diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index c9296ad..fe0355d 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-c7f7304e5441912a692611196c6e13ec89ee8c65"
+    tag: "r-a3e306d2c5cbd1ab8bde2a53d90c7c814c512a7f"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
index 5e4f328..bb6cabd 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -2100,7 +2100,7 @@
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="notFullyRegistered" next="Auth_Realm_Recovery_Recovery_sendEmail031b"/>
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
+            <ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <Response value="AUTH_CONTINUE">
                 <!-- source: pattern://584964c837512845d7940809 -->
@@ -2231,26 +2231,17 @@
             <!-- source: pattern://584964c837512845d7940809 -->
             <property name="client.name" value="agov"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Recovery_Recovery_authWithNewCredentials" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <ResultCond name="default" next="Auth_Realm_Recovery_Auth_Failed"/>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <ResultCond name="loginWithFido2" next="Auth_Realm_Recovery_Recovery_fido2Login"/>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <ResultCond name="loginWithFidoUAF" next="Auth_Realm_Recovery_Recovery_mobile_nless_auth"/>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <ResultCond name="notNeeded" next="Auth_Realm_Recovery_Recovery_redirectAgovMe"/>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-                <Gui name="AuthErrorDialog"/>
-            </Response>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <property name="condition:loginWithFido2" value="${sess:agov.recovery.newLoginFactor}==FIDO2"/>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <property name="condition:loginWithFidoUAF" value="${sess:agov.recovery.newLoginFactor}==ACCESS_APP"/>
-            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
-            <property name="condition:notNeeded" value="${sess:agov.recovery.newLoginFactor}==NONE"/>
+        <AuthState name="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://584964c837512845d7940809 -->
+            <ResultCond name="back" next="Auth_Realm_Recovery_Recovery_Auth_verifyUser"/>
+            <!-- source: pattern://584964c837512845d7940809 -->
+            <ResultCond name="redirect" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
+            <!-- source: pattern://584964c837512845d7940809 -->
+            <Response value="AUTH_CONTINUE"/>
+            <!-- source: pattern://584964c837512845d7940809 -->
+            <property name="scriptTraceGroup" value="Recovery"/>
+            <!-- source: pattern://584964c837512845d7940809 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_createURLTicket_logReason" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
             <!-- source: pattern://9a1d3c6052019748d3510261 -->
@@ -2329,7 +2320,7 @@
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeSkipped" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="default" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
+            <ResultCond name="default" next="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <Response value="AUTH_CONTINUE"/>
             <!-- source: pattern://584964c837512845d7940809 -->
@@ -2339,7 +2330,7 @@
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="default" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
+            <ResultCond name="default" next="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <Response value="AUTH_CONTINUE"/>
             <!-- source: pattern://584964c837512845d7940809 -->
@@ -2349,6 +2340,42 @@
             <!-- source: pattern://584964c837512845d7940809 -->
             <property name="sess:agov.recovery.codeDetailStatus" value="n/a"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Recovery_Recovery_authWithNewCredentials" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <ResultCond name="default" next="Auth_Realm_Recovery_Auth_Failed"/>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <ResultCond name="loginWithFido2" next="Auth_Realm_Recovery_Recovery_fido2Login"/>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <ResultCond name="loginWithFidoUAF" next="Auth_Realm_Recovery_Recovery_mobile_nless_auth"/>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <ResultCond name="notNeeded" next="Auth_Realm_Recovery_Recovery_redirectAgovMe"/>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+                <Gui name="AuthErrorDialog"/>
+            </Response>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <property name="condition:loginWithFido2" value="${sess:agov.recovery.newLoginFactor}==FIDO2"/>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <property name="condition:loginWithFidoUAF" value="${sess:agov.recovery.newLoginFactor}==ACCESS_APP"/>
+            <!-- source: pattern://c1c0941f54cc36340578ff5f -->
+            <property name="condition:notNeeded" value="${sess:agov.recovery.newLoginFactor}==NONE"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Recovery_Recovery_redirectAgovMe_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+            <!-- source: pattern://6061abea33a234fad73897b7 -->
+            <ResultCond name="ok" next="Auth_Realm_Recovery_Prepare_Done"/>
+            <!-- source: pattern://6061abea33a234fad73897b7 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://6061abea33a234fad73897b7 -->
+                <Gui name="not_used"/>
+            </Response>
+            <!-- source: pattern://6061abea33a234fad73897b7 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://6061abea33a234fad73897b7 -->
+            <property name="parameter.agovmedirecturl" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
+            <!-- source: pattern://6061abea33a234fad73897b7 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_fido2Login" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://54c1b68431bc2e03b61edcaa -->
             <ResultCond name="cancel" next="Auth_Realm_Recovery_Auth_Failed"/>
@@ -2399,20 +2426,16 @@
             <!-- source: pattern://4bc453bf68139ee87966b0c7 -->
             <property name="parameter.recoveryurl" value="https://auth.agov-w.azure.adnovum.net/AUTH/RECOVERY/"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Recovery_Recovery_redirectAgovMe_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
-            <!-- source: pattern://6061abea33a234fad73897b7 -->
-            <ResultCond name="ok" next="Auth_Realm_Recovery_Prepare_Done"/>
-            <!-- source: pattern://6061abea33a234fad73897b7 -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://6061abea33a234fad73897b7 -->
-                <Gui name="not_used"/>
+        <AuthState name="Auth_Realm_Recovery_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
+            <ResultCond name="default" next="Auth_Realm_Recovery_Auth_Done"/>
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
+                <Gui name="ContinueResponse"/>
             </Response>
-            <!-- source: pattern://6061abea33a234fad73897b7 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://6061abea33a234fad73897b7 -->
-            <property name="parameter.agovmedirecturl" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
-            <!-- source: pattern://6061abea33a234fad73897b7 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy"/>
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_mobile_nless_auth_Processing" class="ch.nevis.auth.fido.uaf.authstate.OutOfBandFidoUafAuthState" final="false" resumeState="false">
             <!-- source: pattern://4bc453bf68139ee87966b0c7 -->
@@ -2437,16 +2460,12 @@
             <!-- source: pattern://4bc453bf68139ee87966b0c7 -->
             <property name="dispatchTargetId" value="${sess:agov.recovery.accessapp.dispatchTargetId}"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Recovery_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
-            <ResultCond name="default" next="Auth_Realm_Recovery_Auth_Done"/>
+        <AuthState name="Auth_Realm_Recovery_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
             <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
             <Response value="AUTH_DONE">
                 <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
                 <Gui name="ContinueResponse"/>
             </Response>
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_mobile_nless_auth_PostProcessing" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
             <!-- source: pattern://4bc453bf68139ee87966b0c7 -->
@@ -2456,13 +2475,6 @@
             <!-- source: pattern://4bc453bf68139ee87966b0c7 -->
             <property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:accessapp"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Recovery_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
-                <Gui name="ContinueResponse"/>
-            </Response>
-        </AuthState>
         <AuthState name="Auth_Realm_Recovery_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
             <!-- source: pattern://204c22beaccdfd22727af378 -->
             <ResultCond name="nomatch" next="Auth_Realm_Recovery_Recovery_Auth"/>
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy
new file mode 100644
index 0000000..05e5327
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy
@@ -0,0 +1,22 @@
+if (session['agov.recovery.redirectDone']) {
+  // user navigated back from AGOV.me, go again for the code
+
+  // clean up SAML state first, 
+  // IdentityProviderState sets session attributes as follows
+  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
+  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+      LOG.debug("Deleted session attribute '${key}'")
+      s.removeAttribute(key)
+    }
+  }
+  s.removeAttribute('agov.recovery.redirectDone')
+  response.setResult('back')
+} else {
+  // redirect
+  response.setSessionAttribute('agov.recovery.redirectDone', 'true')
+  response.setResult('redirect')
+}
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy
index 0fd022b..7b9ec8c 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy
@@ -9,7 +9,7 @@ if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
   def sessionKeySet = new HashSet(session.keySet()) 
   sessionKeySet.each { key -> 
     if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
-      LOG.info("Deleted session attribute '${key}'")
+      LOG.debug("Deleted session attribute '${key}'")
       s.removeAttribute(key)
     }
   }