This section describes the setup of a SAML <-> ORCID account linking service based on simpleSamlPhp. In addition it exposes the linked ORCID attribute via the SAML Attribute Query protocol.
Goals
- Create a SP to get the Orcid ID for the logged in user
- Store the orcid ID in an Attribute Authority (AA)
- In OpenConext: fetch the orcid ID from the Attribute Authority using an Attribute Query
- Read new attributes in a connected SP (note: this SP could connect to the AA as well)
Architecture and components
The core of the setup is an ORCID account linking services, which contains an ORCID SP and an ORCID AA component. The ORCID SP allows endusers to link their SAML based Home Institution account to their ORCID. THis is done by logging in twice: once at the home institution, and once at ORCID. The combination of the ePPN attribute value and the ORCID is then stored in a database. An ORCID AA component allows SAML based SPs to query the attribute authority.
In this scenario, as SURFnet is operating a Hub-and-Spoke federation, it was also investigated how the hub could be used to provide the ORCID attribute to SPs connected to the hub as part of the regular Authentication flow. For this a attribute query client was used in the hub (OpenConext) to query the ORCID AA component just before passing on an authentication to a SP.
Setup
1. Orcid SP
- The orcid SP is installed on an OpenConext Virtual machine as 'orcid.demo.openconext.org'
- It uses simplesaml to connect to OpenConext
- A simplesaml module is used to conect to orcid: https://git.man.poznan.pl/stash/projects/SSP/repos/simplesamlphp/browse/modules/orcid
- The only code required in the SP is to store the orcid id in a MySQL database, Have a look at the main orcid.php script
- You can read the install notes
- The result is the orcid within simplesaml attributes
1-2. MySQL, the glue
- The Orcid SP stores the orcid Id in MySQL
- The Attribute Authority reads this orcid Id
- Its a database (orcidAA) with one table (orcid) that lists 'Users' and 'Ids'
mysql> show tables;
+-------------------+
| Tables_in_orcidAA |
+-------------------+
| orcid |
+-------------------+
mysql> select * from orcid;
+-------------------+---------------------+
| orcidUser | orcidId |
+-------------------+---------------------+
| j.doe@example.com | 0000-0001-5470-3703 |
+-------------------+---------------------+
NOTE: secure the orcidUser with some hashing. (not yet done for demo purposes)
use for example sha2:
- php in orcidSP : hash (sha256, $STRING)
- mysql in AA : sha2('$STRING',256)
2. Attribute Authority
- A shibboleth IdP is installed on a OpenConext Virtual Machine as 'aa.demo.openconext.org'
- For testing the OpenConext code this IdP delivers static attributes
- The AA also delivers the orcid from MySQL
- The most import configuration file is the attribute-resolver.xml that connects to mysql
- You can read the install notes
- Without the orcid SP, the result of the AA is static attributes in profile
3. OpenConext AM code
- Attribute Manipulation code is the glue between OpenConext SP and the AA
- Attribute Manipulation code is written to send an Attribute Query to the AA, download it here:
- version 0.1 - 20150407
- version 0.2 - 20150507
- version 0.3 - 20150602
- Add the attribute manipulation code to each service that requires orcid (or other attributes from the AA)
4. SP (profile)
- 'profile.demo.openconext.org' is used for testing, it displays the fetched attributes
- once everything is in place the output of profile includes static AA attributes AND the orcid attribute from the orcid SP
1-2-3-4 OpenConext, glue
OpenConext binds everything together
- the orcid sp is configured as SP
- the AA is configured as IdP
- the attribute manipulation code is added to the already connected profile SP
How to test
The demo is installed on the host: orcidaa.pt-27.utr.surfcloud.nl
This testing can only be done from within the SURFnet network!
1. add some pointers to this host to your hosts files
145.100.180.187 demo.openconext.org db.demo.openconext.org ldap.demo.openconext.org
145.100.180.187 grouper.demo.openconext.org serviceregistry.demo.openconext.org engine.demo.openconext.org
145.100.180.187 profile.demo.openconext.org manage.demo.openconext.org teams.demo.openconext.org
145.100.180.187 static.demo.openconext.org mujina-sp.demo.openconext.org mujina-idp.demo.openconext.org
145.100.180.187 api.demo.openconext.org apis.demo.openconext.org cruncher.demo.openconext.org
145.100.180.187 csa.demo.openconext.org welcome.demo.openconext.org dashboard.demo.openconext.org
145.100.180.187 aa.demo.openconext.org orcid.demo.openconext.org
2. Visit orcid.demo.openconext.org and login with a standard openconext account. You will be forwarded to orcid and need to login there as well. Your orcid will be stored.
page 1 of orcid-sp:
page 2 of orcid-sp:
3. Visit profile.demo.openconext.org and your orcid id will be displayed next to your other attributes
ORCID: http://orcid.org/
ORCID API: http://support.orcid.org/knowledgebase/articles/180285-introduction-to-the-orcid-api
SimpleSAMLORCID module: https://git.man.poznan.pl/stash/projects/SSP/repos/simplesamlphp/browse
Shibboleth AA setup (Example): https://wiki.terena.org/download/attachments/24215762/HOWTO%20Install%20Grouper%20on%20Ubuntu%20Linux%2012.04.pdf?version=1&modificationDate=1404143729867&api=v2
SimpleSAMLPHP attribute Aggregator: https://github.com/NIIF/simplesamlphp-module-attributeaggregator