.

So on one hand you want to keep the feature to sign in using ORCID as an alternative to signing in using your home org IdP. Right? This means that you need those two sign-in methods supported and also both should be linked to the same entity in Unity.

At the same time, if the ORCID id is only stored as a plain attribute, users won't be able to log in with ORCID.

What am I missing? Isn't it just a deprovisioning concern, that after the user leaves the home org, some aspects of the Unity account should be removed so authZ is lost to relevant items?

Best,
Krzysztof