From: Sander A. <sa....@fz...> - 2023-07-06 08:42:13

Hi Krzysztof, hi Roman,

we see a growing number of requests for the ORCID ID of researchers from services who want this information from the IdM system. The primary identity of the users is bound to the home organisation. Since there are resources bound to these identities, we do not want to perform account linking, unless we can remove all privileges of the users that are based on the organisation login if the user has left the organisation. ORCID login is an alternative for researchers where the home organisation does not release all mandatory attributes.

Is it possible to get the ID directly from ORCID and store it as an attribute, without account/identity linking?

Best regards,
Sander

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens, Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
From: Krzysztof B. <kb...@un...> - 2023-07-06 10:00:54

Hi Sander,

On 6.07.2023 at 10:42, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we see a growing number of requests for the ORCID ID of researchers from services who want this information from the IdM system. The primary identity of the users is bound to the home organisation. Since there are resources bound to these identities, we do not want to perform account linking, unless we can remove all privileges of the users that are based on the organisation login if the user has left the organisation. ORCID login is an alternative for researchers where the home organisation does not release all mandatory attributes.
>
> Is it possible to get the ID directly from ORCID and store it as an attribute, without account/identity linking?

I'm not sure if I understand the scenario. Can you describe the flow precisely? I wonder how and when the Unity instance should authorize to ORCID to get this identity info?

I understand that you have a user that has some home IdP + ORCID id. This user can login via Unity acting as a proxy to the home IdP. And now how does ORCID fit in here?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-07-06 10:19:16

Hi Krzysztof,

we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity interacts as proxy. The user can sign in with all of them, but using the home IdP can already give access to resources. We cannot use the account linking because the user must lose access to the resources when they leave the home organisation.

We have some services which already want to have the ORCID ID of the user. Of course we can create an attribute and the user needs to enter it manually during sign-up or later in the userhome endpoint. But manual steps offer the option for mistakes. So our question would be if there is a way to get the ID from ORCID directly, like sign-up using ORCID, but without account linking.

Best regards,
Sander

On Thu, 2023-07-06 at 12:00 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 6.07.2023 at 10:42, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we see a growing number of requests for the ORCID ID of researchers from services who want this information from the IdM system. The primary identity of the users is bound to the home organisation. Since there are resources bound to these identities, we do not want to perform account linking, unless we can remove all privileges of the users that are based on the organisation login if the user has left the organisation. ORCID login is an alternative for researchers where the home organisation does not release all mandatory attributes.
> >
> > Is it possible to get the ID directly from ORCID and store it as an attribute, without account/identity linking?
>
> I'm not sure if I understand the scenario. Can you describe the flow precisely? I wonder how and when the Unity instance should authorize to ORCID to get this identity info?
>
> I understand that you have a user that has some home IdP + ORCID id. This user can login via Unity acting as a proxy to the home IdP. And now how does ORCID fit in here?
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-07-12 10:39:18

Hi Sander,

On 6.07.2023 at 12:18, Sander Apweiler wrote:
> Hi Krzysztof,
> we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity interacts as proxy. The user can sign in with all of them, but using the home IdP can already give access to resources. We cannot use the account linking because the user must lose access to the resources when they leave the home organisation.
>
> We have some services which already want to have the ORCID ID of the user. Of course we can create an attribute and the user needs to enter it manually during sign-up or later in the userhome endpoint. But manual steps offer the option for mistakes. So our question would be if there is a way to get the ID from ORCID directly, like sign-up using ORCID, but without account linking.

Hmm, I was close to writing that this is not doable, but I realized I don't understand the scenario.

So on one hand you want to keep the feature to sign in using ORCID as an alternative to sign-in using your home org IdP. Right? This means that you need those two sign-in methods supported and also both should be linked to the same entity in Unity. At the same time, if the ORCID id is only stored as a plain attribute, users won't be able to login with ORCID. What am I missing?

Isn't it just a deprovisioning concern, that after a user leaves the home org, some aspects of the Unity account should be removed so authZ is lost to relevant items?

Best,
Krzysztof
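The two practical points raised in this thread, as an added illustration that is not Unity IdM code and not from either poster: a checksum validation for an ORCID iD that is stored as a plain attribute (the "manual steps offer the option for mistakes" concern; ORCID iDs carry an ISO 7064 MOD 11-2 check digit), and the deprovisioning view from the last mail, where every privilege justified by the home-IdP identity is revoked while the ORCID identity and attribute survive. The `Entity` structure, the `home-idp` / `orcid` source names and the sample group names are assumptions for the example, not Unity's data model.

```python
import re
from dataclasses import dataclass, field

# ORCID iDs are conventionally expressed as https://orcid.org/ URIs; accept both forms.
ORCID_RE = re.compile(r"^(?:https?://orcid\.org/)?(\d{4})-(\d{4})-(\d{4})-(\d{3}[\dX])$")


def orcid_check_digit(base15: str) -> str:
    """ISO 7064 MOD 11-2 over the first 15 digits of the iD; 'X' stands for 10."""
    total = 0
    for ch in base15:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def validate_orcid(value: str) -> bool:
    """True only for a well-formed iD whose check digit matches the body.

    Worth running before storing a manually entered iD as an attribute;
    an iD obtained from an ORCID login is already authoritative."""
    m = ORCID_RE.match(value.strip())
    if not m:
        return False
    digits = "".join(m.groups())  # 16 characters, the last one is the check digit
    return orcid_check_digit(digits[:15]) == digits[15]


@dataclass
class Entity:
    """Simplified stand-in for an IdM entity with several upstream identities (assumed model)."""
    identities: dict = field(default_factory=dict)  # upstream source -> remote identifier
    attributes: dict = field(default_factory=dict)  # attribute name -> value (e.g. the ORCID iD)
    privileges: dict = field(default_factory=dict)  # group / resource -> identity source that justified it


def deprovision_home_org(entity: Entity, home_idp: str) -> list:
    """Drop the home-IdP identity and every privilege it justified; return what was revoked.

    Privileges justified by other sources (here the ORCID login) and plain
    attributes such as the stored ORCID iD are deliberately left in place."""
    entity.identities.pop(home_idp, None)
    revoked = sorted(g for g, src in entity.privileges.items() if src == home_idp)
    for g in revoked:
        del entity.privileges[g]
    return revoked
```

Tagging each privilege with the identity source that justified it is what makes the revocation precise: nothing granted through the ORCID login is touched when the home-organisation affiliation ends.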