ONVIF · Profile S · Profile T · WS-Discovery · Authentication · 11 min read

ONVIF Profiles: S, T, G, M, C — What Each Profile Covers and Which to Specify

ONVIF defines discrete capability profiles that specify exactly what a conformant device must support. Specifying the correct profile in procurement ensures interoperability with your VMS and building automation system without relying on manufacturer claims — Profile S for basic streaming, Profile T for H.265 and metadata events, Profile M for AI analytics output.

ONVIF overview

ONVIF (Open Network Video Interface Forum) was founded in 2008 by Sony, Bosch and Axis Communications to create a vendor-neutral standard for IP-based physical security devices. The standard uses WSDL service definitions over SOAP/HTTP — each device exposes a set of XML web service endpoints that clients query to discover capabilities, configure streams, and receive events.

The core transport is HTTP POST with SOAP envelopes. Device and media service endpoints are typically at http://<camera-ip>/onvif/device_service and http://<camera-ip>/onvif/media respectively, though manufacturers may deviate. The ONVIF specification requires WSDL-conformant implementation — behaviour deviating from the WSDL schema is a conformance failure.

ONVIF Forum membership vs. conformance: a manufacturer can be an ONVIF Forum member without having any certified products. Always verify conformance at onvif.org/conformant-products — search by model number, not brand. Non-conformant devices labelled "ONVIF compatible" are common and frequently fail with third-party VMS.

Profile comparison

ProfileReleasedFocusKey capabilitiesSpecify when
Profile S2011Basic streaming, PTZ, imagingRTSP/RTP live stream, PTZ control, imaging settings (brightness, contrast, focus), JPEG snapshot, multicast, relay outputs, audio (optional)General IP cameras, entry-level NVR compatibility, any live-view scenario
Profile T2018H.264/H.265, HTTPS, advanced videoH.264 and H.265 (HEVC) streams, HTTPS transport with SNI, metadata streaming, motion alarm events, ONVIF media2 service, bi-directional audioModern VMS installations, smart building integration requiring metadata events
Profile G2014Edge storage and recordingSD card / NAS recording on the camera itself, recording configuration, recording search and playback via ONVIF, export of recordingsEdge-recorded cameras without centralised NVR, bandwidth-constrained sites
Profile M2020Metadata and analyticsONVIF metadata streaming (objects, bounding boxes, classifications), analytics configuration, event rules tied to analytics results, MQTT event broker (from 21.12)AI analytics cameras, LPR, face detection, people counting in smart buildings
Profile C2013Access control integrationDoor control, credential management, access point monitoring, access rules, cardholder data, door interlock, video and access event correlationIP access control panels, door controllers, video intercom — all integrated via single ONVIF API

A device can be conformant to multiple profiles simultaneously. A modern AI camera may carry Profile S + Profile T + Profile M + Profile G certification. Specify the minimum required profile in RFQ documentation — the supplier must provide the ONVIF conformance certificate, not just a datasheet claim.

Device discovery: WS-Discovery

ONVIF devices announce themselves using WS-Discovery (Web Services Dynamic Discovery), a multicast probe/match protocol. On LAN startup or probe receipt, conformant devices send a Hello message to the SOAP-over-UDP multicast address 239.255.255.250 on UDP port 3702. VMS software sends a Probe to the same multicast address; compliant cameras respond with a ProbeMatch containing their XAddrs (service endpoint URLs).

WS-Discovery probe (SOAP over UDP)

Destination: 239.255.255.250:3702 (UDP multicast)

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery">
  <SOAP-ENV:Header>
    <wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action>
    <wsa:MessageID>uuid:12345678-1234-1234-1234-123456789abc</wsa:MessageID>
    <wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <wsd:Probe>
      <wsd:Types>dn:NetworkVideoTransmitter</wsd:Types>
    </wsd:Probe>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Camera ProbeMatch response contains:
  <wsd:XAddrs>http://192.168.1.64/onvif/device_service</wsd:XAddrs>
  <wsd:Scopes>
    onvif://www.onvif.org/Profile/Streaming
    onvif://www.onvif.org/hardware/DS-2CD2143G2-I
    onvif://www.onvif.org/name/HIKVISION%20DS-2CD2143G2
  </wsd:Scopes>

Discovery requires multicast to be enabled on the network switch (IGMP snooping must not block 239.255.255.250 on the camera VLAN). The onvif-device-test utility and the gSOAP toolkit both include WS-Discovery probe tools for manual verification. If multicast is blocked, use static IP scanning — query the ONVIF device service endpoint directly at the known IP.

Authentication methods

ONVIF defines three authentication mechanisms with increasing security. The Profile in use and the device firmware version determine which methods are available.

MethodTransportHow it worksSecurity level
WS-UsernameToken digestHTTP (no TLS required)Username + PasswordDigest (SHA-1 hash of nonce+timestamp+password) in SOAP header — replay-safe due to nonce+timestampMedium — vulnerable to MITM without TLS
HTTP Digest AuthHTTP or HTTPSRFC 2617 Digest — challenge/response with MD5 hash; used by some cameras on the RTSP streaming URLMedium — MD5 is weak; use with HTTPS
TLS with client certificatesHTTPS onlyMutual TLS — camera verifies client cert, client verifies camera cert. Profile T requirement for HTTPS streamsHigh — recommended for production deployments

WS-UsernameToken digest header (SOAP)

<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>admin</wsse:Username>
    <wsse:Password Type="...#PasswordDigest">
      BASE64(SHA-1(nonce + created + password))
    </wsse:Password>
    <wsse:Nonce>BASE64(random 16 bytes)</wsse:Nonce>
    <wsu:Created>2025-03-15T10:00:00Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>

Important: camera clock must be within 5 minutes of client clock.
NTP sync is mandatory — digest auth will fail with "InvalidCredentials"
if the timestamp is outside the tolerance window.

ONVIF conformance testing

The ONVIF Device Test Tool (ODTT) is the official test suite distributed by the ONVIF Forum at onvif.org. It is a Windows application that runs a full sequence of SOAP requests against a candidate device and reports pass/fail per test case for each profile. Manufacturers must pass ODTT for the claimed profile before submitting for ONVIF Forum conformance certification.

ODTT quick test procedure

1. Download ONVIF Device Test Tool from onvif.org/resources/
   (requires free ONVIF member account — registration is free)

2. Connect test PC and camera to the same network segment
   (multicast must work — same VLAN or managed switch with IGMP)

3. Launch ODTT → File → New Test → Select profile (S / T / G / M / C)

4. Discovery tab → Discover Devices
   Devices found via WS-Discovery multicast probe appear in list
   If not found: enter device IP manually → Add Device

5. Authentication: enter ONVIF username/password
   (default on most cameras: admin / admin or admin / <blank>)

6. Run tests → Start All
   Red = FAIL, Green = PASS, Yellow = WARNING (informational)

7. Export report: File → Export → HTML report
   Include in procurement acceptance documentation

Run ODTT against any camera before final acceptance on a project. Cameras that pass the manufacturer's own test suite but fail ODTT are not conformant — a common situation with budget OEM products. Profile T test cases include H.265 stream verification, HTTPS endpoint tests, and metadata event subscription tests.

Common integration issues

Camera claims ONVIF but fails WS-Discovery

Cause: Multicast blocked at switch, IGMP snooping drops 239.255.255.250, or camera has WS-Discovery disabled in firmware

Fix: Use static IP scan — query http://<camera-ip>/onvif/device_service directly with GetDeviceInformation SOAP call. Enable IGMP querier on managed switch. Some cameras require WS-Discovery to be explicitly enabled in web UI (Security → Network → Multicast).

Digest auth fails with 'InvalidCredentials' despite correct password

Cause: Camera clock is out of sync with VMS/client — WS-UsernameToken digest timestamps must be within 5 minutes

Fix: Ensure camera is NTP-synchronised. Set NTP server in camera web UI to the same server as the VMS host. Verify with camera web UI status page — clock difference > 5min will cause every digest request to fail regardless of password.

Profile T camera streams H.264 only despite H.265 capability

Cause: VMS is using Media Service v1 (Profile S endpoint) instead of Media2 Service (Profile T endpoint)

Fix: Verify VMS uses the /onvif/media2 endpoint for Profile T cameras. In Milestone and Genetec, update the ONVIF driver version — older drivers default to Media v1. Check camera web UI for 'Media2 Service' enable option.

Need ONVIF camera integration specified and built into your panel?

We specify conformant ONVIF cameras, design KNX integration panels and commission VMS connections — delivered with full conformance test reports.

Request a quote →
Loading...
Back to top