diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
index 38ac436..007acd6 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-28d025621af8913de776f24a3d4921835e1af78e"
+    tag: "r-52cf67aa5ec5c56333d2605f507c60bb29159968"
     dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth"
     credentials: "git-credentials"
   keystores:
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy
new file mode 100644
index 0000000..2679729
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy
@@ -0,0 +1,19 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.esauth.util.httpclient.api.HttpClient
+
+if (outargs['out.JWTToken']) {
+    // we have a token
+    def header = "Bearer ${outargs['out.JWTToken']}"
+    response.setNote('agov.test.token', header)
+    notes.setProperty('agov.test.token', header)
+    response.removeOutArg('out.JWTToken')
+}
+
+// if (!response.getNote('agov.test.token')) {
+//    response.setResult('newToken')
+//    return
+//}
+
+
+// show the GUI
+response.setResult('display')
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
index cc247ab..c5bdf4d 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -105,7 +105,7 @@
     </SessionCoordinator>
     <!-- source: pattern://ac27dd7daad0ca2b7229bfaf -->
     <LocalOutOfContextDataStore reaperPeriod="60"/>
-    <!-- source: pattern://2787b678d9cce5310a335419, pattern://fd3912c7af7a88b6342a4c78, pattern://12c979b6af0f15f1328656a4, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://6f9c9f982dcc7ef59a34f1f7, pattern://7518c6cc61e47eec6322ae17, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://ac27dd7daad0ca2b7229bfaf, pattern://ac27dd7daad0ca2b7229bfaf -->
+    <!-- source: pattern://2787b678d9cce5310a335419, pattern://fd3912c7af7a88b6342a4c78, pattern://12c979b6af0f15f1328656a4, pattern://24cbc652d3166c8374eda3cd, pattern://56955e7b6b92c254d7d1aae1, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://6f9c9f982dcc7ef59a34f1f7, pattern://7518c6cc61e47eec6322ae17, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://ac27dd7daad0ca2b7229bfaf, pattern://ac27dd7daad0ca2b7229bfaf -->
     <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
         <!-- source: pattern://3fd09bb6cfbd34874595c263 -->
         <Domain name="IDENT-AuthenticationRealm" default="false" inactiveInterval="60" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
@@ -131,11 +131,14 @@
         </Domain>
         <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
         <Domain name="SAML_SP_nevisidm_operations_Realm" default="false" inactiveInterval="1800" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
-            <Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
-            <Entry method="logout" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
-            <Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
+            <Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
+            <Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/ACS/.*$:true}"/>
+            <Entry method="logout" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
+            <Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
+            <Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/ACS/.*$:true}"/>
+            <Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/stepup/.*$:true}"/>
             <Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_NEVIS_SecToken" selector="${request:requiredRoles:^token.NEVIS_SecToken$:true}"/>
-            <Entry method="unlock" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
+            <Entry method="unlock" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
         </Domain>
         <AuthState name="IDENT-AuthenticationRealm_IDENT-Process-and-Dispatch" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://0f6977caedca600b17221f0a -->
@@ -362,7 +365,7 @@
         </AuthState>
         <AuthState name="SAML_SP_nevisidm_operations_Realm_Restore_Level" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
             <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
-            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
+            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_set_userExtId_Groovy_Script_Step"/>
             <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
             <Response value="AUTH_ERROR">
                 <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
@@ -378,21 +381,222 @@
                 <Gui name="ContinueResponse"/>
             </Response>
         </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_set_userExtId_Groovy_Script_Step" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://488949a743edb1f46f73f232 -->
+            <ResultCond name="error" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://488949a743edb1f46f73f232 -->
+            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step"/>
+            <!-- source: pattern://488949a743edb1f46f73f232 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://488949a743edb1f46f73f232 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://488949a743edb1f46f73f232 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
+            <!-- source: pattern://700ec185425d8645fea2caf5 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://700ec185425d8645fea2caf5 -->
+                <Gui name="Error">
+                    <!-- source: pattern://700ec185425d8645fea2caf5 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://700ec185425d8645fea2caf5 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+                <!-- source: pattern://700ec185425d8645fea2caf5 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="clientNotFound" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="failed" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="prospect" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_selectProfile"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+                <Gui name="AuthFailDialog"/>
+            </Response>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="user.loginid" value="unknown"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="userExtId" value="${sess:operationsExtId}"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="client.name" value="OPERATIONS"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.user" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.profile" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.role" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.authorization" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.dataroom" value="HIGH"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_selectProfile" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="error" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_IdmGetPropertiesState"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+                <Gui name="op_idmlogin_select_profile">
+                    <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+                    <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" optional="true"/>
+                    <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+                    <GuiElem name="submit" type="button" label="submit.button.label" value="go"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/selectIdmProfile.groovy"/>
+        </AuthState>
+        <AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
+            <!-- source: pattern://12c979b6af0f15f1328656a4 -->
+            <property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
+            <!-- source: pattern://12c979b6af0f15f1328656a4 -->
+            <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="clientNotFound" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <ResultCond name="showGui" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <Response value="AUTH_ERROR"/>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="user.attributes" value="loginId,extId,firstName,name,email,language"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="chooseProfileFromSession" value="operationsProfileExtId"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="userExtId" value="${sess:operationsExtId}"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="client.name" value="OPERATIONS"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.user" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.profile" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.role" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.authorization" value="HIGH"/>
+            <!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
+            <property name="detaillevel.dataroom" value="HIGH"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_Update"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="emailaddressDidntChange,givennameDidntChange,surnameDidntChange,languageDidntChange" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="condition:emailaddressDidntChange" value="#{ !sess.containsKey('idp.email') or sess.get('idp.email').equals(sess.get('ch.nevis.idm.User.email')) }"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="condition:givennameDidntChange" value="#{ !sess.containsKey('idp.firstName') or sess.get('idp.firstName').equals(sess.get('ch.nevis.idm.User.firstName')) }"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="condition:surnameDidntChange" value="#{ !sess.containsKey('idp.lastName') or sess.get('idp.lastName').equals(sess.get('ch.nevis.idm.User.lastName')) }"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="condition:languageDidntChange" value="#{ !sess.containsKey('idp.language') or sess.get('idp.language').equals(sess.get('ch.nevis.idm.User.language')) }"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_Update" class="ch.nevis.idm.authstate.IdmSetPropertiesState" final="false" resumeState="false">
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="emailExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="inputInvalid" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="inputMissing" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="loginIdExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditUpdate"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="userIdExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="client.name" value="${sess:ch.adnovum.nevisidm.clientName}"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attributes.optional" value="email,firstName,name,language"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attributes.mandatory" value="remarks"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attribute.email" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attribute.firstName" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname}"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attribute.name" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname}"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attribute.language" value="${notes|saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance}"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attribute.remarks" value="Updated based on assertion '${sess:ch.nevis.auth.saml.assertion.id}' (Request-ID: ${inctx:connection.HttpHeader.X-Request-ID})"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="user.attributes.overwrite" value="email,firstName,name,language,remarks"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="allowInvalidUserEmails" value="true"/>
+        </AuthState>
         <AuthState name="SAML_SP_nevisidm_operations_Realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://271d024334021208b71ac80a -->
-            <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Auth_Done"/>
-            <!-- source: pattern://271d024334021208b71ac80a -->
+            <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
+            <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Redirect_RelayState"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
             <Response value="AUTH_DONE">
-                <!-- source: pattern://271d024334021208b71ac80a -->
+                <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
                 <Gui name="ContinueResponse"/>
             </Response>
-            <!-- source: pattern://271d024334021208b71ac80a -->
+            <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
         </AuthState>
-        <AuthState name="SAML_SP_nevisidm_operations_Realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
-            <!-- source: pattern://271d024334021208b71ac80a -->
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="script" value="  def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'; def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'; def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'; LOG.error(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', error='failed to update user in IDM', lasterrorinfo='${lasterrorinfo}'&quot;); response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_ERROR);   "/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditUpdate" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <Response value="AUTH_CONTINUE"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
+            <!-- source: pattern://24cbc652d3166c8374eda3cd -->
+            <property name="script" value="  def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'; def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'; def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'; LOG.info(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'&quot;);   "/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_Redirect_RelayState" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Auth_Done"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
             <Response value="AUTH_DONE">
-                <!-- source: pattern://271d024334021208b71ac80a -->
+                <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/redirect_relay_state.groovy"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
+            <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
                 <Gui name="ContinueResponse"/>
             </Response>
         </AuthState>
@@ -598,12 +802,6 @@
             <!-- source: pattern://2787b678d9cce5310a335419 -->
             <property name="user.cred.saml_federation3.subjectNameId" value="true"/>
         </AuthState>
-        <AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
-            <!-- source: pattern://12c979b6af0f15f1328656a4 -->
-            <property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
-            <!-- source: pattern://12c979b6af0f15f1328656a4 -->
-            <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
-        </AuthState>
         <AuthState name="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential" class="ch.nevis.idm.authstate.IdmCreateCredentialState" final="false" resumeState="false">
             <!-- source: pattern://fd3912c7af7a88b6342a4c78 -->
             <ResultCond name="credentialExists" next="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential_Failed"/>
@@ -1084,6 +1282,74 @@
             <!-- source: pattern://271d024334021208b71ac80a -->
             <property name="generateNow" value="true"/>
         </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://65330385b309bfe32943c8ad -->
+            <ResultCond name="generateToken" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration"/>
+            <!-- source: pattern://65330385b309bfe32943c8ad -->
+            <ResultCond name="nomatch" next="SAML_SP_nevisidm_operations_Realm_PreProcess_Done"/>
+            <!-- source: pattern://65330385b309bfe32943c8ad -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://65330385b309bfe32943c8ad -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://65330385b309bfe32943c8ad -->
+            <property name="condition:generateToken" value="${request:requiredRoles:generateToken}"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration" class="ch.nevis.esauth.auth.states.jwt.JWTToken" final="false" resumeState="true">
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_Prepare"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="out.audience" value="https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="out.issuer" value="https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="token.header.includeType" value="true"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="token.algorithm" value="RS512"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="keystoreref" value="DefaultKeyStore"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="keyobjectref" value="DefaultSigner"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="out.subject" value="${request:userId}"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="out.include.jwtId" value="true"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="out.time_to_live" value="14400"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_PreProcess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <ResultCond name="authenticate" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <ResultCond name="logout" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <ResultCond name="stepup" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <ResultCond name="unlock" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <property name="condition:authenticate" value="${request:method:^authenticate$:true}"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <property name="condition:stepup" value="${request:method:^stepup$:true}"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <property name="condition:unlock" value="${request:method:^unlock$:true}"/>
+            <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
+            <property name="condition:logout" value="${request:method:^logout$:true}"/>
+        </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_Prepare" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <ResultCond name="display" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_DisplayMe"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <ResultCond name="newToken" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration"/>
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy"/>
+        </AuthState>
         <AuthState name="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
             <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
             <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_IDP_Selection"/>
@@ -1095,6 +1361,16 @@
             <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy"/>
         </AuthState>
+        <AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_DisplayMe" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
+            <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+                <Gui name="TestTokenDisplayDialog" label="test.token.title">
+                    <!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
+                    <GuiElem name="info" type="text" label="test.token.label" value="#{ notes.getProperty('agov.test.token', 'missing') }" optional="true"/>
+                </Gui>
+            </Response>
+        </AuthState>
         <AuthState name="SAML_SP_nevisidm_operations_Realm_IDP_Selection" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
             <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
             <ResultCond name="authenticate:https\u003A//trustbroker.agov-d.azure.adnovum.net_continuation" next="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/>
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy
new file mode 100644
index 0000000..4951a61
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy
@@ -0,0 +1,74 @@
+import groovy.xml.XmlSlurper
+
+def idmSeverityRoleMap = [
+    "EnterpriseRoleAdmin": [11, "op-idmlogin.role.accs-mgmt-idm"],
+    "ClientRoot": [12, "op-idmlogin.role.support-priv"], 
+    "AppAdmin": [20, "op-idmlogin.role.idmcfg-mgmt"],
+    "AppOwner": [5, "op-idmlogin.role.accs-mgmt-nonidm"],
+    "UserAndUnitAdmin": [7, "op-idmlogin.role.usr-unit-mgmt"],
+    "UserAdmin": [6, "op-idmlogin.role.usr-mgmt"],
+    "TemplateAdmin": [10, "op-idmlogin.role.support-basic"],
+    "Helpdesk": [1, "op-idmlogin.role.readonly-access" ]
+]
+
+try {
+  def dtoString = session['ch.adnovum.nevisidm.userDto']
+
+  def idmDto = new XmlSlurper().parseText(dtoString)
+  def idmPrfMap = idmDto.'**'.findAll 
+    { prf -> prf.name() == 'profiles' 
+      && prf.'**'.find 
+        { role -> role.name() == 'roles' 
+          && role.applicationName.text() == 'nevisIdm'
+        }
+    }.collectEntries { prf -> [ prf.extId.text(), 
+            prf.'**'.findAll 
+            { role -> role.name() == 'roles' 
+              && role.applicationName.text() == 'nevisIdm'
+            }.collect{ rolePrioEntry -> idmSeverityRoleMap[rolePrioEntry.name.text()] ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()})"] 
+            }.sort { a, b -> a[0] <=> b[0] // sort by severity
+            }.last()[1] // take label of the ighest one
+    ] }
+
+  if ((inargs.getProperty('submit', '') == 'go') && idmPrfMap.containsKey(inargs.getProperty('profile_selection', 'missing'))) {
+
+    // user selected a profile which exists, we take it
+    def operationsProfileExtId = inargs.getProperty('profile_selection', 'missing')
+    LOG.info("User selected profile: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
+    response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
+    response.setResult('ok')
+    return
+
+  } else if (idmPrfMap.size() == 1) {
+
+    // we take the only profile, with an IDM role
+    def operationsProfileExtId = idmPrfMap.keySet().first()
+    LOG.info("taking the only profile with an idm role: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
+    response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
+    response.setResult('ok')
+    return
+
+  } else if (idmPrfMap.isEmpty()) {
+
+    // no profile with an IDM role, do nothing
+    response.setResult('ok')
+    return
+
+  } else {
+
+    // user should select a profile
+    response.setGuiName('op_idmlogin_select_profile')
+    idmPrfMap.each {
+      response.addRadioGuiField('profile_selection', it.value, it.key)
+    }
+    response.addButtonGuiField('submit', 'general.continue', 'go')
+
+    response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
+    return
+  }
+} catch (Exception e) {
+  def errorMsg = "Failed to process profile selection: ${e.getMessage()}"
+  LOG.error(errorMsg, e)
+  response.setError(9901, errorMsg)
+  response.setResult('error')
+}
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy
new file mode 100644
index 0000000..1fdd29c
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy
@@ -0,0 +1,59 @@
+try {
+  def s = request.getAuthSession(true)
+
+  LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
+  LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
+
+  // set operation's account extId and profile extid
+  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
+    LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
+    response.setResult('error');
+    return
+  }
+
+  response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
+
+  // extract additional attributes from assertion in session
+  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {
+    response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])
+  }
+  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {
+    response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])
+  }
+  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {
+    response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
+  }
+  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {
+    response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])
+  }
+
+  // we take the first one, if there is no profile in the operations unit
+  def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
+    .split(',').find{pairstr -> pairstr.split("\\\\")[1]  == "130274ee-7e24-4050-9b94-d5717ef52ade" } 
+    ?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]
+
+  if (! unitAndProfileExtidPar.contains('130274ee-7e24-4050-9b94-d5717ef52ade') )
+  {
+    LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
+  }
+  response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
+
+  // ad role based on agov aq level
+  def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
+    'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
+    'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
+    'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
+    'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
+  ]
+
+  if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {
+    response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])
+  }
+
+
+  response.setResult('ok');  
+
+} catch(Exception ex) {
+   LOG.warn("Exception in selectProfile groovy script: " + ex)
+   response.setResult('error');
+}