Conformance Testing for OpenID Federation
This page describes how to run the conformance tests for OpenID Federation entities. At the time of writing, the set of tests available in production is at an early stage. Do not hesitate to register issues in the conformance suite project (https://gitlab.com/openid/conformance-suite) if you observe unexpected or incorrect behavior, or if you have questions regarding the tests.
First, go to https://www.certification.openid.net and log in with your Google or GitLab account. Next, choose Create a new test plan. On the next screen, make sure to check the “Show early version tests” box in order to see the Federation test plans.
Available test plans
In the dropdown list, under the subheading “Test an OpenID Federation entity”, there are three test plans available:
- Deployed federation entity test
- Entity joined to test federation OP test
- Entity joined to test federation RP test
The first test plan, “Deployed federation entity test”, tests the properties of an entity already deployed in a federation. These tests are mainly concerned with validation of the federation entity metadata and of the response structure returned by the exposed federation endpoints.
Test plans 2 and 3 test the behavior of an entity within a custom federation created for certification testing purposes. In these test plans, the entity under test enrolls in a small federation hosted by the test suite, where it is then subjected to both positive and negative tests.
Deployed federation entity test
Test setup
In the Test Plan dropdown menu, select OpenID Federation: Deployed federation entity test plan. In the dropdowns that appear, select the following:
Entity configuration location - Select “discovery”. The “static” option allows you to configure a static entity configuration instead of fetching it remotely, which is not commonly applicable.
Client registration type - Set it to the value that reflects the client registration type that will be used in the test. Currently, only “automatic” is supported.
In the Configure Test section that appears, configure the following:
Test information
alias - Used to make any URLs used in the test unique to the user. Set it to something unique to avoid clashes with other testers.
description - Add a brief description for your own convenience, or leave it empty.
publish - Leave it at “No”. Test plans can be published and shared later.
Federation entity under test
entity_identifier - The entity identifier for the primary federation entity under test, which can be a leaf, an intermediate or a trust anchor.
trust_anchor - The intended trust anchor for the entity specified by entity_identifier. If the federation entity under test is itself a trust anchor, set this value equal to the entity_identifier field.
trust_anchor_jwks (optional) - Pre-configured public keys for the entity’s trust anchor as a JWK Set, e.g.
{ "keys": [ { "kty": "RSA", ... } ] }
Click “Create Test Plan” and continue to the section Running the tests.
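The checks this test plan is concerned with (well-formed entity configuration, metadata present, trust anchor keys matching what was pre-configured) can be reproduced locally before a test run. The following Python is an added example for this page, not code from the conformance suite: it decodes an entity configuration JWT, applies the structural checks that the OpenID Federation specification requires of a self-issued entity statement, and confirms that the keys you would paste into trust_anchor_jwks appear (by RFC 7638 thumbprint) in the trust anchor's own published jwks. All entity identifiers, key material and timestamps are constructed; the signature segment is a placeholder, so cryptographic verification of the signature against the published key is left to a JOSE library and is not performed here.

```python
"""Structural checks on an OpenID Federation entity configuration plus
trust-anchor key pinning. Standard library only; signatures are NOT verified
(use a JOSE library for that), see the lead-in."""
import base64
import hashlib
import json
import time

ENTITY_STATEMENT_TYP = "entity-statement+jwt"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    with lexicographically sorted names and no whitespace (kid/use are ignored)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
                "OKP": ("crv", "kty", "x")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def split_jwt(token: str):
    """Decode header and claims of a compact JWS; the third segment is returned raw."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return (json.loads(b64url_decode(segments[0])),
            json.loads(b64url_decode(segments[1])), segments[2])


def check_entity_configuration(token: str, entity_id: str, now=None) -> list:
    """Return a list of findings; an empty list means every structural check passed."""
    now = time.time() if now is None else now
    findings = []
    header, claims, _ = split_jwt(token)
    if header.get("typ") != ENTITY_STATEMENT_TYP:
        findings.append(f"header typ must be {ENTITY_STATEMENT_TYP}, got {header.get('typ')!r}")
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("alg 'none' is not acceptable for an entity statement")
    if claims.get("iss") != entity_id:
        findings.append(f"iss {claims.get('iss')!r} does not match entity identifier {entity_id!r}")
    if claims.get("sub") != claims.get("iss"):
        findings.append("an entity configuration is self-issued: sub must equal iss")
    jwks = claims.get("jwks") or {}
    keys = jwks.get("keys", []) if isinstance(jwks, dict) else []
    if not keys:
        findings.append("jwks with at least one federation key is required")
    kid = header.get("kid")
    if kid is None or kid not in {k.get("kid") for k in keys}:
        findings.append(f"signing kid {kid!r} is not among the entity's published jwks")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        findings.append("iat missing or in the future")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        findings.append("exp missing or already passed")
    if "metadata" not in claims:
        findings.append("metadata claim is required")
    return findings


def trust_anchor_keys_match(pinned_jwks: dict, ta_entity_configuration: str) -> bool:
    """Every pre-configured key (the trust_anchor_jwks field) must appear, by
    thumbprint, in the trust anchor's published jwks."""
    _, ta_claims, _ = split_jwt(ta_entity_configuration)
    published = {jwk_thumbprint(k) for k in ta_claims.get("jwks", {}).get("keys", [])}
    pinned = {jwk_thumbprint(k) for k in pinned_jwks.get("keys", [])}
    return bool(pinned) and pinned <= published


def build_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed test input: the third segment is a placeholder, not a signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), "placeholder-signature"])


# Constructed sample federation: example.com names, dummy key material, fixed clock.
OP_ID = "https://op.example.com"
TA_ID = "https://ta.example.com"
OP_KEY = {"kty": "RSA", "kid": "op-sig-1", "use": "sig", "e": "AQAB", "n": "constructed-modulus"}
TA_KEY = {"kty": "EC", "kid": "ta-sig-1", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
NOW = 1_700_000_100
OP_ENTITY_CONFIGURATION = build_unsigned_token(
    {"alg": "RS256", "typ": ENTITY_STATEMENT_TYP, "kid": "op-sig-1"},
    {"iss": OP_ID, "sub": OP_ID, "iat": 1_700_000_000, "exp": 1_700_086_400,
     "jwks": {"keys": [OP_KEY]}, "authority_hints": [TA_ID],
     "metadata": {"openid_provider": {"issuer": OP_ID,
                                      "client_registration_types_supported": ["automatic"]}}})
TA_ENTITY_CONFIGURATION = build_unsigned_token(
    {"alg": "ES256", "typ": ENTITY_STATEMENT_TYP, "kid": "ta-sig-1"},
    {"iss": TA_ID, "sub": TA_ID, "iat": 1_700_000_000, "exp": 1_700_086_400,
     "jwks": {"keys": [TA_KEY]},
     "metadata": {"federation_entity": {"federation_fetch_endpoint": TA_ID + "/fetch"}}})
PINNED_TA_JWKS = {"keys": [TA_KEY]}  # what you would paste into trust_anchor_jwks
BROKEN_CONFIGURATION = build_unsigned_token(  # deliberately wrong: sub names another entity
    {"alg": "RS256", "typ": ENTITY_STATEMENT_TYP, "kid": "op-sig-1"},
    {"iss": OP_ID, "sub": "https://other.example.com", "iat": 1_700_000_000,
     "exp": 1_700_086_400, "jwks": {"keys": [OP_KEY]}, "metadata": {}})

if __name__ == "__main__":
    print("OP findings:", check_entity_configuration(OP_ENTITY_CONFIGURATION, OP_ID, now=NOW))
    print("broken findings:", check_entity_configuration(BROKEN_CONFIGURATION, OP_ID, now=NOW))
    print("TA keys pinned:", trust_anchor_keys_match(PINNED_TA_JWKS, TA_ENTITY_CONFIGURATION))
```

Pinning by thumbprint rather than by kid is deliberate: a kid is an arbitrary label chosen by the trust anchor, while the thumbprint is derived from the key material itself, so a renamed key still matches and a different key under a reused kid does not. Against a real deployment, fetch the token from the entity identifier's /.well-known/openid-federation path and verify its signature with the key selected by kid from its own jwks before trusting any of the claims checked here.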
Entity joined to test federation OP test
Test setup
In the Test Plan dropdown menu, select OpenID Federation: Entity joined to test federation OP test. In the dropdowns that appear, select the following:
Entity configuration location - Select “discovery”. The “static” option allows you to configure a static entity configuration instead of fetching it remotely, which typically is not applicable.
Client registration type - Set it to the value that reflects the client registration type that will be used in the test. Currently, only “automatic” is supported.
In the Configure Test section that appears, configure the following:
Test information
alias - Used to make any URLs used in the test unique to the user. Set it to something unique to avoid clashes with other testers.
description - Add a brief description for your own convenience, or leave it empty.
publish - Leave it at “No”. Test plans can be published and shared later.
Federation entity under test
entity_identifier - The entity identifier for your OP federation entity.
trust_anchor - This field is read-only and contains the entity identifier of the trust anchor that your software must trust. This trust anchor is shared between your OP software and the test suite, which acts as an RP in this test plan.
Test suite RP
rp_ec_jwks - The JWKS containing the private key the test suite uses to sign entity configurations and similar when acting as a federation entity. Click “Generate” to have the test suite generate it for you, or provide your own.
rp_client_jwks - The JWKS containing the private key the test suite uses to sign request objects and similar when acting as an RP. Click “Generate” to have the test suite generate it for you, or provide your own.
rp_entity_identifier_override - Leave it empty.
Test suite trust anchor
trust_anchor_jwks - The JWKS containing the private key the test suite uses to sign entity statements and similar when acting as the federation trust anchor. Click “Generate” to have the test suite generate it for you, or provide your own.
Entity joined to test federation RP test
Test setup
In the Test Plan dropdown menu, select OpenID Federation: Entity joined to test federation RP test. In the dropdowns that appear, select the following:
Entity configuration location - Select “discovery”. The “static” option allows you to configure a static entity configuration instead of fetching it remotely, which typically is not applicable.
Client registration type - Set it to the value that reflects the client registration type that will be used in the test. Currently, only “automatic” is supported.
In the Configure Test section that appears, configure the following:
Test information
alias - Used to make any URLs used in the test unique to the user. Set it to something unique to avoid clashes with other testers.
description - Add a brief description for your own convenience, or leave it empty.
publish - Leave it at “No”. Test plans can be published and shared later.
Federation entity under test
entity_identifier - The entity identifier for your RP federation entity.
trust_anchor - This field is read-only and contains the entity identifier of the trust anchor that your software must trust. This trust anchor is shared between your RP software and the test suite, which acts as an OP in this test plan.
Test suite OP
op_ec_jwks - The JWKS containing the private key the test suite uses to sign entity configurations and similar when acting as a federation entity. Click “Generate” to have the test suite generate it for you, or provide your own.
op_server_jwks - The JWKS containing the private keys the test suite uses for signing and encryption when acting as an OP. Click “Generate” to have the test suite generate it for you, or provide your own.
op_entity_identifier_override - Leave it empty.
Test suite trust anchor
trust_anchor_jwks - The JWKS containing the private key the test suite uses to sign entity statements and similar when acting as the federation trust anchor. Click “Generate” to have the test suite generate it for you, or provide your own.
Running the tests
In the test plan overview, you are presented with a list of individual tests. Click Run Test to execute each test individually.
Sharing the test results
In the test plan overview, click Publish everything to make the test results visible to anyone, not just the logged-in user.
Getting help
Do not hesitate to register issues in the conformance suite project if you observe unexpected or incorrect behavior. You can also reach out to certification@oidf.org if you have questions regarding the tests.