Highlights
- Centralized identity management policies at research institutions can allow researchers to access other systems in the institution with one set of credentials.
- Implementing ORCID at this level can be a more streamlined approach than managing multiple ORCID integrations into many local systems.
- Integrating ORCID into a centralized system can save time and financial resources while fast-tracking ORCID adoption amongst researchers.
- A centralized system uses the Lightweight Directory Access Protocol (LDAP) on the back end to store core attributes of the users, such as username, name, department, etc.
- At Stanford, integrating ORCID centrally helped the institution meet guidelines set by NSPM-33 and provided downstream benefits to other Stanford systems.
Centralized identity management policies and technologies allow institutions to grant users access to their systems with a single account that authenticates users into a centralized system. Once authenticated, users can then access other systems without needing to use separate credentials. These systems might include Course Management Systems, Research Information Management systems, Human Resources systems, repositories, and other internal systems and apps, and in some cases external systems as well.
This practice of centralizing identity management has been developed over the last 20 years and adopted by an increasing number of universities and research institutions in the quest to increase security and provide a more seamless and productive workspace. For institutions that already have a strong centralized identity management policy and infrastructure, implementing ORCID at this level can be a more streamlined approach than managing multiple ORCID integrations into many local systems. Institutions that integrate ORCID into a centralized system can save time and financial resources while fast-tracking ORCID adoption amongst researchers at any stage of their career.
Stanford University is one example of a university that chose to integrate ORCID into its centralized identity management system, which it did to comply with US research security directives issued by the National Security Presidential Memorandum-33, better known as NSPM-33. Stanford University offers an ideal case study for similar research institutions that already have a centralized system and want to compound the benefits of ORCID membership across campus.
This blog details the ways that Stanford’s ORCID integration is benefitting the university and how other institutions can follow suit.
Stanford’s “gateway” to research security
Among the mandates of NSPM-33 is the establishment of research security programs at research institutions receiving federal funds. The guidance says that digital persistent identifier (DPI) services, also known as persistent identifier (PID) providers, must “support secure integration with standard authentication services, such as Security Assertion Markup Language (SAML) and Open Authentication (OAuth).” It is worth noting that ORCID is the only PID provider for individuals that meets the requirements outlined in the NSPM-33 guidance.
Zach Chandler, Director of Open Scholarship Strategy at the Stanford Data Science Initiative, was part of a multi-disciplinary team co-led by Tom Cramer, Associate University Librarian at Stanford University, tasked with integrating ORCID into the Stanford University Network Identifier (SUNetID). The team comprised staff from Stanford Data Science’s Center for Open and REproducible Science (CORES), Stanford University IT, Stanford Libraries, and Stanford School of Medicine. Together they built the Stanford-ORCID gateway and app that pairs ORCID iDs with a local Stanford unique ID through an OAuth workflow.
When new users log into the gateway, they’re routed to ORCID to first claim an ORCID iD, which is then returned to Stanford along with a persistent token that allows the university to update users’ ORCID records on their behalf through Stanford’s ORCID member API.
“We leveraged the ORCID public API to build the portal for Stanford Researchers to link their SUNetID to ORCID iDs, enabling ease of use and data flow now and in the future,” said Sangeetha Chowhan, MaIS Technical Manager at Stanford.
The linking between ORCID and Stanford University’s centralized system is set up as a self-service process, which allows users full control to access the portal and change permissions related to linking, reading, or writing data to their ORCID record.
Zach added that there are over 1,100 faculty that have done this so far. “We have a growing corpus to build from so that now in any downstream system that work is available,” he said. “We aspire for 100 percent adoption across all fields of study at Stanford.”
An alternate path to ORCID integration
Centralized systems such as the one at Stanford University are using methods of Federated Identity Management (FIM), which enable a user’s identity to be linked across a variety of separate identity management systems. FIM allows users to move securely and quickly between systems.
A centralized system has a front end where users sign in and a back-end directory, often implemented with the Lightweight Directory Access Protocol (LDAP), that holds the core attributes of every user: username, name, department, status, whether they are faculty, staff, or student, and other key details.
“Once authorized and linked by users, their ORCID iDs are fetched and then stored in Stanford’s LDAP,” said Sangeetha. “Integrated ORCID iDs are available and accessible via LDAP and Registry Web Services, subject to data owner approvals.”
By integrating with ORCID, the centralized system can also add authenticated ORCID iDs into that directory. Doing so allows administrators of the institution’s other internal systems to very easily pull authenticated ORCID iDs out of the central directory without having to do local ORCID integration. In this way, a centralized ORCID integration provides an alternate path to integrating ORCID into multiple different systems at a university.
At Stanford University, the ORCID iD is stored in LDAP as an eduPerson identifier and released as part of the SAML attributes, which makes it available to any web-based application that authenticates through single sign-on and receives the SAML attributes by default.
In addition, the access tokens provided by ORCID when a user links their Stanford and ORCID profiles are also stored in LDAP and are available for reuse via an internal Stanford API. This means that the permission Stanford obtained during account linking to update its researchers’ ORCID records can be used by any Stanford system without having to obtain further permission from the user.
For example, Stanford’s institutional repository uses these tokens to update ORCID records with research data deposits as “Works” in ORCID. Writing data deposits to ORCID records is an important step in acknowledging research data as scholarly work.
In another example, the Stanford Profiles system is able to use the tokens to push confirmed publications that have been added to researchers’ Stanford Profiles page to their ORCID profile automatically.
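The linking flow described above (the OAuth hand-off to ORCID, the directory record that keeps the iD and token, and a downstream system reusing that token to push a Work), as an added Python example that is not Stanford's gateway code. It uses ORCID's public OAuth and member API endpoints and the eduPersonOrcid attribute, which are real; the other attribute names, the client id, the redirect URI and the sample ORCID iD and DOI are constructed inputs.

```python
import secrets
from urllib.parse import urlencode

ORCID = "https://orcid.org"          # https://sandbox.orcid.org for testing
WRITE_SCOPE = "/activities/update"   # member-API scope needed to add Works

def orcid_check_digit(base15: str) -> str:
    """ISO 7064 MOD 11-2 check digit over the first 15 digits of an ORCID iD."""
    total = 0
    for ch in base15:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)

def is_valid_orcid(orcid: str) -> bool:
    # Reject malformed or mistyped iDs before they reach the directory.
    digits = orcid.replace("-", "")
    return (len(digits) == 16 and digits[:15].isdigit()
            and orcid_check_digit(digits[:15]) == digits[15])

def authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: send the user to ORCID; 'state' is checked again on return."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": f"/authenticate {WRITE_SCOPE}",
              "redirect_uri": redirect_uri, "state": state}
    return f"{ORCID}/oauth/authorize?{urlencode(params)}"

def directory_entry(uid: str, sent_state: str, returned_state: str,
                    token_response: dict) -> dict:
    """Step 2: validate the callback and shape the record stored in LDAP."""
    if not secrets.compare_digest(sent_state, returned_state):
        raise ValueError("state mismatch: callback not tied to this session")
    orcid = token_response.get("orcid", "")
    if not is_valid_orcid(orcid):
        raise ValueError("token response carries a malformed ORCID iD")
    granted = token_response.get("scope", "").split()
    return {"uid": uid,                                 # attribute names below
            "eduPersonOrcid": f"{ORCID}/{orcid}",       # URL form per eduPerson
            "orcidAccessToken": token_response["access_token"],  # assumed name
            "orcidTokenScope": sorted(granted)}                  # assumed name

def work_request(entry: dict, title: str, doi: str) -> tuple:
    """Step 3: a downstream system reuses the stored token to push a Work."""
    if WRITE_SCOPE not in entry["orcidTokenScope"]:
        raise PermissionError("stored token lacks the update scope")
    orcid = entry["eduPersonOrcid"].rsplit("/", 1)[1]
    headers = {"Authorization": f"Bearer {entry['orcidAccessToken']}",
               "Content-Type": "application/vnd.orcid+json"}
    body = {"title": {"title": {"value": title}}, "type": "data-set",
            "external-ids": {"external-id": [{"external-id-type": "doi",
                "external-id-value": doi, "external-id-relationship": "self"}]}}
    return "POST", f"https://api.orcid.org/v3.0/{orcid}/work", headers, body
```

The scope check in `work_request` is the point a downstream system must not skip: the token a user granted for linking only authorizes writes if the update scope was consented to at link time.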
Universities that store ORCID iDs in their source systems, as Stanford does, can also release them as SAML attributes to external, non-Stanford systems that offer sign-in via the institutional credential, which could have valuable follow-on effects and brings the research community closer to the “DPI Services” outlined in NSPM-33.
The advantages for universities taking a centralized approach to integrating with ORCID are threefold:
- It’s net less work to integrate ORCID centrally,
- The university gives users the opportunity to link or register their ORCID iD as part of the enrollment process, which leads to a higher compliance rate than trying to encourage the institution’s researchers to separately link their ORCID iDs in different contexts, and
- It helps universities integrate data for analysis and insight generation.
If the institution has both internal and external datasets that contain ORCID iDs, then they have a set of links between those two datasets that they can use to integrate at a later time.
A centralized strategy
ORCID seeks to bring value to any workflows or processes that universities have. Sometimes it makes sense for an institution to seek separate ORCID integrations for its different local systems.
However, with the increasing prevalence of centralized identity management, it is worthwhile for administrators to consider seeking strategic gains from integrating ORCID into a central system, such as seen at Stanford.
“Most universities have identity management processes, but it varies as to how strategic they are,” said ORCID’s Executive Director Chris Shillum. “There are good reasons for centralized identity management. Users hate to have to remember multiple account credentials, and there are numerous security benefits. In terms of integrating with ORCID, an institution that might otherwise have to integrate, say, five different systems separately can do one integration through a central identity management system that can be used by all its other systems, reducing the total technical effort involved and avoiding users having to link their ORCID iDs in multiple places.”
Other universities can integrate with ORCID centrally and reap the same benefits that Stanford University did. At Stanford, integrating ORCID into a centralized identity management system not only helped the institution meet guidelines set by NSPM-33, it also provided downstream benefits to other Stanford systems—all with less work and cost than separate integrations. Whether the goal is improving research security, improving workplace productivity, or gaining institutional insights from new data, institutions with a centralized system should consider this approach to ORCID membership.
When research institutions integrate their systems with ORCID, they more easily stay up to date with the research produced at their institution, while making researchers’ lives easier. Research institution administrators who are seeking to integrate with ORCID can learn more about the benefits of membership here.