ONVIF Profiles: S, T, G, M, C — What Each Profile Covers and Which to Specify
ONVIF defines discrete capability profiles that specify exactly what a conformant device must support. Specifying the correct profile in procurement ensures interoperability with your VMS and building automation system without relying on manufacturer claims — Profile S for basic streaming, Profile T for H.265 and metadata events, Profile M for AI analytics output.
ONVIF overview
ONVIF (Open Network Video Interface Forum) was founded in 2008 by Sony, Bosch and Axis Communications to create a vendor-neutral standard for IP-based physical security devices. The standard uses WSDL service definitions over SOAP/HTTP — each device exposes a set of XML web service endpoints that clients query to discover capabilities, configure streams, and receive events.
The core transport is HTTP POST with SOAP envelopes. Device and media service endpoints are typically at http://<camera-ip>/onvif/device_service and http://<camera-ip>/onvif/media respectively, though manufacturers may deviate. The ONVIF specification requires WSDL-conformant implementation — behaviour deviating from the WSDL schema is a conformance failure.
ONVIF Forum membership vs. conformance: a manufacturer can be an ONVIF Forum member without having any certified products. Always verify conformance at onvif.org/conformant-products — search by model number, not brand. Non-conformant devices labelled "ONVIF compatible" are common and frequently fail with third-party VMS.
Profile comparison
| Profile | Released | Focus | Key capabilities | Specify when |
|---|---|---|---|---|
| Profile S | 2011 | Basic streaming, PTZ, imaging | RTSP/RTP live stream, PTZ control, imaging settings (brightness, contrast, focus), JPEG snapshot, multicast, relay outputs, audio (optional) | General IP cameras, entry-level NVR compatibility, any live-view scenario |
| Profile T | 2018 | H.264/H.265, HTTPS, advanced video | H.264 and H.265 (HEVC) streams, HTTPS transport with SNI, metadata streaming, motion alarm events, ONVIF media2 service, bi-directional audio | Modern VMS installations, smart building integration requiring metadata events |
| Profile G | 2014 | Edge storage and recording | SD card / NAS recording on the camera itself, recording configuration, recording search and playback via ONVIF, export of recordings | Edge-recorded cameras without centralised NVR, bandwidth-constrained sites |
| Profile M | 2020 | Metadata and analytics | ONVIF metadata streaming (objects, bounding boxes, classifications), analytics configuration, event rules tied to analytics results, MQTT event broker (from 21.12) | AI analytics cameras, LPR, face detection, people counting in smart buildings |
| Profile C | 2013 | Access control integration | Door control, credential management, access point monitoring, access rules, cardholder data, door interlock, video and access event correlation | IP access control panels, door controllers, video intercom — all integrated via single ONVIF API |
A device can be conformant to multiple profiles simultaneously. A modern AI camera may carry Profile S + Profile T + Profile M + Profile G certification. Specify the minimum required profile in RFQ documentation — the supplier must provide the ONVIF conformance certificate, not just a datasheet claim.
Device discovery: WS-Discovery
ONVIF devices announce themselves using WS-Discovery (Web Services Dynamic Discovery), a multicast probe/match protocol. On LAN startup or probe receipt, conformant devices send a Hello message to the SOAP-over-UDP multicast address 239.255.255.250 on UDP port 3702. VMS software sends a Probe to the same multicast address; compliant cameras respond with a ProbeMatch containing their XAddrs (service endpoint URLs).
WS-Discovery probe (SOAP over UDP)
Destination: 239.255.255.250:3702 (UDP multicast)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"
    xmlns:dn="http://www.onvif.org/ver10/network/wsdl">
  <SOAP-ENV:Header>
    <wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action>
    <wsa:MessageID>uuid:12345678-1234-1234-1234-123456789abc</wsa:MessageID>
    <wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <wsd:Probe>
      <!-- the dn prefix is declared on the envelope so this QName resolves -->
      <wsd:Types>dn:NetworkVideoTransmitter</wsd:Types>
    </wsd:Probe>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

Camera ProbeMatch response contains:

```xml
<wsd:XAddrs>http://192.168.1.64/onvif/device_service</wsd:XAddrs>
<wsd:Scopes>
  onvif://www.onvif.org/Profile/Streaming
  onvif://www.onvif.org/hardware/DS-2CD2143G2-I
  onvif://www.onvif.org/name/HIKVISION%20DS-2CD2143G2
</wsd:Scopes>
```

Discovery requires multicast to be enabled on the network switch (IGMP snooping must not block 239.255.255.250 on the camera VLAN). The onvif-device-test utility and the gSOAP toolkit both include WS-Discovery probe tools for manual verification. If multicast is blocked, use static IP scanning — query the ONVIF device service endpoint directly at the known IP.
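An added example (not from the original page or from any ONVIF tool) that turns a ProbeMatch like the one above into an inventory record and flags endpoints worth a second look. The function name, the record layout and the warning strings are assumptions; the sample reply is constructed from the fragment shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

WSD = "{http://schemas.xmlsoap.org/ws/2005/04/discovery}"
SCOPE_ROOT = "onvif://www.onvif.org/"

# Constructed sample: the XAddrs/Scopes fragment above inside a ProbeMatch.
SAMPLE_REPLY = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><s:Body>
 <wsd:ProbeMatches><wsd:ProbeMatch>
  <wsd:Scopes>
   onvif://www.onvif.org/Profile/Streaming
   onvif://www.onvif.org/hardware/DS-2CD2143G2-I
   onvif://www.onvif.org/name/HIKVISION%20DS-2CD2143G2
  </wsd:Scopes>
  <wsd:XAddrs>http://192.168.1.64/onvif/device_service</wsd:XAddrs>
 </wsd:ProbeMatch></wsd:ProbeMatches></s:Body></s:Envelope>"""


def parse_probe_match(xml_text, sender_ip):
    """Parse an untrusted UDP reply from sender_ip into inventory records."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in discovery reply")
    records = []
    for match in ET.fromstring(xml_text).iter(WSD + "ProbeMatch"):
        scopes = (match.findtext(WSD + "Scopes") or "").split()
        xaddrs = (match.findtext(WSD + "XAddrs") or "").split()
        rec = {"xaddrs": xaddrs, "profiles": [], "hardware": None,
               "name": None, "warnings": []}
        for scope in scopes:
            if not scope.startswith(SCOPE_ROOT):
                continue
            kind, _, value = scope[len(SCOPE_ROOT):].partition("/")
            if kind == "Profile":
                rec["profiles"].append(value)      # self-declared by device
            elif kind in ("hardware", "name"):
                rec[kind] = unquote(value)
        for url in xaddrs:
            parts = urlparse(url)
            if parts.scheme != "https":
                rec["warnings"].append("plain HTTP endpoint: " + url)
            if parts.hostname != sender_ip:
                rec["warnings"].append("XAddr host differs from sender: " + url)
        records.append(rec)
    return records


if __name__ == "__main__":
    print(parse_probe_match(SAMPLE_REPLY, "192.168.1.64"))
```

The Profile scope is only what the device says about itself, so the model number in the record still has to be checked against the conformant-products list.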
Authentication methods
ONVIF defines three authentication mechanisms with increasing security. The Profile in use and the device firmware version determine which methods are available.
| Method | Transport | How it works | Security level |
|---|---|---|---|
| WS-UsernameToken digest | HTTP (no TLS required) | Username + PasswordDigest (SHA-1 hash of nonce+timestamp+password) in SOAP header — replay-safe due to nonce+timestamp | Medium — vulnerable to MITM without TLS |
| HTTP Digest Auth | HTTP or HTTPS | RFC 2617 Digest — challenge/response with MD5 hash; used by some cameras on the RTSP streaming URL | Medium — MD5 is weak; use with HTTPS |
| TLS with client certificates | HTTPS only | Mutual TLS — camera verifies client cert, client verifies camera cert. Profile T requirement for HTTPS streams | High — recommended for production deployments |
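An added example (not from the original page or from any vendor's firmware) of the WS-UsernameToken digest in the table above: the client computes the PasswordDigest, and a verifier applies the 5-minute clock window this page describes plus a nonce replay check. `TokenVerifier`, its return labels and the sample credentials are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # clock tolerance stated on this page
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(raw nonce bytes + Created + password))."""
    sha1 = hashlib.sha1(nonce + created.encode() + password.encode())
    return base64.b64encode(sha1.digest()).decode()


def make_token(username, password, now=None):
    """Client side: values for the four UsernameToken elements."""
    created = (now or datetime.now(timezone.utc)).strftime(TS_FMT)
    nonce = os.urandom(16)
    return {"Username": username, "Created": created,
            "Nonce": base64.b64encode(nonce).decode(),
            "Password": password_digest(nonce, created, password)}


class TokenVerifier:
    """Device-side checks (hypothetical class, not a real ONVIF stack)."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed data)
        self.seen = set()       # (username, nonce) pairs already accepted

    def verify(self, token, now):
        created = datetime.strptime(token["Created"], TS_FMT)
        if abs(now - created.replace(tzinfo=timezone.utc)) > MAX_SKEW:
            return "stale-timestamp"    # unsynchronised clocks land here
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return "replayed-nonce"     # captured header sent a second time
        password = self.users.get(token["Username"])
        expected = password_digest(base64.b64decode(token["Nonce"]),
                                   token["Created"], password or "")
        sent = token["Password"].encode()
        if password is None or not hmac.compare_digest(expected.encode(), sent):
            return "bad-digest"
        self.seen.add(key)
        return "ok"
```

A production verifier would also expire cached nonces once their timestamp falls outside the window.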
WS-UsernameToken digest header (SOAP)

```xml
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>admin</wsse:Username>
    <wsse:Password Type="...#PasswordDigest">
      BASE64(SHA-1(nonce + created + password))
    </wsse:Password>
    <wsse:Nonce>BASE64(random 16 bytes)</wsse:Nonce>
    <wsu:Created>2025-03-15T10:00:00Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>
```

Important: camera clock must be within 5 minutes of client clock. NTP sync is mandatory — digest auth will fail with "InvalidCredentials" if the timestamp is outside the tolerance window.
ONVIF conformance testing
The ONVIF Device Test Tool (ODTT) is the official test suite distributed by the ONVIF Forum at onvif.org. It is a Windows application that runs a full sequence of SOAP requests against a candidate device and reports pass/fail per test case for each profile. Manufacturers must pass ODTT for the claimed profile before submitting for ONVIF Forum conformance certification.
ODTT quick test procedure
1. Download ONVIF Device Test Tool from onvif.org/resources/ (requires free ONVIF member account — registration is free)
2. Connect test PC and camera to the same network segment (multicast must work — same VLAN or managed switch with IGMP)
3. Launch ODTT → File → New Test → Select profile (S / T / G / M / C)
4. Discovery tab → Discover Devices
   Devices found via WS-Discovery multicast probe appear in list
   If not found: enter device IP manually → Add Device
5. Authentication: enter ONVIF username/password (default on most cameras: admin / admin or admin / <blank>)
6. Run tests → Start All
   Red = FAIL, Green = PASS, Yellow = WARNING (informational)
7. Export report: File → Export → HTML report
   Include in procurement acceptance documentation
Run ODTT against any camera before final acceptance on a project. Cameras that pass the manufacturer's own test suite but fail ODTT are not conformant — a common situation with budget OEM products. Profile T test cases include H.265 stream verification, HTTPS endpoint tests, and metadata event subscription tests.
Common integration issues
Camera claims ONVIF but fails WS-Discovery
Cause: Multicast blocked at switch, IGMP snooping drops 239.255.255.250, or camera has WS-Discovery disabled in firmware
Fix: Use static IP scan — query http://<camera-ip>/onvif/device_service directly with GetDeviceInformation SOAP call. Enable IGMP querier on managed switch. Some cameras require WS-Discovery to be explicitly enabled in web UI (Security → Network → Multicast).
Digest auth fails with 'InvalidCredentials' despite correct password
Cause: Camera clock is out of sync with VMS/client — WS-UsernameToken digest timestamps must be within 5 minutes
Fix: Ensure camera is NTP-synchronised. Set NTP server in camera web UI to the same server as the VMS host. Verify with camera web UI status page — clock difference > 5min will cause every digest request to fail regardless of password.
Profile T camera streams H.264 only despite H.265 capability
Cause: VMS is using Media Service v1 (Profile S endpoint) instead of Media2 Service (Profile T endpoint)
Fix: Verify VMS uses the /onvif/media2 endpoint for Profile T cameras. In Milestone and Genetec, update the ONVIF driver version — older drivers default to Media v1. Check camera web UI for 'Media2 Service' enable option.