From ratification to certification, OpenID Connect grows up

April 24, 2015


It's tough watching your kids grow up. From their first steps to their first day at school, parents everywhere get a little teary-eyed as they realize how much their kids have grown, and how much less they're needed as parents. That time comes for everyone. While putting them on the bus for the first time is heartbreaking, it's also rather satisfying to see that you've succeeded in getting them to the next stage of their lives.


It's that kind of pride that the OpenID Connect authors should feel from the OpenID Foundation's latest announcement, which describes a comprehensive conformance testing suite along with a self-certification program that vendors can use to assure their compliance with the OpenID Connect standard.


OpenID Connect was ratified early last year by the OpenID Foundation, opening the way for digital identities to be used across websites and applications in a simple, secure and privacy-enhancing manner. The standard has been widely adopted since then, often replacing legacy OpenID 2.0 and OAuth implementations because of the increased security and usability offered by OpenID Connect.




This week, the Open Identity Exchange (OIX) launched OIXnet, an "online registry of trust frameworks and identity systems," and the OpenID Foundation announced that they are the first group to utilize the registry with the OpenID Connect Certification program. Google, Microsoft, ForgeRock, Nomura Research Institute and PayPal have joined us in being the first certified OpenID Connect identity providers.


The OpenID Connect Certification program aims to provide assurance to developers that the participating providers conform to the OpenID Connect standard. The certification outlines detailed conformance profiles, and the OpenID Connect Conformance Test Suite™ is used by providers to self-certify that their product conforms to one or more of these profiles.


Brian Campbell, a distinguished engineer here at Ping Identity, was responsible for much of the OpenID Connect implementation. In a recent discussion, he explained that "certification plays an important role in ensuring that predictable and interoperable implementations of open standards are available in the marketplace. This is critical to the success and adoption of OpenID Connect at scale. The OpenID Foundation has taken a unique and more lightweight approach with self-certification and we are pleased to be a part of the launch of the program."


As you can see from the certification overview, we've certified PingFederate as an OpenID Provider for the basic, implicit, hybrid and config profiles. You can read more about these profiles in the conformance document linked above, but it should come as no surprise that we offer broad support for OpenID Connect since we've been involved with drafting the standard from the beginning.


As a certified OpenID Provider, PingFederate can be used to authenticate users against any number of disparate data stores and provide tokens that can be consumed by any compliant relying party, including services like Amazon Web Services (AWS) Cognito as well as many software as a service (SaaS) and cloud applications. We also offer an open source module that enables the Apache web server to operate as an OpenID Connect relying party, providing a complete, standards-based solution for identity federation and single sign-on for web services provided by Apache, the most popular web server in use today. PingFederate also supports other OpenID Connect providers as a relying party, such as Google's authentication service. Finally, we've also leveraged OpenID Connect to provide a standardized integration with PingAccess, our web and API access management solution.


The OpenID Foundation will continue to expand the certification program by adding relying party certification next month, and then make the OpenID Connect Certification program generally available early next year.


OpenID Connect will continue to mature, and the ability to certify these profiles and implementations is a huge step towards broader adoption of the standard--and a more secure, connected world. It might not be as satisfying as that last diaper that needs changing, but it's certainly a good indication that the standard is indeed growing up.