Enterprise Development Kit (EDK)
The Enterprise Development Kit (EDK) extends the open-source Identity Development Kit (IDK) with the capabilities required for production enterprise deployments. Where the IDK provides the foundational building blocks (cryptography, DIDs, verifiable credentials, SD-JWT, OID4VP, key management, and the command/DI framework), the EDK adds the enterprise layers that turn those building blocks into scalable, secure, multi-tenant services.
The EDK is Sphereon's proprietary product. It builds on every IDK module and shares the same architecture: Metro DI for dependency injection, the -public / -impl module pattern, and the command abstraction that makes operations transport-transparent.
Architecture Overview
What the EDK Adds
The IDK gives you the identity primitives. The EDK gives you the production infrastructure around them.
Zero-Trust Authorization
The IDK has no authorization system; it provides identity operations without access control. The EDK adds a full policy-based authorization framework that evaluates every command against external Policy Decision Points (PDPs) using the OpenID AuthZEN specification. Cedarling (Cedar), OPA, and any AuthZEN-compliant PDP are supported. Authorization is transparent: the PolicyCommandExtension intercepts commands before execution, so business logic does not contain access control checks.
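The interception pattern described above, as an added illustration that is not EDK code: a hypothetical Principal and Command are mapped onto an OpenID AuthZEN evaluation request, and a wrapper consults the PDP before every handler call, treating a PDP error or malformed response as a deny (fail closed). The stub PDP is a constructed stand-in for Cedar or OPA.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

@dataclass
class Principal:          # hypothetical: who is executing the command
    id: str
    roles: List[str]

@dataclass
class Command:            # hypothetical: the unit the extension intercepts
    name: str             # e.g. "kms.sign"
    resource_type: str
    resource_id: str
    tenant: str

def authzen_request(principal: Principal, cmd: Command) -> Dict[str, Any]:
    """Map a command onto an OpenID AuthZEN evaluation request body."""
    return {
        "subject": {"type": "user", "id": principal.id,
                    "properties": {"roles": principal.roles}},
        "action": {"name": cmd.name},
        "resource": {"type": cmd.resource_type, "id": cmd.resource_id},
        "context": {"tenant": cmd.tenant},
    }

class PolicyDenied(Exception):
    """Raised instead of running the handler when the PDP does not permit."""

def guard(pdp: Callable[[Dict[str, Any]], Dict[str, Any]], handler):
    """Wrap a handler so the PDP is consulted before every execution.
    A PDP error or a response without decision=true is a deny (fail closed)."""
    def run(principal: Principal, cmd: Command):
        try:
            decision = pdp(authzen_request(principal, cmd)).get("decision")
        except Exception:
            decision = False
        if decision is not True:
            raise PolicyDenied(f"{principal.id}: {cmd.name} on "
                               f"{cmd.resource_type}/{cmd.resource_id}")
        return handler(cmd)
    return run

def stub_pdp(req: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for a PDP: only signers may call kms.sign on keys."""
    allowed = (req["action"]["name"] == "kms.sign"
               and req["resource"]["type"] == "key"
               and "signer" in req["subject"]["properties"]["roles"])
    return {"decision": allowed}
```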
Identity Verification & Reconciliation
The IDK provides wallet-based credential presentation (OID4VP) and basic identity models. The EDK adds the layers that make those presentations meaningful in an enterprise context: composable IDV workflows that chain OIDC, document scanning, biometric, and OTP verification into graph-based flows; privacy-preserving identity matching with HMAC-hashed linking and encrypted canonical attributes; a reconciliation policy engine that decides whether to accept, verify, step up, or reject based on configurable rules; and an auth bridge that connects wallet presentations to OAuth2/OIDC authorization servers.
Microservice Transport
The IDK executes commands locally. The EDK adds a dual transport system that makes command execution location-transparent: the same command can run in-process or be forwarded to a remote microservice via HTTP RPC or gRPC, controlled by configuration. This enables deployments ranging from a single monolith to a fully distributed microservice architecture without code changes. The Universal HTTP Adapter provides framework-agnostic REST APIs backed by the command lifecycle.
Cloud Configuration & Secrets
The IDK has a configuration system with property sources and interpolation. The EDK extends it with cloud configuration providers (Azure App Configuration, REST Config Client) and secret vault integrations (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault). Secrets are never stored in plaintext; they are referenced via ${secret:vault:path} interpolation and resolved at runtime. An offline cache ensures applications survive cloud provider outages gracefully.
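How reference-style secret interpolation with an offline cache behaves under an outage, as an added example that is not the EDK's implementation: configuration keeps only the ${secret:vault:path} reference, the value is fetched when interpolated, and the last good value is served when the provider is unreachable. SecretResolver, VaultUnavailable and FakeVault are hypothetical names constructed for this demo.

```python
import re
from typing import Callable, Dict, Tuple

SECRET_REF = re.compile(r"\$\{secret:([A-Za-z0-9_-]+):([^}]+)\}")  # ${secret:<vault>:<path>}

class VaultUnavailable(Exception):
    """Raised by a provider when the cloud vault cannot be reached."""

class SecretResolver:
    """Hypothetical resolver: references stay in configuration, values are fetched
    at interpolation time, and the last good value is cached in memory for outages."""

    def __init__(self, providers: Dict[str, Callable[[str], str]]):
        self.providers = providers               # vault name -> fetch(path)
        self.cache: Dict[Tuple[str, str], str] = {}

    def fetch(self, vault: str, path: str) -> str:
        provider = self.providers.get(vault)
        if provider is None:
            raise KeyError(f"unknown vault '{vault}'")   # misconfiguration, not an outage
        try:
            value = provider(path)
        except VaultUnavailable:
            if (vault, path) in self.cache:              # serve the cached value
                return self.cache[(vault, path)]
            raise                                        # cold start: nothing to fall back to
        self.cache[(vault, path)] = value
        return value

    def interpolate(self, raw: str) -> str:
        """Replace every ${secret:vault:path} reference inside a config value."""
        return SECRET_REF.sub(lambda m: self.fetch(m.group(1), m.group(2)), raw)

class FakeVault:
    """Constructed in-memory vault whose connectivity can be switched off."""
    def __init__(self, data: Dict[str, str]):
        self.data, self.online = data, True
    def __call__(self, path: str) -> str:
        if not self.online:
            raise VaultUnavailable(path)
        return self.data[path]

def demo() -> Tuple[str, str]:
    vault = FakeVault({"db/password": "s3cr3t-example"})   # constructed sample secret
    resolver = SecretResolver({"aws": vault})
    url = "jdbc:postgresql://db/app?user=app&password=${secret:aws:db/password}"
    first = resolver.interpolate(url)     # live fetch, populates the cache
    vault.online = False                  # simulate a provider outage
    second = resolver.interpolate(url)    # served from the offline cache
    return first, second
```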
Audit & Compliance
The IDK has no audit system. The EDK provides structured audit logging with automatic sensitive data redaction, multiple output formats (JSON, CEF, OCSF), and tamper evidence via hash chaining and signed checkpoints. Every command execution, authorization decision, and authentication event is recorded with full session context, distributed trace IDs, and correlation IDs.
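The tamper-evidence mechanism described above, as an added worked example and not the EDK's audit code: each record's hash covers its content and the previous record's hash, a checkpoint signs the chain head, and verification reports the first record that no longer matches, a truncated chain, or a forged checkpoint. HMAC-SHA256 stands in for whatever signature scheme the EDK uses for checkpoints; the events and key are constructed.

```python
import hashlib, hmac, json
from typing import Dict, List, Optional

GENESIS = "0" * 64          # prev-hash of the first record

def canonical(record: Dict) -> bytes:
    """Stable serialisation so every verifier hashes identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append(chain: List[Dict], event: Dict) -> Dict:
    """Append a record whose hash covers its content and the previous hash."""
    entry = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS,
             "event": event}
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    chain.append(entry)
    return entry

def checkpoint(chain: List[Dict], key: bytes) -> Dict:
    """Sign the current head (HMAC stands in for the real checkpoint signature)."""
    head = chain[-1]
    msg = f"{head['seq']}:{head['hash']}".encode()
    return {"seq": head["seq"], "hash": head["hash"],
            "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verify(chain: List[Dict], cp: Dict, key: bytes) -> Optional[int]:
    """None if intact up to the checkpoint; -1 for a bad checkpoint signature;
    else the seq of the first failing record (a truncated chain reports cp['seq'])."""
    msg = f"{cp['seq']}:{cp['hash']}".encode()
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), cp["sig"]):
        return -1
    prev = GENESIS
    for i, entry in enumerate(chain[: cp["seq"] + 1]):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["seq"] != i or entry["prev"] != prev
                or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]):
            return i
        prev = entry["hash"]
    return None if prev == cp["hash"] else cp["seq"]

def demo(key: bytes = b"constructed-checkpoint-key"):
    chain: List[Dict] = []
    for ev in ({"type": "authz", "cmd": "kms.sign", "decision": "deny"},      # constructed events
               {"type": "authn", "subject": "alice", "result": "ok"},
               {"type": "command", "cmd": "did.resolve", "trace": "0af7"}):
        append(chain, ev)
    cp = checkpoint(chain, key)
    intact = verify(chain, cp, key)
    truncated = verify(chain[:2], cp, key)             # last record dropped
    chain[0]["event"]["decision"] = "permit"           # rewrite history after the fact
    return intact, truncated, verify(chain, cp, key)
```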
Events & Shared Signals
The IDK has a basic event bus. The EDK extends it with persistent event storage (PostgreSQL, MySQL, SQLite), event transmission with retry and dead-letter queues, and the Shared Signals Framework (SSF) for cross-domain security event exchange. When a credential is compromised at an identity provider, CAEP and RISC events propagate to all relying parties in real time.
Telemetry & Observability
The EDK adds OpenTelemetry-based telemetry: distributed tracing with W3C Trace Context propagation across service boundaries, metrics collection (counters, histograms, gauges), and log correlation. Traces follow requests through the command transport layer so a single trace ID links the API gateway, KMS service, DID resolver, and any other service that participated in a request.
Persistence
The IDK uses in-memory stores for development. The EDK provides production persistence backed by PostgreSQL, MySQL, and SQLite for parties, identities, contacts, settings, key-value data, events, and audit records. Multi-tenant database routing enables tenant-specific databases or schemas, with connection pooling via HikariCP.
eIDAS Digital Signatures
The EDK includes an eIDAS signature framework with EU DSS integration for creating and validating AdES-compliant digital signatures (XAdES, PAdES, CAdES, JAdES). It supports both local signing and remote signing services.
Physical Access Control
The EDK integrates with physical access control systems like Simac Pronto V2, bridging wallet-verified digital identities with physical access, NFC card provisioning, time-bounded zone access, and reader control.
Spring Boot Integration
The EDK provides first-class Spring Boot support with auto-configuration for all EDK subsystems, a DI bridge between Metro and Spring's IoC container, request-scoped multi-tenant contexts, and JWT-based tenant/principal resolution.
EDK vs IDK
| | IDK | EDK |
|---|---|---|
| License | Open Source (Apache 2.0) | Proprietary |
| Focus | Identity primitives and protocols | Enterprise infrastructure and production services |
| Platform | Kotlin Multiplatform (JVM, iOS, Android, JS, WASM, Linux) | Kotlin Multiplatform (JVM for some provider-specific modules) |
| Authorization | - | AuthZEN, Cedar, OPA with command interception |
| Identity verification | - | IDV workflows, matching, reconciliation, auth bridge |
| Transport | Local command execution | Local + HTTP RPC + gRPC, monolith or microservices |
| Configuration | Property sources, interpolation | + Azure App Config, REST Config, AWS/Azure/Vault secrets |
| Persistence | In-memory stores | PostgreSQL, MySQL, SQLite with multi-tenant routing |
| Audit | - | Structured audit with redaction, tamper evidence, CEF/OCSF |
| Events | Basic event bus | + Persistent storage, transmission, SSF (CAEP/RISC) |
| Telemetry | - | OpenTelemetry tracing, metrics, log correlation |
| Spring Boot | - | Full auto-configuration, DI bridge |
Requirements
- JDK 17 or higher (for JVM modules)
- Kotlin 2.2 or higher
- Spring Boot 3.5 (for Spring Boot integration)
- Database: PostgreSQL 14+, MySQL 8+, or SQLite 3.35+ (for persistent modules)
Installation
The EDK is distributed as Maven artifacts through Sphereon's authenticated Nexus repository. The repository URL and access credentials are provided by Sphereon during onboarding. EDK modules are published under the com.sphereon.edk group; the IDK modules they build on are published under com.sphereon.idk.
repositories {
    maven("https://nexus.sphereon.com/repository/sphereon-releases/") {
        // Credentials issued by Sphereon during onboarding; keep them out of the build script
        credentials {
            username = System.getenv("SPHEREON_MAVEN_USER")
            password = System.getenv("SPHEREON_MAVEN_PASSWORD")
        }
    }
}

dependencies {
    // Pick the modules you need; edkVersion is the EDK release provided during onboarding
    implementation("com.sphereon.edk:lib-authz-authzen-impl:$edkVersion")
    implementation("com.sphereon.edk:lib-transport-routing-api:$edkVersion")
    implementation("com.sphereon.edk:lib-conf-secret-vault:$edkVersion")
    implementation("com.sphereon.edk:lib-audit-impl:$edkVersion")
    // ...
}
Next Steps
- Configuration: Cloud providers, secrets, offline cache
- HTTP & Transport: REST APIs, command transport, telemetry
- Authentication & Identity: JWT validation, IDV, matching, auth bridge
- Authorization: Policy engines, command extension
- OID4VP Verification: Verify credentials from digital wallets
- Spring Boot: Auto-configuration and DI bridge
Support
The EDK is a proprietary product. For support inquiries, contact Sphereon at support@sphereon.com.