Sign into ORCID with Institutional Credentials

Your researchers typically have many sets of sign-in credentials, for their institution, personal accounts, and more. Managing them all can be cumbersome, but ORCID makes it easier by enabling your researchers to sign into the ORCID Registry with credentials that they already use.

ORCID provides institutional Single Sign On (SSO) for the user. This means that researchers can use their institutional credentials to sign into ORCID.

Researchers can still sign into the ORCID Registry with their ORCID username and password, or they can use their institutional credentials or accounts with Google or Facebook.

Institutional sign-in is only available for members of supported access federations (SURFconext, eduGAIN interfederation service); ORCID membership is not required to use this feature. View the map to see which countries are included.

If you are new to this, you may want to review the materials on Federations 101 developed by the AARC (Authentication and Authorization for Research and Collaboration) Project.

ORCID is a Federated Service Provider (SP)

• ORCID provides is institutional Single Sign On (SSO) for the user.
• ORCID is a service provider registered in the eduGAIN interfederation service.
• ORCID is categorized as a Research and Scholarship entity by REFEDS.
• Institutions must be listed by the discovery service for this to be available as an option for users.
• The ORCID Entity ID is https://orcid.org/saml2/sp/1
• ORCID metadata is available in theMetadata Explorer Tool (MET)

Requirements for use

• Institutions must be listed by the discovery service for this to be available as an option for users.
• Institutions must support SAML 2.0
• Institutions must provide locally unique, persistent, non-reassignable identifier to link an institution account to an ORCID account. Any of the following identifiers will be accepted:
  • A persistent NameID
  • eduPersonUniqueID (ePUID)
  • eduPersonTargetedID (ePTID)

What about eduPersonPrincipalName ?
ORCID does not accept ePPN for this attribute, even for research and scholarship entities. This is due to the longevity of ORCID iDs/accounts, as well as the chance, albeit small, of reassignment of eduPersonPrincipalName (ePPN).

What about Name?
If a name (displayName, givenName, sn) is provided by the institution, ORCID will use it to personalize the greeting to the user when they have signed in and are about to link the institutional and ORCID accounts.

Researcher Support

When a researcher is unable to link their SSO account, we provide an information support screen that displays an error message and invites the user to send an email to the IdP support contact listed in the IdP metadata. This email includes sample text directing the recipient to this documentation page, and it automatically copies the ORCID Engagement team too so they can follow up with you directly too.

Researchers will still be able to use the ORCID Registry even if their accounts cannot be linked, however, they will need to do so using their ORCID sign-in credentials or Google or Facebook credentials.

Researchers may link multiple institutional accounts to their ORCID accounts. Once linked, they may use any of these accounts to gain access to the ORCID system. Researchers can also unlink any of these accounts. Further information is available in our user Knowledge Base.

Given the number of identity providers that participate in the eduGAIN interfederation service, it is impossible for ORCID to test each IdP to ensure that the attribute exchange process will provide ORCID with the minimal required attributes defined above.

Need help?

• Visit our federated sign in technical documentation for more details and troubleshooting advice.
• If you have any questions about how your researchers can sign into ORCID using their institutional sign-in credentials, contact the ORCID Engagement Team.

  RFC4512  definition
  ( 1.3.6.1.4.1.5923.1.1.1.16
  NAME 'eduPersonOrcid'
  DESC 'ORCID researcher identifiers belonging to the principal'
  EQUALITY caseIgnoreMatch
  SYNTAX  '1.3.6.1.4.1.1466.115.121.1.15' )