diff --git a/testbed/authentication/shibboleth-idp/Dockerfile b/testbed/authentication/shibboleth-idp/Dockerfile
index 2b10847f0..ed663d8b5 100644
--- a/testbed/authentication/shibboleth-idp/Dockerfile
+++ b/testbed/authentication/shibboleth-idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:4.0.0_20200518
+FROM i2incommon/shib-idp:4.2.1_20220624
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat
diff --git a/testbed/authentication/shibboleth-idp/config/shib-idp/conf/relying-party.xml b/testbed/authentication/shibboleth-idp/config/shib-idp/conf/relying-party.xml
index 5127515ed..f216e2f5e 100644
--- a/testbed/authentication/shibboleth-idp/config/shib-idp/conf/relying-party.xml
+++ b/testbed/authentication/shibboleth-idp/config/shib-idp/conf/relying-party.xml
@@ -40,7 +40,7 @@
                 <ref bean="SAML1.AttributeQuery" />
                 <ref bean="SAML1.ArtifactResolution" />
                 -->
-                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
+                <ref bean="SAML2.SSO" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
                 <!--
diff --git a/testbed/integration/docker-compose.yml b/testbed/integration/docker-compose.yml
index eb448e56d..d249fc2be 100644
--- a/testbed/integration/docker-compose.yml
+++ b/testbed/integration/docker-compose.yml
@@ -48,9 +48,11 @@ services:
     depends_on:
       - directory
       - reverse-proxy
+      - database
     networks:
       - reverse-proxy
       - idp
+      - backend
     volumes:
       - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
       - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
@@ -86,6 +88,8 @@ services:
       - backend
     volumes:
       - database_data:/var/lib/postgresql/data
+      - ./shibboleth-idp/db/oidc_dynreg.sql:/docker-entrypoint-initdb.d/oidc_dynreg.sql
+      
 networks:
   reverse-proxy:
   idp:
diff --git a/testbed/integration/shibboleth-idp/Dockerfile b/testbed/integration/shibboleth-idp/Dockerfile
index 1a4087074..31684bb89 100644
--- a/testbed/integration/shibboleth-idp/Dockerfile
+++ b/testbed/integration/shibboleth-idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp:4.1.4_20210802
+FROM i2incommon/shib-idp:4.2.1_20220624
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat
@@ -10,16 +10,28 @@ ARG SHBVIEWS=config/shib-idp/views
 ARG SHBEDWAPP=config/shib-idp/edit-webapp
 ARG SHBMSGS=config/shib-idp/messages
 ARG SHBMD=config/shib-idp/metadata
+ARG OIDCREG=config/shib-idp/static
+ARG TOMREWRITE=config/tomcat/rewrite.config
+
+#enable OIDC plugins and generate needed keys
+ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
+RUN /opt/shibboleth-idp/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-common/2.1.0/oidc-common-dist-2.1.0.tar.gz --noPrompt
+RUN /opt/shibboleth-idp/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-op/3.2.1/idp-plugin-oidc-op-distribution-3.2.1.tar.gz --noPrompt
+RUN /opt/shibboleth-idp/bin/module.sh -e idp.authn.RemoteUserInternal
+RUN /opt/shibboleth-idp/bin/jwtgen.sh -t RSA -s 2048 -u sig -i defaultRSASign | tail -n +2 > /opt/shibboleth-idp/credentials/idp-signing-rs.jwk
+RUN /opt/shibboleth-idp/bin/jwtgen.sh	-t EC -c P-256 -u sig -i defaultECSign | tail -n +2 > /opt/shibboleth-idp/credentials/idp-signing-es.jwk
+RUN /opt/shibboleth-idp/bin/jwtgen.sh	-t RSA -s 2048 -u enc -i defaultRSAEnc | tail -n +2 > /opt/shibboleth-idp/credentials/idp-encryption-rsa.jwk
 
 # copy in the needed config files
 ADD ${TOMCFG} /usr/local/tomcat/conf
 ADD ${TOMCERT} /opt/certs
 ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
 ADD ${SHBCFG} /opt/shibboleth-idp/conf
-ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
 #ADD ${SHBVIEWS} /opt/shibboleth-idp/views
-#ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
+ADD ${OIDCREG} /opt/shibboleth-idp/static
+ADD ${TOMREWRITE} /usr/local/tomcat/conf/Catalina/localhost/rewrite.config
 
 EXPOSE 8080
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml
index e8215e441..5a0b0d14b 100644
--- a/testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml
@@ -28,20 +28,18 @@
 
     <util:map id="shibboleth.AccessControlPolicies">
 
-        <entry key="AccessByIPAddress">
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
-        </entry>
-
-        <!--
         <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'banderson'}" />
                 </constructor-arg>
             </bean>
         </entry>
-        -->
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
+        </entry>
 
         <!--
         <entry key="AccessByAttribute">
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/credentials.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/credentials.xml
new file mode 100644
index 000000000..f2d3309b1
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/credentials.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
+
+    This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
+    configuration. You don't normally need to touch this, unless you have advanced requirements such as
+    supporting multiple sets of keys for different relying parties, in which case you may want to define
+    all your credentials here for convenience.
+    -->
+
+    <!--
+    The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
+    for example for specific relying parties or different key types, make sure to include them within this list.
+    -->
+    <util:list id="shibboleth.SigningCredentials">
+        <ref bean="shibboleth.DefaultSigningCredential" />
+    </util:list>
+    
+    <!-- Your IdP's default signing key, set via property file. -->
+    <bean id="shibboleth.DefaultSigningCredential"
+        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+        p:privateKeyResource="%{idp.signing.key}"
+        p:certificateResource="%{idp.signing.cert}"
+        p:entityId-ref="entityID" />
+        
+    <!-- Your IdP's default client TLS credential, by default the same as the default signing credential. -->
+    <alias alias="shibboleth.DefaultClientTLSCredential" name="shibboleth.DefaultSigningCredential" />
+    
+    <!--
+    The list of ALL of your IdP's encryption credentials. By default this is just an alias
+    for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
+    a list with additional credentials if needed.
+    -->
+    <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />
+        
+    <!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
+    <util:list id="shibboleth.DefaultEncryptionCredentials">
+        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+            p:privateKeyResource="%{idp.encryption.key}"
+            p:certificateResource="%{idp.encryption.cert}"
+            p:entityId-ref="entityID" />
+
+        <!--
+        For key rollover, uncomment and point to your original keypair, and use the one above
+        to point to your new keypair. Once metadata has propagated, comment this one out again.
+        -->
+        <!--
+        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+            p:privateKeyResource="%{idp.encryption.key.2}"
+            p:certificateResource="%{idp.encryption.cert.2}"
+            p:entityId-ref="entityID" />
+        -->
+    </util:list>
+
+  <!-- OIDC extension default credential definitions -->
+  <import resource="oidc-credentials.xml" />
+
+</beans>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/global.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/global.xml
new file mode 100644
index 000000000..ce4d699e6
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/global.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Use this file to define any custom beans needed globally. -->
+
+    <!-- Postgres configuration -->
+    <bean id="shibboleth.JPAStorageService"
+        class="org.opensaml.storage.impl.JPAStorageService"
+        p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
+        c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />
+ 
+    <bean id="shibboleth.JPAStorageService.EntityManagerFactory"
+        class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
+        <property name="persistenceUnitName" value="storageservice" />
+        <property name="packagesToScan" value="org.opensaml.storage.impl" />
+        <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource" />
+        <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" />
+        <property name="jpaDialect">
+            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
+        </property>
+    </bean>
+
+    <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
+        class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
+        <property name="database" value="POSTGRESQL" />
+    </bean> 
+    <bean id="shibboleth.JPAStorageService.DataSource"
+        class="com.zaxxer.hikari.HikariDataSource" destroy-method="close" lazy-init="true"
+        p:driverClassName="org.postgresql.Driver"
+        p:jdbcUrl="jdbc:postgresql://database:5432/oidc_dynreg"
+        p:username="shibui"
+        p:password="shibui" />
+
+    <!--
+    Algorithm include/exclude sets that override or merge with library defaults. Normally you can leave these
+    empty or commented and use the system defaults, but you can override those defaults using these beans.
+    Each <value> element is an algorithm URI; you can also use <util:constant> elements in place of literal values.
+    -->
+    
+    <!--
+    <util:set id="shibboleth.IncludedSignatureAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.ExcludedSignatureAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.IncludedEncryptionAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.ExcludedEncryptionAlgorithms">
+    </util:set>
+    -->
+
+    <!--
+    If you need to define and inject custom Java object(s) into the various views used throughout the
+    system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
+    type required. It will appear in the view scope as a variable named "custom".
+    
+    The example below defines the bean as a map, which allows you to inject multiple objects under
+    named keys to expand the feature to support multiple injected objects.
+    -->
+    
+    <!--
+    <util:map id="shibboleth.CustomViewContext">
+        <entry key="foo" value="bar"/>
+    </util:map>
+    -->
+    
+</beans>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties b/testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties
index 50af60005..b356a4574 100644
--- a/testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties
@@ -1,5 +1,5 @@
 # Load any additional property resources from a comma-delimited list
-idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties
+idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties, /conf/oidc.properties
 
 # In most cases (and unless noted in the surrounding comments) the
 # commented settings in the distributed files document default behavior.
@@ -224,3 +224,5 @@ idp.ui.fallbackLanguages=en,fr,de
 
 # Set false if you want SAML bindings "spelled out" in audit log
 idp.audit.shortenBindings=true
+
+#idp.loglevel.idp=DEBUG
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-attribute-filter.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-attribute-filter.xml
new file mode 100644
index 000000000..e1c7e4aed
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-attribute-filter.xml
@@ -0,0 +1,142 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:oidc="urn:mace:shibboleth:2.0:afp:oidc"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd
+                        urn:mace:shibboleth:2.0:afp:oidc http://shibboleth.net/schema/oidc/shibboleth-afp-oidc.xsd">
+
+
+    <!--
+    The convention in the rules below is to use pre-existing attributeID defaults where appropriate
+    and to use OIDC claim names where no existing ID makes sense. You're free to adjust all this
+    as long as the resolver and/or registry rules match.
+    -->
+
+    <AttributeFilterPolicy id="OPENID_SCOPE">
+        <PolicyRequirementRule xsi:type="oidc:OIDCScope" value="openid" />
+        <!-- May adjust to taste depending on strategy used to produce sub claim. -->
+        <AttributeRule attributeID="subject">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="subject-public">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="subject-pairwise">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!--
+    This demonstrates a rule that releases email claims in response to requests having the 'email' scope.
+    The requester needs to have that as a registered scope.
+    -->
+    <AttributeFilterPolicy id="OPENID_SCOPE_EMAIL">
+        <PolicyRequirementRule xsi:type="oidc:OIDCScope" value="email" />
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="email_verified">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!--
+    This demonstrates a rule that releases address claim in response to requests having the 'address' scope.
+    The requester needs to have that as a registered scope.
+    -->
+    <AttributeFilterPolicy id="OPENID_SCOPE_ADDRESS">
+        <PolicyRequirementRule xsi:type="oidc:OIDCScope" value="address" />
+        <AttributeRule attributeID="address">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!--
+    This demonstrates a rule that releases phone claims in response to requests having the 'phone' scope.
+    The requester needs to have that as a registered scope.
+    -->
+    <AttributeFilterPolicy id="OPENID_SCOPE_PHONE">
+        <PolicyRequirementRule xsi:type="oidc:OIDCScope" value="phone" />
+        <AttributeRule attributeID="telephoneNumber">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="phone_number_verified">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!--
+    This demonstrates a rule that releases profile claims in response to requests having the 'profile' scope.
+    The requester needs to have that as a registered scope.
+    -->
+    <AttributeFilterPolicy id="OPENID_SCOPE_PROFILE">
+        <PolicyRequirementRule xsi:type="oidc:OIDCScope" value="profile" />
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="sn">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="preferredLanguage">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonNickname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="middle_name">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="profile">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="picture">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="website">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="gender">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="birthdate">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="zoneinfo">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="updated_at">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+
+    <!-- Example rules for honoring requested claims and splitting claims between ID and UserInfo tokens. -->
+    
+    <AttributeFilterPolicy id="REQUESTED_CLAIMS">
+        <PolicyRequirementRule xsi:type="ANY" />
+        <!-- Release picture if asked. -->
+        <AttributeRule attributeID="picture">
+            <PermitValueRule xsi:type="oidc:AttributeInOIDCRequestedClaims" />
+        </AttributeRule>
+        <!-- Release email in ID token if specifically asked for in ID token. -->
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="oidc:AttributeInOIDCRequestedClaims" matchOnlyIDToken="true" />
+        </AttributeRule>
+        <!-- Release phone_number in UserInfo token if specifically asked for in UserInfo token. -->
+        <AttributeRule attributeID="telephoneNumber">
+            <PermitValueRule xsi:type="oidc:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true" />
+        </AttributeRule>
+        <!-- Release name if specifically asked for in UserInfo token and flagged as essential. -->
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="oidc:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true"
+                onlyIfEssential="true" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-attribute-resolver.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-attribute-resolver.xml
new file mode 100644
index 000000000..bab9f96ae
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-attribute-resolver.xml
@@ -0,0 +1,197 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:oidc="urn:mace:shibboleth:2.0:resolver:oidc"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                        urn:mace:shibboleth:2.0:resolver:oidc http://shibboleth.net/schema/oidc/shibboleth-attribute-encoder-oidc.xsd">
+
+    <!--
+    Some of the examples assume conf/attributes/oidc-claim-rules.xml is loaded
+    into the registry service.
+    -->
+
+    <!--
+    Exactly one attribute needs to supply the "sub" claim, but this can't be
+    fully standardized. There are suggested approaches below. Using the Scoped
+    definition is recommended to ensure intrinsic uniqueness.
+    -->
+    
+    <!--
+    These two examples use activation conditions and filter rules elsewhere to
+    allow for different public and pairwise behavior. This is a nice strategy
+    because using a "knowable" value for public sub claims is easier to support,
+    and allows provisioning by out of band systems.
+    
+    While these examples do expose "uid" as the value for public sub claims,
+    this is simply to provide a "working" out of the box example. Using something
+    more stable, managed by IDM infrastructure, is the advisable approach.
+    -->
+    <AttributeDefinition id="subject-public" xsi:type="Scoped" scope="%{idp.scope}"
+            activationConditionRef="shibboleth.oidc.Conditions.PublicRequired">
+        <InputAttributeDefinition ref="uid" />
+        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="subject-pairwise" xsi:type="Scoped" scope="%{idp.scope}"
+            activationConditionRef="shibboleth.oidc.Conditions.PairwiseRequired">
+        <InputDataConnector ref="computedSubjectId" attributeNames="subjectId"/>
+        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
+    </AttributeDefinition>
+
+    <!-- 
+    This example (the data connector in particular) will generate public or
+    pairwise values depending on client registration. The public values will
+    depend on, but not expose, an underlying value, which is again set to "uid"
+    for simplicity, but this is not a good strategy unless "uid" itself is a
+    stable, managed value.
+    -->
+    <!--
+    <AttributeDefinition id="subject" xsi:type="Scoped" scope="%{idp.scope}"
+            activationConditionRef="shibboleth.oidc.Conditions.SubjectRequired">
+        <InputDataConnector ref="computedSubjectId" attributeNames="subjectId"/>
+        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
+    </AttributeDefinition>
+    -->
+    
+    <!--
+    The EPPN is the most common federated username in higher education.
+    For guidelines on the implementation of this attribute, refer to eduPerson
+    and/or federation documentation. Above all, do not expose a value for this
+    attribute without considering the long term implications.
+    -->
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
+        <InputAttributeDefinition ref="uid" />
+        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="eppn" />
+    </AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute representing
+    a local username, but you should generally *never* expose uid to federated
+    services, as it is rarely globally unique. The default mapping for OIDC is
+    to preferred_username, which seems suitably meaningless.
+    -->
+    <AttributeDefinition id="uid" xsi:type="PrincipalName" />
+
+    <!-- This is just for illustrative purposes given that the connector is static.  -->
+    <AttributeDefinition id="mail" xsi:type="Template">
+        <InputAttributeDefinition ref="uid" />
+        <Template><![CDATA[
+               ${uid}@%{idp.scope}
+          ]]></Template>
+    </AttributeDefinition>
+
+    <!--
+    Start of static attributes. In actual deployment you would use a real source
+    for most of these attributes/claims.
+    -->
+
+    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
+        <InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
+    </AttributeDefinition>
+
+    <!--
+    This demonstrates a complex claim constructed by forming a JSON structure.
+    The default transcoding rule for the address claim expects such a structure.
+    -->
+    <AttributeDefinition id="address" xsi:type="ScriptedAttribute">
+        <InputDataConnector ref="staticAttributes" attributeNames="street_address locality region postal_code country"/>
+        <Script>
+        <![CDATA[
+        address.addValue("{\"street_address\":\""+street_address.getValues().get(0) + "\","
+            +"\"locality\":\""+locality.getValues().get(0) + "\","
+            +"\"region\":\""+region.getValues().get(0) + "\","
+            +"\"postal_code\":\""+postal_code.getValues().get(0) + "\","
+            +"\"country\":\""+country.getValues().get(0) + "\"}");
+        ]]>
+        </Script>
+    </AttributeDefinition>
+
+    <!--
+    Data Connector for generating 'sub' claim. It may be used to generate both
+    public and pairwise subject values because it recognizes the OIDC sector_id
+    if used during client registration.
+    -->
+    <DataConnector id="computedSubjectId" xsi:type="ComputedId"
+            generatedAttributeID="subjectId"
+            salt="%{idp.oidc.subject.salt}"
+            algorithm="%{idp.oidc.subject.algorithm:SHA}"
+            encoding="BASE32">
+        <InputAttributeDefinition ref="%{idp.oidc.subject.sourceAttribute}"/>
+    </DataConnector>
+
+    <!--
+    Static example to populate default claims. Most of these are directly exposed and
+    handled by the default set of transcoding rules provided for optional inclusion.
+    -->
+    <DataConnector id="staticAttributes" xsi:type="Static"
+            exportAttributes="telephoneNumber phone_number_verified email_verified displayName sn givenName middle_name eduPersonNickname profile picture website gender birthdate zoneinfo preferredLanguage updated_at">
+        <Attribute id="affiliation">
+            <Value>member</Value>
+            <Value>staff</Value>
+        </Attribute>
+        <Attribute id="telephoneNumber">
+            <Value>+1 (604) 555-1234;ext=5678</Value>
+        </Attribute>
+        <Attribute id="phone_number_verified">
+            <Value>true</Value>
+        </Attribute>
+        <Attribute id="email_verified">
+            <Value>false</Value>
+        </Attribute>
+        <Attribute id="displayName">
+            <Value>Mr.Teppo Matias Testaaja</Value>
+        </Attribute>
+        <Attribute id="sn">
+            <Value>Testaaja</Value>
+        </Attribute>
+        <Attribute id="givenName">
+            <Value>Teppo Matias</Value>
+        </Attribute>
+        <Attribute id="middle_name">
+            <Value>Matias</Value>
+        </Attribute>
+        <Attribute id="eduPersonNickname">
+            <Value>TT</Value>
+        </Attribute>
+        <Attribute id="profile">
+            <Value>https://fi.wikipedia.org/wiki/Tom_Cruise</Value>
+        </Attribute>
+        <Attribute id="picture">
+            <Value>https://pixabay.com/fi/pentu-kissa-kukka-potin-tabby-pentu-2766820/</Value>
+        </Attribute>
+        <Attribute id="website">
+            <Value>https://www.facebook.com/officialtomcruise/</Value>
+        </Attribute>
+        <Attribute id="gender">
+            <Value>male</Value>
+        </Attribute>
+        <Attribute id="birthdate">
+            <Value>1969-07-20</Value>
+        </Attribute>
+        <Attribute id="zoneinfo">
+            <Value>America/Los_Angeles</Value>
+        </Attribute>
+        <Attribute id="preferredLanguage">
+            <Value>en-US</Value>
+        </Attribute>
+        <Attribute id="updated_at">
+            <Value>1509450347</Value>
+        </Attribute>
+        <Attribute id="street_address">
+            <Value>234 Hollywood Blvd.</Value>
+        </Attribute>
+        <Attribute id="locality">
+            <Value>Los Angeles</Value>
+        </Attribute>
+        <Attribute id="region">
+            <Value>CA</Value>
+        </Attribute>
+        <Attribute id="postal_code">
+            <Value>90210</Value>
+        </Attribute>
+        <Attribute id="country">
+            <Value>US</Value>
+        </Attribute>
+    </DataConnector>
+    
+</AttributeResolver>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-clientinfo-resolvers.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-clientinfo-resolvers.xml
new file mode 100644
index 000000000..35cc7d853
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-clientinfo-resolvers.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy"
+       default-lazy-init="true">
+
+    <!--
+    The following example contains two OIDC client information resolvers:
+        - first one reading a single client's information from a JSON file
+        - second one fetching client information from a configured StorageService
+    -->
+
+    <util:list id="shibboleth.oidc.ClientInformationResolvers">
+        <!-- <ref bean="ExampleFileResolver" /> -->
+        <ref bean="dynreg" />
+    </util:list>
+
+    <!--
+    <bean id="ExampleFileResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver"
+        c:metadata="%{idp.home}/metadata/oidc-client.json" />
+    -->
+
+    <bean id="dynreg" parent="shibboleth.oidc.StorageClientInformationResolver"
+		    p:storageService-ref="shibboleth.JPAStorageService" />
+
+  <!--
+    <bean id="ExampleStorageClientInformationResolver" parent="shibboleth.oidc.StorageClientInformationResolver"
+        p:storageService-ref="#{'%{idp.oidc.dynreg.StorageService:shibboleth.StorageService}'.trim()}" />
+  -->  
+</beans>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc.properties b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc.properties
new file mode 100644
index 000000000..09d6ebd60
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc.properties
@@ -0,0 +1,146 @@
+# Set the Open ID Connect Issuer value 
+idp.oidc.issuer = https://idp.unicon.local
+
+#Dynamic registration properties
+idp.oidc.dynreg.StorageService=shibboleth.JPAStorageService
+
+# The validity of registration before a new one is required.
+#idp.oidc.dynreg.defaultRegistrationValidity = PT24H
+# The validity of client secret registered  
+#idp.oidc.dynreg.defaultSecretExpiration = P12M
+# The default scopes accepted in dynamic registration
+#idp.oidc.dynreg.defaultScope = openid profile email address phone offline_access
+# The default subject type if not set by client in request. Maybe set to pairwise or public.
+#idp.oidc.dynreg.defaultSubjectType = public
+# The acceptable client authentication methods when using dynamic registration
+#idp.oidc.dynreg.tokenEndpointAuthMethods = client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt
+# Regardless of what signing algorithms are configured, allow none for request object signing
+#idp.oidc.dynreg.allowNoneForRequestSigning = true
+# Bean to determine whether dynamic registration should validate the remote JWK set if it's defined in the request
+#idp.oidc.dynreg.validateRemoteJwks = shibboleth.Conditions.TRUE
+# Full path to the file containing default metadata policy used for dynamic client registration
+#idp.oidc.dynreg.defaultMetadataPolicyFile = 
+# Bean to determine the default metadata policy used for dynamic client registration
+#idp.oidc.dynreg.defaultMetadataPolicy = shibboleth.oidc.dynreg.DefaultMetadataPolicy
+
+# Storage for storing remote jwk sets.
+#idp.oidc.jwk.StorageService = shibboleth.StorageService
+
+#Authorization/Token endpoint properties
+# The acceptable client authentication methods
+#idp.oidc.tokenEndpointAuthMethods = client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt
+
+# Default lifetime of OIDC tokens (issued to the client or against the OP itself)
+#idp.oidc.authorizeCode.defaultLifetime = PT5M
+#idp.oidc.accessToken.defaultLifetime = PT10M
+#idp.oidc.refreshToken.defaultLifetime = PT2H
+#idp.oidc.idToken.defaultLifetime = PT1H
+
+# Lifetime of entries in revocation cache for authorize code
+#idp.oidc.revocationCache.authorizeCode.lifetime = PT6H
+# Storage for revocation cache. Requires server-side storage
+#idp.oidc.revocationCache.StorageService = shibboleth.StorageService
+
+# Signing keys for id tokens / userinfo response
+idp.signing.oidc.rs.key = %{idp.home}/credentials/idp-signing-rs.jwk
+idp.signing.oidc.es.key = %{idp.home}/credentials/idp-signing-es.jwk
+# Request object decryption key
+idp.signing.oidc.rsa.enc.key = %{idp.home}/credentials/idp-encryption-rsa.jwk
+
+# Set false to preclude issuing unencrypted ID/UserInfo tokens without specific overrides
+#idp.oidc.encryptionOptional = true
+
+#PKCE/AppAuth related properties
+#idp.oidc.forcePKCE = false
+#idp.oidc.allowPKCEPlain = false
+
+# Store user consent to authorization code & access/refresh tokens instead of exploiting consent storage
+#idp.oidc.encodeConsentInTokens = false
+
+# shibboleth.ClientInformationResolverService properties
+#idp.service.clientinfo.failFast = false
+#idp.service.clientinfo.checkInterval = PT0S
+#idp.service.clientinfo.resources = shibboleth.ClientInformationResolverResources
+
+# Special claim handling rules
+# "Encoded" attributes are encrypted and embedded into the access token
+#idp.oidc.encodedAttributes =
+# "Always included" attributes are forced into ID tokens for all response_types
+#idp.oidc.alwaysIncludedAttributes =
+# "Denied" attributes are omitted from the UserInfo token
+#idp.oidc.deniedUserInfoAttributes =
+
+# The source attribute used in generating the sub claim
+idp.oidc.subject.sourceAttribute = uid
+
+# The digest algorithm used in generating the sub claim
+#idp.oidc.subject.algorithm = SHA
+
+# The salt used in generating the subject
+# Do *NOT* share the salt with other people, it's like divulging your private key.
+# It is suggested you move this property into credentials/secrets.properties
+idp.oidc.subject.salt = eezien3iteit0gaiciiweayohxahmai6
+
+# Bean to determine whether SAML metadata should be exploited for trusted OIDC RP resolution
+#idp.oidc.metadata.saml = shibboleth.Conditions.TRUE
+
+# Upgrade interval to the remote JWKs
+#idp.oidc.jwksuri.fetchInterval = PT30M
+
+# Bounds on the next file refresh of the OP configuration resource
+#idp.oidc.config.minRefreshDelay = PT5M
+#idp.oidc.config.maxRefreshDelay = PT4H
+
+# Bean to configure additional response headers: none is added by default, but e.g. shibboleth.ResponseHeaderFilter
+# contains headers further configurable via other properties such as 'idp.hsts', 'idp.frameoptions' and 'idp.csp'.
+#idp.oidc.ResponseHeaderFilter = shibboleth.ResponseHeaderFilter
+
+# Bean used for extracting login_hint from the authentication request. The default function parses login_hint as is.
+#idp.oidc.LoginHintLookupStrategy = DefaultRequestLoginHintLookupFunction
+
+# Bean used for creating SPSessions needed for SLO. By default builds protocol-independent BasicSPSession, as SLO is not yet supported.
+#idp.oidc.SPSessionCreationStrategy = DefaultSPSessionCreationStrategy
+
+# Settings for issue-registration-access-token flow
+#idp.oidc.admin.registration.logging = IssueRegistrationAccessToken
+idp.oidc.admin.registration.nonBrowserSupported = true
+idp.oidc.admin.registration.authenticated = true
+#idp.oidc.admin.registration.resolveAttributes = false
+#idp.oidc.admin.registration.lookup.policy = shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy
+#idp.oidc.admin.registration.defaultTokenLifetime = P1D
+idp.oidc.admin.registration.accessPolicy = AccessByAdminUser
+#idp.oidc.admin.registration.policyLocationPolicy = AccessByAdmin
+idp.oidc.admin.registration.policyIdPolicy = AccessByAdminUser
+#idp.oidc.admin.registration.clientIdPolicy = AccessByAdmin
+
+idp.oidc.admin.clients.authenticated = true
+idp.oidc.admin.clients.accessPolicy = AccessByAdminUser
+
+#
+# OAuth2 Settings - these typically involve generic OAuth 2.0 use cases
+#
+
+# Supported grant_type values for token requests
+#idp.oauth2.grantTypes = authorization_code,refresh_token
+
+# Default handling of generic OAuth tokens (for use against arbitrary resource servers)
+#idp.oauth2.accessToken.defaultLifetime = PT10M
+# Set to JWT if desired as a default.
+#idp.oauth2.accessToken.type =
+
+# Set false to preclude issuing unencrypted JWT access tokens without specific overrides
+#idp.oauth2.encryptionOptional = true
+
+# Default scope/audience values if you allow unverified clients without metadata.
+#idp.oauth2.defaultAllowedScope =
+#idp.oauth2.defaultAllowedAudience =
+
+# Regular expression matching OAuth login flows to enable.
+# For most deployments, the default is sufficient to accomodate a variety of methods
+#idp.oauth2.authn.flows = OAuth2Client
+
+# Set true to enforce refresh token rotation (defaults to false)
+#idp.oauth2.enforceRefreshTokenRotation = true
+
+# Revocation method: set to TOKEN to revoke single tokens (defaults to full chain (value = CHAIN))
+#idp.oauth2.revocationMethod = TOKEN
\ No newline at end of file
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml
index 478731ac5..9227a1dfe 100644
--- a/testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml
@@ -23,6 +23,8 @@
         <property name="profileConfigurations">
             <list>
                 <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
+              <ref bean="OIDC.Keyset" />
+              <bean parent="OIDC.Configuration" />
             </list>
         </property>
     </bean>
@@ -51,6 +53,11 @@
                 <ref bean="CAS.LoginConfiguration" />
                 <ref bean="CAS.ProxyConfiguration" />
                 <ref bean="CAS.ValidateConfiguration" />
+                <ref bean="OIDC.SSO" />
+			          <ref bean="OIDC.UserInfo"/>
+			          <ref bean="OAUTH2.Revocation"/>
+			          <ref bean="OAUTH2.Introspection" />
+                <bean parent="OIDC.Registration" />
             </list>
         </property>
     </bean>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/services.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/services.xml
index c38ff2aa3..93d102727 100644
--- a/testbed/integration/shibboleth-idp/config/shib-idp/conf/services.xml
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/conf/services.xml
@@ -26,6 +26,7 @@
 
     <util:list id ="shibboleth.AttributeResolverResources">
         <value>%{idp.home}/conf/attribute-resolver.xml</value>
+        <value>%{idp.home}/conf/oidc-attribute-resolver.xml</value>
     </util:list>
 
     <!--
@@ -37,10 +38,12 @@
         <value>%{idp.home}/system/conf/attribute-registry-system.xml</value>
         <value>%{idp.home}/conf/attributes/default-rules.xml</value>
         <value>%{idp.home}/conf/attribute-resolver.xml</value>
+        <value>%{idp.home}/conf/oidc-attribute-resolver.xml</value>
     </util:list>
 
     <util:list id ="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter.xml</value>
+        <value>%{idp.home}/conf/oidc-attribute-filter.xml</value>
     </util:list>
 
     <util:list id ="shibboleth.NameIdentifierGenerationResources">
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/static/openid-configuration.json b/testbed/integration/shibboleth-idp/config/shib-idp/static/openid-configuration.json
new file mode 100644
index 000000000..d33b4e784
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/shib-idp/static/openid-configuration.json
@@ -0,0 +1,139 @@
+{
+   "issuer":"https://idp.unicon.local",
+   "authorization_endpoint":"https://idp.unicon.local/idp/profile/oidc/authorize",
+   "registration_endpoint":"https://idp.unicon.local/idp/profile/oidc/register",
+   "token_endpoint":"https://idp.unicon.local/idp/profile/oidc/token",
+   "userinfo_endpoint":"https://idp.unicon.local/idp/profile/oidc/userinfo",
+   "introspection_endpoint":"https://idp.unicon.local/idp/profile/oauth2/introspection",
+   "revocation_endpoint":"https://idp.unicon.local/idp/profile/oauth2/revocation",
+   "jwks_uri":"https://idp.unicon.local/idp/profile/oidc/keyset",
+   "response_types_supported":[
+      "code",
+      "id_token",
+      "token id_token",
+      "code id_token",
+      "code token",
+      "code token id_token"
+   ],
+   "subject_types_supported":[
+      "public",
+      "pairwise"
+   ],
+   "grant_types_supported":[
+      "authorization_code",
+      "implicit",
+      "refresh_token"
+   ],
+   "id_token_encryption_alg_values_supported":[
+      "RSA1_5",
+      "RSA-OAEP",
+      "RSA-OAEP-256",
+      "A128KW",
+      "A192KW",
+      "A256KW",
+      "A128GCMKW",
+      "A192GCMKW",
+      "A256GCMKW"
+   ],
+   "id_token_encryption_enc_values_supported":[
+      "A128CBC-HS256"
+   ],
+   "id_token_signing_alg_values_supported":[
+      "RS256",
+      "RS384",
+      "RS512",
+      "HS256",
+      "HS384",
+      "HS512",
+      "ES256"
+   ],
+   "userinfo_encryption_alg_values_supported":[
+      "RSA1_5",
+      "RSA-OAEP",
+      "RSA-OAEP-256",
+      "A128KW",
+      "A192KW",
+      "A256KW",
+      "A128GCMKW",
+      "A192GCMKW",
+      "A256GCMKW"
+   ],
+   "userinfo_encryption_enc_values_supported":[
+      "A128CBC-HS256"
+   ],
+   "userinfo_signing_alg_values_supported":[
+      "RS256",
+      "RS384",
+      "RS512",
+      "HS256",
+      "HS384",
+      "HS512",
+      "ES256"
+   ],
+   "request_object_signing_alg_values_supported":[
+      "none",
+      "RS256",
+      "RS384",
+      "RS512",
+      "HS256",
+      "HS384",
+      "HS512",
+      "ES256",
+      "ES384",
+      "ES512"
+   ],
+   "token_endpoint_auth_methods_supported":[
+      "client_secret_basic",
+      "client_secret_post",
+      "client_secret_jwt",
+      "private_key_jwt"
+   ],
+   "claims_parameter_supported":true,
+   "request_parameter_supported":true,
+   "request_uri_parameter_supported":true,
+   "require_request_uri_registration":true,
+   "display_values_supported":[
+      "page"
+   ],
+   "scopes_supported":[
+      "openid",
+      "profile",
+      "email",
+      "address",
+      "phone",
+      "offline_access"
+   ],
+   "response_modes_supported":[
+      "query",
+      "fragment",
+      "form_post"
+   ],
+   "claims_supported":[
+      "aud",
+      "iss",
+      "sub",
+      "iat",
+      "exp",
+      "acr",
+      "auth_time",
+      "email",
+      "email_verified",
+      "address",
+      "phone",
+      "phone_number_verified",
+      "name",
+      "family_name",
+      "given_name",
+      "middle_name",
+      "nickname",
+      "preferred_username",
+      "profile",
+      "picture",
+      "website",
+      "gender",
+      "birthdate",
+      "zoneinfo",
+      "locale",
+      "updated_at"
+   ]
+}
\ No newline at end of file
diff --git a/testbed/integration/shibboleth-idp/config/tomcat/rewrite.config b/testbed/integration/shibboleth-idp/config/tomcat/rewrite.config
new file mode 100644
index 000000000..804401494
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/config/tomcat/rewrite.config
@@ -0,0 +1 @@
+RewriteRule   ^/.well-known/openid-configuration$ /idp/profile/oidc/configuration   [L]
\ No newline at end of file
diff --git a/testbed/integration/shibboleth-idp/config/tomcat/server.xml b/testbed/integration/shibboleth-idp/config/tomcat/server.xml
index f4b875bca..2b4b8ebfa 100644
--- a/testbed/integration/shibboleth-idp/config/tomcat/server.xml
+++ b/testbed/integration/shibboleth-idp/config/tomcat/server.xml
@@ -12,10 +12,12 @@
       <Host name="localhost"  appBase="webapps"
             unpackWARs="true" autoDeploy="true">
 
+        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                prefix="localhost_access_log." suffix=".txt"
                pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 
+        
       </Host>
     </Engine>
   </Service>
diff --git a/testbed/integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.idp.plugin.oidc.op/truststore.asc b/testbed/integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.idp.plugin.oidc.op/truststore.asc
new file mode 100644
index 000000000..083158dc5
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.idp.plugin.oidc.op/truststore.asc
@@ -0,0 +1,32 @@
+
+
Henri Mikkonen <henri.mikkonen@iki.fi>	id	9355EBCA
+
-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BCPG v1.70
+
+mQINBF46zL0BEACUeQllAAViSlyL8uFBCjlCXdH12GpDL9y8fubm+N50ofonIloA
+YLbJtETVrqpxfeh+SDiERbEG5W02fbM1y3wdSjef0jzAEP3PoXydv/SdNKvomvBP
+U7I9eALgHJI4Nkqzf8ggTrOBHcWbRIRGbVXFRhOE1Z86akmVz3fe3aQzddvzAS7I
+YYX0RxbKiNt8iaxUXUo+P1LopD9Zo2I1NTY8u27RuhtxBr5tnHnsuf38mzjG/l6U
+RzJ8qhHJr6D4E+MLqRo9ndTREOT/d1TeJUvQddXC59VEL75TrYCEc2v/NZ5m9fD6
+yg0+oqgyrQHmZhPVOqoJiz0lkd3rl7lUqCH9yjREr1H5PUchiuhBKBOogwtirqw3
+NMKH6bs0Bu6qUy5fIJRqjxKVv+6fOEty/xnp0xN7xoBEUPEt1M/V3ewwH1zhOwTo
+g4cr4zhTT9RNno3eM0eenEQYapQZ8dFmrNVmhvx9VJlshYGyakrxPwrF3coyC3hh
+HjWE9SzmoyGmmbRgvJVt//SqoGpDyaM+d1hPys9tX2N/E1TlwZiD2brWAtjr2K49
+NC9Skizw4qHAbphq4EMGCKzrp9ksnBvwZAY9JjL0JvdjAabqkyRFVh2Mpm5xSxbw
+d+Twryh5hXaT/EQXsKMC1WlQnIDREjHpm1UOXTzcsFPa9tEW8XUftPWbQQARAQAB
+tCZIZW5yaSBNaWtrb25lbiA8aGVucmkubWlra29uZW5AaWtpLmZpPokCVAQTAQgA
+PhYhBG0Y/WNwj8ygebaMzgJmkYOTVevKBQJeOsy9AhsDBQkHhh+ABQsJCAcCBhUK
+CQgLAgQWAgMBAh4BAheAAAoJEAJmkYOTVevKwWcP+gLrjnrNxqwEx7/Ly/KdjkGD
+0W7aMiQc8acvC9oo74/XXpAD0W1jkK/BXyLH1q/o5Lyjymmm6w7VvEWLSY1Q0+gC
+l+hUOqccH572767UrGEeZeJV8+tNhziTU2S7NagK2A0BelHoA3hIhfGmWLJ+ooJe
+HZXFCov4ThZOpGzu5d04dEYoOv2jVaWwnrjOBzoKcgws9J6RLX+6gOFhZ3Dh5Rxs
+UGhl0ZJuEBQCDT7X9jI4mHsA0Ngo27inb3gxfeCm/ziZhHDV2gZtl777dKVc/sQN
+fqGaRGVi1p37La6KKpfIA3KHRjGf4jfg17AQ1Ix+ZgRIpbPXb7fXQHtBElhIbbn/
+VR2CG0Jdchdc4UozelKU6WNsNlcMn3kfTNFosW7+gTiYEGSxZQC9ylSSl1s9oIFM
+dvk70u4AgTY6w+27TrTRuEpdARoNZG4NhBTJ8g0BkiX6cHVyc5ir5IOVpmewsxN5
+yLg0ed6OwpcK5V8SwGT60hgkkJp71OeBsnLzyzO3/YoI5GVAIgcwtdzptRUt0iL8
+GUccO3mO6Hm4EfJAZHFWRbxX3ITTfCzw4blbXURlIXkPefprptAYX2+rn/z4iC1F
+mJUANl+4WilKuPoAimKGDNi6CvlbckQW2i2i5gsoM3iMxRMsExoZUnoMpfY70Trg
+ToF/jwURMQSCsJnZvyQD
+=g4uH
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testbed/integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.oidc.common/truststore.asc b/testbed/integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.oidc.common/truststore.asc
new file mode 100644
index 000000000..083158dc5
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.oidc.common/truststore.asc
@@ -0,0 +1,32 @@
+
+
Henri Mikkonen <henri.mikkonen@iki.fi>	id	9355EBCA
+
-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BCPG v1.70
+
+mQINBF46zL0BEACUeQllAAViSlyL8uFBCjlCXdH12GpDL9y8fubm+N50ofonIloA
+YLbJtETVrqpxfeh+SDiERbEG5W02fbM1y3wdSjef0jzAEP3PoXydv/SdNKvomvBP
+U7I9eALgHJI4Nkqzf8ggTrOBHcWbRIRGbVXFRhOE1Z86akmVz3fe3aQzddvzAS7I
+YYX0RxbKiNt8iaxUXUo+P1LopD9Zo2I1NTY8u27RuhtxBr5tnHnsuf38mzjG/l6U
+RzJ8qhHJr6D4E+MLqRo9ndTREOT/d1TeJUvQddXC59VEL75TrYCEc2v/NZ5m9fD6
+yg0+oqgyrQHmZhPVOqoJiz0lkd3rl7lUqCH9yjREr1H5PUchiuhBKBOogwtirqw3
+NMKH6bs0Bu6qUy5fIJRqjxKVv+6fOEty/xnp0xN7xoBEUPEt1M/V3ewwH1zhOwTo
+g4cr4zhTT9RNno3eM0eenEQYapQZ8dFmrNVmhvx9VJlshYGyakrxPwrF3coyC3hh
+HjWE9SzmoyGmmbRgvJVt//SqoGpDyaM+d1hPys9tX2N/E1TlwZiD2brWAtjr2K49
+NC9Skizw4qHAbphq4EMGCKzrp9ksnBvwZAY9JjL0JvdjAabqkyRFVh2Mpm5xSxbw
+d+Twryh5hXaT/EQXsKMC1WlQnIDREjHpm1UOXTzcsFPa9tEW8XUftPWbQQARAQAB
+tCZIZW5yaSBNaWtrb25lbiA8aGVucmkubWlra29uZW5AaWtpLmZpPokCVAQTAQgA
+PhYhBG0Y/WNwj8ygebaMzgJmkYOTVevKBQJeOsy9AhsDBQkHhh+ABQsJCAcCBhUK
+CQgLAgQWAgMBAh4BAheAAAoJEAJmkYOTVevKwWcP+gLrjnrNxqwEx7/Ly/KdjkGD
+0W7aMiQc8acvC9oo74/XXpAD0W1jkK/BXyLH1q/o5Lyjymmm6w7VvEWLSY1Q0+gC
+l+hUOqccH572767UrGEeZeJV8+tNhziTU2S7NagK2A0BelHoA3hIhfGmWLJ+ooJe
+HZXFCov4ThZOpGzu5d04dEYoOv2jVaWwnrjOBzoKcgws9J6RLX+6gOFhZ3Dh5Rxs
+UGhl0ZJuEBQCDT7X9jI4mHsA0Ngo27inb3gxfeCm/ziZhHDV2gZtl777dKVc/sQN
+fqGaRGVi1p37La6KKpfIA3KHRjGf4jfg17AQ1Ix+ZgRIpbPXb7fXQHtBElhIbbn/
+VR2CG0Jdchdc4UozelKU6WNsNlcMn3kfTNFosW7+gTiYEGSxZQC9ylSSl1s9oIFM
+dvk70u4AgTY6w+27TrTRuEpdARoNZG4NhBTJ8g0BkiX6cHVyc5ir5IOVpmewsxN5
+yLg0ed6OwpcK5V8SwGT60hgkkJp71OeBsnLzyzO3/YoI5GVAIgcwtdzptRUt0iL8
+GUccO3mO6Hm4EfJAZHFWRbxX3ITTfCzw4blbXURlIXkPefprptAYX2+rn/z4iC1F
+mJUANl+4WilKuPoAimKGDNi6CvlbckQW2i2i5gsoM3iMxRMsExoZUnoMpfY70Trg
+ToF/jwURMQSCsJnZvyQD
+=g4uH
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testbed/integration/shibboleth-idp/db/oidc_dynreg.sql b/testbed/integration/shibboleth-idp/db/oidc_dynreg.sql
new file mode 100644
index 000000000..ab60b941e
--- /dev/null
+++ b/testbed/integration/shibboleth-idp/db/oidc_dynreg.sql
@@ -0,0 +1,10 @@
+CREATE DATABASE oidc_dynreg;
+\c oidc_dynreg
+CREATE TABLE storagerecords (
+  context varchar(255) NOT NULL,
+  id varchar(255) NOT NULL,
+  expires bigint DEFAULT NULL,
+  value text NOT NULL,
+  version bigint NOT NULL,
+  PRIMARY KEY (context, id)
+);
diff --git a/testbed/smoke-test/docker-compose.yml b/testbed/smoke-test/docker-compose.yml
index 9e2ac5340..4332bfeed 100644
--- a/testbed/smoke-test/docker-compose.yml
+++ b/testbed/smoke-test/docker-compose.yml
@@ -45,6 +45,9 @@ services:
       POSTGRES_PASSWORD: shibui
       POSTGRES_USER: shibui
       POSTGRES_DB: shibui
+    volumes:
+      - database_data:/var/lib/postgresql/data
+      - ../integration/shibboleth-idp/db/oidc_dynreg.sql:/docker-entrypoint-initdb.d/oidc_dynreg.sql
   idp:
     build: ../integration/shibboleth-idp
     labels:
@@ -56,9 +59,11 @@ services:
     depends_on:
       - directory
       - reverse-proxy
+      - database
     networks:
       - reverse-proxy
       - idp
+      - backend
     volumes:
       - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
       - dynamic_config:/opt/shibboleth-idp/conf/dynamic
diff --git a/testbed/smoke-test/shibboleth-idp/conf/access-control.xml b/testbed/smoke-test/shibboleth-idp/conf/access-control.xml
index 053bc22c7..37579c823 100644
--- a/testbed/smoke-test/shibboleth-idp/conf/access-control.xml
+++ b/testbed/smoke-test/shibboleth-idp/conf/access-control.xml
@@ -28,21 +28,20 @@
 
     <util:map id="shibboleth.AccessControlPolicies">
 
-        <entry key="AccessByIPAddress">
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12', '192.168.0.0/12'} }" />
-        </entry>
-
-        <!--
         <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'banderson'}" />
                 </constructor-arg>
             </bean>
         </entry>
-        -->
 
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12', '192.168.0.0/12'} }" />
+        </entry>
+
+        
         <!--
         <entry key="AccessByAttribute">
             <bean parent="shibboleth.PredicateAccessControl">