Submission of Results for FAPI RPs
This page describes how to submit completed FAPI-RW, FAPI 1 Advanced Final and FAPI 2 RP conformance testing results to the OpenID Foundation to request OpenID Certifications. Before submission, all tests for the desired conformance profiles must pass and the testing results must be gathered, as described in the FAPI RP Testing Instructions. All tests MUST be in the ‘FINISHED’ status. Note that results with warnings are acceptable for certification purposes.
Please note that the full supplied log files will be published as part of a successful certification. These may contain client credentials, private keys, and other potentially sensitive data that are part of the test configuration, so it is recommended to deactivate any configurations and clients and revoke keys as necessary prior to submitting your results.
For each conformance profile being certified to, the following information must be submitted in its own certification package:
- A signed copy of the Certification of Conformance (docx) (PDF). The fields in the document must be filled according to the following rules:
  - ‘Software or Service (“Deployment”) Name & Version #’ field must contain a version number. If you are certifying a service which does not have a version number then you can use an artificial version number such as ‘as of June 2024’ or ‘June 2024 Release’. A version string is always required and you will be asked to resubmit if you do not provide a version number.
  - ‘OpenID Conformance Profile’ field must contain a valid profile name, i.e. one of the certification table column labels at https://openid.net/certification/. Example: ‘FAPI Adv. RP w/ Private Key’. Test plan names cannot be used instead of a profile name.
  - ‘Conformance Test Suite Software’ field must contain the string “www.certification.openid.net” and the conformance suite version number. Example: www.certification.openid.net version 5.1.10. The conformance test suite software version number is displayed in the test plan user interface.
  - ‘Authorized Signature’ field must contain a signature. It can be a regular signature or an electronic one such as Docusign. The document can be signed by any authorized person who actually works for the implementer. It cannot be signed by third parties, e.g. by an external consultant.
- Test plan logs produced by the conformance suite. These logs are added automatically when you use the “Publish for certification” option in the test plan user interface.
- Evidence demonstrating the behavior of the relying party for each test. This can take the form of RP log files, screen captures (image files), or both.
  - The client logs must demonstrate that your application behaves correctly and, if applicable, is detecting the error condition under test. As an example, for the test fapi1-advanced-final-client-test-invalid-shash, it is expected that your client logs include a file fapi1-advanced-final-client-test-invalid-shash.log which contains the log lines where the invalid s_hash was detected.
  - Files should be named consistently using the test name as the file name prefix. For example, the log file for fapi1-advanced-final-client-test should be named fapi1-advanced-final-client-test.log or fapi1-advanced-final-client-test-logs.txt or similar.
  - If more than one file needs to be included for a test then they should be named like fapi1-advanced-final-client-test-1.log, fapi1-advanced-final-client-test-2.log or similar.
  - When you press the “Publish for certification” button in the test plan user interface, you’ll be prompted to upload your client side logs as a .zip file.
A typical submission package will have the following folder structure:
- OpenID-Certification-of-Conformance.pdf
- fapi1-advanced-final-client-test-PLAN_ID.zip
- client-data
  - fapi1-advanced-final-client-test.log
  - fapi1-advanced-final-client-test-invalid-shash.log
  - fapi1-advanced-final-client-test-invalid-chash.log
  - …
The certification package must consist of a single .zip file containing all the files and using the paths above. The certification package must be created using the ‘Publish for certification’ button on the page that shows the plan results.
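A pre-submission check for the client-data folder, as an added example that is not part of the OpenID Foundation's tooling: it matches each evidence file to a test by the file name prefix rule and flags content that looks like a private key or client secret, so you know what to revoke before the logs are published. The function names, the secret patterns and the sample package are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic markers (assumptions) for data the page warns may be published.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "jwk_private_member": re.compile(r'"d"\s*:\s*"[A-Za-z0-9_-]{20,}"'),
    "client_secret": re.compile(r"client_secret[\"']?\s*[:=]"),
}

def audit_client_data(zip_bytes, test_names, folder="client-data/"):
    """Return (tests without evidence, files matching no test, secret hits)."""
    missing, unmatched, hits = set(test_names), [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(folder):
                continue
            name = info.filename[len(folder):]
            # Longest prefix wins: the base test name also prefixes "-invalid-shash".
            owner = max((t for t in test_names if name.startswith(t)),
                        key=len, default=None)
            if owner is None:
                unmatched.append(name)
            else:
                missing.discard(owner)
            text = zf.read(info).decode("utf-8", errors="replace")
            found = sorted(k for k, rx in SECRET_PATTERNS.items() if rx.search(text))
            if found:
                hits[name] = found
    return sorted(missing), sorted(unmatched), hits

# Test names taken from the examples on this page.
T = "fapi1-advanced-final-client-test"
TESTS = [T, T + "-invalid-shash", T + "-invalid-chash"]

def build_sample_package():
    """Constructed package; file contents are made up for this example."""
    files = {
        "OpenID-Certification-of-Conformance.pdf": "placeholder",
        f"client-data/{T}-1.log": "flow completed",
        f"client-data/{T}-invalid-shash.log": "rejected response: s_hash mismatch",
        "client-data/rp-debug.txt": "-----BEGIN PRIVATE KEY-----\n(constructed)\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()
```

On the constructed sample, `audit_client_data(build_sample_package(), TESTS)` reports the invalid-chash test as lacking evidence, `rp-debug.txt` as matching no test name, and the same file as containing a PEM private key header.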
To prepare the certification package using the ‘Publish for certification’ button:
- Select the OpenID-Certification-of-Conformance.pdf and ‘Client Data’ files that will be uploaded and added to the package.
- Click the ‘Create Certification Package’ button.
The downloaded certification package must be renamed before submission as follows: The certification package filename must contain the name of the organization, the software being certified, the profile being certified to, and the current date. For example, a certification request by the ProseWare organization of its “Humongous Identity” software for the FAPI Adv. RP w/ Private Key profile on April 1, 2024 should use a filename like ProseWare-Humongous_Identity-FAPI-Adv-Final-RP-MTLS-1-Apr-2024.zip. If you instead tested with private_key_jwt client authentication, the filename would be like ProseWare-Humongous_Identity-FAPI-Adv-Final-RP-Private_Key-1-Apr-2024.zip.
Example values for the blanks in the Certification of Conformance (docx) (PDF) are as follows:
- Name of Entity (“Implementer”) Making this Certification: ProseWare
- Software or Service (“Deployment”) Name & Version #: Humongous Identity 3.14159
- OpenID Connect Conformance Profile: FAPI Adv. RP w/ Private Key
- Conformance Test Suite Software & Version #: www.certification.openid.net 5.1.10
- Test Date: April 1, 2024
- Authorized Signature: HQB
- Name: Harry Q. Bovik
- Title: Senior Computer Scientist
- Date: April 1, 2024
- Implementer’s Name: Jane Doe
- Implementer’s Title: Programmer Extraordinaire
- Implementer’s Phone: +1 (412) 555-1234
- Implementer’s Email: jane@proseware.org
- Implementer’s Address: 5000 Forbes Ave.
- Implementer’s City, State/Province, Postal Code: Pittsburgh, PA 15213
- Implementer’s Country: United States of America
A fee is required for certifications unless the conformance profile is still in the pilot phase. See the OpenID Certification Fee Schedule page for more information. Please pay for your certification application at the Certification Payment page when you make your submission.
The certification package must be sent to us using the certification request form. An immediate automatic e-mail will be sent acknowledging receipt. Please check you received this e-mail, as any questions we have will be sent in the same way. If you don’t receive any further response within 4 working days, feel free to inquire about status by e-mailing a message to certification@oidf.org.