OpenID Connect Certification

A big step forward in secure and trusted identity transactions

February 28, 2017 by Eric Schreiner

At this year’s RSA Conference 2017 in San Francisco, the Internet of Things (IoT) was the buzz of the conference and, as is common in forward-looking conferences like RSA, the list of challenges is long and solutions will take time to develop. This reminded me of a keynote delivered at RSA 2007 (10 years ago!) by John Thompson, former CEO of Symantec, highlighting the importance of instilling trust and confidence in a connected world: “There is no doubt in my mind that managing user identities is the most pressing challenge facing the industry today. Building confidence in the connected world is everybody’s job - no company is so dominant or so all-knowing that it can provide a level of confidence.”

That sentiment of establishing trust and confidence across the entire ecosystem has come full circle with the OpenID Foundation’s OpenID Connect (OIDC) certification program and the recent launch of the Relying Party (RP) conformance tests, which aim to make interoperability easier and identity systems more secure. Janrain was proud to be a launch partner for the RP certification program, working with others in the identity community to drive further adoption of the OIDC standard.

As the creators of social login, Janrain has extensive experience integrating with identity providers (IdPs) – we work with over 35 global IdPs today. Many IdP integrations are based on a standard (OpenID, OAuth1, OAuth2, OIDC, SAML, CAS); however, most are not conformant to the specification that they are based on, turning each into a special snowflake. This increases the maintenance burden on developers and erodes confidence in the identity ecosystem if one of these snowflakes is found to have a security vulnerability.

With OIDC emerging as the industry-standard authentication protocol, accelerating not only adoption but also conformance to the spec takes on critical importance.

“The OpenID Connect and Relying Party (RP) self-certification process really opens doors to creating an internet ecosystem that people can trust when doing business online,” said Don Thibeau, executive director of the OpenID Foundation. “Organizations and tech professionals now have a list of technologies that have been verified and can be trusted to conform to industry standards and ensure more secure transactions.”

With RP certification, Janrain clients can be assured that we are securing transactions to OIDC providers. Now IdPs, in turn, must adopt OIDC and have their implementations verified in order to ensure end-to-end interoperability and security for identity transactions.

It is rewarding to see the industry reach this point. For years, one of Janrain’s core benefits has been the mediation of the myriad authentication methods out in the wild, and we look forward to the day when all of our IdPs are OIDC-certified, realizing the vision of standardized and secure identity transactions for all applications.

A list of certified IdPs and RPs can be found on the OpenID Foundation’s website. In the future, Janrain will also be identifying IdPs that have achieved certification on both our corporate website and our provider guide so that clients can select IdPs that meet the security requirements of their applications.