Question about authenticated ORCIDs in account profile

[Dieuwertje Bloemen]

Hi,

We've been testing with the new ORCID feature (https://github.com/IQSS/dataverse/pull/11222), where we add ORCIDs to Shibboleth accounts. However we seem to run into an issue, is it true that once you've added an ORCID to your Shibboleth account that you're no longer able to create an ORCID account separately on the same ORCID? And we see there's a way to only turn on this feature but disallow general ORCID login, but not the other way around (allow ORCID login, but don't allow addition of ORCIDs to other accounts).

And one more question: would be able to enter ORCIDs into the ORCID field on Shibboleth accounts via the API or something? We namely have ORCIDs in our HR system we would like to be able to import straight into the relevant Dataverse Shibboleth accounts.

BTW: our use case for these questions:

• Only KU Leuven researchers who log in with Shibboleth get editing rights/create dataset rights. If they leave the university, we don't delete their account from Dataverse (and the related rights) in case they might return later on to the university. They cannot login anymore anyway, because their Shibboleth authentication won't work in general.
• We allow ORCID login for people who want to request access to restricted datasets. This can include researchers who previously worked for KU Leuven and had access via Shibboleth.
• We don't allow creation of local users to prevent unnecessary GDPR issues and because ORCID at least has some validation of users in relation to access requests.

So, if we let users connect an ORCID to their Shibboleth account and this makes creation of a non-KU Leuven account via ORCID possible, we would have a bit of an issue. Currently connecting ORCIDs isn't working on our production because we haven't added the second redirect url yet, which is a workaround we don't want to keep forever.

Kind regards,

Dieuwertje

[Philipp Conzett]

Hi Dieuwertje, all,

I'm not sure if I understand your last paragraph entirely. Could there be a typo there and you meant "impossible" instead of "possible", thus: "... this makes creation of a non-KU Leuven account via ORCID impossible ...."?

At DataverseNO we've just run into the first situation you describe: "once you've added an ORCID to your Shibboleth account that you're no longer able to create an ORCID account separately on the same ORCID". A depositor who previously worked at a DataverseNO partner institution using Shibboleth for login added an ORCID to his Dataverse user account. Now, he has left the institution and wants to create a user account using ORCID login in order to get edit access to his datasets. When trying to login with ORCID, he gets an error message.

We'd be interested to know how to proceed to allow the user login with ORCID.

Best

Philipp

[James Myers]

I haven’t looked at this code recently, but associating your ORCID with an existing non-ORCID account should be fully reversible. (Account Info/Edit Account/Remove ORCID).

 

-- Jim

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dataverse-community/4470e571-0226-47d7-bf7f-39aa84b24203n%40googlegroups.com.

[Philipp Conzett]

Thanks, Jim. Removing the ORCID association through the GUI would be the easiest solution. But in our use case, the user doesn't have access to the user account anymore. Is there a way a Superuser or SysAdmin can remove the ORCID association of a user account, preferably by API?

Best,

Philipp