Technical Deep Dive: Registry Logic, Multi-Tenant Authentication, and Institutional Data Loops
The ORCID core infrastructure operates as an asynchronous, multi-tenant network designed to handle real-time cross-referencing and background metadata processing.
1. Identity Provider Institutional Handshakes via SAML 2.0
When logging into the system using your university credentials via Single Sign-On (SSO), the system triggers a cryptographically secure identity handshake:
- The SAML Assertion Loop: Your institution's Identity Provider (IdP), such as Shibboleth or Okta, generates a signed XML token containing your unique academic attribute identifier (eduPersonPrincipalName).
- Dynamic Account Federation: The registry intercepts this institutional token and matches it against your central database record, logging you in without exposing your local university password to external servers.
- Persistent Session Tokens: Once verified, the browser stores an isolated session cookie tied strictly to the login origin domain, protecting against session hijacking and cross-site scripting (XSS) attacks.
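The server-side half of that handshake, as an added illustration (not ORCID's code): after the SAML library has verified the IdP's XML signature, the service provider still has to check the assertion's time window and audience before trusting the eduPersonPrincipalName attribute, look the principal up in its own account table, and issue a host-scoped session cookie. The assertion, the entityID, the account table and the cookie name are constructed for this example; the attribute OID is the standard one for eduPersonPrincipalName.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # standard OID for eduPersonPrincipalName
SP_ENTITY_ID = "https://registry.example/sp"    # hypothetical entityID of the registry (the audience)

# Constructed sample assertion. Signature verification is assumed to have
# happened already; these are the checks that follow it.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml2:Issuer>https://idp.university.example/idp</saml2:Issuer>
  <saml2:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://registry.example/sp</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml2:AttributeValue>jdoe@university.example</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AssertionRejected(ValueError):
    """Raised when a signed assertion fails one of the post-signature checks."""


def extract_principal(assertion_xml, audience, now):
    """Return the eduPersonPrincipalName if the assertion is current and addressed to us."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml2:Conditions", SAML_NS)
    if cond is None:
        raise AssertionRejected("assertion carries no Conditions element")
    # Replayed or stale tokens fall outside [NotBefore, NotOnOrAfter).
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise AssertionRejected("assertion is outside its validity window")
    # A token minted for another service provider must not log anyone in here.
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", SAML_NS)]
    if audience not in audiences:
        raise AssertionRejected("assertion was issued for a different service provider")
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        if attr.get("Name") == EPPN_OID:
            value = attr.find("saml2:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    raise AssertionRejected("eduPersonPrincipalName attribute missing")


# Constructed mapping from institutional principal to registry record.
ACCOUNTS = {"jdoe@university.example": "0000-0002-1825-0097"}


def federate(eppn, accounts=ACCOUNTS):
    """Match the institutional principal to an existing record; None means first-time linking."""
    return accounts.get(eppn)


def session_cookie(token):
    """Host-only cookie: the __Host- prefix forbids a Domain attribute, so the
    browser sends it only to the exact origin that set it."""
    return f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The university password never reaches the registry: the only thing exchanged is the signed attribute statement, and the registry's own check is limited to the conditions above plus the account lookup.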
2. Advanced Record Merging and Contradictory Data Resolution
When researchers accidentally create multiple accounts, the registry uses specific database fallback rules to resolve conflicts without breaking connected external publication feeds:
- Primary Record Designation: During an account merge, you select one 16-digit number as your primary identifier. The secondary number is permanently deprecated but kept active as a hidden pointer. [1]
- The HTTP 301 Redirect Fail-safe: If an external publisher requests data using your old, merged ID via the public API, the system automatically returns an HTTP 301 (Moved Permanently) response, redirecting the request to your new, active profile.
- Metadata Provenance Preservation: When profiles merge, any entries previously verified by an institution (such as a grant verified by the NSF) retain their original electronic signature tags, ensuring data authenticity remains intact.
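The three merge rules above, as an added illustration that is not ORCID's code: a merge keeps the primary iD and folds the secondary's activities in with their source tags untouched, the registry keeps the secondary iD as a pointer, and a public-API lookup on that pointer answers with a 301. The registry table, record shape and API base URL are constructed; the checksum routine is the ISO 7064 MOD 11-2 scheme that ORCID iDs use, so malformed identifiers are rejected before any lookup.

```python
import re

ORCID_RE = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")
PUBLIC_API = "https://pub.registry.example/v3.0"   # hypothetical public API base URL


def orcid_checksum_valid(orcid_id):
    """ISO 7064 MOD 11-2: the last character checks the first 15 digits ('X' means 10)."""
    if not ORCID_RE.match(orcid_id):
        return False
    digits = orcid_id.replace("-", "")
    total = 0
    for ch in digits[:-1]:
        total = (total + int(ch)) * 2
    expected = (12 - total % 11) % 11
    return digits[-1] == ("X" if expected == 10 else str(expected))


def merge_records(primary, secondary):
    """Primary iD survives; secondary activities keep their original source tags;
    the secondary iD becomes a deprecated pointer on the merged record."""
    return {
        "orcid": primary["orcid"],
        "activities": list(primary["activities"]) + list(secondary["activities"]),
        "deprecated-ids": list(primary.get("deprecated-ids", [])) + [secondary["orcid"]],
    }


def build_registry(records):
    """Index records by iD and every deprecated iD by the primary it now points at."""
    registry = {"records": {}, "redirects": {}}
    for rec in records:
        registry["records"][rec["orcid"]] = rec
        for old in rec.get("deprecated-ids", []):
            registry["redirects"][old] = rec["orcid"]
    return registry


def resolve(orcid_id, registry):
    """Public-API style lookup returning (status, headers, body)."""
    if not orcid_checksum_valid(orcid_id):
        return 400, {}, {"error": "malformed-orcid"}
    if orcid_id in registry["redirects"]:
        target = registry["redirects"][orcid_id]
        return 301, {"Location": f"{PUBLIC_API}/{target}/record"}, {}
    rec = registry["records"].get(orcid_id)
    if rec is None:
        return 404, {}, {"error": "not-found"}
    return 200, {}, rec


# Constructed records: one institutional employment entry, one funder-written entry.
PRIMARY = {"orcid": "0000-0002-1825-0097",
           "activities": [{"type": "employment", "source-client-id": "APP-UNIV0001"}]}
SECONDARY = {"orcid": "0000-0001-5000-0007",
             "activities": [{"type": "funding", "source-client-id": "APP-FUNDER01"}]}
REGISTRY = build_registry([merge_records(PRIMARY, SECONDARY)])
```

A client that follows the 301 ends up at the merged record, where the funder's entry still carries the funder's client id rather than being re-attributed to the researcher or to the merge itself.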
3. Behind-the-Scenes API Transaction Payloads
When integrated platforms communicate via the Member API, they exchange data as structured JSON documents. Below is an architectural look at two fields of a verified institutional employment record as formatted in JSON:
- The source-client-id parameter: Explicitly records the unique application token of the university that wrote the item, ensuring the researcher cannot fake institutional validation.
- The disambiguated-organization-identifier value: Leverages the global Research Organization Registry (ROR) URL to instantly translate the physical campus name into a machine-readable data point for international search engines.
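How a consumer would read those two fields, as an added illustration rather than the registry's own code or an actual API response: the JSON documents below are constructed, trimmed samples in the style of a v3 employment item (one written by a university's integration, one typed in by the researcher), and the table of trusted client ids is hypothetical. The check treats an item as institutionally verified only when a known client wrote it and the ROR identifier it names is the organization that client is allowed to vouch for.

```python
import json
import re

# ROR identifier shape: "0" followed by six base32-style characters and two check digits.
ROR_RE = re.compile(r"^https://ror\.org/0[a-z0-9]{6}[0-9]{2}$")

# Hypothetical table: Member API client id -> the organization it may vouch for.
TRUSTED_CLIENTS = {"APP-UNIV0001": "https://ror.org/00aaaaa00"}

# Constructed sample: employment item written by the university's integration.
INSTITUTIONAL_RECORD = json.dumps({
    "source": {
        "source-orcid": None,
        "source-client-id": {"uri": "https://registry.example/client/APP-UNIV0001",
                             "path": "APP-UNIV0001", "host": "registry.example"},
        "source-name": {"value": "Example University"},
    },
    "organization": {
        "name": "Example University",
        "address": {"city": "Springfield", "country": "US"},
        "disambiguated-organization": {
            "disambiguated-organization-identifier": "https://ror.org/00aaaaa00",
            "disambiguation-source": "ROR",
        },
    },
    "role-title": "Research Fellow",
    "visibility": "public",
})

# Constructed sample: the same job entered by the researcher; no client id, no ROR.
SELF_ASSERTED_RECORD = json.dumps({
    "source": {
        "source-orcid": {"path": "0000-0002-1825-0097", "host": "registry.example"},
        "source-client-id": None,
        "source-name": {"value": "Jane Doe"},
    },
    "organization": {"name": "Example University",
                     "address": {"city": "Springfield", "country": "US"}},
    "role-title": "Research Fellow",
    "visibility": "public",
})


def provenance(record_json, trusted_clients=TRUSTED_CLIENTS):
    """Classify who wrote an employment item and whether it counts as institutionally verified."""
    rec = json.loads(record_json)
    src = rec.get("source") or {}
    client = (src.get("source-client-id") or {}).get("path")
    holder = (src.get("source-orcid") or {}).get("path")
    org = rec.get("organization") or {}
    ror = (org.get("disambiguated-organization") or {}).get("disambiguated-organization-identifier")
    reasons = []
    if client is None:
        reasons.append("self-asserted by the record holder")
    elif client not in trusted_clients:
        reasons.append("written by an unrecognised client")
    if not ror or not ROR_RE.match(ror):
        reasons.append("no machine-readable organization identifier")
    elif client in trusted_clients and trusted_clients[client] != ror:
        reasons.append("client vouches for an organization other than its own")
    return {"written-by": client or f"orcid:{holder}", "ror": ror,
            "institution-verified": not reasons, "reasons": reasons}


def with_ror(record_json, ror):
    """Return a copy of the record naming a different ROR identifier (used to show the mismatch case)."""
    rec = json.loads(record_json)
    rec.setdefault("organization", {})["disambiguated-organization"] = {
        "disambiguated-organization-identifier": ror, "disambiguation-source": "ROR"}
    return json.dumps(rec)
```

The organization name is free text in both samples; only the client id and the ROR URL are things a downstream system can check, which is why the classification ignores the name entirely.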
If you are expanding your integration strategy, let me know if you would like me to explain how to trace your profile's API transaction history, how to fix a duplicate entry caused by mismatched DOIs, or how to link multiple institutional identity providers to one account. What is your next objective?