OpenID Foundation unveils program aimed at certifying authentication plumbing

Google, Microsoft, PayPal among those who have already certified, registered OpenID Connect implementations
Written by John Fontana, Contributor

The OpenID Foundation on Wednesday unveiled a program to certify implementations of its OpenID Connect authentication mechanisms, a step toward ensuring an interoperable identity infrastructure that will scale to the Internet.

The Foundation made the announcement on the third full day of the RSA Conference in San Francisco.

The goal is consistency in deployments of the standards-based protocol, which will foster interoperability and attract consumer and enterprise adoption across the cloud.

OpenID Connect (OIDC) is built on top of OAuth 2.0, an identity framework standard blessed by the Internet Engineering Task Force (IETF). OIDC is the third generation of, and a rework of, the original OpenID specification.

At a very high level, OAuth is about granting access (authorization), while OpenID Connect is about authentication on any platform, including mobile. The two open identity standards are designed so they can work separately, but when paired they strengthen access control and data security.

"Once we finished Connect a year ago, we all knew that despite the fact we had done five rounds of interop testing, from a business point of view that doing certifications was the next thing in order to get implementations of high quality that work well together," said Mike Jones, secretary of the OpenID Foundation Board.

The Foundation is using a self-certification model. Jones says the group believes self-certification forces the tester to put its reputation on the line: it establishes liability based on the accuracy of the testing and puts the tester under established statutes that prohibit unfair and deceptive business practices.

OIDC members Microsoft, Google, PayPal, ForgeRock, Ping Identity and Nomura Research Institute are the first to complete certifications. In addition, those members registered their certifications in the new OIXnet, an international online registry of trust frameworks and identity systems that was introduced today by the Open Identity Exchange.

Next month, OIDC conformance testing will be opened to other Foundation members. Beginning in January 2016, the program will move to general availability.

Eric Sachs, product management director for identity at Google, said that on the consumer side "we can certify that Google as an identity provider works exactly to the OpenID Connect spec, which means there is more confidence that integrating with Google will be relatively painless and our users can hope for better security on their apps. That is the main consumer use case."

On the enterprise side, Sachs said the use case is a bit more complicated. OpenID Connect will help alleviate some of the security issues that arise when employees go around IT to sign up for services, a practice known as shadow IT. When an employee goes to a service provider and signs up with their work email address, the provider would see that the domain belongs to an OpenID Connect certified identity provider that works in a known way.

"Completely automatically, like what happens with SMTP today, the provider could bounce that user back to their company for authentication verification and get that user logged in," said Sachs. "There would be no need for the IT admin to get involved, employees get better security, and it happens automatically."

The initial certification program is based on tests against a subset of the conformance profiles that outline the OIDC specification. Initially, the conformance testing will focus on OIDC profiles that address OpenID Providers (OPs), the party that offers user authentication as a service. The tests will eventually expand to include the profiles that address relying parties (RPs), those who agree to accept end-user identities issued by OPs.

The initial OIDC profiles tagged for testing are Basic OP, Implicit OP, Hybrid OP, OP Publishing Config Info, and Dynamic OP.

The OpenID Connect self-certified conformance testing is open to any product or service that implements at least one of the OIDC conformance profiles. Certifications will not expire, and there are no testing fees.

The test suite was developed as open source software in cooperation among Europe's GÉANT Project, the OpenID Foundation, and Sweden's Umeå University.

In a statement, Licia Florio, GÉANT project activity leader for Identity and Trust Technologies, said: "Our work together demonstrates that joint operational and technical collaboration from Europe, North America, Asia, and South America significantly advances the adoption of user centric open identity standards."