This page describes how to submit completed conformance testing results to the OpenID Foundation to request OpenID Certifications. Before submission, first all tests must be successfully passed for the desired conformance profiles and testing results gathered, as described in the OP testing instructions. Note that results with warnings are acceptable for certification purposes.
While the Basic profile requires only one set of test runs (for the
code response type), the Implicit profile requires two (for the
id_token+token response types), and the Hybrid profile requires three (for the
code+id_token+token response types). The Config and Dynamic profiles require only one set of test runs each, which can be performed using any response type.
For each conformance profile being certified to, the following information must be submitted in its own certification package:
- A signed copy of the Certification of Conformance (docx) (PDF) naming that profile. This should use the filename
OpenID-Certification-of-Conformance.pdfin the submitted results. (A different extension such as .jpg for the scanned document may be used as appropriate.)
- A copy of the Certification Terms and Conditions document accompanying the Certification of Conformance. This must use the filename
OpenID-Certification-Terms-and-Conditions.pdfin the submitted results. (This document is not signed but is included for completeness since it is referenced from the Certification of Conformance.)
- Test log files for each test in the profile (HTML or text) for each response_type value required for the profile. Each log file should either be retrieved from your test page https://op.certification.openid.net:your_port and saved with the filename profile-name/test-ID.html or from https://op.certification.openid.net:your_port;/log and use profile-name/test-ID.html as the filename. For instance, the filename
code.config.static.sign/OP-Response-code.htmlshould be used for the OP-Response-code test log when run with the configuration response_type=code, support for .well-known/openid-configuration, static registration, and support for signing when downloaded from the test page or use the name
code.config.static.sign/OP-Response-code.txtwhen downloaded from the /log page.
- Screen captures for each test requiring them (image files) for each response_type value required for the profile. For instance, the filename
code.config.static.sign/OP-redirect_uri-NotReg.pngshould be used for the screen shot of the error shown by the OP when a request uses an unregistered redirect_uri value. (A different extension such as .jpg for the screen shot may be used as appropriate.)
- For the Dynamic profile only, a signed Attestation Statement (docx) (PDF) declaring that the implementation correctly implements behaviors required for the profile that are not testable or were not tested by the tool. This should use the filename
OpenID-Certification-Attestation-Statement.pdfin the submitted results. (A different extension such as .jpg for the scanned document may be used as appropriate.).
The certification package should consist of a single .zip or .tar file containing all the files and using the paths above. The filename should contain the name of the organization, the software being certified, the profile being certified to, and the current date. For example, a certification request by the ProseWare organization of its “Humongous Identity” software for the OP Basic profile on April 13, 2015 should use a filename like
- Name of Entity (“Implementer”) Making this Certification: ProseWare
- Software or Service (“Deployment”) Name & Version #: Humongous Identity 3.14159
- OpenID Connect Conformance Profile: Basic OpenID Provider
- Conformance Test Suite Software: op.certification.openid.net as of April 10, 2015
- Test Date: April 10, 2015
- Implementer’s Address: 5000 Forbes Ave.
- Implementer’s City, State/Province, Postal Code: Pittsburgh, PA 15213
- Implementer’s Country: United States of America
- Implementer’s Name: Jane Doe
- Implementer’s Title: Programmer Extraordinaire
- Implementer’s Phone: +1 (412) 555-1234
- Implementer’s Email: firstname.lastname@example.org
- Authorized Signature: HQB
- Name: Harry Q. Bovik
- Title: Senior Computer Scientist
- Date: April 13, 2015
Contents for several certification submission examples can be viewed at Certification Submission Examples. These examples show the expected contents of the .zip or .tar files for certification submissions for each conformance profile.
The certification package must be sent to the OpenID Foundation as an attachment at email@example.com. The subject line of the e-mail request should be along the lines of “Certification request by ProseWare of Humongous Identity for the Basic OP profile”. If receipt the submission is not acknowledged within two days (or three days if over a weekend), feel free to inquire about whether it was received by e-mailing a message without the attachment (to keep the size of the inquiry small) to firstname.lastname@example.org, cc’ing email@example.com.
Now that the pilot phase of OpenID Provider certification has completed, a fee is required for certifications of OpenID Providers. The fee is intentionally low, to encourage participation, but is there to help cover the ongoing costs of operating the certification program. The price to OpenID foundation members is US$ 200.00 per deployment. The price to non-members is US$ 999.00 for certifying a new deployment. However, the non-member price for certifying a new deployment of an already-certified implementation is only US$ 499.00. Contact firstname.lastname@example.org to inquire about methods of payment. These prices enable participants to certify a deployment to as many profiles as they choose within a calendar year for this one payment. For instance, a member could certify to the OP Basic and OP Config profiles by paying US$ 200.00 and then later add certifications for OP Implicit, OP Hybrid, and OP Dyanmic within the same calendar year at no additional cost. See the OpenID Certification Fee Schedule page for more information.