NOTICE: This OpenID Connect Certification Frequently Asked Questions (FAQ) document is designed to assist in understanding the concept of, process for, and rules applicable to self-certification of conformance with conformance profiles of the OpenID Connect protocol. This FAQ is subject to change at any time by the OpenID Foundation.
- What is OpenID Connect self-certification?
Self-certification is a formal declaration by an entity that its identified deployment of a product or service conforms to a specific conformance profile of the OpenID Connect protocol.
- What are the benefits of certification?
Entities looking to use or rely on a deployment of a product or service that implements a specific conformance profile of the OpenID Connect protocol often need some assurance that the deployment actually conforms to the profile. A certification can help provide that assurance.
- What certification profiles of OpenID Connect are available?
The conformance profiles of OpenID Connect are posted at OpenID Connect Conformance Profiles. The initial profiles are Basic OP, Implicit OP, Hybrid OP, OP Publishing Config Info, and Dynamic OP. The set of defined conformance profiles was expanded in December 2016 to include the corresponding RP profiles Basic RP, Implicit RP, Hybrid RP, RP Using Config Info, and Dynamic RP. Additional conformance profiles are also being planned for the future.
- How does self-certification differ from third party certification?
In the case of self-certification, the party implementing a deployment of a product or service conducts its own review to determine whether its deployment complies with a specific conformance profile, and upon successful completion of such review, issues its own declaration of compliance.
In the case of third-party certification, someone other than the entity deploying the product or service (usually a specially accredited and trustworthy auditor or assessor authorized to conduct such a review) reviews, tests, assesses, and verifies that the entity’s deployment of the product or service conforms to a specific conformance profile, and then issues a statement to the effect that it has conducted the specified assessment, and certifies that the entity’s deployment of the product or service conforms to the specified conformance profile.
In the case of self-certification, the trustworthiness of the certification is a function of the trustworthiness of the entity that is assessing itself. In the case of third-party certification, the trustworthiness of the certification is a function of the trustworthiness of the assessing/certifying entity as well as the trustworthiness of the entity requesting the assessment.
Self-certification is also easier, quicker, and significantly cheaper than third-party certification.
- Why is a self-certification trustworthy?
The trustworthiness of a self-certification is partially a function of the trustworthiness of the entity that is certifying itself, discounted, perhaps, by the self-interest involved. When an entity makes a self-certification, it puts its reputation on the line. In addition, it undertakes potential liability for damages suffered by those who rely on its self-certification in the event that the self-certification is not accurate. And it also exposes itself to potential liability under government regulatory statutes and regulations, such as laws that prohibit unfair and deceptive business practices.
- What can be self-certified to the OpenID Foundation?
Any online deployment of a product or service that implements a conformance profile of the OpenID Connect protocol is eligible for self-certification.
- What aspect of a deployment is being certified?
An entity that submits a self-certification to the OpenID Foundation is certifying that it has conducted specified testing of its deployment of a product or service, including the use of the OpenID Connect Software Test Suite, and that it has verified that its deployment conforms to one or more specific conformance profiles of the OpenID Connect protocol.
- Who can self-certify?
Anyone is eligible to self-certify that their deployments of products or services implementing an OpenID Provider conform to the OpenID Connect protocol. The entity making the certification must be affiliated with or responsible for the implementation being certified; it cannot be an unrelated party.
The Relying Party certification program is still in the pilot phase, which is open only to OpenID Foundation members. The entity making the RP certification must be an OpenID Foundation member, whether it be an organization or an individual. The entity making the certification must be affiliated with or responsible for the implementation being certified; it cannot be an unrelated party.
In the future, it is planned that the RP certification program will also be opened to non-members.
- Do certifications expire?
They do not expire. The date that the certification was performed is part of the certification.
- Who is operating the OpenID Connect self-certification program?
The OpenID Connect self-certification program is operated by the OpenID Foundation. OpenID Connect is a trademark of the OpenID Foundation.
- What is the status of the OpenID Connect self-certification program?
Since its launch in April 2015, the certification program for OpenID Providers has progressed from a pilot phase open to members to general availability to all, which began in January 2016. Over 100 OpenID Provider certifications have been performed.
The accompanying Relying Party certification program entered the pilot phase in December 2016. The pilot is open to all OpenID Foundation members. Members interested in “testing the tests” should send a note to firstname.lastname@example.org asking to be part of the RP certification pilot phase.
- Is payment of a fee required to self-certify?
A fee is now required for certifications of OpenID Providers. The fee is intentionally low, to encourage participation, but is there to help cover the ongoing costs of operating the certification program. The price to OpenID Foundation members is US$ 200.00 per deployment. The price to non-members is US$ 999.00 for certifying a new deployment. However, the non-member price for certifying a new deployment of an already-certified implementation is only US$ 499.00. Contact email@example.com to inquire about methods of payment. These prices enable participants to certify a deployment to as many profiles as they choose within a calendar year for this one payment. For instance, a member could certify to the OP Basic and OP Config profiles by paying US$ 200.00 and then later add certifications for OP Implicit, OP Hybrid, and OP Dynamic within the same calendar year at no additional cost.
No fee is yet required for certifications of Relying Parties, since the RP certification program is still in the pilot phase. Like OP certification, payment will be required once the pilot phase has been completed.
See the OpenID Certification Fee Schedule page for more information.
- Is the Certification of Conformance legally binding?
Yes. By signing and submitting the Certification of Conformance, the organization is declaring both to the OpenID Foundation and to the general public the accuracy of the matters set forth in the Certification.
- How is a self-certification publicized?
Self-certifications submitted to the OpenID Foundation are published at http://openid.net/certification/ and registered with the OIXnet registry at http://oixnet.org/openid-certifications/. Certified implementations are featured for developers at http://openid.net/developers/certified/. Announcements are also made from time to time on the OpenID Foundation website.