FAP for Issuing Credentials in Digital Ecosystems
The Federation Architecture Pattern (FAP) for credential issuing (Principal Credential Issuance, PCI for short) covers an important function for giving people access in a shared digital ecosystem: the use of verifiable credentials, digital proofs that show something is true, for example “This person works for company X.” or “This person is allowed to access a system.” This FAP provides a clear, step-by-step process to define, set up, and issue credentials across different organizations. It connects administrators, data systems, and digital wallets.
Purpose & Value
The purpose of this FAP is to help organizations create and give out digital credentials to their employees in a safe and simple way.
This FAP allows organizations to define what a credential looks like, how it is branded, and what information it contains, and then issue it securely to verified employees.
It also helps to use the same simple process across different organizations, so credentials are managed and issued in a consistent way.
The FAP supports decentralized trust, meaning no single central authority is in control, and credentials can be used and trusted across different systems and domains.
Overall, it provides an easy-to-use framework for issuing digital credentials.
- Less Complexity: Reduces complexity and cost of credential setup and issuance.
- Compliance: Ensures compliance with federated trust frameworks (e.g., Gaia-X, eIDAS).
- Digital Wallet: Enables employees to carry portable, verifiable credentials in digital wallets.
- Scalability: Supports scalability across domains such as education, health, mobility, supply chain, etc.
- Easy Login: Works on top of existing login systems.
Scope & Boundaries
Included in the PCI FAP:
- Provision of SaaS toolstack for issuance including Orchestration Engine (ORCE) basic workflows
- Multi-account usage
- Credential definition and configuration via Administration Page (schemas, images, definitions)
- Metadata storage for credential templates and issuance parameters.
- Integration with OAuth2-based authentication and employee data APIs.
- Issuance workflow orchestration through ORCE and Issuing Plugins.
- Credential delivery for OID4VCI-compatible wallets via QR codes, deep links and offering links.
- Credential verification and revocation
Excluded from the PCI FAP:
- Full HR or data system management
- Legal identity validation beyond trusted SSI/eIDAS providers
- Wallet implementation
- OCM W-Stack deployment (provided separately)
This FAP combines two main sub-patterns.
1. Credential Administration & Configuration Workflow
Administrators manage credential metadata, templates, and issuance rules used later in the issuance process.
Key Components:
- Administrator: Configures and manages credential templates.
- Administration Page (Web): UI for defining schemas, uploading images, and setting credential definitions.
- Metadata Credential Storage: Repository holding credential schemas, branding, and definitions.
- Key Storage, Crypto, Signer: Manages cryptographic material for secure credential signing.
- API: Exposes credential templates and metadata to issuance systems.
- Issuance System Connector: Consumes credential definitions to produce offering links or QR codes.
2. Employee Issuance Workflow
Once credential templates are defined, the issuance workflow securely issues credentials to employees.
Key Components:
- Landing Page: Entry point for employees.
- Login (OAuth2): Authenticates users and obtains a JWT.
- Data API: Provides verified employee data for issuance.
- Issuance Page: Displays issuance offer (QR code or link).
- Issuing Plugin: Creates and sends issuance offers to wallets, integrated with OCM W-Stack.
- Wallet: Employee’s digital wallet where credentials are stored.
- OCM W-Stack: Manages credential creation, signing, and issuance.
- ORCE Workflow: Orchestrates the end-to-end process.
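As an added illustration of the offer-delivery step above (not code from the FAP, ORCE or the OCM W-Stack), the Python below builds an OID4VCI Credential Offer with a pre-authorized code, encodes it into the deep link a wallet opens (the same string a QR code would carry), parses it back the way a wallet would, and redeems the code once at the issuer. The issuer URL and the credential configuration id are constructed placeholders; the field names follow the OID4VCI Credential Offer structure.

```python
import json
import secrets
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholders (not from the page): a hypothetical issuer URL
# and the configuration id of an employee credential.
ISSUER = "https://issuer.example.org"
EMPLOYEE_CONFIG_ID = "EmployeeCredential"
PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

_outstanding_codes: set[str] = set()  # in memory here; a database in a real issuer


def build_credential_offer(issuer: str, config_id: str) -> tuple[dict, str]:
    """Issuer side: return the offer object (what the Issuing Plugin encodes in
    the QR code) and the deep link the wallet opens, with a fresh one-time code."""
    code = secrets.token_urlsafe(32)
    _outstanding_codes.add(code)
    offer = {
        "credential_issuer": issuer,
        "credential_configuration_ids": [config_id],
        "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": code}},
    }
    encoded = quote(json.dumps(offer, separators=(",", ":")), safe="")
    return offer, "openid-credential-offer://?credential_offer=" + encoded


def parse_credential_offer(deep_link: str) -> dict:
    """Wallet side: decode the deep link and check the fields a wallet relies on."""
    parsed = urlparse(deep_link)
    if parsed.scheme != "openid-credential-offer":
        raise ValueError("unexpected scheme: " + parsed.scheme)
    params = parse_qs(parsed.query)
    if "credential_offer" not in params:
        raise ValueError("only offers passed by value are handled here")
    offer = json.loads(params["credential_offer"][0])
    for field in ("credential_issuer", "credential_configuration_ids"):
        if field not in offer:
            raise ValueError("offer is missing " + field)
    if not offer["credential_issuer"].startswith("https://"):
        raise ValueError("credential_issuer must be an https URL")
    return offer


def redeem_pre_authorized_code(offer: dict) -> bool:
    """Issuer token endpoint check: the code must be known and not yet used."""
    code = offer.get("grants", {}).get(PRE_AUTH_GRANT, {}).get("pre-authorized_code")
    if code is None or code not in _outstanding_codes:
        return False
    _outstanding_codes.discard(code)  # a replayed or forwarded offer fails here
    return True
```

Because the code is consumed on first redemption, a scanned or forwarded copy of the offer yields nothing once the entitled employee has used it; short expiry of outstanding codes is the other control a production issuer adds.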
Standards & Frameworks:
- W3C Verifiable Credentials (VC/VP): credential data and exchange model.
- OID4VCI: standard issuance interaction between issuer and wallet.
- OAuth2 / OpenID Connect: user authentication and authorization.
- JSON-LD / JSON Schema: schema and metadata definitions.
- DIDComm v2: secure messaging channel between issuer and wallet (optional).
- Gaia-X Trust Framework: compliance, trust anchors, and federation governance.
- eIDAS 2.0: legal identity and qualified trust alignment.
- GDPR: consent and data minimisation during issuance.
Reusable Modules:
- Credential Definition & Metadata Storage.
- OAuth2 Authentication Flow.
- Issuance Page + Issuing Plugin integration.
- QR-Code / Offering Link Generation.
Variants:
- Self-Service Issuance: Employee initiates issuance via landing page.
- Automated HR Integration: Batch issuance triggered by HR or IAM systems.
- Federated Issuer Networks: Shared credential definitions across organisations.
