NOTICE: This OpenID Connect Certification Frequently Asked Questions (FAQ) document is designed to assist in understanding the concept of, process for, and rules applicable to self-certification of conformance with conformance profiles of the OpenID Connect protocol. This FAQ is subject to change at any time by the OpenID Foundation.
- What is OpenID Connect self-certification?
Self-certification is a formal declaration by an entity that its identified deployment of a product or service conforms to a specific conformance profile of the OpenID Connect protocol.
- Why are the benefits of certification?
Entities looking to use or rely on a deployment of a product or service that implements a specific conformance profile of the OpenID Connect protocol often need some assurance that the deployment actually conforms to the profile. A certification can help provide that assurance.
- What certification profiles of OpenID Connect are available?
The conformance profiles of OpenID Connect are posted at OpenID Connect Conformance Profiles. The initial profiles are Basic OP, Implicit OP, Hybrid OP, OP Publishing Config Info, and Dynamic OP. The set of defined conformance profiles was expanded in December 2016 to include the corresponding RP profiles Basic RP, Implicit RP, Hybrid RP, RP Using Config Info, and Dynamic RP. Additional conformance profiles are also being planned for the future.
- How does self-certification differ from third party certification?
In the case of self-certification, the party implementing a deployment of a product or service conducts its own review to determine whether its deployment complies with a specific conformance profile, and upon successful completion of such review, issues its own declaration of compliance.
In the case of third-party certification, someone other than the entity deploying the product or service (usually a specially accredited and trustworthy auditor or assessor authorized to conduct such a review) reviews, tests, assesses, and verifies that the entity’s deployment of the product or service conforms to a specific conformance profile, and then issues a statement to the effect that it has conducted the specified assessment, and certifies that the entity’s deployment of the product or service conforms to the specified conformance profile.
In the case of self-certification, the trustworthiness of the certification is a function of the trustworthiness of the entity that is assessing itself. In the case of third-party certification, the trustworthiness of the certification is a function of the trustworthiness of the assessing entities/certifying entity as well as the trustworthiness of the entity requesting the assessment.
Self-certification is also easier, quicker, and significantly cheaper than third-party certification.
- Why is a self-certification trustworthy?
The trustworthiness of a self-certification is partially a function of the trustworthiness of the entity that is certifying itself, discounted, perhaps, by the self-interest involved. When an entity makes a self-certification, it puts its reputation on the line. In addition, it undertakes potential liability for damages suffered by those who rely on its self-certification in the event that the self-certification is not accurate. And it also exposes itself to potential liability under government regulatory statutes and regulations, such as laws that prohibit unfair and deceptive business practices.
- What can be self-certified to the OpenID Foundation?
Any online deployment of a product or service that implements a conformance profile of the OpenID Connect protocol is eligible for self-certification.
- What about a deployment is being certified?
An entity that submits a self-certification to the OpenID Foundation is certifying that it has conducted specified testing of its deployment of a product or service, including the use of the OpenID Connect Software Test Suite, and that it has verified that its deployment conforms to one or more specific conformance profiles of the OpenID Connect protocol.
- Who can self-certify?
Anyone is eligible to self-certify that their deployments of products or services implementing an OpenID Provider or Relying Party conform to generally available conformance profiles of the OpenID Connect protocol. The entity making the certification request must be affiliated with or responsible for the implementation being certified; it cannot be an unrelated party.
While a conformance profile is still in the pilot phase, certification to it is open only to OpenID Foundation members. The entity making the certification request must be an OpenID Foundation member, whether it be an organization or an individual. No fee is yet required for these certifications, since they are still in the pilot phase, during which we are “testing the tests”. Like certification to production conformance profiles, payment will be required once the pilot phase has been completed.
- Do certifications expire?
They do not expire. The date that the certification was performed is part of the certification.
- Who is operating the OpenID Connect self-certification program?
The OpenID Connect self-certification program is operated by the OpenID Foundation. OpenID Connect is a trademark of the OpenID Foundation.
- What is the status of the OpenID Connect self-certification program?
After its launch in April 2015, the certification program for OpenID Providers progressed from the pilot phase open to members to general availability to all in January 2016. The Relying Party certification program entered the pilot phase in December 2016 and progressed to general availability in August 2017. These production OpenID Provider profiles are generally available: Basic OP, Implicit OP, Hybrid OP, Config OP, and Dynamic OP. These production Relying profiles are generally available: Basic RP, Implicit RP, Hybrid RP, Config RP, and Dynamic RP.
NEW! Conformance profiles for OPs and RPs implementing the Form Post Response Mode entered the pilot phase in June 2018. They are Form Post OP and Form Post RP. Please give them a try!
Certification to conformance profiles in the pilot phase is open to all OpenID Foundation members. Members interested in “testing the tests” should send a note to email@example.com asking to be part of the certification pilot phase for new profiles.
- Is payment of a fee required to self-certify?
A fee is required for certifications of both OpenID Providers and Relying Parties, unless the certification profile is still in the pilot phase. The fee is intentionally low, to encourage participation, but is there to help cover the ongoing costs of operating the certification program. The price to OpenID foundation members is US$ 200.00 per deployment. The price to non-members is US$ 999.00 for certifying a new deployment. However, the non-member price for certifying a new deployment of an already-certified implementation is only US$ 499.00. These prices enable participants to certify a deployment to as many profiles as they choose within a calendar year for this one payment. For instance, a member could certify to the Basic OP and Config OP profiles by paying US$ 200.00 and then later add certifications for Implicit OP, Hybrid OP, and Dyanmic OP within the same calendar year at no additional cost. Separate payments are required for OP deployments and RP deployments.
No fee is required for certifications to conformance profiles in the pilot phase, since for those we are still “testing the tests”. Payment will be required for new certifications to those profiles once the pilot phase has been completed and the profiles reach general availability.
- Is the Certification of Conformance legally binding?
Yes. By signing and submitting the Certification of Conformance, the organization is declaring both to the OpenID Foundation and to the general public the accuracy of the matters set forth in the Certification.
- How is a self-certification publicized?
Self-certifications submitted to the OpenID Foundation are published at http://openid.net/certification/ and registered with the OIXnet registry at http://oixnet.org/openid-certifications/. Certified implementations are featured for developers at http://openid.net/developers/certified/. Announcements are also made from time to time on the OpenID Foundation website.
- What if I have more questions or want to file a bug report?