Version: v0.25.0 (Latest)

Enterprise Development Kit (EDK)

The Enterprise Development Kit (EDK) extends the open-source Identity Development Kit (IDK) with the capabilities required for production enterprise deployments. Where the IDK provides the foundational building blocks (cryptography, DIDs, verifiable credentials, SD-JWT, OID4VP, key management, and the command/DI framework), the EDK adds the enterprise layers that turn those building blocks into scalable, secure, multi-tenant services.

The EDK is Sphereon's proprietary product. It builds on every IDK module and shares the same architecture: Metro DI for dependency injection, the -public / -impl module pattern, and the command abstraction that makes operations transport-transparent.

Architecture Overview

(Diagram: EDK Architecture Overview)

What the EDK Adds

The IDK gives you the identity primitives. The EDK gives you the production infrastructure around them.

Zero-Trust Authorization

The IDK has no authorization system: it provides identity operations without access control. The EDK adds a policy-based authorization framework that evaluates every command against an external Policy Decision Point (PDP) using the OpenID AuthZEN specification. Cedarling (Cedar), OPA, and any AuthZEN-compliant PDP are supported. Authorization is transparent to business logic: the PolicyCommandExtension intercepts each command before it executes, so command handlers contain no access-control checks of their own.
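To make the interception model concrete, here is an added illustrative example (not EDK code and not the PolicyCommandExtension itself) of a command handler wrapped by a policy check that sends an AuthZEN-shaped evaluation request to a PDP. The request and response bodies follow the OpenID AuthZEN evaluation endpoint (subject, resource, action, context in; a boolean `decision` out). The `stub_pdp` function, the `Principal` and `Command` types and the `kms.sign`/`key-1`/`acme` sample values are constructed for the example; a real deployment would POST the same JSON to Cedarling, OPA or another PDP over HTTP. The security point is the fail-closed decision: only an explicit JSON `true` allows, and a PDP outage, a malformed body or a `"true"` string all deny.

```python
"""Fail-closed command interception against an AuthZEN Policy Decision Point.

Added illustrative example, not EDK code. The request/response shapes follow the
OpenID AuthZEN Authorization API evaluation endpoint; stub_pdp is a constructed
in-memory stand-in for Cedarling, OPA or any other PDP reachable over HTTP.
"""
import json
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Principal:
    subject_id: str
    subject_type: str = "user"


@dataclass(frozen=True)
class Command:
    name: str           # action name, e.g. "kms.sign"
    resource_type: str  # e.g. "key"
    resource_id: str    # e.g. "key-1"
    tenant: str         # passed to the PDP as request context


class PolicyDenied(PermissionError):
    """Raised by the interceptor; business logic never sees a denied command."""


def build_evaluation_request(principal: Principal, command: Command) -> dict:
    """AuthZEN evaluation request body: subject, resource, action, context."""
    return {
        "subject": {"type": principal.subject_type, "id": principal.subject_id},
        "resource": {"type": command.resource_type, "id": command.resource_id},
        "action": {"name": command.name},
        "context": {"tenant": command.tenant},
    }


def stub_pdp(request_json: str) -> str:
    """Constructed PDP with one rule: alice may kms.sign key-1 inside tenant acme."""
    req = json.loads(request_json)
    allowed = (
        req["subject"]["id"] == "alice"
        and req["action"]["name"] == "kms.sign"
        and req["resource"]["id"] == "key-1"
        and req["context"]["tenant"] == "acme"
    )
    return json.dumps({"decision": allowed})


def authorize(principal: Principal, command: Command, pdp: Callable[[str], str]) -> bool:
    """Fail closed: only an explicit JSON boolean true is an allow.

    A transport error, a malformed body, a missing field or a "true" string all deny.
    """
    try:
        body = json.loads(pdp(json.dumps(build_evaluation_request(principal, command))))
    except Exception:
        return False
    return isinstance(body, dict) and body.get("decision") is True


def intercept(handler: Callable[[Command], str], pdp: Callable[[str], str]):
    """Wrap a handler so the policy check runs before it, in the spirit of a command extension."""
    def wrapped(principal: Principal, command: Command) -> str:
        if not authorize(principal, command, pdp):
            raise PolicyDenied(f"{principal.subject_id} may not {command.name} on {command.resource_id}")
        return handler(command)
    return wrapped


def sign_handler(command: Command) -> str:
    """Business logic: contains no access-control code."""
    return f"signed-with-{command.resource_id}"


# The wrapped command is what callers invoke; the policy check is invisible to sign_handler.
sign = intercept(sign_handler, stub_pdp)
```

The handler keeps no knowledge of the policy, which is the property the page describes; what the wrapper adds on top is that an unreachable or misbehaving PDP is indistinguishable from a deny, so a PDP outage can never turn into an open door.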

Identity Verification & Reconciliation

The IDK provides wallet-based credential presentation (OID4VP) and basic identity models. The EDK adds the layers that make those presentations meaningful in an enterprise context: composable IDV workflows that chain OIDC, document scanning, biometric, and OTP verification into graph-based flows; privacy-preserving identity matching with HMAC-hashed linking and encrypted canonical attributes; a reconciliation policy engine that decides whether to accept, verify, step up, or reject based on configurable rules; and an auth bridge that connects wallet presentations to OAuth2/OIDC authorization servers.

Microservice Transport

The IDK executes commands locally. The EDK adds a dual transport system that makes command execution location-transparent: the same command can run in-process or be forwarded to a remote microservice over HTTP RPC or gRPC, selected by configuration. This supports deployments ranging from a single monolith to a fully distributed microservice architecture without code changes. The Universal HTTP Adapter exposes framework-agnostic REST APIs backed by the command lifecycle.

Cloud Configuration & Secrets

The IDK has a configuration system with property sources and interpolation. The EDK extends it with cloud configuration providers (Azure App Configuration, REST Config Client) and secret vault integrations (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault). Secrets are never stored in plaintext in configuration: they are referenced with ${secret:vault:path} interpolation and resolved at runtime. An offline cache lets applications keep running through a cloud provider outage.
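The following added example (illustrative, not EDK code) shows what runtime resolution of a ${secret:vault:path} reference involves: parsing the reference out of a property value, fetching from a named provider, keeping the last good value in an offline cache, and failing loudly when a secret is neither reachable nor cached. The provider stub, the "aws" vault name, the `prod/db/password` path and the `s3cr3t-pw` value are constructed sample data; the reference syntax is the one the page describes.

```python
"""Runtime resolution of ${secret:<vault>:<path>} references with an offline cache.

Added illustrative example, not EDK code. The vault providers are constructed
in-memory stubs standing in for AWS Secrets Manager, Azure Key Vault or HashiCorp Vault.
"""
import re
from typing import Callable, Dict, Tuple

# ${secret:<vault>:<path>}; the path may contain slashes but not a closing brace
SECRET_REF = re.compile(r"\$\{secret:([A-Za-z0-9_-]+):([^}]+)\}")


class SecretResolutionError(RuntimeError):
    """Unknown vault, missing secret, or outage with nothing cached: fail loudly at startup."""


class VaultOutage(ConnectionError):
    """The provider is unreachable (network, auth or throttling failure)."""


class SecretResolver:
    def __init__(self, providers: Dict[str, Callable[[str], str]]):
        self.providers = providers                      # vault name -> fetch(path)
        self.cache: Dict[Tuple[str, str], str] = {}     # last good value per (vault, path)
        self.served_from_cache = 0                      # surface this as a metric in practice

    def resolve_ref(self, vault: str, path: str) -> str:
        fetch = self.providers.get(vault)
        if fetch is None:
            raise SecretResolutionError(f"no provider registered for vault '{vault}'")
        try:
            value = fetch(path)
        except VaultOutage:
            if (vault, path) in self.cache:
                self.served_from_cache += 1
                return self.cache[(vault, path)]
            raise SecretResolutionError(f"{vault}:{path} unavailable and not in offline cache")
        self.cache[(vault, path)] = value
        return value

    def interpolate(self, value: str) -> str:
        """Replace every secret reference in a property value with the resolved secret."""
        return SECRET_REF.sub(lambda m: self.resolve_ref(m.group(1), m.group(2)), value)


def make_stub_vault(store: Dict[str, str], state: Dict[str, bool]) -> Callable[[str], str]:
    """Constructed provider; flip state['down'] to simulate an outage."""
    def fetch(path: str) -> str:
        if state["down"]:
            raise VaultOutage(f"vault unreachable while fetching {path}")
        if path not in store:
            raise SecretResolutionError(f"no secret at {path}")
        return store[path]
    return fetch


# Constructed sample data: one secret in an "aws" vault
AWS_STORE = {"prod/db/password": "s3cr3t-pw"}
AWS_STATE = {"down": False}
resolver = SecretResolver({"aws": make_stub_vault(AWS_STORE, AWS_STATE)})
```

Two things worth checking in any real resolver: log the unresolved reference, never the interpolated value, because the resolver is the one place where a plaintext secret passes through; and if the offline cache is persisted rather than kept in process memory as here, it must itself be encrypted at rest and readable only by the service identity, otherwise the cache quietly becomes the plaintext secret store the design set out to avoid.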

Audit & Compliance

The IDK has no audit system. The EDK provides structured audit logging with automatic sensitive data redaction, multiple output formats (JSON, CEF, OCSF), and tamper evidence via hash chaining and signed checkpoints. Every command execution, authorization decision, and authentication event is recorded with full session context, distributed trace IDs, and correlation IDs.
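The three audit properties named above (redaction, hash chaining, signed checkpoints) fit in one small structure, shown here as an added illustrative example that is not EDK code. Each record hashes over its sequence number, the previous record's hash and the already-redacted event; every N records a checkpoint binds the current hash under a key the log writer does not hold. HMAC-SHA256 and the `checkpoint_every` parameter, the field list in `SENSITIVE_FIELDS` and the sample events are assumptions for the example; a deployment would sign checkpoints with an asymmetric key in a KMS.

```python
"""Tamper-evident audit records: field redaction, SHA-256 hash chaining, signed checkpoints.

Added illustrative example, not EDK code. HMAC-SHA256 with a dedicated key stands
in for the checkpoint signer; a deployment would use an asymmetric key held in a KMS.
"""
import hashlib
import hmac
import json
from typing import List, Tuple

SENSITIVE_FIELDS = {"password", "token", "secret", "otp"}  # assumed redaction list
GENESIS_HASH = "0" * 64  # chain anchor for the first record


def canonical(obj) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def redact(event: dict) -> dict:
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v) for k, v in event.items()}


def record_hash(seq: int, prev: str, event: dict) -> str:
    return hashlib.sha256(canonical({"seq": seq, "prev": prev, "event": event})).hexdigest()


def checkpoint_mac(key: bytes, seq: int, h: str) -> str:
    return hmac.new(key, canonical({"seq": seq, "hash": h}), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, checkpoint_key: bytes, checkpoint_every: int = 2):
        self.key = checkpoint_key
        self.every = checkpoint_every
        self.records: List[dict] = []
        self.checkpoints: List[dict] = []

    def append(self, event: dict) -> dict:
        seq = len(self.records)
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        safe = redact(event)  # redact before hashing: the stored record is what was hashed
        rec = {"seq": seq, "prev": prev, "event": safe, "hash": record_hash(seq, prev, safe)}
        self.records.append(rec)
        if (seq + 1) % self.every == 0:
            self.checkpoints.append(
                {"seq": seq, "hash": rec["hash"], "sig": checkpoint_mac(self.key, seq, rec["hash"])}
            )
        return rec


def verify(records: List[dict], checkpoints: List[dict], key: bytes) -> Tuple[bool, str]:
    """Walk the chain, then anchor it to the signed checkpoints."""
    prev = GENESIS_HASH
    for i, r in enumerate(records):
        if r["seq"] != i or r["prev"] != prev:
            return False, f"chain break at seq {i}"
        if not hmac.compare_digest(record_hash(i, prev, r["event"]), r["hash"]):
            return False, f"record hash mismatch at seq {i}"
        prev = r["hash"]
    for cp in checkpoints:
        if cp["seq"] >= len(records):
            return False, f"checkpoint at seq {cp['seq']} is past the end of the log (truncation?)"
        if not hmac.compare_digest(checkpoint_mac(key, cp["seq"], cp["hash"]), cp["sig"]):
            return False, f"bad checkpoint signature at seq {cp['seq']}"
        if records[cp["seq"]]["hash"] != cp["hash"]:
            return False, f"log diverges from signed checkpoint at seq {cp['seq']}"
    return True, "ok"
```

The chain alone catches an edit in place; it does not catch an attacker who rewrites every hash after the edit, which is exactly what the signed checkpoints are for. What neither catches is truncation after the most recent checkpoint, so checkpoint frequency and shipping checkpoints to a system the log writer cannot modify decide how much an attacker can silently drop.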

Events & Shared Signals

The IDK has a basic event bus. The EDK extends it with persistent event storage (PostgreSQL, MySQL, SQLite), event transmission with retry and dead-letter queues, and the Shared Signals Framework (SSF) for cross-domain security event exchange. When a credential is compromised at an identity provider, CAEP and RISC events propagate to all relying parties in real time.
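What actually travels between the identity provider and the relying parties in that scenario is a Security Event Token (SET): a JWT with `typ` set to `secevent+jwt` whose `events` claim carries the RISC or CAEP event. The added example below (illustrative, not EDK code) builds such a token on the transmitter side and validates it on the receiver side before anything acts on it. The event-type URIs are the standard RISC `credential-compromise` and CAEP `credential-change` identifiers; HS256 with a shared key stands in for the transmitter's asymmetric key published via JWKS, and the issuer, audience, subject and payload are constructed sample data.

```python
"""Security Event Token (SET) round trip for Shared Signals: a transmitter issues a
RISC credential-compromise event, a receiver validates it before acting on it.

Added illustrative example, not EDK code. HS256 with a shared key stands in for the
transmitter's asymmetric signing key; the event-type URIs are the standard RISC/CAEP
identifiers; the subject and payload are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import uuid
from typing import Dict, Set

RISC_CREDENTIAL_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"
CAEP_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"


class InvalidSet(ValueError):
    """Any reason the receiver must not act on the token."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(issuer: str, audience: str, subject_email: str, event_type: str,
              payload: dict, key: bytes, iat: int) -> str:
    """Transmitter side: a JWT with typ=secevent+jwt and one entry in the events claim."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    claims = {
        "iss": issuer, "aud": audience, "iat": iat, "jti": uuid.uuid4().hex,
        "sub_id": {"format": "email", "email": subject_email},
        "events": {event_type: payload},
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class SetReceiver:
    """Receiver side: verify signature and claims, then reject replays by jti."""

    def __init__(self, issuer: str, audience: str, key: bytes, max_age: int = 300):
        self.issuer, self.audience, self.key, self.max_age = issuer, audience, key, max_age
        self.seen_jti: Set[str] = set()  # in production: a store shared across receiver instances

    def verify(self, token: str, now: int) -> Dict[str, dict]:
        try:
            h_b64, c_b64, s_b64 = token.split(".")
            header = json.loads(b64url_decode(h_b64))
            claims = json.loads(b64url_decode(c_b64))
            sig = b64url_decode(s_b64)
        except Exception as exc:
            raise InvalidSet(f"malformed token: {exc}")
        # The accepted typ and alg are fixed by receiver configuration, never taken from the token.
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            raise InvalidSet("unexpected typ/alg")
        expected = hmac.new(self.key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise InvalidSet("bad signature")
        if claims.get("iss") != self.issuer:
            raise InvalidSet("wrong issuer")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise InvalidSet("wrong audience")
        iat = claims.get("iat")
        if not isinstance(iat, int) or iat > now + 60 or now - iat > self.max_age:
            raise InvalidSet("iat outside acceptance window")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise InvalidSet("missing or replayed jti")
        events = claims.get("events")
        if not isinstance(events, dict) or not events:
            raise InvalidSet("no events")
        self.seen_jti.add(jti)
        return events
```

The order of checks matters: signature before any claim is trusted, audience before the event is dispatched, and `jti` recorded only after everything else passed, so a rejected token cannot poison the replay set and block a later legitimate delivery of the same event.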

Telemetry & Observability

The EDK adds OpenTelemetry-based telemetry: distributed tracing with W3C Trace Context propagation across service boundaries, metrics collection (counters, histograms, gauges), and log correlation. Traces follow requests through the command transport layer so a single trace ID links the API gateway, KMS service, DID resolver, and any other service that participated in a request.

Persistence

The IDK uses in-memory stores for development. The EDK provides production persistence backed by PostgreSQL, MySQL, and SQLite for parties, identities, contacts, settings, key-value data, events, and audit records. Multi-tenant database routing supports tenant-specific databases or schemas, with connection pooling via HikariCP.

eIDAS Digital Signatures

The EDK includes an eIDAS signature framework with EU DSS integration for creating and validating AdES-compliant digital signatures (XAdES, PAdES, CAdES, JAdES). It supports both local signing and remote signing services.

Physical Access Control

The EDK integrates with physical access control systems like Simac Pronto V2, bridging wallet-verified digital identities with physical access, NFC card provisioning, time-bounded zone access, and reader control.

Spring Boot Integration

The EDK provides first-class Spring Boot support with auto-configuration for all EDK subsystems, a DI bridge between Metro and Spring's IoC container, request-scoped multi-tenant contexts, and JWT-based tenant/principal resolution.

EDK vs IDK

                      | IDK                                                       | EDK
License               | Open Source (Apache 2.0)                                  | Proprietary
Focus                 | Identity primitives and protocols                         | Enterprise infrastructure and production services
Platform              | Kotlin Multiplatform (JVM, iOS, Android, JS, WASM, Linux) | Kotlin Multiplatform (JVM for some provider-specific modules)
Authorization         | -                                                         | AuthZEN, Cedar, OPA with command interception
Identity verification | -                                                         | IDV workflows, matching, reconciliation, auth bridge
Transport             | Local command execution                                   | Local + HTTP RPC + gRPC, monolith or microservices
Configuration         | Property sources, interpolation                           | + Azure App Config, REST Config, AWS/Azure/Vault secrets
Persistence           | In-memory stores                                          | PostgreSQL, MySQL, SQLite with multi-tenant routing
Audit                 | -                                                         | Structured audit with redaction, tamper evidence, CEF/OCSF
Events                | Basic event bus                                           | + Persistent storage, transmission, SSF (CAEP/RISC)
Telemetry             | -                                                         | OpenTelemetry tracing, metrics, log correlation
Spring Boot           | -                                                         | Full auto-configuration, DI bridge

Requirements

  • JDK 17 or higher (for JVM modules)
  • Kotlin 2.2 or higher
  • Spring Boot 3.5 (for Spring Boot integration)
  • Database: PostgreSQL 14+, MySQL 8+, or SQLite 3.35+ (for persistent modules)

Installation

The EDK is distributed as Maven artifacts through Sphereon's authenticated Nexus repository. The repository URL and access credentials are provided by Sphereon during onboarding. EDK modules are published under the com.sphereon.edk group; the IDK modules they build on are published under com.sphereon.idk.

build.gradle.kts

// Assumed convention for this snippet: edkVersion is defined in gradle.properties
// (for example edkVersion=0.25.0, the release shown at the top of this page).
val edkVersion: String by project

repositories {
    maven("https://nexus.sphereon.com/repository/sphereon-releases/") {
        // Credentials come from the environment (or a CI secret), never from the checked-in build file
        credentials {
            username = System.getenv("SPHEREON_MAVEN_USER")
            password = System.getenv("SPHEREON_MAVEN_PASSWORD")
        }
    }
}

dependencies {
    // Pick the modules you need
    implementation("com.sphereon.edk:lib-authz-authzen-impl:$edkVersion")
    implementation("com.sphereon.edk:lib-transport-routing-api:$edkVersion")
    implementation("com.sphereon.edk:lib-conf-secret-vault:$edkVersion")
    implementation("com.sphereon.edk:lib-audit-impl:$edkVersion")
    // ...
}

How These Docs Are Organized

The EDK documentation is split by reading mode:

Section                   | Use it when you need to
Start Here                | Understand what the EDK adds on top of the IDK and how to consume the Maven artifacts
Concepts and Models       | Learn the enterprise model: parties, semantic attributes, tenants, identity, authorization, credential design, OCA, eIDAS, and access control
Walkthroughs              | Follow end-to-end flows that combine concepts, REST calls, deployment steps, and captured request/response examples
Technical Guides          | Implement or extend a capability in code: configuration, audit, command transport, IDV, authorization, OpenID4VCI, OpenID4VP, persistence, or Spring Boot
Deployment and Operations | Run the enterprise containers, understand service topology, configure tenant operations, and operate the runtime
Reference                 | Open the generated REST API reference and combined API browser

Start with concept pages when you are still deciding how the EDK model should represent your organization or tenant setup. Use technical guides once you know the capability and need concrete APIs, configuration, modules, or integration behavior. Use walkthroughs when you want a complete path from a fresh deployment to issuing and verifying credentials.

Next Steps

  • Party Model: how EDK represents people, organizations, services, identities, and relationships
  • Semantic Model: how catalogs, profiles, attribute sets, and channels drive credentials and verification
  • Tenant and Onboarding: tenant routing, registration journeys, domains, public endpoints, and isolation
  • Authorization: policy engines, AuthZEN, Cedarling, OPA, and command enforcement
  • Enterprise Deployment Walkthrough: deploy the container stack and exercise the REST APIs end to end
  • Roles and Topology: understand the six enterprise service images and runtime topology

Support

The EDK is a proprietary product. For support inquiries, contact Sphereon at support@sphereon.com.