As part of the GEANT Trust & Identity Incubator project, I had the opportunity to implement and demonstrate proof-of-concept functionalities for the emerging OpenID for Verifiable Credential Issuance (OpenID4VCI) specification within the widely used SimpleSAMLphp identity framework. This work represents a meaningful step toward enabling interoperable, standards-based credential issuance in academic and research identity infrastructures.

My contribution focused on extending the oidc module in SimpleSAMLphp to support credential issuance flows compliant with OpenID4VCI draft 15. The goal was to create a lightweight, standards-aligned issuer that could be easily adopted by identity providers (IdPs) in federated environments.

To validate the implementation, I demonstrated credential issuance using three different wallets:

  • Sphereon Wallet
  • Lissi Wallet
  • Data Wallet

Since the specification is still in the draft phase, each wallet had different capabilities, compatible with different drafts of the specification; an overview of the supported features is shown below.

[Figure: overview of the features supported by each wallet]

By embedding OpenID4VCI into SimpleSAMLphp, we enable existing IdPs to act as credential issuers with minimal disruption, paving the way for:

  • User-centric credential management in academic and research settings
  • Cross-wallet compatibility through standards-based issuance
  • Future integration with OpenID4VP for selective disclosure and verification

Since this is “just” a proof-of-concept, I’m happy to share the code and documentation with anyone interested in exploring the implementation. However, please note that this is not a production-ready solution.

My next milestone is to implement OpenID4VP support in SimpleSAMLphp, enabling full issuer–holder–verifier flows. This will allow verifiable credentials issued via OpenID4VCI to be presented and verified using OpenID4VP protocols, completing the trust triangle.