diff --git a/backend/build.gradle b/backend/build.gradle
index 07669a2d9..9dec8da20 100644
--- a/backend/build.gradle
+++ b/backend/build.gradle
@@ -135,13 +135,13 @@ dependencies {
 compile "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}"
 }
- // Shib OIDC
- ['metadata', 'profile', 'crypto'].each {
- testCompile "net.shibboleth.oidc:oidc-common-${it}-api:2.1.0"
- testCompile "net.shibboleth.oidc:oidc-common-${it}-impl:2.1.0"
- }
+// // Shib OIDC
+// ['metadata', 'profile', 'crypto'].each {
+// testCompile "net.shibboleth.oidc:oidc-common-${it}-api:${project.'shibOIDCVersion'}"
+// testCompile "net.shibboleth.oidc:oidc-common-${it}-impl:${project.'shibOIDCVersion'}"
+// }
- implementation "net.shibboleth.oidc:oidc-common-saml-api:2.1.0"
+ implementation "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}"
 // hibernate deps
 ['hibernate-core'].each {
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DefaultAcrValue.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DefaultAcrValue.java
new file mode 100644
index 000000000..b1a2542f9
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DefaultAcrValue.java
@@ -0,0 +1,12 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.oidc;
+
+import lombok.EqualsAndHashCode;
+import org.hibernate.envers.Audited;
+
+import javax.persistence.Entity;
+
+@Entity
+@EqualsAndHashCode(callSuper = true)
+@Audited
+public class DefaultAcrValue extends AbstractValueXMLObject implements net.shibboleth.oidc.saml.xmlobject.DefaultAcrValue {
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensions.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensions.java
new file mode 100644
index 000000000..4b440b7ab
--- /dev/null
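Review bot: The replacement block `+// // Shib OIDC` through `+// }` in build.gradle keeps the old oidc-common test dependencies as commented-out code rather than removing or restoring them. If those test artifacts are no longer needed, delete the block outright (git history keeps it); if they are still needed, restore the lines using `${project.'shibOIDCVersion'}` as the `implementation` line below now does. As written it reads as an unfinished change, and it is not visible from the hunk whether any test still compiles against those artifacts.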
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensions.java
@@ -0,0 +1,91 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.oidc;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.AbstractXMLObject;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import org.hibernate.envers.Audited;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.util.AttributeMap;
+
+import javax.annotation.Nonnull;
+import javax.persistence.CascadeType;
+import javax.persistence.Entity;
+import javax.persistence.OneToMany;
+import javax.persistence.OrderColumn;
+import javax.persistence.Transient;
+import javax.xml.namespace.QName;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Entity
+@Data
+@NoArgsConstructor
+@Audited
+public class OAuthRPExtensions extends AbstractXMLObject implements net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions {
+ @Transient
+ private final AttributeMap unknownAttributes = new AttributeMap(this);
+
+ private String applicationType;
+
+ private String clientUri;
+
+ @OneToMany(cascade = CascadeType.ALL)
+ private List defaultAcrValues = new ArrayList<>();
+
+ private int defaultMaxAge;
+
+ private String grantTypes;
+
+ private String idTokenEncryptedResponseAlg;
+
+ private String idTokenEncryptedResponseEnc;
+
+ private String idTokenSignedResponseAlg;
+
+ private String initiateLoginUri;
+
+ @OneToMany(cascade = CascadeType.ALL)
+ private List postLogoutRedirectUris = new ArrayList<>();
+
+ private String requestObjectEncryptionAlg;
+
+ private String requestObjectEncryptionEnc;
+
+ private String requestObjectSigningAlg;
+
+ @OneToMany(cascade = CascadeType.ALL)
+ private List requestUris = new ArrayList<>();
+
+ private boolean requireAuthTime;
+
+ private String responseTypes;
+
+ private String scopes;
+
+ private String sectorIdentifierUri;
+
+ private String softwareId;
+
+ private String softwareVersion;
+
+ private String tokenEndpointAuthMethod;
+
+ private String tokenEndpointAuthSigningAlg;
+
+ @OneToMany(cascade = CascadeType.ALL)
+ @OrderColumn
+ List unknownXMLObjects = new ArrayList<>();
+
+ private String userInfoSignedResponseAlg;
+
+ private String userInfoEncryptedResponseAlg;
+
+ private String userInfoEncryptedResponseEnc;
+
+ @Nonnull
+ @Override
+ public List getUnknownXMLObjects(@Nonnull QName typeOrName) {
+ return this.unknownXMLObjects.stream().filter(p -> p.getElementQName().equals(typeOrName) || p.getSchemaType().equals(typeOrName)).collect(Collectors.toList());
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsMarshaller.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsMarshaller.java
new file mode 100644
index 000000000..87f31fb41
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsMarshaller.java
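Review bot: `getUnknownXMLObjects(QName)` in OAuthRPExtensions can throw a NullPointerException for an unknown child that carries no xsi:type, because OpenSAML's `XMLObject.getSchemaType()` is nullable and `.equals` is invoked on its result whenever the element-name comparison fails; put the non-null argument on the left: `return this.unknownXMLObjects.stream().filter(p -> typeOrName.equals(p.getElementQName()) || typeOrName.equals(p.getSchemaType())).collect(Collectors.toList());`. The three `@OneToMany` collections and the return type appear here as raw `List`; if the type arguments were lost in rendering ignore this, otherwise they should be parameterized. `unknownXMLObjects` is also the only field without `private`, and `@Data` on this entity generates `equals`/`hashCode` over every field, including the cascaded collections and the transient `AttributeMap`, which is worth confirming is intended.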
@@ -0,0 +1,127 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.oidc;
+
+import net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.saml.common.AbstractSAMLObjectMarshaller;
+import org.w3c.dom.Element;
+
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.APPLICATION_TYPE_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.CLIENT_URI_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.DEFAULT_MAX_AGE_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.GRANT_TYPES_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.ID_TOKEN_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.ID_TOKEN_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.ID_TOKEN_SIGNED_RESPONSE_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.INITIATE_LOGIN_URI_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUEST_OBJECT_ENCRYPTION_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUEST_OBJECT_ENCRYPTION_ENC_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUEST_OBJECT_SIGNING_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUIRE_AUTH_TIME_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.RESPONSE_TYPES_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SCOPES_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SECTOR_IDENTIFIER_URI_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SOFTWARE_ID_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SOFTWARE_VERSION_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.TOKEN_ENDPOINT_AUTH_METHOD_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.TOKEN_ENDPOINT_AUTH_SIGNING_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.USERINFO_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.USERINFO_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.USERINFO_SIGNED_RESPONSE_ALG_ATTRIB_NAME;
+
+public class OAuthRPExtensionsMarshaller extends AbstractSAMLObjectMarshaller {
+ @Override
+ protected void marshallAttributes(final XMLObject samlElement, final Element domElement) throws MarshallingException {
+ final OAuthRPExtensions extensions = (OAuthRPExtensions) samlElement;
+
+ if (extensions.getTokenEndpointAuthMethod() != null) {
+ domElement.setAttributeNS(null, TOKEN_ENDPOINT_AUTH_METHOD_ATTRIB_NAME, extensions.getTokenEndpointAuthMethod());
+ }
+
+ if (extensions.getGrantTypes() != null) {
+ domElement.setAttributeNS(null, GRANT_TYPES_ATTRIB_NAME, extensions.getGrantTypes());
+ }
+
+ if (extensions.getResponseTypes() != null) {
+ domElement.setAttributeNS(null, RESPONSE_TYPES_ATTRIB_NAME, extensions.getResponseTypes());
+ }
+
+ if (extensions.getApplicationType() != null) {
+ domElement.setAttributeNS(null, APPLICATION_TYPE_ATTRIB_NAME, extensions.getApplicationType());
+ }
+
+ if (extensions.getClientUri() != null) {
+ domElement.setAttributeNS(null, CLIENT_URI_ATTRIB_NAME, extensions.getClientUri());
+ }
+
+ if (extensions.getScopes() != null) {
+ domElement.setAttributeNS(null, SCOPES_ATTRIB_NAME, extensions.getScopes());
+ }
+
+ if (extensions.getSoftwareId() != null) {
+ domElement.setAttributeNS(null, SOFTWARE_ID_ATTRIB_NAME, extensions.getSoftwareId());
+ }
+
+ if (extensions.getSoftwareVersion() != null) {
+ domElement.setAttributeNS(null, SOFTWARE_VERSION_ATTRIB_NAME, extensions.getSoftwareVersion());
+ }
+
+ if (extensions.getSectorIdentifierUri() != null) {
+ domElement.setAttributeNS(null, SECTOR_IDENTIFIER_URI_ATTRIB_NAME, extensions.getSectorIdentifierUri());
+ }
+
+ if (extensions.getIdTokenSignedResponseAlg() != null) {
+ domElement.setAttributeNS(null, ID_TOKEN_SIGNED_RESPONSE_ALG_ATTRIB_NAME, extensions.getIdTokenSignedResponseAlg());
+ }
+
+ if (extensions.getIdTokenEncryptedResponseAlg() != null) {
+ domElement.setAttributeNS(null, ID_TOKEN_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME, extensions.getIdTokenEncryptedResponseAlg());
+ }
+
+ if (extensions.getIdTokenEncryptedResponseEnc() != null) {
+ domElement.setAttributeNS(null, ID_TOKEN_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME, extensions.getIdTokenEncryptedResponseEnc());
+ }
+
+ if (extensions.getUserInfoSignedResponseAlg() != null) {
+ domElement.setAttributeNS(null, USERINFO_SIGNED_RESPONSE_ALG_ATTRIB_NAME, extensions.getUserInfoSignedResponseAlg());
+ }
+
+ if (extensions.getUserInfoEncryptedResponseAlg() != null) {
+ domElement.setAttributeNS(null, USERINFO_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME, extensions.getUserInfoEncryptedResponseAlg());
+ }
+
+ if (extensions.getUserInfoEncryptedResponseEnc() != null) {
+ domElement.setAttributeNS(null, USERINFO_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME, extensions.getUserInfoEncryptedResponseEnc());
+ }
+
+ if (extensions.getRequestObjectSigningAlg() != null) {
+ domElement.setAttributeNS(null, REQUEST_OBJECT_SIGNING_ALG_ATTRIB_NAME, extensions.getRequestObjectSigningAlg());
+ }
+
+ if (extensions.getRequestObjectEncryptionAlg() != null) {
+ domElement.setAttributeNS(null, REQUEST_OBJECT_ENCRYPTION_ALG_ATTRIB_NAME, extensions.getRequestObjectEncryptionAlg());
+ }
+
+ if (extensions.getRequestObjectEncryptionEnc() != null) {
+ domElement.setAttributeNS(null, REQUEST_OBJECT_ENCRYPTION_ENC_ATTRIB_NAME, extensions.getRequestObjectEncryptionEnc());
+ }
+
+ if (extensions.getTokenEndpointAuthSigningAlg() != null) {
+ domElement.setAttributeNS(null, TOKEN_ENDPOINT_AUTH_SIGNING_ALG_ATTRIB_NAME, extensions.getTokenEndpointAuthSigningAlg());
+ }
+
+ if (extensions.getInitiateLoginUri() != null) {
+ domElement.setAttributeNS(null, INITIATE_LOGIN_URI_ATTRIB_NAME, extensions.getInitiateLoginUri());
+ }
+
+ if (extensions.getDefaultMaxAge() != 0) {
+ domElement.setAttributeNS(null, DEFAULT_MAX_AGE_ATTRIB_NAME, Integer.toString(extensions.getDefaultMaxAge()));
+ }
+
+ if (extensions.isRequireAuthTime()) {
+ domElement.setAttributeNS(null, REQUIRE_AUTH_TIME_ATTRIB_NAME, Boolean.toString(extensions.isRequireAuthTime()));
+ }
+
+ marshallUnknownAttributes(extensions, domElement);
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsUnmarshaller.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsUnmarshaller.java
new file mode 100644
index 000000000..012e96021
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsUnmarshaller.java
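Review bot: `marshallAttributes` omits `defaultMaxAge` when it is 0 and `requireAuthTime` when it is false, so metadata that explicitly carried `defaultMaxAge="0"` or `requireAuthTime="false"` does not survive an unmarshal/marshal round trip unchanged; because the entity stores these as primitive `int`/`boolean`, "absent" and "explicitly zero/false" are indistinguishable by the time this method runs. If the upstream `OAuthRPExtensions` interface permits it, boxed `Integer`/`Boolean` fields with null checks here would preserve exactly what was read. The method also has no Javadoc; a one-liner such as `/** Writes each non-null OAuthRPExtensions attribute onto the DOM element, then the unknown attributes. */` would document the contract.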
@@ -0,0 +1,106 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.oidc;
+
+import net.shibboleth.oidc.saml.xmlobject.DefaultAcrValue;
+import net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions;
+import net.shibboleth.oidc.saml.xmlobject.PostLogoutRedirectUri;
+import net.shibboleth.oidc.saml.xmlobject.RequestUri;
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.saml.common.AbstractSAMLObjectUnmarshaller;
+import org.w3c.dom.Attr;
+
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.APPLICATION_TYPE_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.CLIENT_URI_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.DEFAULT_MAX_AGE_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.GRANT_TYPES_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.ID_TOKEN_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.ID_TOKEN_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.ID_TOKEN_SIGNED_RESPONSE_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.INITIATE_LOGIN_URI_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUEST_OBJECT_ENCRYPTION_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUEST_OBJECT_ENCRYPTION_ENC_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUEST_OBJECT_SIGNING_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.REQUIRE_AUTH_TIME_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.RESPONSE_TYPES_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SCOPES_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SECTOR_IDENTIFIER_URI_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SOFTWARE_ID_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.SOFTWARE_VERSION_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.TOKEN_ENDPOINT_AUTH_METHOD_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.TOKEN_ENDPOINT_AUTH_SIGNING_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.USERINFO_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.USERINFO_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME;
+import static net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions.USERINFO_SIGNED_RESPONSE_ALG_ATTRIB_NAME;
+
+public class OAuthRPExtensionsUnmarshaller extends AbstractSAMLObjectUnmarshaller {
+ protected void processChildElement(final XMLObject parentSAMLObject, final XMLObject childSAMLObject) throws UnmarshallingException {
+ final OAuthRPExtensions extensions = (OAuthRPExtensions) parentSAMLObject;
+
+ if (childSAMLObject instanceof DefaultAcrValue) {
+ extensions.getDefaultAcrValues().add((DefaultAcrValue) childSAMLObject);
+ } else if (childSAMLObject instanceof RequestUri) {
+ extensions.getRequestUris().add((RequestUri) childSAMLObject);
+ } else if (childSAMLObject instanceof PostLogoutRedirectUri) {
+ extensions.getPostLogoutRedirectUris().add((PostLogoutRedirectUri) childSAMLObject);
+ } else {
+ extensions.getUnknownXMLObjects().add(childSAMLObject);
+ }
+ }
+
+ protected void processAttribute(final XMLObject samlObject, final Attr attribute) throws UnmarshallingException {
+ final OAuthRPExtensions extensions = (OAuthRPExtensions) samlObject;
+
+ if (attribute.getNamespaceURI() == null) {
+ if (attribute.getLocalName().equals(DEFAULT_MAX_AGE_ATTRIB_NAME) && StringUtils.isNotEmpty(attribute.getValue())) {
+ extensions.setDefaultMaxAge(Integer.parseInt(attribute.getValue()));
+ } else if (attribute.getLocalName().equals(REQUIRE_AUTH_TIME_ATTRIB_NAME) && StringUtils.isNotEmpty(attribute.getValue())) {
+ extensions.setRequireAuthTime(Boolean.parseBoolean(attribute.getValue()));
+ } else if (attribute.getLocalName().equals(TOKEN_ENDPOINT_AUTH_METHOD_ATTRIB_NAME)) {
+ extensions.setTokenEndpointAuthMethod(attribute.getValue());
+ } else if (attribute.getLocalName().equals(GRANT_TYPES_ATTRIB_NAME)) {
+ extensions.setGrantTypes(attribute.getValue());
+ } else if (attribute.getLocalName().equals(RESPONSE_TYPES_ATTRIB_NAME)) {
+ extensions.setResponseTypes(attribute.getValue());
+ } else if (attribute.getLocalName().equals(APPLICATION_TYPE_ATTRIB_NAME)) {
+ extensions.setApplicationType(attribute.getValue());
+ } else if (attribute.getLocalName().equals(CLIENT_URI_ATTRIB_NAME)) {
+ extensions.setClientUri(attribute.getValue());
+ } else if (attribute.getLocalName().equals(SCOPES_ATTRIB_NAME)) {
+ extensions.setScopes(attribute.getValue());
+ } else if (attribute.getLocalName().equals(SOFTWARE_ID_ATTRIB_NAME)) {
+ extensions.setSoftwareId(attribute.getValue());
+ } else if (attribute.getLocalName().equals(SOFTWARE_VERSION_ATTRIB_NAME)) {
+ extensions.setSoftwareVersion(attribute.getValue());
+ } else if (attribute.getLocalName().equals(SECTOR_IDENTIFIER_URI_ATTRIB_NAME)) {
+ extensions.setSectorIdentifierUri(attribute.getValue());
+ } else if (attribute.getLocalName().equals(ID_TOKEN_SIGNED_RESPONSE_ALG_ATTRIB_NAME)) {
+ extensions.setIdTokenSignedResponseAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(ID_TOKEN_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME)) {
+ extensions.setIdTokenEncryptedResponseAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(ID_TOKEN_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME)) {
+ extensions.setIdTokenEncryptedResponseEnc(attribute.getValue());
+ } else if (attribute.getLocalName().equals(USERINFO_SIGNED_RESPONSE_ALG_ATTRIB_NAME)) {
+ extensions.setUserInfoSignedResponseAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(USERINFO_ENCRYPTED_RESPONSE_ALG_ATTRIB_NAME)) {
+ extensions.setUserInfoEncryptedResponseAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(USERINFO_ENCRYPTED_RESPONSE_ENC_ATTRIB_NAME)) {
+ extensions.setUserInfoEncryptedResponseEnc(attribute.getValue());
+ } else if (attribute.getLocalName().equals(REQUEST_OBJECT_SIGNING_ALG_ATTRIB_NAME)) {
+ extensions.setRequestObjectSigningAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(REQUEST_OBJECT_ENCRYPTION_ALG_ATTRIB_NAME)) {
+ extensions.setRequestObjectEncryptionAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(REQUEST_OBJECT_ENCRYPTION_ENC_ATTRIB_NAME)) {
+ extensions.setRequestObjectEncryptionEnc(attribute.getValue());
+ } else if (attribute.getLocalName().equals(TOKEN_ENDPOINT_AUTH_SIGNING_ALG_ATTRIB_NAME)) {
+ extensions.setTokenEndpointAuthSigningAlg(attribute.getValue());
+ } else if (attribute.getLocalName().equals(INITIATE_LOGIN_URI_ATTRIB_NAME)) {
+ extensions.setInitiateLoginUri(attribute.getValue());
+ } else {
+ super.processAttribute(samlObject, attribute);
+ }
+ } else {
+ processUnknownAttribute(extensions, attribute);
+ }
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/PostLogoutRedirectUri.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/PostLogoutRedirectUri.java
new file mode 100644
index 000000000..b6f2380cd
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/PostLogoutRedirectUri.java
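Review bot: `Integer.parseInt(attribute.getValue())` in `processAttribute` throws an unchecked `NumberFormatException` on a non-numeric `defaultMaxAge`, so a malformed metadata document bypasses the `UnmarshallingException` contract the method declares and surfaces as a raw runtime error in whatever loads the metadata; catch it and rethrow with the cause so the failure is reported like every other unmarshalling problem. `Boolean.parseBoolean` on the `requireAuthTime` branch silently maps any value other than `true` (including the xs:boolean lexical form `1`) to `false`, which is worth checking against the schema this attribute is declared with. Both `processChildElement` and `processAttribute` also lack `@Override`, which the marshaller's `marshallAttributes` carries.
```java
if (attribute.getLocalName().equals(DEFAULT_MAX_AGE_ATTRIB_NAME) && StringUtils.isNotEmpty(attribute.getValue())) {
    try {
        extensions.setDefaultMaxAge(Integer.parseInt(attribute.getValue()));
    } catch (final NumberFormatException e) {
        // Report a bad attribute value as an unmarshalling failure rather than an unchecked error.
        throw new UnmarshallingException("Invalid " + DEFAULT_MAX_AGE_ATTRIB_NAME + " value: " + attribute.getValue(), e);
    }
} else if (attribute.getLocalName().equals(REQUIRE_AUTH_TIME_ATTRIB_NAME) && StringUtils.isNotEmpty(attribute.getValue())) {
// … unchanged: remaining attribute branches …
```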
@@ -0,0 +1,12 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.oidc;
+
+import lombok.EqualsAndHashCode;
+import org.hibernate.envers.Audited;
+
+import javax.persistence.Entity;
+
+@Entity
+@EqualsAndHashCode(callSuper = true)
+@Audited
+public class PostLogoutRedirectUri extends AbstractValueXMLObject implements net.shibboleth.oidc.saml.xmlobject.PostLogoutRedirectUri {
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/RequestUri.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/RequestUri.java
new file mode 100644
index 000000000..386c4e040
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/RequestUri.java
@@ -0,0 +1,12 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.oidc;
+
+import lombok.EqualsAndHashCode;
+import org.hibernate.envers.Audited;
+
+import javax.persistence.Entity;
+
+@Entity
+@EqualsAndHashCode(callSuper = true)
+@Audited
+public class RequestUri extends AbstractValueXMLObject implements net.shibboleth.oidc.saml.xmlobject.RequestUri {
+}
\ No newline at end of file
diff --git a/backend/src/main/resources/jpa-shib-oidc-config.xml b/backend/src/main/resources/jpa-shib-oidc-config.xml
index 2b850a271..7bf05eeb4 100644
--- a/backend/src/main/resources/jpa-shib-oidc-config.xml
+++ b/backend/src/main/resources/jpa-shib-oidc-config.xml
@@ -7,14 +7,20 @@ - - + + - - + + + + + + + +
@@ -31,5 +37,23 @@ + + + + + + + + + + + + + + + + + +
\ No newline at end of file
diff --git a/gradle.properties b/gradle.properties
index 8287440e0..395c835fc 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -13,6 +13,7 @@ opensamlVersion=4.2.0
 pac4JVersion=5.4.3
 pac4jSpringSecurityVersion=7.0.3
 shibbolethVersion=4.2.1
+shibOIDCVersion=2.1.0
 springbootVersion=2.7.0
 springSecurityVersion=5.7.1