Submission of Results for OP Certification

This page describes how to submit completed conformance testing results to the OpenID Foundation to request OpenID Certifications. Before submission, first all tests must be successfully passed for the desired conformance profiles and testing results gathered, as described in the instructions. All tests MUST be in the ‘FINISHED’ status. Note that results with warnings are acceptable for certification purposes.

Please note that the full supplied log files will be published as part of a successful certification and these may contain client credentials, private keys, and other potentially sensitive data that are part of the test configuration, so it is strongly recommended to deactivate clients and revoke keys prior to submitting your results.

Some certification profiles require more than one test plan to be run:

  • Form Post OP: The tests must be run for each of basic/hybrid/implicit that your system supports.
  • All logout OP profiles: The tests must be run for each response type that your system supports.

For these profiles, you will need to download multiple log files and prepare a submission package manually, adding all of the separately downloaded test plan logs to the submission package. For all other profiles, simply running the relevant test plan once is all that is required.

Note that FAPI-RW, FAPI1 Advanced Final and FAPI-CIBA have separate profiles for MTLS and private_key_jwt authentication – a separate submission package must be prepared for each one. FAPI-CIBA also has separate profiles for poll and ping modes.

For each conformance profile being certified to, the following information must be submitted in its own certification package:

  1. A signed copy of the Certification of Conformance (docx) (PDF) naming that profile. This file should use the filename OpenID-Certification-of-Conformance.pdf in the submitted results. (A different extension such as .jpg for the scanned document may be used as appropriate.) Fields in this file must be filled according to the following rules:
    1. ‘Software or Service (“Deployment”) Name & Version #’ field must contain a version number. If you are certifying a service which does not have a version number then you can use an artificial version number such as ‘as of June 2021’ or ‘June 2021 Release’. A version string is always required and you will be asked to resubmit if you do not provide a version number.
    2. ‘OpenID Conformance Profile’ field must contain a valid profile name, i.e one of the certification table column labels at https://openid.net/certification/, e.g ‘FAPI R/W OP w/ Private Key’. Test plan names cannot be used instead of a profile name.
    3. ‘Conformance Test Suite Software’ field must contain the string “www.certification.openid.net” and the conformance suite version number, for example “www.certification.openid.net version 4.1.18”.
    4. ‘Authorized Signature’ field must contain a signature. It can be a regular signature or an electronic one such as Docusign. The document can be signed by any authorized person who actually works for the implementer, the document cannot be signed by third parties, e.g by an external consultant.
  2. Downloaded test logs.

The certification package should consist of a single .zip file containing all the files and using the paths above. The certification package must be created by using the ‘Publish for certification’ button.

To prepare the certification package using the ‘Publish for certification’ button:

  • Select the OpenID-Certification-of-Conformance.pdf file to be uploaded and added to the package
  • Click ‘Create Certification Package’ button

The downloaded certification package must be renamed before submission as follows: The certification package filename must contain the name of the organization, the software being certified, the profile being certified to, and the current date. For example, a certification request by the ProseWare organization of its “Humongous Identity” software for the FAPI-RW OP w/MTLS profile, second implementers draft on April 1, 2019 should use a filename like ProseWare-Humongous_Identity-FAPI-RW-OP-MTLS-1-Apr-2019.zip. Or if you tested with private_key_jwt client authentication, the filename would be like ProseWare-Humongous_Identity-FAPI-RW-OP-Private_Key-1-Apr-2019.zip.

Other example submission filenames are:

  • ProseWare-Humongous_Identity-Basic-OP-13-Apr-2015.zip
  • ProseWare-Humongous_Identity-Implicit-OP-13-Apr-2015.zip
  • ProseWare-Humongous_Identity-Hybrid-OP-13-Apr-2015.zip
  • ProseWare-Humongous_Identity-Config-OP-13-Apr-2015.zip
  • ProseWare-Humongous_Identity-Dynamic-OP-13-Apr-2015.zip
  • ProseWare-Humongous_Identity-FormPost-OP-4-Jul-2018.zip
  • ProseWare-Humongous_Identity-ThirdParty-OP-28-Feb-2019.zip
  • ProseWare-Humongous_Identity-RPInitLogout-OP-22-Mar-2020.zip
  • ProseWare-Humongous_Identity-Session-OP-22-Mar-2020.zip
  • ProseWare-Humongous_Identity-FrontChannel-OP-22-Mar-2020.zip
  • ProseWare-Humongous_Identity-BackChannel-OP-22-Mar-2020.zip
  • ProseWare-Humongous_Identity-FAPI_CIBA-OP-Poll_MTLS-1-Sep-2019.zip

Example values for the blanks in the Certification of Conformance (docx) (PDF) are as follows:

  • Name of Entity (“Implementer”) Making this Certification: ProseWare
  • Software or Service (“Deployment”) Name & Version #: Humongous Identity 3.14159
  • OpenID Connect Conformance Profile: FAPI R/W OP w/ Private Key
  • Conformance Test Suite Software & Version #: www.certification.openid.net 2.0.99
  • Test Date: April 1, 2019
  • Authorized Signature: HQB
  • Name: Harry Q. Bovik
  • Title: Senior Computer Scientist
  • Date: April 1, 2019
  • Implementer’s Name: Jane Doe
  • Implementer’s Title: Programmer Extraordinaire
  • Implementer’s Phone: +1 (412) 555-1234
  • Implementer’s Email: jane@proseware.org
  • Implementer’s Address: 5000 Forbes Ave.
  • Implementer’s City, State/Province, Postal Code: Pittsburgh, PA 15213
  • Implementer’s Country: United States of America

The conformance test suite software version number you used can be found on the results page for your test plan.

The certification package must be sent to us using the certification request form. If you are submitting for multiple profiles at the same time, for example multiple FAPI OP profiles, please fill in only one certification request form and submit a ‘zip of zips’ containing all the FAPI packages – and similarly a separate single ticket for any OpenID Connect OP profiles or FAPI-CIBA OP profiles.

An immediate automatic e-mail will be sent acknowledging receipt. Please check you received this e-mail, as any questions we have will be sent in the same way. If you don’t receive any further response within 5 working days, feel free to inquire about status by e-mailing a message to certification@oidf.org.

A fee is required for certifications unless the conformance profile is still in the pilot phase. See the OpenID Certification Fee Schedule page for more information. Please pay for your certification application at the Certification Payment page when you make your submission.