new configuration version

2024-07-17 07:28:52 +00:00 · 2024-07-17 07:28:52 +00:00 · 358f221d4f
commit 358f221d4f
747 changed files with 169829 additions and 0 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-default-default-signer-trust-4bad2fe3ccc54716cc87138f.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-default-default-signer-trust-4bad2fe3ccc54716cc87138f.yaml
@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-sts-default-default-signer-trust"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth-sts"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+spec:
+  keystores:
+  - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-default-identity-4bad2fe3ccc54716cc87138f.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-default-identity-4bad2fe3ccc54716cc87138f.yaml
@ -0,0 +1,18 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "auth-sts-default-identity"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth-sts"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+spec:
+  cn: "auth-sts"
+  usage: "<reserved for future use>"
+  san:
+    dns:
+    - "auth-sts"
+    - "auth-sts.adn-agov-nevisidm-01-uat"
+    email: []
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-default-tls-trust-4bad2fe3ccc54716cc87138f.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-default-tls-trust-4bad2fe3ccc54716cc87138f.yaml
@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-sts-default-tls-trust"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth-sts"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+spec:
+  keystores:
+  - name: "idm-default-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-sh4r3d-internal-idp-auth-signer-4bad2fe3ccc54716cc87138f.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-sh4r3d-internal-idp-auth-signer-4bad2fe3ccc54716cc87138f.yaml
@ -0,0 +1,16 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "auth-sts-sh4r3d-internal-idp-auth-signer"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth-sts"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+spec:
+  cn: "signer"
+  usage: "signer"
+  san:
+    dns: []
+    email: []
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-technical-trust-store-4bad2fe3ccc54716cc87138f.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-auth-sts-technical-trust-store-4bad2fe3ccc54716cc87138f.yaml
@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-sts-technical-trust-store"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth-sts"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+spec:
+  keystores: []
+  extraCerts:
+  - "-----BEGIN CERTIFICATE-----\nMIIDsDCCApgCCQDu0TbPT3tIYDANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC\nY2gxEDAOBgNVBAoMB2Fkbm92dW0xDTALBgNVBAsMBGFnb3YxLjAsBgNVBAMMJW5l\ndmlzYWRtaW4tZC5hZ292LWQuYXp1cmUuYWRub3Z1bS5uZXQxOTA3BgkqhkiG9w0B\nCQEWKmluZm9AbmV2aXNhZG1pbi1kLmFnb3YtZC5henVyZS5hZG5vdnVtLm5ldDAe\nFw0yMzAzMTQwODU3MjJaFw0yODAzMTIwODU3MjJaMIGZMQswCQYDVQQGEwJjaDEQ\nMA4GA1UECgwHYWRub3Z1bTENMAsGA1UECwwEYWdvdjEuMCwGA1UEAwwlbmV2aXNh\nZG1pbi1kLmFnb3YtZC5henVyZS5hZG5vdnVtLm5ldDE5MDcGCSqGSIb3DQEJARYq\naW5mb0BuZXZpc2FkbWluLWQuYWdvdi1kLmF6dXJlLmFkbm92dW0ubmV0MIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxXmkdxlckq2BCEqSqFJ5GF3pe09R\n1fXZgqYw1C9a0/GpMLCZW6SppmNcLaxa6wy8iglfP3ftX7BWJUOoslXZztrVjrCb\nKYLI2THXWG+9+Xbq+X+BfTDyngClMLen0dNjT04n975r08C/LwuBwJHYGBGGT/W7\nUVbp8ZpBTne/tJ4bukwv2RQ3HcjSh7+cHZccDyCLxrhsQxxfrGWObwYO3pQ59EzK\nhDRpvAyP2OWTY2G+rauVZST16RKeyLGTG+yJTE321bka292RWx9NZKXALXEFN6LL\nshAYsVcoyjm//Rq2iZp+CVNClQoin6ME6gWwqqfOm2Ic6M6A+PTEcGZU8wIDAQAB\nMA0GCSqGSIb3DQEBCwUAA4IBAQBtzXVhHBcHEJWjIk1xgYtxWcp7A2cfextycrgi\nW091PagQSDPxvhXEu/53bAsVlRg6mlTEr2qtllzNGn/nF/3j3V99ISJuwu/YWOez\nTKEfascA7jmrNUXBqpp2ArYYuCYjd0bHIcmU4UXYHKW4U3F1JDsfZuHs0tur/xmU\nJ/7BRXOWm3njfwTS6VFyN9iFJxhh+54hE+fls7lsrXX92VHwby3lK6Q8Qki6hQoD\nH2DFEgRdVPwCKtDXWiXNPEZYDhnnNYKtBwulU+3Hp/J3wGaCpWHjJTlCxxm7DcTO\nkkoKfz+mVAF2sIOpguua8dGx23alkCmJ8r8/WWZMut259IZg\n-----END CERTIFICATE-----\n"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-nevisauth-sts-4bad2fe3ccc54716cc87138f.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-nevisauth-sts-4bad2fe3ccc54716cc87138f.yaml
@ -0,0 +1,56 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisComponent"
+metadata:
+  name: "auth-sts"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth-sts"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+spec:
+  type: "NevisAuth"
+  replicas: 1
+  version: "7.2402.1"
+  gitInitVersion: "1.3.0"
+  runAsNonRoot: true
+  ports:
+    management: 9000
+    soap: 8991
+  resources:
+    limits:
+      cpu: "2"
+      memory: "2000Mi"
+    requests:
+      cpu: "20m"
+      memory: "1000Mi"
+  livenessProbe:
+    soap:
+      tcpSocket: true
+      initialDelaySeconds: 40
+      periodSeconds: 20
+      timeoutSeconds: 4
+  readinessProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      initialDelaySeconds: 40
+      periodSeconds: 30
+      timeoutSeconds: 6
+  podDisruptionBudget:
+    maxUnavailable: "50%"
+  git:
+    tag: "r-779d33c24ccffc47e1cd1b39b93d065950aee10e"
+    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts"
+    credentials: "git-credentials"
+  keystores:
+  - "auth-sts-default-identity"
+  - "auth-sts-sh4r3d-internal-idp-auth-signer"
+  truststores:
+  - "auth-sts-technical-trust-store"
+  - "auth-sts-default-default-signer-trust"
+  - "auth-sts-default-tls-trust"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/nevisauth_default.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/nevisauth_default.yml
@ -0,0 +1,18 @@
+schemaVersion: 1.0
+instance:
+  type: "nevisauth"
+  name: "default"
+  directory: "/var/opt/nevisauth/default"
+  pid: "systemctl show nevisauth@default -p MainPID | cut -d '=' -f2"
+  source:
+    url: "/nevisadmin/#/projects/DEFAULT-ADN-AGOV-PROJECT/patterns/4bad2fe3ccc54716cc87138f"
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "4bad2fe3ccc54716cc87138f"
+    patternClass: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisAuthDeployable"
+  resources:
+    ports:
+    - "0.0.0.0:8991"
+  control:
+    start: "systemctl restart nevisauth@default &"
+    stop: "systemctl stop nevisauth@default"
+    status: "systemctl status nevisauth@default"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/keypass
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/keypass
@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/truststore.jks
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/truststore.jks
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/truststore.p12
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/truststore.p12
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/truststore.pem
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/keys/trust/idp-pem-atb/truststore.pem
@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwjCCAmigAwIBAgIBAjAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1zZWxmc2ln
+bmVkLWNhMB4XDTIzMDcyMDExMzkzN1oXDTI0MDcxOTExMzkzN1owIDEeMBwGA1UE
+AwwVYXRic2lnbmVyLnVhdC5hZ292LmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+MIIBigKCAYEAs8SITgXvwEBI+rmuBr6EkG5qeE9ctRBRLNP693MTpjkCi4rcqfzO
+//EU4ogDrtLwl99w6mazKuK+73DCfaVTWBdLIN3sqWiX/uU+2pPS3ldymsJcDRhi
+ERJAYUZKyw4JlQMAnZrt7DRdEXJH4VshOHRD6Q1TFQEsGVRIW2HakLatz8mxwNbD
+xKdBqQS88x5WJgkI0cMdfOVKf59fH+xa32NSE1c0MYwj98doSNrLIh8n47qk4R2p
+4bUyaGIx1ylXRjRMlx7b0ew/VfkSg8WtnR2DHj5sJ31uqrAXiMFY0slCiX0+Fu3O
+uiul/FH1v2xgT2rH0JhhLt+dCCCqfLLjwuLMSneco6AvcihDaN+AujWSn/aoTWPD
+BsB1ACKqkcaBBHt3giyEWb5T5J0QA5VfJEKYwBosvdFfUoPOgXTOQVGRnLMKfXSy
+AHUzKiR8Z1x3VwmHT8HJME6BaR8MZP58nFV8k/NpYw7gryNod9n8ZrsK84aLEzmV
+iYnPn1/V4fl9AgMBAAGjUDBOMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVYXRic2lnbmVyLnVhdC5hZ292LmNo
+MAoGCCqGSM49BAMCA0gAMEUCIQDIYEk1HuQxV83m1FQRfUuUgtOkX1gLDNlNEkCb
+UfWMMAIgd6HpbvTeur7LYGtqztc7FMADJHDNgYyBAOng+xkxHQw=
+-----END CERTIFICATE-----
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict.properties
@ -0,0 +1,80 @@
+
+accept.button.label=Accept
+cancel.button.label=Cancel
+continue.button.label=Continue
+deputy.profile.label=(Deputy Profile)
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Never
+policyFailure.dictionary=&#9642; must not be taken from a dictionary.
+policyFailure.history.History=&#9642; must be different from previously selected passwords.
+policyFailure.regex.control=&#9642; cannot contain more than {0} control characters.
+policyFailure.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=&#9642; must be at most {0} characters long.
+policyFailure.regex.minLength=&#9642; must be at least {0} characters long.
+policyFailure.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyFailure.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.dictionary=&#9642; must not be taken from a dictionary.
+policyInfo.history.History=&#9642; must be different from previously selected passwords.
+policyInfo.regex.control=&#9642; cannot contain more than {0} control characters.
+policyInfo.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=&#9642; must be at most {0} characters long.
+policyInfo.regex.minLength=&#9642; must be at least {0} characters long.
+policyInfo.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyInfo.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.saml.failed=Error
+title.timeout.page=Logout
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_de.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_de.properties
@ -0,0 +1,80 @@
+
+accept.button.label=Akzeptieren
+cancel.button.label=Abbrechen
+continue.button.label=Weiter
+deputy.profile.label=(Profil Stellvertreter)
+error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
+error_1=Bitte &uuml;berpr&uuml;fen Sie Ihre Eingabe.
+error_10=Bitte w&auml;hlen Sie den gew&uuml;nschten Benutzer.
+error_100=Zertifikat-Upload nicht m&ouml;glich. Zertifikat bereits vorhanden. Bitte kontaktieren Sie Ihren Helpdesk.
+error_101=Die angegebene E-Mail Adresse ist ung&uuml;ltig.
+error_11=Bitte verwenden Sie ein anderes Zertifikat oder ein alternatives Authentisierungsmittel.
+error_2=Bitte w&auml;hlen Sie einen anderen Login-Namen. 
+error_3=Falls Ihr n&auml;chster Login fehlschl&auml;gt, wird Ihr Konto gesperrt.
+error_4=Ihr neues Passwort wurde nicht akzeptiert. Bitte w&auml;hlen Sie eines, das den Passwortvorgaben entspricht.
+error_5=Die Eingabe zur Best&auml;tigung des Passwortes ist falsch.
+error_50=Das neue Passwort ist zu kurz.
+error_55=Das neue Passwort muss sich von alten Passw&ouml;rtern unterscheiden.
+error_6=Passwortwechsel erforderlich.
+error_7=Wechsel der Login-ID erforderlich.
+error_8=Ihr Konto wurde infolge wiederholt fehlgeschlagener Authentisierung gesperrt.
+error_81=Keine Rasterkarte gefunden, Zugang vom Internet verweigert.
+error_83=Ihre Rasterkarte ist aufgebraucht. Bitte kontaktieren Sie Ihren Berater, um eine neue zu erhalten.
+error_9=Die SSO-Session konnte nicht &uuml;bernommen werden.
+error_97=Sie verf&uuml;gen nicht &uuml;ber die f&uuml;r den Zugriff auf diese Ressource ben&ouml;tigte Berechtigung.
+error_98=Ihr Konto ist gesperrt.
+error_99=Systemfehler. Bitte versuchen Sie es sp&auml;ter.
+info.logout.confirmation=Bitte best&auml;tigen Sie, dass Sie sich abmelden m&ouml;chten.
+info.logout.reminder=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+info.oauth.consent=Wollen Sie der Anwendung den Zugriff erlauben?
+info.timeout.page=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+login.button.label=Login
+logout.label=Logout
+logout.text=Sie haben sich erfolgreich abgemeldet.
+method.certificate.label=Zertifikat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN-Code
+method.oath.label=OATH Authenticator-App
+method.otp.label=OTP (One-Time Passwort)
+method.recovery.label=Wiederherstellungscodes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Nie
+policyFailure.dictionary=&#9642; darf nicht aus einem W&ouml;rterbuch stammen.
+policyFailure.history.History=&#9642; muss sich von vorhergehenden Passw&ouml;rtern unterscheiden.
+policyFailure.regex.control=&#9642; darf h&ouml;chstens {0} Kontrollzeichen enthalten.
+policyFailure.regex.lower=&#9642; muss {0} Kleinbuchstaben enthalten.
+policyFailure.regex.maxCharacterRepetitions=&#9642; darf nicht eine Sequenz l&auml;nger als {0} des gleichen Zeichens enthalten.
+policyFailure.regex.maxLength=L&auml;nge des Passwortes darf h&ouml;chstens {0} sein.
+policyFailure.regex.minLength=L&auml;nge des Passwortes muss mindestens {0} sein.
+policyFailure.regex.nonAlnum=&#9642; muss {0} nicht-alphanumerische Zeichen enthalten.
+policyFailure.regex.nonAscii=&#9642; darf h&ouml;chstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyFailure.regex.nonGraph=&#9642; darf h&ouml;chstens {0} nicht-druckende Zeichen enthalten.
+policyFailure.regex.nonLetter=&#9642; muss {0} Zeichen enthalten, die keine Buchstaben sind.
+policyFailure.regex.numeric=&#9642; muss {0} numerische Zeichen enthalten.
+policyFailure.regex.upper=&#9642; muss {0} Grossbuchstaben enthalten.
+policyInfo.dictionary=&#9642; darf nicht aus einem W&ouml;rterbuch stammen.
+policyInfo.history.History=&#9642; darf keines der zuletzt verwendeten Passw&ouml;rtern sein.
+policyInfo.regex.control=&#9642; darf h&ouml;chstens {0} Kontrollzeichen enthalten.
+policyInfo.regex.lower=&#9642; muss mindestens {0} Kleinbuchstaben enthalten.
+policyInfo.regex.maxCharacterRepetitions=&#9642; darf nicht eine Sequenz l&auml;nger als {0} des gleichen Zeichens enthalten.
+policyInfo.regex.maxLength=&#9642; darf h&ouml;chstens {0} Zeichen enthalten.
+policyInfo.regex.minLength=&#9642; muss mindestens {0} Zeichen enthalten.
+policyInfo.regex.nonAlnum=&#9642; muss mindestens {0} Zeichen enthalten, die nicht Alphanumerisch sind.
+policyInfo.regex.nonAscii=&#9642; darf h&ouml;chstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyInfo.regex.nonGraph=&#9642; darf h&ouml;chstens {0} nicht-druckende Zeichen enthalten.
+policyInfo.regex.nonLetter=&#9642; muss mindestens {0} Zeichen enthalten, die keine Buchstaben sind.
+policyInfo.regex.numeric=&#9642; muss mindestens {0} numerische Zeichen enthalten.
+policyInfo.regex.upper=&#9642; muss mindestens {0} Grossbuchstaben enthalten.
+policyInfo.title=Das Passwort muss den folgenden Passwort-Richtlinien entsprechen:
+reject.button.label=Ablehnen
+submit.button.label=Senden
+tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorisierung
+title.saml.failed=Error
+title.timeout.page=Logout
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_en.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_en.properties
@ -0,0 +1,80 @@
+
+accept.button.label=Accept
+cancel.button.label=Cancel
+continue.button.label=Continue
+deputy.profile.label=(Deputy Profile)
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Never
+policyFailure.dictionary=&#9642; must not be taken from a dictionary.
+policyFailure.history.History=&#9642; must be different from previously selected passwords.
+policyFailure.regex.control=&#9642; cannot contain more than {0} control characters.
+policyFailure.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=&#9642; must be at most {0} characters long.
+policyFailure.regex.minLength=&#9642; must be at least {0} characters long.
+policyFailure.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyFailure.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.dictionary=&#9642; must not be taken from a dictionary.
+policyInfo.history.History=&#9642; must be different from previously selected passwords.
+policyInfo.regex.control=&#9642; cannot contain more than {0} control characters.
+policyInfo.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=&#9642; must be at most {0} characters long.
+policyInfo.regex.minLength=&#9642; must be at least {0} characters long.
+policyInfo.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyInfo.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.saml.failed=Error
+title.timeout.page=Logout
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_fr.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_fr.properties
@ -0,0 +1,80 @@
+
+accept.button.label=Accepter
+cancel.button.label=Abandonner
+continue.button.label=Continuer
+deputy.profile.label=(Profil du suppl&eacute;ant)
+error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
+error_1=Veuillez v&eacute;rifier vos donn&eacute;es, s.v.p.
+error_10=Choisissez votre compte.
+error_100=T&eacute;l&eacute;chargement du certificat pas possible. Certificat existe d&eacute;j&agrave;. Veuillez contacter le helpdesk s.v.p.
+error_101=L&#39;adresse e-mail &eacute; n&#39;est pas valide.
+error_11=Choisissez un autre certificat, s.v.p.
+error_2=Choisissez un autre nom, s.v.p.
+error_3=Si l&#39;authentification ne r&eacute;ussit pas au prochain essai, votre compte sera bloqu&eacute;.
+error_4=Votre nouveau mot de passe ne conforme pas aux mesures de s&eacute;curit&eacute;
+error_5=Votre confirmation du mot de passe ne correspond pas au mot de passe donn&eacute;.
+error_50=Le nouveau mot de passe est trop court.
+error_55=Le nouveau mot de passe doit diff&eacute;rer de l&#39;ancien.
+error_6=Veuillez changer votre mot de passe, s.v.p.
+error_7=Veuillez changer votre login ID, s.v.p.
+error_8=Votre compte n&#39;est pas active.
+error_81=Pas d&#39;access card trouv&eacute;, l&#39;acc&egrave;s par l&#39;internet est refus&eacute;.
+error_83=Votre access card n&#39;est plus valable, veuillez contacter votre gestionnaire.
+error_9=Il n&#39;est pas possible de transmettre la session.
+error_97=Vous n&#39;avez pas les autorisations n&eacute;cessaires pour acc&eacute;der &agrave; cette ressource.
+error_98=Votre compte a &eacute;t&eacute; bloqu&eacute;.
+error_99=Probl&egrave;me technique. Veuillez essayer plus tard, s.v.p.
+info.logout.confirmation=Veuillez confirmer que vous souhaitez vous d&eacute;connecter.
+info.logout.reminder=Votre session sur cette application a expir&eacute;e. Essayez encore avec un login.
+info.oauth.consent=Voulez-vous autoriser l&#39;application?
+info.timeout.page=Votre session sur cette application a expir&eacute;e. Essayez encore avec un login.
+login.button.label=Login
+logout.label=Logout
+logout.text=Au revoir
+method.certificate.label=Certificat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Code mTAN
+method.oath.label=Application d'authentification OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codes de r&eacute;cup&eacute;ration
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Jamais
+policyFailure.dictionary=&#9642; ne peut pas &ecirc;tre pris d&#39;un dictionnaire.
+policyFailure.history.History=&#9642; doit &ecirc;tre diff&eacute;rent des mots de passe pr&eacute;alablement s&eacute;lectionn&eacute;s.
+policyFailure.regex.control=&#9642; ne peut contenir plus de {0} caract&egrave;res de commande.
+policyFailure.regex.lower=&#9642; doit contenir au moins {0} caract&egrave;re(s) minuscule(s).
+policyFailure.regex.maxCharacterRepetitions=&#9642; ne peut contenir une s&eacute;quence de plus de {0} du m&ecirc;me caract&egrave;re.
+policyFailure.regex.maxLength=La longueur doit &ecirc;tre d&#39;au plus {0}.
+policyFailure.regex.minLength=La longueur doit &ecirc;tre d&#39;au moins {0}.
+policyFailure.regex.nonAlnum=&#9642; doit contenir au moins  {0} caract&egrave;res non alphanum&eacute;riques.
+policyFailure.regex.nonAscii=&#9642; ne peut contenir plus de {0} caract&egrave;res non ASCII ({1}).
+policyFailure.regex.nonGraph=&#9642; ne peut contenir plus de {0} caract&egrave;res non imprimables ({1}).
+policyFailure.regex.nonLetter=&#9642; doit contenir au moins {0} caract&egrave;res qui ne sont pas des lettres.
+policyFailure.regex.numeric=&#9642; doit comprendre {0} caract&#232;res num&#233;riques.
+policyFailure.regex.upper=&#9642; doit contenir au moins {0} caract&egrave;re(s) majuscule(s).
+policyInfo.dictionary=&#9642; ne peut pas &ecirc;tre pris d&#39;un dictionnaire.
+policyInfo.history.History=&#9642; ne peut pas &ecirc;tre l&#39; pr&eacute;c&eacute;demment choisis.
+policyInfo.regex.control=&#9642; ne peut contenir plus de {0} caract&egrave;res de commande.
+policyInfo.regex.lower=&#9642; doit contenir au moins {0} caract&egrave;re(s) minuscule(s).
+policyInfo.regex.maxCharacterRepetitions=&#9642; ne peut contenir une s&eacute;quence de plus de {0} du m&ecirc;me caract&egrave;re.
+policyInfo.regex.maxLength=&#9642; la longueur doit &ecirc;tre d&#39;au plus {0}.
+policyInfo.regex.minLength=&#9642; la longueur doit &ecirc;tre d&#39;au moins {0}.
+policyInfo.regex.nonAlnum=&#9642; doit contenir au moins  {0} caract&egrave;res non alphanum&eacute;riques.
+policyInfo.regex.nonAscii=&#9642; ne peut contenir plus de {0} caract&egrave;res non ASCII.
+policyInfo.regex.nonGraph=&#9642; ne peut contenir plus de {0} caract&egrave;res non imprimables.
+policyInfo.regex.nonLetter=&#9642; doit contenir au moins {0} caract&egrave;res qui ne sont pas des lettres.
+policyInfo.regex.numeric=&#9642; doit comprendre au minimum {0} caract&#232;res num&#233;riques.
+policyInfo.regex.upper=&#9642; doit contenir au moins {0} caract&egrave;re(s) majuscule(s).
+policyInfo.title=Le mot de passe doit respecter les r&egrave;gles suivantes:
+reject.button.label=Refuser
+submit.button.label=Envoyer
+tan.sent=Veuillez saisir le code de s&eacute;curit&eacute; que vous avez re&ccedil;u au votre t&eacute;l&eacute;phone mobile.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorisation du client
+title.saml.failed=Error
+title.timeout.page=Logout
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_it.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_it.properties
@ -0,0 +1,80 @@
+
+accept.button.label=Accettare
+cancel.button.label=Abortire
+continue.button.label=Continua
+deputy.profile.label=(profilo del delegato)
+error.saml.failed=Chiudi il browser e riprova.
+error_1=Verificare i dati immessi.
+error_10=Per favore selezionare il conto utente corretto.
+error_100=Impossibile caricare il certificato. Questo certificato esiste gi&agrave;. La preghiamo di contattare il Suo help desk.
+error_101=L&#39;indirizzo e-mail inserito non &egrave; valido.
+error_11=Scegliere un altro certificato.
+error_2=Per favore scegliere un altro nome.
+error_3=Il conto verr&agrave; bloccato se il prossimo login non andr&agrave; a buon fine.
+error_4=La nuova password non &egrave; stata accettata. Scegliere una password che sia conforme ai criteri di password.
+error_5=La conferma della password &egrave; errata.
+error_50=La nuova password &egrave; troppo corta.
+error_55=La nuova password deve essere diversa dalla vecchia.
+error_6=&Egrave; necessario modificare la password.
+error_7=Set up inizale dell&#39;account per il portale necessario.
+error_8=L&#39;account &egrave; stato bloccato. Rivolgersi al servizio assistenza oppure provare con un altro strumento di autenticazione.
+error_81=Nessuna carta di accesso trovata, accesso da internet rifiutato.
+error_83=La sua carta di accesso non &egrave; pi&ugrave; valida. Per favore contatti il suo assistente per ricevere una nuova carta di accesso.
+error_9=La sessione non pu&ograve; essere ripresa.
+error_97=Non si dispone delle autorizzazioni necessarie per accedere a questa risorsa.
+error_98=L&#39;account &egrave; stato bloccato.
+error_99=Errore di sistema. Riprovare.
+info.logout.confirmation=Si prega di confermare che si desidera disconnettersi.
+info.logout.reminder=La sessione su questa applicazione &#x26;egrave; scaduta. Prova ancora con un login.
+info.oauth.consent=Vuoi consentire all&#39;applicazione?
+info.timeout.page=La sessione su questa applicazione &#x26;egrave; scaduta. Prova ancora con un login.
+login.button.label=Login
+logout.label=Logout
+logout.text=&Egrave; uscito con successo.
+method.certificate.label=Certificato
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Codice mTAN
+method.oath.label=App di autenticazione OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codici di ripristino
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Mai
+policyFailure.dictionary=&#9642; non pu&ograve; essere presa da un dizionario.
+policyFailure.history.History=&#9642; deve essere diversa da password precedenti.
+policyFailure.regex.control=&#9642; non pu&ograve; contenere pi&ugrave; di {0} caratteri di controllo.
+policyFailure.regex.lower=&#9642; deve conenere almeno {0} caratteri minuscoli.
+policyFailure.regex.maxCharacterRepetitions=&#9642; non pu&ograve; contentere una sequenza pi&ugrave; lunga di {0} caratteri uguali.
+policyFailure.regex.maxLength=&#9642; deve contenere al massimo {0} caratteri.
+policyFailure.regex.minLength=&#9642; deve contenere almeno {0} caratteri.
+policyFailure.regex.nonAlnum=&#9642; deve conenere almeno {0} caratteri non alfanumerici.
+policyFailure.regex.nonAscii=&#9642; non pu&ograve; contenere pi&ugrave; di {0} caratteri non ASCII.
+policyFailure.regex.nonGraph=&#9642; non pu&ograve; contenere pi&ugrave; di {0} caratteri non stampabili.
+policyFailure.regex.nonLetter=&#9642; non pu&ograve; contenere pi&ugrave; di {0} numeri o caratteri speciali.
+policyFailure.regex.numeric=&#9642; deve contenere {0} caratteri numerici.
+policyFailure.regex.upper=&#9642; deve conenere almeno {0} caratteri maiuscoli.
+policyInfo.dictionary=&#9642; non pu&ograve; essere presa da un dizionario.
+policyInfo.history.History=&#9642; deve essere diversa dalle password precedenti.
+policyInfo.regex.control=&#9642; non pu&ograve; contenere pi&ugrave; di {0} carattere/i di controllo.
+policyInfo.regex.lower=&#9642; deve conenere almeno {0} carattere/i minuscolo/i.
+policyInfo.regex.maxCharacterRepetitions=&#9642; non pu&ograve; contentere una sequenza pi&ugrave; lunga di {0} caratteri uguali.
+policyInfo.regex.maxLength=&#9642; deve contenere al massimo {0} carattere/i.
+policyInfo.regex.minLength=&#9642; deve contenere almeno {0} carattere/i.
+policyInfo.regex.nonAlnum=&#9642; deve conenere almeno {0} carattere/i non alfanumerico/i.
+policyInfo.regex.nonAscii=&#9642; non pu&ograve; contenere pi&ugrave; di {0} carattere/i non ASCII.
+policyInfo.regex.nonGraph=&#9642; non pu&ograve; contenere pi&ugrave; di {0} carattere/i non stampabile/i.
+policyInfo.regex.nonLetter=&#9642; non pu&ograve; contenere pi&ugrave; di {0} numero/i o caratere/i speciale/i.
+policyInfo.regex.numeric=&#9642; deve contenere un minimo di {0} carattere/i numerico/i.
+policyInfo.regex.upper=&#9642; deve conenere almeno {0} carattere/i maiuscolo/i.
+policyInfo.title=La password deve rispettare le seguenti direttive:
+reject.button.label=Rifiuti
+submit.button.label=Continua
+tan.sent=Inserisci il codice di sicurezza che &egrave; stato inviato al tuo telefono cellulare.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorizzazione del client
+title.saml.failed=Error
+title.timeout.page=Logout
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/bc.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/bc.properties
@ -0,0 +1 @@
+bc.tracer.TraceIndentFactory=ch.nevis.bc.io.Log4jTraceIndentFactory
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/env.conf
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/env.conf
@ -0,0 +1,19 @@
+RTENV_SECURITY_CHECK=no_shell
+
+JAVA_OPTS=(
+    "-Dfile.encoding=UTF-8"
+    "-XX:+UseContainerSupport"
+    "-XX:MaxRAMPercentage=80.0"
+    "-Djava.net.preferIPv4Stack=true"
+    "-Djava.net.connectionTimeout=10000"
+    "-Djava.net.readTimeout=15000"
+    "-Dch.nevis.esauth.config=/var/opt/nevisauth/default/conf/esauth4.xml"
+    "-Djava.awt.headless=true"
+    "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
+    "-Dotel.javaagent.logging=application"
+    "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
+    "-Dotel.resource.attributes=service.version=7.2402.1,service.instance.id=$HOSTNAME"
+    "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-sts-default-tls-trust/truststore.p12"
+    "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-sts-default-tls-trust/keypass}"
+)
+
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/esauth4.security
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/esauth4.security
@ -0,0 +1,2 @@
+# this file is generated by nevisAdmin 4
+security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/esauth4.xml
@ -0,0 +1,334 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE esauth-server SYSTEM "/opt/nevisauth/dtd/esauth4.dtd">
+<esauth-server instance="auth-sts">
+    <!-- source: pattern://4bad2fe3ccc54716cc87138f, pattern://5d7dc3d51416356293a239f7 -->
+    <SessionCoordinator sessionInitialInactivityTimeout="30" sessionInactivityTimeout="3600" sessionMaxLifetime="3600" sessionIdPreGenerate="true">
+        <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+        <LocalSessionStore maxSessions="100000"/>
+        <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+        <TokenAssembler name="DefaultTokenAssembler">
+            <Selector default="true"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <TokenSpec ttl="3600">
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.sessid" as="sessid"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.userid" as="userid"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.authlevel" as="authLevel"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.esauthid" as="esauthid"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.entryid" as="entryid"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.loginid" as="loginId"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.domain" as="domain"/>
+                <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+                <field src="session" key="ch.nevis.session.secroles" as="roles"/>
+            </TokenSpec>
+            <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+            <Signer key="DefaultSigner"/>
+        </TokenAssembler>
+        <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+        <KeyStore name="DefaultKeyStore">
+            <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+            <KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/auth-sts-sh4r3d-internal-idp-auth-signer/cert.pem" privateKey="/var/opt/keys/own/auth-sts-sh4r3d-internal-idp-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/auth-sts-sh4r3d-internal-idp-auth-signer/keypass"/>
+            <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/auth-sts-default-default-signer-trust/truststore.jks"/>
+        </KeyStore>
+        <!-- source: pattern://632ae3e34c70513c4d5ae882 -->
+        <KeyStore name="Auth_Realm_Main_STS">
+            <!-- source: pattern://632ae3e34c70513c4d5ae882 -->
+            <KeyObject name="ATB_Key_Signer" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
+        </KeyStore>
+    </SessionCoordinator>
+    <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+    <LocalOutOfContextDataStore reaperPeriod="60"/>
+    <!-- source: pattern://4bad2fe3ccc54716cc87138f, pattern://5d7dc3d51416356293a239f7, pattern://5d7dc3d51416356293a239f7, pattern://8d94681ba6da73f92618e32d, pattern://4bad2fe3ccc54716cc87138f -->
+    <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
+        <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+        <Domain name="Auth_Realm_Main_STS" default="false" inactiveInterval="30" reauthInterval="0" statelessAuth="true" issueToken="true" resetAuthenticationCondition="${inargs:cancel}">
+            <Entry method="authenticate" state="Auth_Realm_Main_STS_Check_Trusted_Caller"/>
+            <Entry method="stepup" state="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+        </Domain>
+        <AuthState name="Auth_Realm_Main_STS_Check_Trusted_Caller" class="ch.nevis.esauth.auth.states.cache.ReadFromCacheState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="miss" next="Auth_Realm_Main_STS_Dispatcher_TokenType"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Dispatcher_TokenType"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="cacheSpace" value="TechAuthCache"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="hashAlgorithm" value="SHA-512"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:agov.techuser.extId" value="#{request.getActorCertAsString()}"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Dispatcher_TokenType" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="SamlAssertion" next="Auth_Realm_Main_STS_Service_Provider_State"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="checkOblCode" next="Auth_Realm_Main_STS_Verify_Shadow_User"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="usernameToken" next="Auth_Realm_Main_STS_Verify_User_extID"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="condition:SamlAssertion" value="${request:currentResource:/nevisauth/services/sts/saml:true}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="condition:checkOblCode" value="${request:currentResource:/nevisauth/services/sts/check:true}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="condition:usernameToken" value="${request:currentResource:/nevisauth/services/sts/username:true}"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Service_Provider_State" class="ch.nevis.esauth.auth.states.saml.ServiceProviderState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Verify_User_extID" authLevel="auth.weak"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="consumerURL" value="https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.verify" value="Assertion"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.internalBindingSource" value="${inargs:SAMLAssertion}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.binding" value="internal-assertion"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.max_age" value="30"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.audience" value="https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.keystoreref" value="Auth_Realm_Main_STS"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="in.prospectVerification" value="SubjectConfirmation"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="out.sign" value="none"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="out.binding" value="none"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="out.issuer" value="not-used"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Verify_Shadow_User" class="ch.nevis.idm.authstate.IdmPasswordVerifyState" final="false" resumeState="false">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="cancel" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="clientNotFound" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="disabled" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="failed" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="lockWarn" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="locked" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="nowLocked" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Verify_Shadow_User_DeleteCredential" authLevel="auth.weak"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="pwChange" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="tmpLocked" next="Auth_Realm_Main_STS_Verify_Shadow_User_Error"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="ErrorDialog" label="error">
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="isiwebpasswd" type="pw-text" label="not-used" value="just-ot-hide-it-in-logs" optional="true"/>
+                </Gui>
+            </Response>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="user.loginType" value="LOGINID"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="credential.type" value="contextPassword"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="credential.context" value="AGOV"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="client.name" value="AGOV-S"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="user.loginId" value="${inargs:isiwebuserid}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="user.password" value="${inargs:isiwebpasswd}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.user" value="MEDIUM"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.profile" value="LOW"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.property" value="MEDIUM"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.credential" value="MEDIUM"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.certificate" value="MEDIUM"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.default" value="EXCLUDE"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_STS_Audit_Failure" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="error" next="Auth_Realm_Main_STS_Authentication_Failed"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Authentication_Failed"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_failure.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Verify_User_extID" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="clientNotFound" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="failed" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="prospect" next="Auth_Realm_Main_STS_Verify_User_extID_IdmGetPropertiesState"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="AuthFailDialog"/>
+            </Response>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="userExtId" value="${inargs:UserID}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="client.name" value="agov"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Verify_Shadow_User_Error" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="true" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="ErrorDialog" label="error">
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Verify_Shadow_User_DeleteCredential" class="ch.nevis.idm.authstate.IdmDeleteCredentialState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="failed" next="Auth_Realm_Main_STS_STS_Audit_Success"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="noCredential" next="Auth_Realm_Main_STS_STS_Audit_Success"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_STS_Audit_Success"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR"/>
+            <propertyRef name="Auth_Realm_Main_STS_Verify_Shadow_User"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="cred.context" value="AGOV"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="cred.type" value="CONTEXT_PASSWORD"/>
+        </AuthState>
+        <AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
+            <!-- source: pattern://8d94681ba6da73f92618e32d -->
+            <property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
+            <!-- source: pattern://8d94681ba6da73f92618e32d -->
+            <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="Error">
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Verify_User_extID_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="SOAP:showGui" next="Auth_Realm_Main_STS_STS_Audit_Success"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_STS_Audit_Success"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="AuthProfileSelectionDialog">
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
+                </Gui>
+            </Response>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="user.attributes" value="loginId,extId,firstName,name,email,gender,birthDate,language,sex,addressLine1,postalCode,city,country,street,houseNumber,locality"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="chooseDefaultProfile" value="true"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_STS_Audit_Success" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="error" next="Auth_Realm_Main_STS_Authentication_Failed"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Auth_Done"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_success.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
+    </AuthEngine>
+    <!-- source: pattern://b187f22206e44ee57ad18737 -->
+    <WebService name="SecurityTokenService-UNameToken" class="ch.nevis.esauth.auth.adapter.wstrust.SecurityTokenService" uri="/nevisauth/services/sts/username/" SSODomain="Auth_Realm_Certificate_STS">
+        <!-- source: pattern://b187f22206e44ee57ad18737 -->
+        <Mapping from="xpath://OnBehalfOf/UsernameToken/Username/text()" to="UserID" scope="inargs" optional="false"/>
+        <!-- source: pattern://b187f22206e44ee57ad18737 -->
+        <Method name="authenticate"/>
+        <!-- source: pattern://b187f22206e44ee57ad18737 -->
+        <property name="token:secToken" value="${response.signedTokenAsString}"/>
+        <!-- source: pattern://b187f22206e44ee57ad18737 -->
+        <property name="secToken.binary" value="true"/>
+    </WebService>
+    <!-- source: pattern://f07012a21144ec15f1f53117 -->
+    <WebService name="SecurityTokenService-SAML" class="ch.nevis.esauth.auth.adapter.wstrust.SecurityTokenService" uri="/nevisauth/services/sts/saml/" SSODomain="Auth_Realm_Certificate_STS">
+        <!-- source: pattern://f07012a21144ec15f1f53117 -->
+        <Mapping from="xpath://OnBehalfOf/Assertion" to="SAMLAssertion" scope="inargs" optional="false"/>
+        <!-- source: pattern://f07012a21144ec15f1f53117 -->
+        <Mapping from="xpath://OnBehalfOf/Assertion/Subject/NameID/text()" to="UserID" scope="inargs" optional="false"/>
+        <!-- source: pattern://f07012a21144ec15f1f53117 -->
+        <Method name="authenticate"/>
+        <!-- source: pattern://f07012a21144ec15f1f53117 -->
+        <property name="token:secToken" value="${response.signedTokenAsString}"/>
+        <!-- source: pattern://f07012a21144ec15f1f53117 -->
+        <property name="secToken.binary" value="true"/>
+    </WebService>
+    <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
+    <WebService name="SecurityTokenService-CheckToken" class="ch.nevis.esauth.auth.adapter.wstrust.SecurityTokenService" uri="/nevisauth/services/sts/check/" SSODomain="Auth_Realm_Certificate_STS">
+        <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
+        <Mapping from="xpath://OnBehalfOf/UsernameToken/Username/text()" to="isiwebuserid" scope="inargs" optional="false"/>
+        <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
+        <Mapping from="xpath://OnBehalfOf/UsernameToken/Password/text()" to="isiwebpasswd" scope="inargs" optional="false"/>
+        <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
+        <Method name="authenticate"/>
+        <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
+        <property name="token:secToken" value="${response.signedTokenAsString}"/>
+        <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
+        <property name="secToken.binary" value="true"/>
+    </WebService>
+</esauth-server>
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/logging.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/logging.yml
@ -0,0 +1,53 @@
+Configuration:
+  monitorInterval: 60
+  Appenders:
+    Console:
+    - name: "SERVER"
+      target: "SYSTEM_OUT"
+      PatternLayout:
+        pattern: "[esauth4sv.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-20.20c %-5.5p %m%n"
+      RegexFilter:
+        regex: ".*GET /nevisauth/liveness.*"
+        onMatch: "DENY"
+        onMismatch: "ACCEPT"
+  Loggers:
+    Logger:
+    - name: "EsAuthStart"
+      level: "INFO"
+    - name: "org.apache.catalina.loader.WebappClassLoader"
+      level: "FATAL"
+    - name: "org.apache.catalina.startup.HostConfig"
+      level: "ERROR"
+    - name: "ch.nevis.esauth.events"
+      level: "FATAL"
+    - name: "AGOV-ACCT"
+      level: "DEBUG"
+    - name: "AuthEngine"
+      level: "INFO"
+    - name: "AuthPerf"
+      level: "INFO"
+    - name: "IdmAuth"
+      level: "DEBUG"
+    - name: "OpTrace"
+      level: "DEBUG"
+    - name: "Recovery"
+      level: "INFO"
+    - name: "Script"
+      level: "DEBUG"
+    - name: "SessCoord"
+      level: "DEBUG"
+    - name: "StdStates"
+      level: "INFO"
+    - name: "Store"
+      level: "DEBUG"
+    - name: "Vars"
+      level: "INFO"
+    - name: "ch.nevis.idm.client.IdmRestClientImpl"
+      level: "DEBUG"
+    - name: "jcan.OpContent"
+      level: "DEBUG"
+    Root:
+      level: "WARN"
+      additivity: "false"
+      AppenderRef:
+      - ref: "SERVER"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/nevisauth.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/nevisauth.yml
@ -0,0 +1,16 @@
+server:
+  name: "default"
+  protocol: "https"
+  port: "8991"
+  host: "0.0.0.0"
+  tls:
+    keystore: "/var/opt/keys/own/auth-sts-default-identity/keystore.p12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/auth-sts-default-identity/keypass}"
+    client-auth: "required"
+    truststore: "/var/opt/keys/trust/auth-sts-technical-trust-store/truststore.p12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/auth-sts-technical-trust-store/keypass}"
+management:
+  server:
+    port: "9000"
+  healthchecks:
+    enabled: "true"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/otel.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/otel.properties
@ -0,0 +1,4 @@
+otel.service.name=auth-sts
+otel.traces.exporter=none
+otel.metrics.exporter=none
+otel.logs.exporter=none
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/sts_audit_failure.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/sts_audit_failure.groovy
@ -0,0 +1,17 @@
+try {
+  def user = inargs['UserID'] ?: session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+  def techuser = session['agov.techuser.extId'] ?: 'unknown'
+  def sourceIp = request.getTransportLayerInformation().getRemoteIP() ?: 'unknown'
+  def credentialType = request.getResource().replaceAll("\\/nevisauth\\/services\\/sts\\/(.+)\\/", "\$1").toUpperCase()
+  def lasterrorinfo = notes.getProperty('lasterrorinfo', '-')
+  def lasterror = notes.getProperty('lasterror', '-')
+
+  if (credentialType=='SAML') {
+    credentialType = 'PASSWORD'
+  }
+  LOG.warn("Event='TKNFAILED', Techuser=${techuser}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, lasterrorinfo='${lasterrorinfo}', lasterror=${lasterror}")
+} catch (Exception e) {
+  LOG.warn("Exception in Script: ${e}")
+} finally {
+  response.setResult('ok')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/sts_audit_success.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/sts_audit_success.groovy
@ -0,0 +1,16 @@
+try {
+  def user = inargs['UserID'] ?: session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+  def techuser = session['agov.techuser.extId'] ?: 'unknown'
+  def sourceIp = request.getTransportLayerInformation().getRemoteIP() ?: 'unknown'
+  def credentialType = request.getResource().replaceAll("\\/nevisauth\\/services\\/sts\\/(.+)\\/", "\$1").toUpperCase()
+  
+  if (credentialType=='SAML') {
+    credentialType = 'PASSWORD'
+  }
+  LOG.info("Event='TKNISSUED', Techuser=${techuser}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}")
+  
+} catch (Exception e) {
+  LOG.warn("Exception in Script: ${e}")
+} finally {
+  response.setResult('ok')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/log/.empty
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/log/.empty
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/plugin/.empty
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/plugin/.empty
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/run/.empty
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/run/.empty
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/status.sh
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/status.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# NAME
+#     status.sh - Checks the status of the nevisAuth instance.
+#
+# SYNOPSIS
+#     status.sh
+#
+# DESCRIPTION
+#     Performs periodic checks until the instance is up or broken or timeout is reached.
+#     The script terminates when the process of the instance stops running.
+#     There are no arguments for this script.
+#
+# EXIT CODES
+#  0    Instance is up.
+#  1    Instance process is not running.
+#  2    Instance is broken.
+#  3    Timeout reached.
+
+# Defines how much we should sleep between checking if the instance is up.
+interval=1
+# Defines how much we should wait the instance to start up until we give up and exit.
+timeout=70
+((end_time=${SECONDS}+$timeout))
+
+# Checks if the process of the instance is still running.
+# Arguments:
+#   None
+# Returns:
+#   In case it is running, returns 0, otherwise non-zero (exit code of systemctl).
+isProcessRunning() {
+  systemctl is-active --quiet nevisauth@default
+  IS_RUNNING=$?
+  return $IS_RUNNING
+}
+
+# Checks if the instance is up. (Attempts connecting to the instance)
+# Arguments:
+#   None
+# Returns:
+#   If the connection was successful and the instance up (is not broken), returns 0.
+#   If the connection was not successful, returns 1.
+checkInstance() {
+  lsof -i :8991 -sTCP:LISTEN
+  EXIT_CODE=$?
+  return $EXIT_CODE
+}
+
+# This function encapsulates the logic of checking if the process is running and if the instance is up.
+# In case the process is not running, exits with exit code 1.
+# Arguments:
+#   None
+# Returns:
+#   If the instance process is running, returns the result of the instance check function.
+check() {
+ if isProcessRunning
+  then
+    checkInstance
+    CS=$?
+    return $CS
+  else
+    echo "Process is not running."
+    exit 1
+  fi
+}
+
+# Check the status of the instance periodically.
+while ((${SECONDS} < ${end_time}))
+do
+  sleep ${interval}
+  if check
+  then
+    echo "Instance is up."
+    exit 0
+  fi
+done
+
+echo "Exceeded check timeout (70s). Instance is down."
+exit 3
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/tmp/.empty
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/tmp/.empty
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-auth-realm-mobile-fido-uaf-tls-client-nevisfido-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-auth-realm-mobile-fido-uaf-tls-client-nevisfido-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,18 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "auth-auth-realm-mobile-fido-uaf-tls-client-nevisfido"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  cn: "auth"
+  usage: "<reserved for future use>"
+  san:
+    dns:
+    - "auth"
+    - "auth.adn-agov-nevisidm-01-uat"
+    email: []
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  keystores:
+  - name: "fido-uaf-default-server-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-default-signer-trust-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-default-signer-trust-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-default-default-signer-trust"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  keystores:
+  - name: "auth-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-identity-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-identity-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,18 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "auth-default-identity"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  cn: "auth"
+  usage: "<reserved for future use>"
+  san:
+    dns:
+    - "auth"
+    - "auth.adn-agov-nevisidm-01-uat"
+    email: []
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-tls-trust-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-tls-trust-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-default-tls-trust"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  keystores:
+  - name: "idm-default-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-sh4r3d-internal-idp-auth-signer-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-sh4r3d-internal-idp-auth-signer-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,16 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "auth-sh4r3d-internal-idp-auth-signer"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  cn: "signer"
+  usage: "signer"
+  san:
+    dns: []
+    email: []
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,20 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "auth-technical-trust-store"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  keystores:
+  - name: "proxy-idp-notused-auth-realm-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
+  - name: "proxy-idp-auth-realm-mobile-fido-uaf-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
+  - name: "proxy-idp-auth-realm-recovery-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
+  extraCerts:
+  - "-----BEGIN CERTIFICATE-----\nMIIDsDCCApgCCQDu0TbPT3tIYDANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC\nY2gxEDAOBgNVBAoMB2Fkbm92dW0xDTALBgNVBAsMBGFnb3YxLjAsBgNVBAMMJW5l\ndmlzYWRtaW4tZC5hZ292LWQuYXp1cmUuYWRub3Z1bS5uZXQxOTA3BgkqhkiG9w0B\nCQEWKmluZm9AbmV2aXNhZG1pbi1kLmFnb3YtZC5henVyZS5hZG5vdnVtLm5ldDAe\nFw0yMzAzMTQwODU3MjJaFw0yODAzMTIwODU3MjJaMIGZMQswCQYDVQQGEwJjaDEQ\nMA4GA1UECgwHYWRub3Z1bTENMAsGA1UECwwEYWdvdjEuMCwGA1UEAwwlbmV2aXNh\nZG1pbi1kLmFnb3YtZC5henVyZS5hZG5vdnVtLm5ldDE5MDcGCSqGSIb3DQEJARYq\naW5mb0BuZXZpc2FkbWluLWQuYWdvdi1kLmF6dXJlLmFkbm92dW0ubmV0MIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxXmkdxlckq2BCEqSqFJ5GF3pe09R\n1fXZgqYw1C9a0/GpMLCZW6SppmNcLaxa6wy8iglfP3ftX7BWJUOoslXZztrVjrCb\nKYLI2THXWG+9+Xbq+X+BfTDyngClMLen0dNjT04n975r08C/LwuBwJHYGBGGT/W7\nUVbp8ZpBTne/tJ4bukwv2RQ3HcjSh7+cHZccDyCLxrhsQxxfrGWObwYO3pQ59EzK\nhDRpvAyP2OWTY2G+rauVZST16RKeyLGTG+yJTE321bka292RWx9NZKXALXEFN6LL\nshAYsVcoyjm//Rq2iZp+CVNClQoin6ME6gWwqqfOm2Ic6M6A+PTEcGZU8wIDAQAB\nMA0GCSqGSIb3DQEBCwUAA4IBAQBtzXVhHBcHEJWjIk1xgYtxWcp7A2cfextycrgi\nW091PagQSDPxvhXEu/53bAsVlRg6mlTEr2qtllzNGn/nF/3j3V99ISJuwu/YWOez\nTKEfascA7jmrNUXBqpp2ArYYuCYjd0bHIcmU4UXYHKW4U3F1JDsfZuHs0tur/xmU\nJ/7BRXOWm3njfwTS6VFyN9iFJxhh+54hE+fls7lsrXX92VHwby3lK6Q8Qki6hQoD\nH2DFEgRdVPwCKtDXWiXNPEZYDhnnNYKtBwulU+3Hp/J3wGaCpWHjJTlCxxm7DcTO\nkkoKfz+mVAF2sIOpguua8dGx23alkCmJ8r8/WWZMut259IZg\n-----END CERTIFICATE-----\n"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -0,0 +1,61 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisComponent"
+metadata:
+  name: "auth"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+spec:
+  type: "NevisAuth"
+  replicas: 1
+  version: "7.2402.1"
+  gitInitVersion: "1.3.0"
+  runAsNonRoot: true
+  ports:
+    management: 9000
+    soap: 8991
+  resources:
+    limits:
+      cpu: "2"
+      memory: "2000Mi"
+    requests:
+      cpu: "20m"
+      memory: "1000Mi"
+  livenessProbe:
+    soap:
+      tcpSocket: true
+      initialDelaySeconds: 40
+      periodSeconds: 20
+      timeoutSeconds: 4
+  readinessProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      initialDelaySeconds: 40
+      periodSeconds: 30
+      timeoutSeconds: 6
+  podDisruptionBudget:
+    maxUnavailable: "50%"
+  git:
+    tag: "r-779d33c24ccffc47e1cd1b39b93d065950aee10e"
+    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
+    credentials: "git-credentials"
+  database:
+    name: "auth"
+    requiredVersion: "7.2402.0"
+  keystores:
+  - "auth-sh4r3d-internal-idp-auth-signer"
+  - "auth-auth-realm-mobile-fido-uaf-tls-client-nevisfido"
+  - "auth-default-identity"
+  truststores:
+  - "auth-default-tls-trust"
+  - "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
+  - "auth-default-default-signer-trust"
+  - "auth-technical-trust-store"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-database-b7b59e97b3fd18bb60178573.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-database-b7b59e97b3fd18bb60178573.yaml
@ -0,0 +1,26 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+  name: "auth"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "b7b59e97b3fd18bb60178573"
+spec:
+  type: "NevisAuth"
+  databaseType: "MariaDB"
+  version: "7.2402.0"
+  url: "mariadb-agov-dev-gp.mariadb.database.azure.com"
+  port: 3306
+  database: "nevisauth"
+  bootstrap: true
+  migrate: true
+  rootCredentials:
+    name: "root-adn-agov-nevisidm-01-dev-idm"
+    namespace: "adn-agov-nevisidm-01-dev-idm"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/nevisauth_default.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/nevisauth_default.yml
@ -0,0 +1,18 @@
+schemaVersion: 1.0
+instance:
+  type: "nevisauth"
+  name: "default"
+  directory: "/var/opt/nevisauth/default"
+  pid: "systemctl show nevisauth@default -p MainPID | cut -d '=' -f2"
+  source:
+    url: "/nevisadmin/#/projects/DEFAULT-ADN-AGOV-PROJECT/patterns/7022472ae407577ae604bbb8"
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "7022472ae407577ae604bbb8"
+    patternClass: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisAuthDeployable"
+  resources:
+    ports:
+    - "0.0.0.0:8991"
+  control:
+    start: "systemctl restart nevisauth@default &"
+    stop: "systemctl stop nevisauth@default"
+    status: "systemctl status nevisauth@default"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/cert.pem
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/cert.pem
@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAmigAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1zZWxmc2ln
+bmVkLWNhMB4XDTIzMDcyMDExMzcyNloXDTI0MDcxOTExMzcyNlowIDEeMBwGA1UE
+AwwVaWRwc2lnbmVyLnVhdC5hZ292LmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+MIIBigKCAYEA28fXdfRLtrzS0F5Hp5zEzPFfpNXKpIrbJaWdqwiuY6VIrzAJW0Wo
+FMuV2IHnU7sO8+B05Z20wq3x5JAbgYlBFnfdub/CYmyykAf0Rxz9irc9qbXBmX0A
+G+JhQLxLcfyqlmFyLsjaxT3nUrytP+604LtzesnC3N7gfGtmSKgclym1s2ZVWkAK
+4VXAZsM5HBnW1feHxSv3UTzvorW7PWkbmy4LU8SDoSraHgB/pBaiJRG8SMTjBHho
+TTdFLPmH/N9dt5N1oJginnY9GvRJD8Qj1lrsTZOtv8ttKhnQkmymly+NCt7+wGIa
+7HQQawqBIvflGG+R1OdQx7Q20/y5EfO4V3zJgq3p+gz9AziGPHEy+2s+i5LME1AI
+D6vLfDN8cnTCdgqZGhAkRMBHtOydJd3dpJ0tgjnrdUpla2PoWp1B/v/Plneb9L5v
+aMNqtuQA852dR14lP7+EeRLe9vJvzm9eBdF0JrDUm1K2Xy66i5gdzOoJngnRpl5J
+nNSweT+A8dn9AgMBAAGjUDBOMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVaWRwc2lnbmVyLnVhdC5hZ292LmNo
+MAoGCCqGSM49BAMCA0kAMEYCIQCarOXKlJ0DVxVPGyj3oPMHWCJB+Xyee+j7k1gu
+OC93CQIhAICIzY/yCbST5V502Bt3vRCZMCmzhzXIGTol2PEoby6H
+-----END CERTIFICATE-----
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/key.pem
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/key.pem
@ -0,0 +1,42 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIHazBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUXJ4RUaby0ltJyJMX
+fUO+2LAlu7cCAggAMB0GCWCGSAFlAwQBKgQQ0YfRZzwcjphTKuPQxktTuASCBxCG
+b55W3IEKc/Yqf+zIRHBgvCY+w+l7vSMQqtDYOtiUBdxZWewy+IoV4Pw0X/ORT6k
+Jk8RXTG7hXb4GtuRmgVJeyxsf+8vhrtVpyelLLYkTalAjjvtT2YAukltALLpFMQm
+Zm42rW0HrVRtn6k7osbe5zL4whyhikohXamPJpTTrImP8fMzYyxfiHx2Y7Tnc66N
+SMxBaQ3m2HClE6+6rkcPv/oC9V74GGYpCk0EcH7gsRLQFj3IlJTVxQoCP44ldzhq
+fyWYe1DneH6IJLXID3Igca26ZXU9rTcfqAsBmVACq0GKdgXAFSUAhF6onqXjzpGQ
+/m7Vl3JbNPvrcgxzKBJsj9Z/Hv4qKz2yVpe3OMchTdxpI5k383y1F4rw8i4GSWIL
+A+t5M26WJw2uHx/k2RL1jyeXH2gR3IA72AffDU+f3jqd9pOqxXKSIhGq/KOK5Vk
+SiJ4IesVz26bfwjXEKcQk5qIpDBGjfSkYgMXxlQwOwTIoRn+1FM7Txox6tsVj4/v
+RnaorVayq5W1fk3t5EfNLprSFDO9T6OxFKvfzKMghdrKFNa5a3oqr3RDZSCE0tca
+m9jQ9bp1ooD8/EUWsBxG4eJxe9B+yG3QAkudOoklJYTE9ysHBl2cPOIOksqrD76G
+agezGRazfqFVCmOtlye7bzQXv/AgDa/ve5E1f9jjueop2OwbvoEzCsrSYCWh3uiM
+C2IkvtSI6gW+9C8H1ofElKtDlRft/lMuviLCb3u7xsu2r7v/va2aYy4Lh6B5xARt
+G7A4ZX0cxoI2N/T2FgHwJ8p7lTXJ8KuTGv0jrno9MBdKqo+HBtRTbFoi63qZ7EtL
+MJS63MK4kSXcwyJ4+pnH0bI1wXf5qK7TVoWG6ZAWw385xaohXZZ6JK/z1WNbpfCU
+hlvjjdLxmNE5R/kmiKjp6zPhfR6+z73QXX9s3ZZv9fAV1mZcLwcucNnMRdJcYSVU
+bNwAqnxhIoIZZB5H0c+jLfpaGyzVeAUzI3ljCekUlvutXFNSur6TI2ZmViiwIhuw
+82A084eZ9qOBA+z64Xo9VJqWgdj99b45JNExcsmvbXG1REB8QAKzzGzadtwnc6VV
+iWuK9SPbIqOp2Sa6FEa/VxbgDOUiv20G5irs5Kp0iU+yRKerG/ejvBAn4o3M94wv
+hDwSmn80uu5NJtHuta+9u2jM6yyNl4ghXLxTl9gfbnpzI4wuX+4xhhdNm6HCNqcG
+IzPUFS207YKR0QTaHB5x3ItVpp6Rjpb5lOtEpmff7qO/69ljtNLRe+VEdqLrQoK7
+9IsIaXqBp719nyG3z90KwBigRGl1ljDF3plT1slERdfMsdVdT8duwHc8mevR/H+t
+VG0DkUmGAamyr2plyZiDtzfly/qhG9de4WCRLckVJvMkzwrpmtN+DIB26a1mQwrA
+OuKaCBrQj/1G7EnHuNDWOFOtbHUqitQ9OukNCTi5/7JMp6FY2bIyE58Hoj88m4Hy
+wMMzkFYkh5NJ82ysUdewX99vTJjgD0qKFoDBqB1REEOWi8J14vdGmejhq0A5rq0q
+2tBAyVSbK8gFfY7pQCGpHSerlR8YGpS01KBDct+MlkIout6SrvWxUhwnx9Lmi09f
+Kk/170DJXXhWlkTu8mylAF7A9vEzsST3GZgnaWkXIeFDKiXUD1w+io1K2ziZbiZZ
+Im3dSe6dxsWZkYF+wjpnTjS7op3Q6gOJ3mkkGpBWOtOzGiFNIP/7epSr3eVInHdo
+F4HgET5h2VknsXMKdzU0YDcXsDdWwwwyHqKIM9b37mqA6c3bMwTB1+ykrznudnAP
+8jpqPz6mUqvwzqPoi3e2bNxPwnYgguFrUIqYgiydfZQ3AZsQGTVTq6Jjp/+7K9xv
+yCuwjpuEtz5ZNchcwrJoj8Yet9saYSGBaUu10Ks0/PGIHKbznVQJHCBofAmE6WQb
+cIveRYphfVjbIa+VxpLJRaMj5ymZSViBtHx6Gwjsnq2NR5H1qBt79qXWzRk7ulJy
+cpVasv7Gi3W8SIEbcDvlWUgc8jJOXPmhQ63BS4+eyYNgrSxFY4XYhUZ2Cwi8wXvm
+w1MUisDiIIdTapE/rux+bjB5MnEJC/IICvk8NAH5PuSODm/DE34MdlxA/nUP7Cm4
+ssLvI9IK2hzhASqt71gxoOJUnEptPzabMOYm5hIOksfz+0vjO0grgrVXV4UgTmpz
+T3gvIRwg13vkvKxEfpvGJG5aEkCsZS15/MTsF9FPYiYPYeKOOdIGNzYoRbmqGjIg
+5KyeELDKiulsilGFeRnxM97xpVI3DtezQHTr/N37wsJBeCZyOxGa6j/1rf4ZvgGi
+lkHVmCZYqHYlow6qOS8/lIKpHdhBaEmr6ciZ8fiIA4GeYU0GwzdAd8YuNYqF0dxF
+zWupzSNScKSE1nmu0NIdbanhs78Z2q9vqm/B5ueFCQ==
+-----END ENCRYPTED PRIVATE KEY-----
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keypass
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keypass
@ -0,0 +1,2 @@
+#!/bin/bash
+echo '04d50XMDMUm03PYViVRR5E9iteWM7+7O+AHTAhvL8A='
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.jks
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.jks
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.p12
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.p12
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.pem
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.pem
@ -0,0 +1,60 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIHazBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUXJ4RUaby0ltJyJMX
+fUO+2LAlu7cCAggAMB0GCWCGSAFlAwQBKgQQ0YfRZzwcjphTKuPQxktTuASCBxCG
+b55W3IEKc/Yqf+zIRHBgvCY+w+l7vSMQqtDYOtiUBdxZWewy+IoV4Pw0X/ORT6k
+Jk8RXTG7hXb4GtuRmgVJeyxsf+8vhrtVpyelLLYkTalAjjvtT2YAukltALLpFMQm
+Zm42rW0HrVRtn6k7osbe5zL4whyhikohXamPJpTTrImP8fMzYyxfiHx2Y7Tnc66N
+SMxBaQ3m2HClE6+6rkcPv/oC9V74GGYpCk0EcH7gsRLQFj3IlJTVxQoCP44ldzhq
+fyWYe1DneH6IJLXID3Igca26ZXU9rTcfqAsBmVACq0GKdgXAFSUAhF6onqXjzpGQ
+/m7Vl3JbNPvrcgxzKBJsj9Z/Hv4qKz2yVpe3OMchTdxpI5k383y1F4rw8i4GSWIL
+A+t5M26WJw2uHx/k2RL1jyeXH2gR3IA72AffDU+f3jqd9pOqxXKSIhGq/KOK5Vk
+SiJ4IesVz26bfwjXEKcQk5qIpDBGjfSkYgMXxlQwOwTIoRn+1FM7Txox6tsVj4/v
+RnaorVayq5W1fk3t5EfNLprSFDO9T6OxFKvfzKMghdrKFNa5a3oqr3RDZSCE0tca
+m9jQ9bp1ooD8/EUWsBxG4eJxe9B+yG3QAkudOoklJYTE9ysHBl2cPOIOksqrD76G
+agezGRazfqFVCmOtlye7bzQXv/AgDa/ve5E1f9jjueop2OwbvoEzCsrSYCWh3uiM
+C2IkvtSI6gW+9C8H1ofElKtDlRft/lMuviLCb3u7xsu2r7v/va2aYy4Lh6B5xARt
+G7A4ZX0cxoI2N/T2FgHwJ8p7lTXJ8KuTGv0jrno9MBdKqo+HBtRTbFoi63qZ7EtL
+MJS63MK4kSXcwyJ4+pnH0bI1wXf5qK7TVoWG6ZAWw385xaohXZZ6JK/z1WNbpfCU
+hlvjjdLxmNE5R/kmiKjp6zPhfR6+z73QXX9s3ZZv9fAV1mZcLwcucNnMRdJcYSVU
+bNwAqnxhIoIZZB5H0c+jLfpaGyzVeAUzI3ljCekUlvutXFNSur6TI2ZmViiwIhuw
+82A084eZ9qOBA+z64Xo9VJqWgdj99b45JNExcsmvbXG1REB8QAKzzGzadtwnc6VV
+iWuK9SPbIqOp2Sa6FEa/VxbgDOUiv20G5irs5Kp0iU+yRKerG/ejvBAn4o3M94wv
+hDwSmn80uu5NJtHuta+9u2jM6yyNl4ghXLxTl9gfbnpzI4wuX+4xhhdNm6HCNqcG
+IzPUFS207YKR0QTaHB5x3ItVpp6Rjpb5lOtEpmff7qO/69ljtNLRe+VEdqLrQoK7
+9IsIaXqBp719nyG3z90KwBigRGl1ljDF3plT1slERdfMsdVdT8duwHc8mevR/H+t
+VG0DkUmGAamyr2plyZiDtzfly/qhG9de4WCRLckVJvMkzwrpmtN+DIB26a1mQwrA
+OuKaCBrQj/1G7EnHuNDWOFOtbHUqitQ9OukNCTi5/7JMp6FY2bIyE58Hoj88m4Hy
+wMMzkFYkh5NJ82ysUdewX99vTJjgD0qKFoDBqB1REEOWi8J14vdGmejhq0A5rq0q
+2tBAyVSbK8gFfY7pQCGpHSerlR8YGpS01KBDct+MlkIout6SrvWxUhwnx9Lmi09f
+Kk/170DJXXhWlkTu8mylAF7A9vEzsST3GZgnaWkXIeFDKiXUD1w+io1K2ziZbiZZ
+Im3dSe6dxsWZkYF+wjpnTjS7op3Q6gOJ3mkkGpBWOtOzGiFNIP/7epSr3eVInHdo
+F4HgET5h2VknsXMKdzU0YDcXsDdWwwwyHqKIM9b37mqA6c3bMwTB1+ykrznudnAP
+8jpqPz6mUqvwzqPoi3e2bNxPwnYgguFrUIqYgiydfZQ3AZsQGTVTq6Jjp/+7K9xv
+yCuwjpuEtz5ZNchcwrJoj8Yet9saYSGBaUu10Ks0/PGIHKbznVQJHCBofAmE6WQb
+cIveRYphfVjbIa+VxpLJRaMj5ymZSViBtHx6Gwjsnq2NR5H1qBt79qXWzRk7ulJy
+cpVasv7Gi3W8SIEbcDvlWUgc8jJOXPmhQ63BS4+eyYNgrSxFY4XYhUZ2Cwi8wXvm
+w1MUisDiIIdTapE/rux+bjB5MnEJC/IICvk8NAH5PuSODm/DE34MdlxA/nUP7Cm4
+ssLvI9IK2hzhASqt71gxoOJUnEptPzabMOYm5hIOksfz+0vjO0grgrVXV4UgTmpz
+T3gvIRwg13vkvKxEfpvGJG5aEkCsZS15/MTsF9FPYiYPYeKOOdIGNzYoRbmqGjIg
+5KyeELDKiulsilGFeRnxM97xpVI3DtezQHTr/N37wsJBeCZyOxGa6j/1rf4ZvgGi
+lkHVmCZYqHYlow6qOS8/lIKpHdhBaEmr6ciZ8fiIA4GeYU0GwzdAd8YuNYqF0dxF
+zWupzSNScKSE1nmu0NIdbanhs78Z2q9vqm/B5ueFCQ==
+-----END ENCRYPTED PRIVATE KEY-----
+
+-----BEGIN CERTIFICATE-----
+MIICwzCCAmigAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1zZWxmc2ln
+bmVkLWNhMB4XDTIzMDcyMDExMzcyNloXDTI0MDcxOTExMzcyNlowIDEeMBwGA1UE
+AwwVaWRwc2lnbmVyLnVhdC5hZ292LmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+MIIBigKCAYEA28fXdfRLtrzS0F5Hp5zEzPFfpNXKpIrbJaWdqwiuY6VIrzAJW0Wo
+FMuV2IHnU7sO8+B05Z20wq3x5JAbgYlBFnfdub/CYmyykAf0Rxz9irc9qbXBmX0A
+G+JhQLxLcfyqlmFyLsjaxT3nUrytP+604LtzesnC3N7gfGtmSKgclym1s2ZVWkAK
+4VXAZsM5HBnW1feHxSv3UTzvorW7PWkbmy4LU8SDoSraHgB/pBaiJRG8SMTjBHho
+TTdFLPmH/N9dt5N1oJginnY9GvRJD8Qj1lrsTZOtv8ttKhnQkmymly+NCt7+wGIa
+7HQQawqBIvflGG+R1OdQx7Q20/y5EfO4V3zJgq3p+gz9AziGPHEy+2s+i5LME1AI
+D6vLfDN8cnTCdgqZGhAkRMBHtOydJd3dpJ0tgjnrdUpla2PoWp1B/v/Plneb9L5v
+aMNqtuQA852dR14lP7+EeRLe9vJvzm9eBdF0JrDUm1K2Xy66i5gdzOoJngnRpl5J
+nNSweT+A8dn9AgMBAAGjUDBOMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVaWRwc2lnbmVyLnVhdC5hZ292LmNo
+MAoGCCqGSM49BAMCA0kAMEYCIQCarOXKlJ0DVxVPGyj3oPMHWCJB+Xyee+j7k1gu
+OC93CQIhAICIzY/yCbST5V502Bt3vRCZMCmzhzXIGTol2PEoby6H
+-----END CERTIFICATE-----
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/keypass
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/keypass
@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/truststore.jks
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/truststore.jks
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/truststore.p12
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/truststore.p12
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/truststore.pem
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/env-ca/truststore.pem
@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcTCCARagAwIBAgIQWRl1eifIt8yohQYzh6yr/jAKBggqhkjOPQQDAjAYMRYw
+FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDYyODE0MzI0MFoXDTQzMDYyODE0
+MzI0MFowGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABEwcjsIhSyyh0i9zP1G7ReOkFt/djzlGoUtSd5v3ZEk5QoZYjfl9
+04HdaZzrmveB2aRppbXgW7//s2Ma8wTd5uejQjBAMA4GA1UdDwEB/wQEAwICpDAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT7YRoWIjHwkvFicwvk0Tx/yA4uUTAK
+BggqhkjOPQQDAgNJADBGAiEAgyg9t0qgb+czuscs07pNGI+12BedrD+y71psIlqx
+t2UCIQC/85UXyjYI9zg7Mg7rROTbGNCU3Jq/KIC3VzbbD+68VA==
+-----END CERTIFICATE-----
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/keypass
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/keypass
@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/truststore.jks
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/truststore.jks
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/truststore.p12
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/truststore.p12
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/truststore.pem
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb/truststore.pem
@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwjCCAmigAwIBAgIBAjAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1zZWxmc2ln
+bmVkLWNhMB4XDTIzMDcyMDExMzkzN1oXDTI0MDcxOTExMzkzN1owIDEeMBwGA1UE
+AwwVYXRic2lnbmVyLnVhdC5hZ292LmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+MIIBigKCAYEAs8SITgXvwEBI+rmuBr6EkG5qeE9ctRBRLNP693MTpjkCi4rcqfzO
+//EU4ogDrtLwl99w6mazKuK+73DCfaVTWBdLIN3sqWiX/uU+2pPS3ldymsJcDRhi
+ERJAYUZKyw4JlQMAnZrt7DRdEXJH4VshOHRD6Q1TFQEsGVRIW2HakLatz8mxwNbD
+xKdBqQS88x5WJgkI0cMdfOVKf59fH+xa32NSE1c0MYwj98doSNrLIh8n47qk4R2p
+4bUyaGIx1ylXRjRMlx7b0ew/VfkSg8WtnR2DHj5sJ31uqrAXiMFY0slCiX0+Fu3O
+uiul/FH1v2xgT2rH0JhhLt+dCCCqfLLjwuLMSneco6AvcihDaN+AujWSn/aoTWPD
+BsB1ACKqkcaBBHt3giyEWb5T5J0QA5VfJEKYwBosvdFfUoPOgXTOQVGRnLMKfXSy
+AHUzKiR8Z1x3VwmHT8HJME6BaR8MZP58nFV8k/NpYw7gryNod9n8ZrsK84aLEzmV
+iYnPn1/V4fl9AgMBAAGjUDBOMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVYXRic2lnbmVyLnVhdC5hZ292LmNo
+MAoGCCqGSM49BAMCA0gAMEUCIQDIYEk1HuQxV83m1FQRfUuUgtOkX1gLDNlNEkCb
+UfWMMAIgd6HpbvTeur7LYGtqztc7FMADJHDNgYyBAOng+xkxHQw=
+-----END CERTIFICATE-----
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict.properties
@ -0,0 +1,268 @@
+
+accept.button.label=Accept
+button.submit=Submit
+cancel.button.label=Cancel
+continue.button.label=Continue
+darkModeSwitch.aria.label=Dark mode toggle
+deputy.profile.label=(Deputy Profile)
+error.policy.failed=The new password does not comply with the policy.
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+error_9901=You need a valid on-boarding link to access this page.
+error_9902=The email used for authentication doesn't match the expected one in operations. Please ask for a new on-boarding link.
+error_9903=The used IdP didn't send us a valid assertion. Please make sure, you use the correct IdP. Ask the support for a new on-boarding link.
+error_9904=Your link is not valid anymore. Please make sure, that you are using the latest Link received from operations. Ask for a new link, if the problem persists.
+error_9905=There is a problem with your operations account. Please contact the support.
+error_9909=An internal error occured. Please ask the support for a new on-boarding link.
+errors.duplicateValue=Your account is already linked with another operations access.
+fido2_auth.cancel.fido=The security key authentication was interrupted. Please ensure your FIDO key is registered and your email is correct, then follow the steps below.
+fido2_auth.instruction1=Click on "Continue"
+fido2_auth.instruction2=An authentication window will appear
+fido2_auth.instruction3=Follow the instructions
+fido2_auth.skipInstructions=Skip instructions next time
+fido2_auth.switchLogin=SWITCH TO LOGIN WITH
+footer.link=https://agov.ch/?c=contact&l=en
+footer.link.label=Contact
+footer.text=Authentication service of Swiss authorities AGOV - a collaboration between cantons, their municipalities, and the federal administration. -
+general.AGOVAccessApp=AGOV access app
+general.accessApp=AGOV access app
+general.authenticate=Authenticate
+general.back=Back
+general.cancel=Cancel
+general.confirm=Confirm
+general.contactSupport=Contact Support
+general.continue=Continue
+general.edit=Edit
+general.email=Email
+general.email.address=Email address
+general.entryCode=Code entry
+general.getStarted=Get started
+general.goAGOVHelp=Go to AGOV help
+general.goAccessApp=Login with AGOV access
+general.help=Help
+general.help.link=https://agov.ch/pages/help_en.html
+general.login=Login
+general.loginSecurityKey=Start Security key login
+general.or=OR
+general.otherOptions=OTHER OPTIONS
+general.recovery=Recovery
+general.recoveryOngoing=Ongoing recovery
+general.register=Register
+general.registerNow=Register now!
+general.registration=Registration
+general.securityKey=Security key
+general.skip.content=Skip to main content
+generic.auth.error.message=There was a service interruption. We are working on it.
+generic.auth.error.next.steps=Please try again later. Please consult AGOV help if the problem persists.
+generic.auth.error.subtitle=Something went wrong
+generic.auth.error.title=Error
+info.login=Please enter your authentication information.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+language.de=Deutsch
+language.en=English
+language.fr=Fran&ccedil;ais
+language.it=Italiano
+languageDropdown.aria.label=Select language
+loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
+loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
+loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.helper=Your data needs to be verified!
+loainfo.later=Later
+loainfo.startNow=Do you want to start the process now?
+loainfo.startVerification=Start verification
+loainfo.title=Verify your data
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+mauth_usernameless.EID=Continue with CH E-ID
+mauth_usernameless.banner.error=Authentication interrupted.<br>Please try again when the page reloads.
+mauth_usernameless.banner.info=Scan successful.<br>Please continue in the AGOV access app.
+mauth_usernameless.banner.success=Authentication successful!<br>Please wait to be logged in.
+mauth_usernameless.cannotLogin=Lost access to your app / security key?
+mauth_usernameless.hideQR=Hide QR code
+mauth_usernameless.instructions=Log in by scanning the QR code with your AGOV access app
+mauth_usernameless.noAccount=Don't have an AGOV-Login yet?
+mauth_usernameless.showQR=Show QR code
+mauth_usernameless.startRecovery=Start account recovery
+mauth_usernameless.useSecurityKey=Use a security key to log in
+mauth_usernameless.useSecurityKeyInfo=A physical security key offers a secure way to login without having to use a phone.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+op-admin.login=AGOV op admin
+op-admin.login.intro.message=Login with your username and password
+op-admin.login.loginid=LoginId
+op-admin.login.password=Passwort
+op-admin.login.title=Login
+op-admin.logout=AGOV op admin
+op-admin.logout.message=You have successfully logged out.
+op-admin.logout.title=Logout
+op-admin.pwchange.intro.message=Password change required
+op-admin.pwchange.newpassword=New password
+op-admin.pwchange.newpassword2=Repeat new password
+op-admin.pwchange.password=Current password
+op-admin.pwchange.title=Password Change
+op-idmlogin.role.accs-mgmt-idm=IDM accessrights management
+op-idmlogin.role.accs-mgmt-nonidm=Accessrights management
+op-idmlogin.role.idmcfg-mgmt=IDM set-up
+op-idmlogin.role.readonly-access=Default access (readonly)
+op-idmlogin.role.support-basic=Support cases (recovery, ...)
+op-idmlogin.role.support-priv=3rd level support (archiving, off-boarding)
+op-idmlogin.role.usr-mgmt=User management (operations)
+op-idmlogin.role.usr-unit-mgmt=User and organization management (operations)
+op-idmlogin.select=AGOV idm
+op-idmlogin.select.intro=Please select one of the profiles below...
+op-idmlogin.select.note=Profiles marked with a * should only be used if required for a specific support or release tasks.
+op-idmlogin.select.title=Profile selection
+op-onboarding.done.message=On-boarding was successfull. You can now use your AGOV operations access. Please close the browser, before accessing on of the operations application.
+op-onboarding.done.title=DONE
+op-onboarding.failed.title=ERROR
+op-onboarding.intro.message1=To complete your on-boarding for your AGOV operations access, you need either an AGOV or a FED-LOGIN account.
+op-onboarding.intro.message2=After clicking on "Continue", you will be redirected for authentication.
+op-onboarding.intro.message3=If you are using AGOV, and your account doesn't meet yet the required AGOVaq level, you will be given the possibility to start the required ID verification.
+op-onboarding.intro.title=START
+op-onboarding.onboarding=AGOV op on-boarding
+op-onboarding.process.message=During the processing something went wrong. Please contact AGOV support if necessary and ask also for a new on-boarding link.
+outarg.lastLogin.never=Never
+policyFailure.dictionary=&#9642; must not be taken from a dictionary.
+policyFailure.history.History=&#9642; must be different from previously selected passwords.
+policyFailure.regex.control=&#9642; cannot contain more than {0} control characters.
+policyFailure.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=&#9642; must be at most {0} characters long.
+policyFailure.regex.minLength=&#9642; must be at least {0} characters long.
+policyFailure.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyFailure.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.dictionary=&#9642; must not be taken from a dictionary.
+policyInfo.history.History=&#9642; must be different from previously selected passwords.
+policyInfo.regex.control=&#9642; cannot contain more than {0} control characters.
+policyInfo.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=&#9642; must be at most {0} characters long.
+policyInfo.regex.minLength=&#9642; must be at least {0} characters long.
+policyInfo.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyInfo.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+prompt.client=Client
+prompt.newpassword=New Password
+prompt.newpassword.confirm=Confirm Password
+prompt.password=Password
+prompt.userid=User-ID
+pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
+pwreset.email.sent=If your user ID exists, an email to reset your password has been sent to you.
+pwreset.info.linktext=Password forgotten
+pwreset.noticket=Your password reset link is no longer valid. Please generate a new one.
+recovery_accessapp_auth.accessAppRegistered=AGOV access app already registered
+recovery_accessapp_auth.instruction1=You have already registered a new AGOV access app !!!ACCESS_APP_NAME!!! as part of the recovery process.
+recovery_accessapp_auth.instruction2=Please use !!!ACCESS_APP_NAME!!! to identify you.
+recovery_check_code.codeIncorrect=Code entered is incorrect. Please try again.
+recovery_check_code.enterRecoveryCode=Enter recovery code
+recovery_check_code.instruction=Please enter below your personal 12-digit recovery code. You will have received the recovery code as a PDF file during registration or in AGOV me.
+recovery_check_code.invalid.code=The code is invalid
+recovery_check_code.invalid.code.required=Code required
+recovery_check_code.invalid.code.tooLong=The code is too long
+recovery_check_code.noAccess=I do not have access to my code
+recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
+recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_noCode.banner.error=Too many attempts or your recovery code has expired.
+recovery_check_noCode.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_noCode.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_code.banner.error=Please reveal your new code to be able to continue.
+recovery_code.instruction=Recovery codes help you gain access to your account in case you lost all of your login factors. Please store the recovery code in a safe place.
+recovery_code.newRecoveryCode=Introducing Recovery Code
+recovery_code.validUntil=Valid until:
+recovery_fidokey_auth.button=Start key authentication
+recovery_fidokey_auth.fidoInstruction=Click on "Start key authentication"
+recovery_fidokey_auth.instruction1=You have already registered a new security key !!!SECURITY_KEY_NAME!!! as part of the recovery process.
+recovery_fidokey_auth.instruction2=Please use !!!SECURITY_KEY_NAME!!! to follow the steps below to identify you.
+recovery_fidokey_auth.keyRegistered=Security key already registered
+recovery_intro_email.banner.error=The link you used has expired. Please enter your email address to receive a new link.
+recovery_intro_email.banner.info=Please enter your email address, so we can send you a link to start the recovery process.
+recovery_intro_email.captchaUnchecked=Please tick the captcha field
+recovery_intro_email.important=Important:
+recovery_intro_email.process=The recovery process should only be used if you have lost access to your login factors (deleted AGOV access app, lost security key, lost phone, etc.).
+recovery_intro_email.siteProtectedWithRecaptcha=This site is protected by reCAPTCHA and the <a class='link' href='https://policies.google.com/privacy' target='_blank'>Google Privacy Policy</a> and <a class='link' href='https://policies.google.com/terms' target='_blank'>Terms of Service</a> apply.
+recovery_intro_email_sent.banner.button=Didn't receive the email?
+recovery_intro_email_sent.banner.success=Thank you! You will receive an email with a recovery link and instructions shortly.
+recovery_on_going.finishRecovery=Finish recovery
+recovery_on_going.instruction=You have an ongoing recovery process. Part of the recovery process can include an identity verification. To access applications with your AGOV-Login you need to finish the identity verification as well.
+recovery_on_going.title=Please finish your recovery process.
+recovery_questionnaire_instructions.banner.info=Please note that in certain cases you need access to your recovery code for a successful recovery.
+recovery_questionnaire_instructions.explanation=Based on your answers an AGOV-Login recovery seems to be necessary. Please click on continue and follow the instructions on the screen.
+recovery_questionnaire_instructions.instruction1=Provide your account email address so we can send you a link to begin the recovery process
+recovery_questionnaire_instructions.instruction2=Follow steps to recover your account (steps will vary depending on your account verification level)
+recovery_questionnaire_loginfactor.banner.error=Please select an answer.
+recovery_questionnaire_loginfactor.no=No
+recovery_questionnaire_loginfactor.question=Have you registered more than one login factor (AGOV access app or security key) to your account?
+recovery_questionnaire_loginfactor.yes=Yes
+recovery_questionnaire_no_recovery.explanation1=Based on your answers, the AGOV recovery option does not seem necessary right now.
+recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> for support articles.
+recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> and test if you can log in successfully.
+recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> to remove the one you have lost access to.
+recovery_questionnaire_reason_selection.answer1=I have trouble logging in, even though I have my app / security key
+recovery_questionnaire_reason_selection.answer10=I lost one of my login factors (AGOV access app or security key)
+recovery_questionnaire_reason_selection.answer2=I was unable to finish my registration
+recovery_questionnaire_reason_selection.answer3=I have deleted or reset my AGOV access app
+recovery_questionnaire_reason_selection.answer4=I have lost my phone / security key
+recovery_questionnaire_reason_selection.answer5=I have a new phone and forgot to transfer my AGOV access app
+recovery_questionnaire_reason_selection.answer6=I forgot my PIN for the AGOV access app
+recovery_questionnaire_reason_selection.answer7=I have my security keys or apps but had trouble logging in
+recovery_questionnaire_reason_selection.answer8=I lost access to all my security keys and AGOV access apps
+recovery_questionnaire_reason_selection.answer9=I have issues with one of my login factors (deleted, reset, forgotten PIN)
+recovery_questionnaire_reason_selection.banner.error=Please select a reason.
+recovery_questionnaire_reason_selection.instruction=Please select the reason you are starting the recovery process:
+recovery_start_info.banner.warning=You will not be able to use your account until the recovery process has been concluded.
+recovery_start_info.instruction=During the recovery process you will register a new login factor. If  your account contains any verified information you might also have to go through a verification process to finish the recovery.
+recovery_start_info.title=You are about to start the recovery process
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.login=Login
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.pwchange.label=Password Change
+title.pwreset=Password Forgotten
+title.saml.failed=Error
+title.timeout.page=Logout
+user_input.invalid.email=Please enter a valid email address
+user_input.invalid.email.required=Field required
+user_input.invalid.email.tooLong=Input is too long
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_de.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_de.properties
@ -0,0 +1,268 @@
+
+accept.button.label=Akzeptieren
+button.submit=Senden
+cancel.button.label=Abbrechen
+continue.button.label=Weiter
+darkModeSwitch.aria.label=Dark-Mode-Schalter
+deputy.profile.label=(Profil Stellvertreter)
+error.policy.failed=Das neue Passwort stimmt nicht mit der Richtlinie &uuml;berein.
+error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
+error_1=Bitte &uuml;berpr&uuml;fen Sie Ihre Eingaben.
+error_10=Bitte w&auml;hlen Sie das richtige Benutzerkonto aus.
+error_100=Zertifikat-Upload nicht m&ouml;glich. Das Zertifikat existiert bereits. Wenden Sie sich an Ihr Helpdesk.
+error_101=Die eingegebene E-Mail-Adresse ist ung&uuml;ltig.
+error_11=Bitte verwenden Sie ein anderes Zertifikat oder melden Sie sich mit einer anderen Art von Credential an.
+error_2=Bitte w&auml;hlen Sie einen anderen Login-Namen.
+error_3=Wenn die n&auml;chste Authentifizierung fehlschl&auml;gt, wird Ihr Konto gesperrt.
+error_4=Ihr neues Passwort verst&ouml;sst gegen die Sicherheitsrichtlinien. Bitte w&auml;hlen Sie ein anderes Passwort.
+error_5=Fehler bei der Passwortbest&auml;tigung.
+error_50=Das neue Passwort ist zu kurz.
+error_55=Das neue Passwort muss sich von alten Passw&ouml;rtern unterscheiden.
+error_6=Passwort&auml;nderung erforderlich.
+error_7=&Auml;nderung der Login-ID erforderlich.
+error_8=Ihr Konto wurde aufgrund wiederholter fehlgeschlagener Authentifizierungsversuche gesperrt.
+error_81=Keine Zugangskarte gefunden, Zugang &uuml;ber das Internet verweigert.
+error_83=Ihre Zugangskarte ist nicht mehr g&uuml;ltig. Bitte wenden Sie sich an Ihre Beratungsperson, um eine neue Zugangskarte zu erhalten.
+error_9=&Uuml;bernahme der Sitzung fehlgeschlagen.
+error_97=Sie sind nicht berechtigt, auf diese Ressource zuzugreifen.
+error_98=Ihr Konto wurde gesperrt.
+error_99=Systemprobleme: Bitte versuchen Sie es sp&auml;ter noch einmal.
+error_9901=Sie ben&ouml;tigen einen g&uuml;ltigen Onboarding-Link, um auf diese Seite zuzugreifen.
+error_9902=Die f&uuml;r die Authentifizierung verwendete E-Mail-Adresse stimmt nicht mit der erwarteten E-Mail-Adresse in Operations &uuml;berein. Bitte fordern Sie einen neuen Onboarding-Link an.
+error_9903=Der verwendete IdP hat uns keine g&uuml;ltige Assertion gesendet. Bitte stellen Sie sicher, dass Sie den richtigen IdP verwenden. Fordern Sie beim Support einen neuen Onboarding-Link an.
+error_9904=Ihr Link ist nicht mehr g&uuml;ltig. Bitte stellen Sie sicher, dass Sie den neuesten Link verwenden, den Sie von Operations erhalten haben. Fordern Sie einen neuen Link an, falls das Problem weiterhin besteht.
+error_9905=Es gibt ein Problem mit Ihrem Operations-Konto. Kontaktieren Sie bitte den Support.
+error_9909=Es ist ein interner Fehler aufgetreten. Bitten Sie den Support um einen neuen Onboarding-Link.
+errors.duplicateValue=Ihr Konto ist bereits mit einem anderen Operations-Zugang verkn&uuml;pft.
+fido2_auth.cancel.fido=Die Authentifizierung mit dem Sicherheitsschl&uuml;ssel wurde unterbrochen. Bitte vergewissern Sie sich, dass Ihr FIDO-Schl&uuml;ssel registriert ist und Ihre E-Mail korrekt ist.
+fido2_auth.instruction1=Klicken Sie auf "Weiter"
+fido2_auth.instruction2=Ein Authentifizierungsfenster wird erscheinen
+fido2_auth.instruction3=Folgen Sie den Anweisungen
+fido2_auth.skipInstructions=Anweisungen n&auml;chstes Mal &uuml;berspringen
+fido2_auth.switchLogin=WECHSEL ZU LOGIN MIT
+footer.link=https://agov.ch/?c=contact&l=de
+footer.link.label=Kontakt
+footer.text=Authentifizierungsdienst der Schweizer Beh&ouml;rden AGOV &ndash; eine Zusammenarbeit zwischen den Kantonen, deren Gemeinden und der Bundesverwaltung. -
+general.AGOVAccessApp=AGOV access App
+general.accessApp=AGOV access App
+general.authenticate=Authentifizieren
+general.back=Zur&uuml;ck
+general.cancel=Abbrechen
+general.confirm=Best&auml;tigen
+general.contactSupport=Support kontaktieren
+general.continue=Weiter
+general.edit=&Auml;ndern
+general.email=E-Mail
+general.email.address=E-Mailadresse
+general.entryCode=Code-Eingabe
+general.getStarted=Get started
+general.goAGOVHelp=Weiter zur AGOV help
+general.goAccessApp=Login mit AGOV access
+general.help=Hilfe
+general.help.link=https://agov.ch/pages/help_de.html
+general.login=Login
+general.loginSecurityKey=Sicherheitsschl&uuml;ssel-Login starten
+general.or=ODER
+general.otherOptions=WEITERE OPTIONEN
+general.recovery=Wiederherstellung
+general.recoveryOngoing=Wiederherstellung nicht abgeschlossen
+general.register=Registrieren
+general.registerNow=Jetzt registrieren!
+general.registration=Registrierung
+general.securityKey=Sicherheitsschl&uuml;ssel
+general.skip.content=Direkt zum Hauptteil
+generic.auth.error.message=Es gab eine Service-Unterbrechung. Wir arbeiten daran.
+generic.auth.error.next.steps=Versuchen Sie es bitte sp&auml;ter noch einmal. Bitte besuchen Sie die AGOV-Hilfe, wenn das Problem weiterhin besteht.
+generic.auth.error.subtitle=Etwas ist schiefgegangen
+generic.auth.error.title=Fehler
+info.login=Bitte geben Sie Ihre pers&ouml;nlichen Zugangsdaten ein.
+info.logout.confirmation=Bitte best&auml;tigen Sie, dass Sie sich abmelden m&ouml;chten.
+info.logout.reminder=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+info.oauth.consent=Wollen Sie der Anwendung den Zugriff erlauben?
+info.timeout.page=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+language.de=Deutsch
+language.en=English
+language.fr=Fran&ccedil;ais
+language.it=Italiano
+languageDropdown.aria.label=Sprache w&auml;hlen
+loainfo.description.200=Um auf diese Applikation zuzugreifen, m&uuml;ssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
+loainfo.description.300=Um auf diese Applikation zuzugreifen, m&uuml;ssen wir Ihre Angaben durch einen von zwei Vorg&auml;ngen verifizieren. Sie k&ouml;nnen die bevorzugte Methode im n&auml;chsten Schritt ausw&auml;hlen.
+loainfo.description.400=F&uuml;r den Zugang zu dieser Anwendung m&uuml;ssen Sie Ihre AHV-Nummer angeben.
+loainfo.helper=Ihre pers&ouml;nlichen Daten m&uuml;ssen &uuml;berpr&uuml;ft werden!
+loainfo.later=Sp&auml;ter
+loainfo.startNow=M&ouml;chten Sie den Prozess jetzt starten?
+loainfo.startVerification=Verifikation starten
+loainfo.title=Verifizieren Sie Ihre Daten
+login.button.label=Login
+logout.label=Logout
+logout.text=Sie haben sich erfolgreich abgemeldet.
+mauth_usernameless.EID=Mit Schweizer E-ID fortfahren
+mauth_usernameless.banner.error=Authentifizierung unterbrochen.<br>Bitte versuchen Sie es erneut, nachdem die Seite neu geladen wurde.
+mauth_usernameless.banner.info=Scan erfolgreich.<br>Bitte fahren Sie in der AGOV access App fort.
+mauth_usernameless.banner.success=Authentifizierung erfolgreich!<br>Bitte warten Sie, bis Sie eingeloggt werden.
+mauth_usernameless.cannotLogin=Zugriff auf App / Sicherheitsschl&uuml;ssel verloren?
+mauth_usernameless.hideQR=QR-Code ausblenden
+mauth_usernameless.instructions=Melden Sie sich an, indem Sie den QR-Code mit Ihrer AGOV access App scannen
+mauth_usernameless.noAccount=Haben Sie noch kein AGOV-Login?
+mauth_usernameless.showQR=QR-Code anzeigen
+mauth_usernameless.startRecovery=Kontowiederherstellung starten
+mauth_usernameless.useSecurityKey=Verwenden Sie einen Sicherheitsschl&uuml;ssel, um sich anzumelden
+mauth_usernameless.useSecurityKeyInfo=Ein physischer Sicherheitsschl&uuml;ssel bietet eine sichere M&ouml;glichkeit, sich ohne Telefon anzumelden.
+method.certificate.label=Zertifikat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN-Code
+method.oath.label=OATH Authenticator-App
+method.otp.label=OTP (One-Time Passwort)
+method.recovery.label=Wiederherstellungscodes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+op-admin.login=AGOV-op-Admin
+op-admin.login.intro.message=Login mit Ihrem Benutzernamen und Passwort
+op-admin.login.loginid=LoginID
+op-admin.login.password=Passwort
+op-admin.login.title=Login
+op-admin.logout=AGOV-op-Admin
+op-admin.logout.message=Sie haben sich erfolgreich ausgeloggt.
+op-admin.logout.title=Logout
+op-admin.pwchange.intro.message=Passwort&auml;nderung erforderlich
+op-admin.pwchange.newpassword=Neues Passwort
+op-admin.pwchange.newpassword2=Neues Passwort wiederholen
+op-admin.pwchange.password=Aktuelles Passwort
+op-admin.pwchange.title=&Auml;nderung des Passworts
+op-idmlogin.role.accs-mgmt-idm=IDM accessrights management
+op-idmlogin.role.accs-mgmt-nonidm=Accessrights management
+op-idmlogin.role.idmcfg-mgmt=IDM set-up
+op-idmlogin.role.readonly-access=Standardzugriff (Nur Leseberechtigung)
+op-idmlogin.role.support-basic=Supportf&auml;lle (Wiederherstellung, ...)
+op-idmlogin.role.support-priv=3rd Level Support (Archivierung, Abmeldungen, ...)
+op-idmlogin.role.usr-mgmt=Benutzerverwaltung (Betrieb)
+op-idmlogin.role.usr-unit-mgmt=Benutzer- und Organisationsverwaltung (Betrieb)
+op-idmlogin.select=AGOV idm
+op-idmlogin.select.intro=Bitte w&auml;hlen Sie ein Profil aus...
+op-idmlogin.select.note=Mit * markierte Profile sollten nur f&uuml;r bestimmte Support oder Release Aufgaben genutzt werden.
+op-idmlogin.select.title=Profilauswahl
+op-onboarding.done.message=Das Onboarding war erfolgreich. Sie k&ouml;nnen nun Ihren AGOV-Operations-Zugang verwenden. Bitte schliessen Sie den Browser, bevor Sie auf eine der Operations-Applikationen zugreifen.
+op-onboarding.done.title=FERTIG
+op-onboarding.failed.title=FEHLER
+op-onboarding.intro.message1=Um das Onboarding f&uuml;r Ihren AGOV-Operations-Zugang abzuschliessen, ben&ouml;tigen Sie entweder ein AGOV- oder ein FED-LOGIN-Konto.
+op-onboarding.intro.message2=Wenn Sie auf &laquo;Weiter&raquo; klicken, werden Sie zur Authentifizierung weitergeleitet.
+op-onboarding.intro.message3=Wenn Sie AGOV verwenden und Ihr Konto noch nicht der erforderlichen AGOVaq-Stufe entspricht, erhalten Sie die M&ouml;glichkeit, die erforderliche Identit&auml;tspr&uuml;fung zu starten.
+op-onboarding.intro.title=START
+op-onboarding.onboarding=AGOV-op-Onboarding
+op-onboarding.process.message=Bei der Bearbeitung ist etwas schiefgegangen. Wenden Sie sich wenn n&ouml;tig an den AGOV-Support und fordern Sie einen neuen Onboarding-Link an.
+outarg.lastLogin.never=Nie
+policyFailure.dictionary=&#9642; darf nicht aus einem W&ouml;rterbuch stammen.
+policyFailure.history.History=&#9642; muss sich von vorhergehenden Passw&ouml;rtern unterscheiden.
+policyFailure.regex.control=&#9642; darf h&ouml;chstens {0} Kontrollzeichen enthalten.
+policyFailure.regex.lower=&#9642; muss {0} Kleinbuchstaben enthalten.
+policyFailure.regex.maxCharacterRepetitions=&#9642; darf nicht eine Sequenz l&auml;nger als {0} des gleichen Zeichens enthalten.
+policyFailure.regex.maxLength=L&auml;nge des Passwortes darf h&ouml;chstens {0} sein.
+policyFailure.regex.minLength=L&auml;nge des Passwortes muss mindestens {0} sein.
+policyFailure.regex.nonAlnum=&#9642; muss {0} nicht-alphanumerische Zeichen enthalten.
+policyFailure.regex.nonAscii=&#9642; darf h&ouml;chstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyFailure.regex.nonGraph=&#9642; darf h&ouml;chstens {0} nicht-druckende Zeichen enthalten.
+policyFailure.regex.nonLetter=&#9642; muss {0} Zeichen enthalten, die keine Buchstaben sind.
+policyFailure.regex.numeric=&#9642; muss {0} numerische Zeichen enthalten.
+policyFailure.regex.upper=&#9642; muss {0} Grossbuchstaben enthalten.
+policyInfo.dictionary=&#9642; darf nicht aus einem W&ouml;rterbuch stammen.
+policyInfo.history.History=&#9642; darf keines der zuletzt verwendeten Passw&ouml;rtern sein.
+policyInfo.regex.control=&#9642; darf h&ouml;chstens {0} Kontrollzeichen enthalten.
+policyInfo.regex.lower=&#9642; muss mindestens {0} Kleinbuchstaben enthalten.
+policyInfo.regex.maxCharacterRepetitions=&#9642; darf nicht eine Sequenz l&auml;nger als {0} des gleichen Zeichens enthalten.
+policyInfo.regex.maxLength=&#9642; darf h&ouml;chstens {0} Zeichen enthalten.
+policyInfo.regex.minLength=&#9642; muss mindestens {0} Zeichen enthalten.
+policyInfo.regex.nonAlnum=&#9642; muss mindestens {0} Zeichen enthalten, die nicht Alphanumerisch sind.
+policyInfo.regex.nonAscii=&#9642; darf h&ouml;chstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyInfo.regex.nonGraph=&#9642; darf h&ouml;chstens {0} nicht-druckende Zeichen enthalten.
+policyInfo.regex.nonLetter=&#9642; muss mindestens {0} Zeichen enthalten, die keine Buchstaben sind.
+policyInfo.regex.numeric=&#9642; muss mindestens {0} numerische Zeichen enthalten.
+policyInfo.regex.upper=&#9642; muss mindestens {0} Grossbuchstaben enthalten.
+policyInfo.title=Das Passwort muss den folgenden Passwort-Richtlinien entsprechen:
+prompt.client=Mandant
+prompt.newpassword=Neues Passwort
+prompt.newpassword.confirm=Passwort best&auml;tigen
+prompt.password=Passwort
+prompt.userid=Benutzer-ID
+pwreset.done.info=Ihr Passwort wurde erfolgreich ge&auml;ndert. Bitte klicken Sie auf Weiter, um sich einzuloggen.
+pwreset.email.sent=Wenn Ihre Benutzer-ID existiert, haben Sie eine E-Mail erhalten, um Ihr Passwort zurückzusetzen..
+pwreset.info.linktext=Passwort vergessen
+pwreset.noticket=Ihr Link ist nicht mehr g&uuml;ltig. Bitte generieren Sie ein Neuen.
+recovery_accessapp_auth.accessAppRegistered=AGOV access app schon registriert
+recovery_accessapp_auth.instruction1=Sie haben bereits eine neue AGOV access App !!!ACCESS_APP_NAME!!! im Rahmen des Wiederherstellungsprozesses registriert.
+recovery_accessapp_auth.instruction2=Verwenden Sie !!!ACCESS_APP_NAME!!! um Sie zu identifizieren.
+recovery_check_code.codeIncorrect=Der eingegebene Code ist nicht korrekt. Bitte versuchen Sie es erneut.
+recovery_check_code.enterRecoveryCode=Wiederherstellungscode eingeben
+recovery_check_code.instruction=Bitte geben Sie unten Ihren pers&ouml;nlichen 12-stelligen Wiederherstellungscode ein. Sie haben den Wiederherstellungscode in einer PDF-Datei bei der Registrierung oder in AGOV me erhalten.
+recovery_check_code.invalid.code=Code ist ung&uuml;ltig
+recovery_check_code.invalid.code.required=Code erforderlich
+recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
+recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
+recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen k&ouml;nnen?
+recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen k&ouml;nnen, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
+recovery_check_noCode.banner.error=Zu viele Versuche oder Ihr Wiederherstellungscode ist abgelaufen.
+recovery_check_noCode.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist m&ouml;glicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_noCode.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
+recovery_code.banner.error=Bitte enth&uuml;llen Sie den Code, um fortfahren zu k&ouml;nnen.
+recovery_code.instruction=Der Wiederherstellungscode hilft Ihnen, Zugriff auf Ihr AGOV-Login zu erhalten, falls Sie alle Ihre Login-Faktoren verloren haben. Bitte bewahren Sie den Wiederherstellungscode an einem sicheren Ort auf.
+recovery_code.newRecoveryCode=Einf&uuml;hrung von Wiederherstellungscode
+recovery_code.validUntil=G&uuml;ltig bis:
+recovery_fidokey_auth.button=Schl&uuml;sselauthentifizierung starten
+recovery_fidokey_auth.fidoInstruction=Klicken Sie auf "Schl&uuml;sselauthentifizierung starten"
+recovery_fidokey_auth.instruction1=Sie haben bereits einen neuen Sicherheitsschl&uuml;ssel !!!SECURITY_KEY_NAME!!! im Rahmen des Wiederherstellungsprozesses registriert.
+recovery_fidokey_auth.instruction2=Bitte verwenden Sie !!!SECURITY_KEY_NAME!!! und befolgen Sie die untenstehenden Schritte, um Sie zu identifizieren.
+recovery_fidokey_auth.keyRegistered=Sicherheitsschl&uuml;ssel schon registriert
+recovery_intro_email.banner.error=Der von Ihnen verwendete Link ist abgelaufen. Bitte geben Sie Ihre E-Mail-Adresse ein, um einen neuen Link zu erhalten.
+recovery_intro_email.banner.info=Bitte geben Sie Ihre E-Mail-Adresse ein, damit wir Ihnen einen Link schicken k&ouml;nnen, mit dem Sie den Wiederherstellungsprozess starten.
+recovery_intro_email.captchaUnchecked=Bitte kreuzen Sie das Captcha-Feld an
+recovery_intro_email.important=Wichtig:
+recovery_intro_email.process=Der Wiederherstellungsprozess sollte nur verwendet werden, wenn Sie den Zugriff auf Ihre Login-Faktoren verloren haben (gel&ouml;schte AGOV access App, verlorener Sicherheitsschl&uuml;ssel, verlorenes Telefon usw.).
+recovery_intro_email.siteProtectedWithRecaptcha=Diese Seite ist durch reCAPTCHA gesch&uuml;tzt, und es gelten die <a class='link' href='https://policies.google.com/privacy' target='_blank'>Datenschutzerkl&auml;rung</a> sowie die <a class='link' href='https://policies.google.com/terms' target='_blank'>Nutzungsbedingungen</a> von Google.
+recovery_intro_email_sent.banner.button=Keine E-Mail erhalten?
+recovery_intro_email_sent.banner.success=Vielen Dank! Sie werden in K&uuml;rze eine E-Mail mit einem Wiederherstellungslink und Anweisungen erhalten.
+recovery_on_going.finishRecovery=Wiederherstellung abschliessen
+recovery_on_going.instruction=Sie haben einen laufenden Wiederherstellungsprozess. Der Wiederherstellungsprozess kann eine Identit&auml;tspr&uuml;fung umfassen. Um mit Ihrem AGOV-Login auf Applikationen zugreifen zu k&ouml;nnen, m&uuml;ssen Sie auch die Identit&auml;tspr&uuml;fung abschliessen.
+recovery_on_going.title=Bitte schliessen Sie Ihren Wiederherstellungsprozess ab.
+recovery_questionnaire_instructions.banner.info=Bitte beachten Sie, dass Sie in bestimmten F&auml;llen f&uuml;r eine erfolgreiche Wiederherstellung Zugang zu Ihrem Wiederherstellungscode ben&ouml;tigen.
+recovery_questionnaire_instructions.explanation=Aufgrund Ihrer Antworten scheint eine Wiederherstellung Ihres AGOV-Logins erforderlich zu sein. Bitte klicken Sie auf Weiter und folgen Sie den Anweisungen auf dem Bildschirm.
+recovery_questionnaire_instructions.instruction1=Geben Sie die E-Mail-Adresse Ihres AGOV-Logins an, damit wir Ihnen einen Link senden k&ouml;nnen, um den Wiederherstellungsprozess zu beginnen
+recovery_questionnaire_instructions.instruction2=Folgen Sie den Schritten zur Wiederherstellung Ihres Kontos (die Schritte variieren je nach Verifizierungsstufe Ihres Kontos)
+recovery_questionnaire_loginfactor.banner.error=Bitte w&auml;hlen Sie eine Antwort.
+recovery_questionnaire_loginfactor.no=Nein
+recovery_questionnaire_loginfactor.question=Haben Sie mehr als einen Loginfaktor (AGOV Access App oder Sicherheitsschl&uuml;ssel) f&uuml;r Ihren AGOV-Login registriert?
+recovery_questionnaire_loginfactor.yes=Ja
+recovery_questionnaire_no_recovery.explanation1=Ausgehend von Ihren Antworten scheint eine Wiederherstellung Ihres AGOV-Logins im Moment nicht notwendig zu sein.
+recovery_questionnaire_no_recovery.explanation2=Falls Sie weitere Informationen ben&ouml;tigen, besuchen Sie bitte <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> f&uuml;r Support-Artikel.
+recovery_questionnaire_no_recovery.instruction1=Wenn Sie Probleme haben, sich bei einer Anwendung anzumelden, besuchen Sie bitte <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> und testen Sie, ob Sie sich erfolgreich anmelden k&ouml;nnen.
+recovery_questionnaire_no_recovery.instruction2=Wenn Sie mehrere Loginfaktoren registriert haben, aber den Zugriff zu einem von ihnen verloren haben, besuchen Sie bitte <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a>, um den verlorenen Loginfaktor zu entfernen.
+recovery_questionnaire_reason_selection.answer1=Ich habe Probleme mich anzumelden, obwohl ich meine App / meinen Sicherheitsschl&uuml;ssel habe
+recovery_questionnaire_reason_selection.answer10=Ich habe einen meiner Loginfaktoren verloren (AGOV access App oder Sicherheitsschl&uuml;ssel)
+recovery_questionnaire_reason_selection.answer2=Ich konnte meine Registrierung nicht abschliessen
+recovery_questionnaire_reason_selection.answer3=Ich habe meine AGOV access App gel&ouml;scht oder zur&uuml;ckgesetzt
+recovery_questionnaire_reason_selection.answer4=Ich habe mein Telefon / Sicherheitsschl&uuml;ssel verloren
+recovery_questionnaire_reason_selection.answer5=Ich habe ein neues Telefon und habe vergessen, meine AGOV access App zu &uuml;bertragen
+recovery_questionnaire_reason_selection.answer6=Ich habe die PIN f&uuml;r meine AGOV access App vergessen
+recovery_questionnaire_reason_selection.answer7=Ich habe meine Sicherheitsschl&uuml;ssel oder AGOV access Apps, hatte aber Probleme beim Einloggen
+recovery_questionnaire_reason_selection.answer8=Ich habe den Zugriff auf alle meine Sicherheitsschl&uuml;ssel und Apps verloren
+recovery_questionnaire_reason_selection.answer9=Ich habe Probleme mit einem meiner Loginfaktoren (gel&ouml;scht, zur&uuml;ckgesetzt, vergessene PIN)
+recovery_questionnaire_reason_selection.banner.error=Bitte w&auml;hlen Sie einen Grund aus.
+recovery_questionnaire_reason_selection.instruction=Bitte w&auml;hlen Sie einen Grund wieso Sie den AGOV recovery Prozess starten:
+recovery_start_info.banner.warning=Sie k&ouml;nnen Ihr Konto nicht nutzen, bis der Wiederherstellungsprozess abgeschlossen ist.
+recovery_start_info.instruction=W&auml;hrend des Wiederherstellungsprozesses werden Sie einen neuen Login-Faktor registrieren. Wenn Ihr Konto verifizierte Informationen enth&auml;lt, m&uuml;ssen Sie zum Abschluss des Wiederherstellungsprozesses m&ouml;glicherweise auch einen Verifikationsprozess durchlaufen.
+recovery_start_info.title=Sie sind dabei, den Wiederherstellungsprozess zu starten
+reject.button.label=Ablehnen
+submit.button.label=Senden
+tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
+title.login=Login
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorisierung
+title.pwchange.label=Passwort &auml;ndern
+title.pwreset=Passwort Vergesssen
+title.saml.failed=Error
+title.timeout.page=Logout
+user_input.invalid.email=Bitte geben Sie eine g&uuml;ltige E-Mail ein
+user_input.invalid.email.required=Erforderliches Feld
+user_input.invalid.email.tooLong=Eingabe zu lang
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_en.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_en.properties
@ -0,0 +1,268 @@
+
+accept.button.label=Accept
+button.submit=Submit
+cancel.button.label=Cancel
+continue.button.label=Continue
+darkModeSwitch.aria.label=Dark mode toggle
+deputy.profile.label=(Deputy Profile)
+error.policy.failed=The new password does not comply with the policy.
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+error_9901=You need a valid on-boarding link to access this page.
+error_9902=The email used for authentication doesn't match the expected one in operations. Please ask for a new on-boarding link.
+error_9903=The used IdP didn't send us a valid assertion. Please make sure, you use the correct IdP. Ask the support for a new on-boarding link.
+error_9904=Your link is not valid anymore. Please make sure, that you are using the latest Link received from operations. Ask for a new link, if the problem persists.
+error_9905=There is a problem with your operations account. Please contact the support.
+error_9909=An internal error occured. Please ask the support for a new on-boarding link.
+errors.duplicateValue=Your account is already linked with another operations access.
+fido2_auth.cancel.fido=The security key authentication was interrupted. Please ensure your FIDO key is registered and your email is correct, then follow the steps below.
+fido2_auth.instruction1=Click on "Continue"
+fido2_auth.instruction2=An authentication window will appear
+fido2_auth.instruction3=Follow the instructions
+fido2_auth.skipInstructions=Skip instructions next time
+fido2_auth.switchLogin=SWITCH TO LOGIN WITH
+footer.link=https://agov.ch/?c=contact&l=en
+footer.link.label=Contact
+footer.text=Authentication service of Swiss authorities AGOV - a collaboration between cantons, their municipalities, and the federal administration. -
+general.AGOVAccessApp=AGOV access app
+general.accessApp=AGOV access app
+general.authenticate=Authenticate
+general.back=Back
+general.cancel=Cancel
+general.confirm=Confirm
+general.contactSupport=Contact Support
+general.continue=Continue
+general.edit=Edit
+general.email=Email
+general.email.address=Email address
+general.entryCode=Code entry
+general.getStarted=Get started
+general.goAGOVHelp=Go to AGOV help
+general.goAccessApp=Login with AGOV access
+general.help=Help
+general.help.link=https://agov.ch/pages/help_en.html
+general.login=Login
+general.loginSecurityKey=Start Security key login
+general.or=OR
+general.otherOptions=OTHER OPTIONS
+general.recovery=Recovery
+general.recoveryOngoing=Ongoing recovery
+general.register=Register
+general.registerNow=Register now!
+general.registration=Registration
+general.securityKey=Security key
+general.skip.content=Skip to main content
+generic.auth.error.message=There was a service interruption. We are working on it.
+generic.auth.error.next.steps=Please try again later. Please consult AGOV help if the problem persists.
+generic.auth.error.subtitle=Something went wrong
+generic.auth.error.title=Error
+info.login=Please enter your authentication information.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+language.de=Deutsch
+language.en=English
+language.fr=Fran&ccedil;ais
+language.it=Italiano
+languageDropdown.aria.label=Select language
+loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
+loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
+loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.helper=Your data needs to be verified!
+loainfo.later=Later
+loainfo.startNow=Do you want to start the process now?
+loainfo.startVerification=Start verification
+loainfo.title=Verify your data
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+mauth_usernameless.EID=Continue with CH E-ID
+mauth_usernameless.banner.error=Authentication interrupted.<br>Please try again when the page reloads.
+mauth_usernameless.banner.info=Scan successful.<br>Please continue in the AGOV access app.
+mauth_usernameless.banner.success=Authentication successful!<br>Please wait to be logged in.
+mauth_usernameless.cannotLogin=Lost access to your app / security key?
+mauth_usernameless.hideQR=Hide QR code
+mauth_usernameless.instructions=Log in by scanning the QR code with your AGOV access app
+mauth_usernameless.noAccount=Don't have an AGOV-Login yet?
+mauth_usernameless.showQR=Show QR code
+mauth_usernameless.startRecovery=Start account recovery
+mauth_usernameless.useSecurityKey=Use a security key to log in
+mauth_usernameless.useSecurityKeyInfo=A physical security key offers a secure way to login without having to use a phone.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+op-admin.login=AGOV op admin
+op-admin.login.intro.message=Login with your username and password
+op-admin.login.loginid=LoginId
+op-admin.login.password=Passwort
+op-admin.login.title=Login
+op-admin.logout=AGOV op admin
+op-admin.logout.message=You have successfully logged out.
+op-admin.logout.title=Logout
+op-admin.pwchange.intro.message=Password change required
+op-admin.pwchange.newpassword=New password
+op-admin.pwchange.newpassword2=Repeat new password
+op-admin.pwchange.password=Current password
+op-admin.pwchange.title=Password Change
+op-idmlogin.role.accs-mgmt-idm=IDM accessrights management
+op-idmlogin.role.accs-mgmt-nonidm=Accessrights management
+op-idmlogin.role.idmcfg-mgmt=IDM set-up
+op-idmlogin.role.readonly-access=Default access (readonly)
+op-idmlogin.role.support-basic=Support cases (recovery, ...)
+op-idmlogin.role.support-priv=3rd level support (archiving, off-boarding)
+op-idmlogin.role.usr-mgmt=User management (operations)
+op-idmlogin.role.usr-unit-mgmt=User and organization management (operations)
+op-idmlogin.select=AGOV idm
+op-idmlogin.select.intro=Please select one of the profiles below...
+op-idmlogin.select.note=Profiles marked with a * should only be used if required for a specific support or release tasks.
+op-idmlogin.select.title=Profile selection
+op-onboarding.done.message=On-boarding was successfull. You can now use your AGOV operations access. Please close the browser, before accessing on of the operations application.
+op-onboarding.done.title=DONE
+op-onboarding.failed.title=ERROR
+op-onboarding.intro.message1=To complete your on-boarding for your AGOV operations access, you need either an AGOV or a FED-LOGIN account.
+op-onboarding.intro.message2=After clicking on "Continue", you will be redirected for authentication.
+op-onboarding.intro.message3=If you are using AGOV, and your account doesn't meet yet the required AGOVaq level, you will be given the possibility to start the required ID verification.
+op-onboarding.intro.title=START
+op-onboarding.onboarding=AGOV op on-boarding
+op-onboarding.process.message=During the processing something went wrong. Please contact AGOV support if necessary and ask also for a new on-boarding link.
+outarg.lastLogin.never=Never
+policyFailure.dictionary=&#9642; must not be taken from a dictionary.
+policyFailure.history.History=&#9642; must be different from previously selected passwords.
+policyFailure.regex.control=&#9642; cannot contain more than {0} control characters.
+policyFailure.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=&#9642; must be at most {0} characters long.
+policyFailure.regex.minLength=&#9642; must be at least {0} characters long.
+policyFailure.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyFailure.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.dictionary=&#9642; must not be taken from a dictionary.
+policyInfo.history.History=&#9642; must be different from previously selected passwords.
+policyInfo.regex.control=&#9642; cannot contain more than {0} control characters.
+policyInfo.regex.lower=&#9642; must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=&#9642; characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=&#9642; must be at most {0} characters long.
+policyInfo.regex.minLength=&#9642; must be at least {0} characters long.
+policyInfo.regex.nonAlnum=&#9642; must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=&#9642; cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=&#9642; cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=&#9642; must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=&#9642; must contain at least {0} numeric characters.
+policyInfo.regex.upper=&#9642; must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+prompt.client=Client
+prompt.newpassword=New Password
+prompt.newpassword.confirm=Confirm Password
+prompt.password=Password
+prompt.userid=User-ID
+pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
+pwreset.email.sent=If your user ID exists, an email to reset your password has been sent to you.
+pwreset.info.linktext=Password forgotten
+pwreset.noticket=Your password reset link is no longer valid. Please generate a new one.
+recovery_accessapp_auth.accessAppRegistered=AGOV access app already registered
+recovery_accessapp_auth.instruction1=You have already registered a new AGOV access app !!!ACCESS_APP_NAME!!! as part of the recovery process.
+recovery_accessapp_auth.instruction2=Please use !!!ACCESS_APP_NAME!!! to identify you.
+recovery_check_code.codeIncorrect=Code entered is incorrect. Please try again.
+recovery_check_code.enterRecoveryCode=Enter recovery code
+recovery_check_code.instruction=Please enter below your personal 12-digit recovery code. You will have received the recovery code as a PDF file during registration or in AGOV me.
+recovery_check_code.invalid.code=The code is invalid
+recovery_check_code.invalid.code.required=Code required
+recovery_check_code.invalid.code.tooLong=The code is too long
+recovery_check_code.noAccess=I do not have access to my code
+recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
+recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_noCode.banner.error=Too many attempts or your recovery code has expired.
+recovery_check_noCode.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_noCode.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_code.banner.error=Please reveal your new code to be able to continue.
+recovery_code.instruction=Recovery codes help you gain access to your account in case you lost all of your login factors. Please store the recovery code in a safe place.
+recovery_code.newRecoveryCode=Introducing Recovery Code
+recovery_code.validUntil=Valid until:
+recovery_fidokey_auth.button=Start key authentication
+recovery_fidokey_auth.fidoInstruction=Click on "Start key authentication"
+recovery_fidokey_auth.instruction1=You have already registered a new security key !!!SECURITY_KEY_NAME!!! as part of the recovery process.
+recovery_fidokey_auth.instruction2=Please use !!!SECURITY_KEY_NAME!!! to follow the steps below to identify you.
+recovery_fidokey_auth.keyRegistered=Security key already registered
+recovery_intro_email.banner.error=The link you used has expired. Please enter your email address to receive a new link.
+recovery_intro_email.banner.info=Please enter your email address, so we can send you a link to start the recovery process.
+recovery_intro_email.captchaUnchecked=Please tick the captcha field
+recovery_intro_email.important=Important:
+recovery_intro_email.process=The recovery process should only be used if you have lost access to your login factors (deleted AGOV access app, lost security key, lost phone, etc.).
+recovery_intro_email.siteProtectedWithRecaptcha=This site is protected by reCAPTCHA and the <a class='link' href='https://policies.google.com/privacy' target='_blank'>Google Privacy Policy</a> and <a class='link' href='https://policies.google.com/terms' target='_blank'>Terms of Service</a> apply.
+recovery_intro_email_sent.banner.button=Didn't receive the email?
+recovery_intro_email_sent.banner.success=Thank you! You will receive an email with a recovery link and instructions shortly.
+recovery_on_going.finishRecovery=Finish recovery
+recovery_on_going.instruction=You have an ongoing recovery process. Part of the recovery process can include an identity verification. To access applications with your AGOV-Login you need to finish the identity verification as well.
+recovery_on_going.title=Please finish your recovery process.
+recovery_questionnaire_instructions.banner.info=Please note that in certain cases you need access to your recovery code for a successful recovery.
+recovery_questionnaire_instructions.explanation=Based on your answers an AGOV-Login recovery seems to be necessary. Please click on continue and follow the instructions on the screen.
+recovery_questionnaire_instructions.instruction1=Provide your account email address so we can send you a link to begin the recovery process
+recovery_questionnaire_instructions.instruction2=Follow steps to recover your account (steps will vary depending on your account verification level)
+recovery_questionnaire_loginfactor.banner.error=Please select an answer.
+recovery_questionnaire_loginfactor.no=No
+recovery_questionnaire_loginfactor.question=Have you registered more than one login factor (AGOV access app or security key) to your account?
+recovery_questionnaire_loginfactor.yes=Yes
+recovery_questionnaire_no_recovery.explanation1=Based on your answers, the AGOV recovery option does not seem necessary right now.
+recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> for support articles.
+recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> and test if you can log in successfully.
+recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> to remove the one you have lost access to.
+recovery_questionnaire_reason_selection.answer1=I have trouble logging in, even though I have my app / security key
+recovery_questionnaire_reason_selection.answer10=I lost one of my login factors (AGOV access app or security key)
+recovery_questionnaire_reason_selection.answer2=I was unable to finish my registration
+recovery_questionnaire_reason_selection.answer3=I have deleted or reset my AGOV access app
+recovery_questionnaire_reason_selection.answer4=I have lost my phone / security key
+recovery_questionnaire_reason_selection.answer5=I have a new phone and forgot to transfer my AGOV access app
+recovery_questionnaire_reason_selection.answer6=I forgot my PIN for the AGOV access app
+recovery_questionnaire_reason_selection.answer7=I have my security keys or apps but had trouble logging in
+recovery_questionnaire_reason_selection.answer8=I lost access to all my security keys and AGOV access apps
+recovery_questionnaire_reason_selection.answer9=I have issues with one of my login factors (deleted, reset, forgotten PIN)
+recovery_questionnaire_reason_selection.banner.error=Please select a reason.
+recovery_questionnaire_reason_selection.instruction=Please select the reason you are starting the recovery process:
+recovery_start_info.banner.warning=You will not be able to use your account until the recovery process has been concluded.
+recovery_start_info.instruction=During the recovery process you will register a new login factor. If  your account contains any verified information you might also have to go through a verification process to finish the recovery.
+recovery_start_info.title=You are about to start the recovery process
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.login=Login
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.pwchange.label=Password Change
+title.pwreset=Password Forgotten
+title.saml.failed=Error
+title.timeout.page=Logout
+user_input.invalid.email=Please enter a valid email address
+user_input.invalid.email.required=Field required
+user_input.invalid.email.tooLong=Input is too long
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_fr.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_fr.properties
@ -0,0 +1,268 @@
+
+accept.button.label=Accepter
+button.submit=Envoyer
+cancel.button.label=Abandonner
+continue.button.label=Continuer
+darkModeSwitch.aria.label=Activer l'apparence sombre
+deputy.profile.label=(Profil du suppl&eacute;ant)
+error.policy.failed=Votre nouveau mot de passe ne conforme pas aux mesures de s&eacute;curit&eacute;
+error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
+error_1=Veuillez v&eacute;rifier votre saisie.
+error_10=Veuillez s&eacute;lectionner le compte d&rsquo;utilisateur correct.
+error_100=Le t&eacute;l&eacute;chargement du certificat est impossible. Le certificat existe d&eacute;j&agrave;. Veuillez contacter votre service d&rsquo;assistance.
+error_101=L&rsquo;adresse e-mail saisie n&rsquo;est pas valable.
+error_11=Veuillez utiliser un autre certificat ou vous connecter au moyen d&rsquo;un autre type de facteur d&rsquo;authentification.
+error_2=Veuillez s&eacute;lectionner un autre nom d&rsquo;utilisateur.
+error_3=Votre compte sera bloqu&eacute; si la prochaine tentative d&rsquo;authentification &eacute;choue.
+error_4=Votre nouveau mot de passe n&rsquo;est pas conforme &agrave; la politique de s&eacute;curit&eacute;. Veuillez choisir un autre mot de passe.
+error_5=Erreur de confirmation du mot de passe
+error_50=Le nouveau mot de passe est trop court.
+error_55=Le nouveau mot de passe doit &ecirc;tre diff&eacute;rent des pr&eacute;c&eacute;dents.
+error_6=Changement de mot de passe requis.
+error_7=Changement d&rsquo;identifiant de connexion requis.
+error_8=Votre compte a &eacute;t&eacute; bloqu&eacute; en raison de plusieurs &eacute;checs d&rsquo;authentification.
+error_81=Aucune carte d&rsquo;acc&egrave;s n&rsquo;a &eacute;t&eacute; trouv&eacute;e, l&rsquo;acc&egrave;s depuis Internet est refus&eacute;.
+error_83=Votre carte d&rsquo;acc&egrave;s n&rsquo;est plus valable. Veuillez contacter votre conseiller pour obtenir une nouvelle carte d&rsquo;acc&egrave;s.
+error_9=La reprise de session a &eacute;chou&eacute;.
+error_97=Vous n&rsquo;&ecirc;tes pas autoris&eacute; &agrave; acc&eacute;der &agrave; cette ressource.
+error_98=Votre compte a &eacute;t&eacute; bloqu&eacute;.
+error_99=Probl&egrave;mes de syst&egrave;me. Veuillez r&eacute;essayer plus tard.
+error_9901=Vous devez disposer d&rsquo;un lien d&rsquo;enregistrement valable pour acc&eacute;der &agrave; cette page.
+error_9902=L&rsquo;adresse e-mail utilis&eacute;e pour l&rsquo;authentification ne correspond pas &agrave; celle qui est renseign&eacute;e dans AGOV operations. Veuillez demander un nouveau lien d&rsquo;enregistrement.
+error_9903=Le fournisseur d&rsquo;identit&eacute; utilis&eacute; ne nous a pas envoy&eacute; d&rsquo;assertion valide. Assurez-vous d&rsquo;utiliser le bon fournisseur d&rsquo;identit&eacute;. Demandez un nouveau lien d&rsquo;enregistrement au service d&rsquo;assistance.
+error_9904=Le lien que vous avez suivi n&rsquo;est plus valable. Veuillez vous assurer que vous utilisez le dernier lien que vous avez re&ccedil;u d&rsquo;AGOV operations. Demandez un nouveau lien si le probl&egrave;me persiste.
+error_9905=Il y a un probl&egrave;me avec votre compte AGOV operations. Veuillez contacter le service d&rsquo;assistance.
+error_9909=Un probl&egrave;me interne s&rsquo;est produit. Veuillez demander un nouveau lien d&rsquo;enregistrement au service d&rsquo;assistance.
+errors.duplicateValue=Votre compte est d&eacute;j&agrave; li&eacute; &agrave; un autre acc&egrave;s &agrave; AGOV operations.
+fido2_auth.cancel.fido=L'authentification avec la cl&eacute; de s&eacute;curit&eacute; a &eacute;t&eacute; interrompue. Veuillez vous assurer que votre cl&eacute; FIDO est enregistr&eacute;e et que votre adresse e-mail est correcte, puis suivez les &eacute;tapes ci-dessous.
+fido2_auth.instruction1=Cliquez sur "Continuer"
+fido2_auth.instruction2=Une fen&ecirc;tre d'authentification s'affichera
+fido2_auth.instruction3=Suivez les instructions
+fido2_auth.skipInstructions=Passer les instructions la fois suivante
+fido2_auth.switchLogin=S'AUTHENTIFIER AVEC
+footer.link=https://agov.ch/?c=contact&l=fr
+footer.link.label=Contact
+footer.text=Service d'authentification des autorit&eacute;s suisses AGOV - une collaboration entre les cantons, leurs communes et l'administration f&eacute;d&eacute;rale. -
+general.AGOVAccessApp=Application AGOV access
+general.accessApp=Application AGOV access
+general.authenticate=Authentification
+general.back=Retour
+general.cancel=Annuler
+general.confirm=Confirmer
+general.contactSupport=Contacter le service d'assistance
+general.continue=Continuer
+general.edit=Editer
+general.email=E-mail
+general.email.address=Adresse e-mail
+general.entryCode=Entrer le code
+general.getStarted=D&eacute;marrer
+general.goAGOVHelp=Rendez-vous sur AGOV help
+general.goAccessApp=Login avec AGOV access
+general.help=Aide
+general.help.link=https://agov.ch/pages/help_fr.html
+general.login=Login
+general.loginSecurityKey=D&eacute;marrer la connexion avec la cl&eacute; de s&eacute;curit&eacute;
+general.or=OU
+general.otherOptions=AUTRES OPTIONS
+general.recovery=R&eacute;cup&eacute;ration
+general.recoveryOngoing=R&eacute;cup&eacute;ration en cours
+general.register=Cr&eacute;er un compte
+general.registerNow=Enregistrez-vous d&egrave;s maintenant!
+general.registration=Enregistrement
+general.securityKey=Cl&eacute; de s&eacute;curit&eacute;
+general.skip.content=Passer au contenu principal
+generic.auth.error.message=Une interruption de service s&rsquo;est produite. Nous nous employons &agrave; r&eacute;soudre le probl&egrave;me.
+generic.auth.error.next.steps=Veuillez r&eacute;essayer plus tard. Veuillez vous rendre sur AGOV help si le probl&egrave;me persiste.
+generic.auth.error.subtitle=Un probl&egrave;me s&rsquo;est produit
+generic.auth.error.title=Erreur
+info.login=Veuillez entrer vos &eacute;l&eacute;ments de s&eacute;curit&eacute; ci-apr&egrave;s.
+info.logout.confirmation=Veuillez confirmer que vous souhaitez vous d&eacute;connecter.
+info.logout.reminder=Votre session sur cette application a expir&eacute;e. Essayez encore avec un login.
+info.oauth.consent=Voulez-vous autoriser l&#39;application?
+info.timeout.page=Votre session sur cette application a expir&eacute;e. Essayez encore avec un login.
+language.de=Deutsch
+language.en=English
+language.fr=Fran&ccedil;ais
+language.it=Italiano
+languageDropdown.aria.label=S&eacute;lectionner la langue
+loainfo.description.200=Pour acc&eacute;der &agrave; l'application, nous devons v&eacute;rifier vos donn&eacute;es. Ce processus peut prendre jusqu'&agrave; 2 ou 3 jours.
+loainfo.description.300=Pour acc&eacute;der &agrave; l'application, nous devons v&eacute;rifier vos donn&eacute;es par le biais de l'une des deux proc&eacute;dures suivantes. Vous pouvez choisir la proc&eacute;dure que vous pr&eacute;f&eacute;rez &agrave; l'&eacute;tape suivante.
+loainfo.description.400=Pour acc&eacute;der &agrave; l'application, vous devez ajouter votre num&eacute;ro AVS.
+loainfo.helper=Vos donn&eacute;es doivent &ecirc;tre v&eacute;rifi&eacute;es!
+loainfo.later=Plus tard
+loainfo.startNow=Voulez-vous commencer le processus maintenant?
+loainfo.startVerification=D&eacute;marrer la v&eacute;rification
+loainfo.title=V&eacute;rifiez vos donn&eacute;es
+login.button.label=Login
+logout.label=Logout
+logout.text=Au revoir
+mauth_usernameless.EID=Continuer avec l'e-ID suisse
+mauth_usernameless.banner.error=Authentification interrompue.<br>Veuillez r&eacute;essayer lorsque la page sera recharg&eacute;e.
+mauth_usernameless.banner.info=Scan r&eacute;ussi!<br> Veuillez continuer dans l'application AGOV access.
+mauth_usernameless.banner.success=Authentification r&eacute;ussie!<br>Veuillez attendre d'&ecirc;tre connect&eacute;.
+mauth_usernameless.cannotLogin=Avez-vous perdu l'acc&egrave;s &agrave; votre application / votre cl&eacute; de s&eacute;curit&eacute; ?
+mauth_usernameless.hideQR=Cacher le code QR
+mauth_usernameless.instructions=Connectez-vous en scannant le code QR avec l'application AGOV access
+mauth_usernameless.noAccount=Vous n'avez pas encore d'AGOV-Login ?
+mauth_usernameless.showQR=Afficher le code QR
+mauth_usernameless.startRecovery=Commencer la r&eacute;cup&eacute;ration du compte
+mauth_usernameless.useSecurityKey=Utiliser une cl&eacute; de s&eacute;curit&eacute; pour se connecter
+mauth_usernameless.useSecurityKeyInfo=Une cl&eacute; de s&eacute;curit&eacute; physique offre un moyen s&ucirc;r de se connecter sans devoir utiliser son t&eacute;l&eacute;phone.
+method.certificate.label=Certificat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Code mTAN
+method.oath.label=Application d'authentification OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codes de r&eacute;cup&eacute;ration
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+op-admin.login=Administration de l&rsquo;acc&egrave;s &agrave; AGOV op
+op-admin.login.intro.message=Connectez-vous avec votre nom d&rsquo;utilisateur et votre mot de passe
+op-admin.login.loginid=Identifiant de connexion
+op-admin.login.password=Mot de passe
+op-admin.login.title=Connexion
+op-admin.logout=Administration de l&rsquo;acc&egrave;s &agrave; AGOV op
+op-admin.logout.message=Vous vous &ecirc;tes d&eacute;connect&eacute; avec succ&egrave;s.
+op-admin.logout.title=D&eacute;connexion
+op-admin.pwchange.intro.message=Changement de mot de passe requis
+op-admin.pwchange.newpassword=Nouveau mot de passe
+op-admin.pwchange.newpassword2=R&eacute;p&eacute;ter le nouveau mot de passe
+op-admin.pwchange.password=Mot de passe actuel
+op-admin.pwchange.title=Changer de mot de passe
+op-idmlogin.role.accs-mgmt-idm=Gestion des droits d'acc&egrave;s IDM
+op-idmlogin.role.accs-mgmt-nonidm=Gestion des droits d'acc&egrave;s
+op-idmlogin.role.idmcfg-mgmt=Mise en place de l'IDM
+op-idmlogin.role.readonly-access=Acc&egrave;s par d&eacute;faut (lecture seule)
+op-idmlogin.role.support-basic=Cas de support (r&eacute;cup&eacute;ration, ...)
+op-idmlogin.role.support-priv=Support de 3&egrave;me niveau (archivage, d&eacute;sinscription)
+op-idmlogin.role.usr-mgmt=Gestion des utilisateurs (op&eacute;rations)
+op-idmlogin.role.usr-unit-mgmt=Gestion des utilisateurs et des organisations (op&eacute;rations)
+op-idmlogin.select=AGOV idm
+op-idmlogin.select.intro=Veuillez s&eacute;lectionner l&rsquo;un des profils ci-dessous...
+op-idmlogin.select.note=Les profils marqu&eacute;s d'un * ne doivent &ecirc;tre utilis&eacute;s que s'ils sont n&eacute;cessaires pour des t&acirc;ches sp&eacute;cifiques de support ou de mise en production.
+op-idmlogin.select.title=S&eacute;l&eacute;ction du profil
+op-onboarding.done.message=L&rsquo;enregistrement a &eacute;t&eacute; effectu&eacute; avec succ&egrave;s. Vous disposez maintenant d&rsquo;un acc&egrave;s &agrave; AGOV operations. Veuillez fermer le navigateur avant d&rsquo;acc&eacute;der &agrave; AGOV operations.
+op-onboarding.done.title=TERMIN&Eacute;
+op-onboarding.failed.title=ERREUR
+op-onboarding.intro.message1=Pour terminer l&rsquo;enregistrement de votre acc&egrave;s &agrave; AGOV operations, vous devez disposer d&rsquo;un compte AGOV ou d&rsquo;un compte FED-LOGIN.
+op-onboarding.intro.message2=Apr&egrave;s avoir cliqu&eacute; sur "Continuer", vous serez redirig&eacute; vers l&rsquo;authentification.
+op-onboarding.intro.message3=Si vous utilisez AGOV et que votre compte n&rsquo;a pas encore atteint le niveau de qualit&eacute; d&rsquo;authentification requis, vous aurez la possibilit&eacute; de d&eacute;marrer la v&eacute;rification d&rsquo;identit&eacute; n&eacute;cessaire pour l&rsquo;atteindre.
+op-onboarding.intro.title=D&Eacute;MARRER
+op-onboarding.onboarding=Enregistrement de l&rsquo;acc&egrave;s &agrave; AGOV op
+op-onboarding.process.message=Un probl&egrave;me s&rsquo;est produit. Veuillez contacter le service d&rsquo;assistance AGOV afin de demander un nouveau lien d&rsquo;enregistrement.
+outarg.lastLogin.never=Jamais
+policyFailure.dictionary=&#9642; ne peut pas &ecirc;tre pris d&#39;un dictionnaire.
+policyFailure.history.History=&#9642; doit &ecirc;tre diff&eacute;rent des mots de passe pr&eacute;alablement s&eacute;lectionn&eacute;s.
+policyFailure.regex.control=&#9642; ne peut contenir plus de {0} caract&egrave;res de commande.
+policyFailure.regex.lower=&#9642; doit contenir au moins {0} caract&egrave;re(s) minuscule(s).
+policyFailure.regex.maxCharacterRepetitions=&#9642; ne peut contenir une s&eacute;quence de plus de {0} du m&ecirc;me caract&egrave;re.
+policyFailure.regex.maxLength=La longueur doit &ecirc;tre d&#39;au plus {0}.
+policyFailure.regex.minLength=La longueur doit &ecirc;tre d&#39;au moins {0}.
+policyFailure.regex.nonAlnum=&#9642; doit contenir au moins  {0} caract&egrave;res non alphanum&eacute;riques.
+policyFailure.regex.nonAscii=&#9642; ne peut contenir plus de {0} caract&egrave;res non ASCII ({1}).
+policyFailure.regex.nonGraph=&#9642; ne peut contenir plus de {0} caract&egrave;res non imprimables ({1}).
+policyFailure.regex.nonLetter=&#9642; doit contenir au moins {0} caract&egrave;res qui ne sont pas des lettres.
+policyFailure.regex.numeric=&#9642; doit comprendre {0} caract&#232;res num&#233;riques.
+policyFailure.regex.upper=&#9642; doit contenir au moins {0} caract&egrave;re(s) majuscule(s).
+policyInfo.dictionary=&#9642; ne peut pas &ecirc;tre pris d&#39;un dictionnaire.
+policyInfo.history.History=&#9642; ne peut pas &ecirc;tre l&#39; pr&eacute;c&eacute;demment choisis.
+policyInfo.regex.control=&#9642; ne peut contenir plus de {0} caract&egrave;res de commande.
+policyInfo.regex.lower=&#9642; doit contenir au moins {0} caract&egrave;re(s) minuscule(s).
+policyInfo.regex.maxCharacterRepetitions=&#9642; ne peut contenir une s&eacute;quence de plus de {0} du m&ecirc;me caract&egrave;re.
+policyInfo.regex.maxLength=&#9642; la longueur doit &ecirc;tre d&#39;au plus {0}.
+policyInfo.regex.minLength=&#9642; la longueur doit &ecirc;tre d&#39;au moins {0}.
+policyInfo.regex.nonAlnum=&#9642; doit contenir au moins  {0} caract&egrave;res non alphanum&eacute;riques.
+policyInfo.regex.nonAscii=&#9642; ne peut contenir plus de {0} caract&egrave;res non ASCII.
+policyInfo.regex.nonGraph=&#9642; ne peut contenir plus de {0} caract&egrave;res non imprimables.
+policyInfo.regex.nonLetter=&#9642; doit contenir au moins {0} caract&egrave;res qui ne sont pas des lettres.
+policyInfo.regex.numeric=&#9642; doit comprendre au minimum {0} caract&#232;res num&#233;riques.
+policyInfo.regex.upper=&#9642; doit contenir au moins {0} caract&egrave;re(s) majuscule(s).
+policyInfo.title=Le mot de passe doit respecter les r&egrave;gles suivantes:
+prompt.client=Client
+prompt.newpassword=Nouveau mot de passe
+prompt.newpassword.confirm=Confirmez le mot de passe
+prompt.password=Mot de passe
+prompt.userid=ID de l&#39;utilisateur
+pwreset.done.info=Votre mot de passe a &eacute;t&eacute; chang&eacute avec succ&egrave;s. Veuillez cliquer sur continuer pour vous connecter.
+pwreset.email.sent=Si votre identifiant n'existe pas, vous avez reçu un courriel pour réinitialiser votre mot de passe.
+pwreset.info.linktext=Mot de passe oublié
+pwreset.noticket=Votre lien n&apos;est plus valide. Veuillez en g&eacute;n&eacute;rer un nouveau.
+recovery_accessapp_auth.accessAppRegistered=L'application AGOV access est d&eacute;j&agrave; enregistr&eacute;e
+recovery_accessapp_auth.instruction1=Vous avez d&eacute;j&agrave; enregistr&eacute; une nouvelle AGOV access app !!!ACCESS_APP_NAME!!! dans le cadre du processus de r&eacute;cup&eacute;ration.
+recovery_accessapp_auth.instruction2=Veuillez utiliser !!!ACCESS_APP_NAME!!! pour vous identifier.
+recovery_check_code.codeIncorrect=Le code saisi est incorrect. Veuillez r&eacute;essayer.
+recovery_check_code.enterRecoveryCode=Saisir le code de r&eacute;cup&eacute;ration
+recovery_check_code.instruction=Veuillez saisir votre code de r&eacute;cup&eacute;ration &agrave; douze chiffres. Lors de votre inscription, vous avez re&ccedil;u le code de r&eacute;cup&eacute;ration sous la forme d&rsquo;un fichier PDF ou dans AGOV me.
+recovery_check_code.invalid.code=Le code est invalide
+recovery_check_code.invalid.code.required=Code requis
+recovery_check_code.invalid.code.tooLong=Le code est trop long
+recovery_check_code.noAccess=Je n&rsquo;ai pas acc&egrave;s &agrave; mon code de r&eacute;cup&eacute;ration
+recovery_check_code.noCodeAccess=&Ecirc;tes-vous s&ucirc;r de ne pas avoir acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration ?
+recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de r&eacute;cup&eacute;ration, veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance AGOV. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
+recovery_check_noCode.banner.error=Trop de tentatives ou expiration de votre code de r&eacute;cup&eacute;ration.
+recovery_check_noCode.instruction1=Le code de r&eacute;cup&eacute;ration que vous avez saisi a peut-&ecirc;tre expir&eacute; ou vous avez peut-&ecirc;tre essay&eacute; de le saisir trop de fois.
+recovery_check_noCode.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
+recovery_code.banner.error=Veuillez indiquer votre nouveau code pour pouvoir continuer.
+recovery_code.instruction=Les codes de r&eacute;cup&eacute;ration vous permettent d'acc&eacute;der &agrave; votre compte au cas o&ugrave; vous auriez perdu tous vos identifiants. Conservez le code de r&eacute;cup&eacute;ration en lieu s&ucirc;r.
+recovery_code.newRecoveryCode=Introduction du code de r&eacute;cup&eacute;ration
+recovery_code.validUntil=Valable jusqu'au:
+recovery_fidokey_auth.button=D&eacute;marrer l'authentification par cl&eacute; de s&eacute;curit&eacute;
+recovery_fidokey_auth.fidoInstruction=Cliquez sur "D&eacute;marrer l'enregistrement de la cl&eacute;"
+recovery_fidokey_auth.instruction1=Vous avez d&eacute;j&agrave; enregistr&eacute; une nouvelle cl&eacute; de s&eacute;curit&eacute; !!!SECURITY_KEY_NAME!!! dans le cadre du processus de r&eacute;cup&eacute;ration.
+recovery_fidokey_auth.instruction2=Veuillez utiliser !!!SECURITY_KEY_NAME!!! pour suivre les &eacute;tapes ci-dessous afin de vous identifier.
+recovery_fidokey_auth.keyRegistered=Cl&eacute; de s&eacute;curit&eacute; d&eacute;j&agrave; enregistr&eacute;e
+recovery_intro_email.banner.error=Le lien que vous avez utilis&eacute; a expir&eacute;. Veuillez saisir votre adresse e-mail pour recevoir un nouveau lien.
+recovery_intro_email.banner.info=Veuillez saisir votre adresse e-mail. Nous vous enverrons un e-mail vous permettant de d&eacute;marrer le processus de r&eacute;cup&eacute;ration.
+recovery_intro_email.captchaUnchecked=Veuillez cocher la case captcha
+recovery_intro_email.important=Important:
+recovery_intro_email.process=Le processus de r&eacute;cup&eacute;ration ne doit &ecirc;tre utilis&eacute; que si vous avez perdu l'acc&egrave;s &agrave; vos facteurs de connexion (application AGOV access supprim&eacute;e, cl&eacute; de s&eacute;curit&eacute; perdue, t&eacute;l&eacute;phone perdu, etc.).
+recovery_intro_email.siteProtectedWithRecaptcha=Ce site est prot&eacute;g&eacute; par reCAPTCHA: les <a class=&rsquo;link&rsquo; href=&rsquo;https://policies.google.com/privacy&rsquo; target=&rsquo;_blank&rsquo;>r&egrave;gles de confidentialit&eacute;</a> et <a class=&rsquo;link&rsquo; href=&rsquo;https://policies.google.com/terms&rsquo; target=&rsquo;_blank&rsquo;>conditions d&rsquo;utilisation</a> de Google s&rsquo;appliquent.
+recovery_intro_email_sent.banner.button=Vous n&rsquo;avez pas re&ccedil;u l'email?
+recovery_intro_email_sent.banner.success=Merci! Vous recevrez dans un instant un e-mail contenant un lien de r&eacute;cup&eacute;ration et des instructions.
+recovery_on_going.finishRecovery=Terminer la r&eacute;cup&eacute;ration
+recovery_on_going.instruction=Vous n&rsquo;avez pas encore termin&eacute; le processus de r&eacute;cup&eacute;ration. Dans le cadre du processus de r&eacute;cup&eacute;ration, votre identit&eacute; peut faire l&rsquo;objet d&rsquo;une v&eacute;rification. Pour acc&eacute;der &agrave; des applications au moyen de votre identifiant AGOV, vous devez terminer la v&eacute;rification d&rsquo;identit&eacute;.
+recovery_on_going.title=Veuillez terminer le processus de r&eacute;cup&eacute;ration.
+recovery_questionnaire_instructions.banner.info=Veuillez noter que dans certains cas, vous devez avoir acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration pour que la r&eacute;cup&eacute;ration soit r&eacute;ussie.
+recovery_questionnaire_instructions.explanation=D'apr&egrave;s vos r&eacute;ponses, une r&eacute;cup&eacute;ration de l'identifiant AGOV-Login semble n&eacute;cessaire. Veuillez cliquer sur continuer et suivre les instructions &agrave; l'&eacute;cran.
+recovery_questionnaire_instructions.instruction1=Fournissez l'adresse &eacute;lectronique de votre compte afin que nous puissions vous envoyer un lien pour commencer le processus de r&eacute;cup&eacute;ration
+recovery_questionnaire_instructions.instruction2=Suivez les &eacute;tapes pour r&eacute;cup&eacute;rer votre compte (les &eacute;tapes varient en fonction du niveau de v&eacute;rification de votre compte)
+recovery_questionnaire_loginfactor.banner.error=Veuillez choisir une r&eacute;ponse.
+recovery_questionnaire_loginfactor.no=Non
+recovery_questionnaire_loginfactor.question=Avez-vous enregistr&eacute; plus d'un facteur d'authentification (application AGOV access ou cl&eacute; de s&eacute;curit&eacute;) sur votre compte ?
+recovery_questionnaire_loginfactor.yes=Oui
+recovery_questionnaire_no_recovery.explanation1=D'apr&egrave;s vos r&eacute;ponses, l'option de r&eacute;cup&eacute;ration d'AGOV ne semble pas n&eacute;cessaire pour l'instant.
+recovery_questionnaire_no_recovery.explanation2=Si vous avez besoin de plus amples informations, veuillez consulter <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> pour obtenir des articles de soutien.
+recovery_questionnaire_no_recovery.instruction1=Si vous rencontrez des difficult&eacute;s pour vous connecter &agrave; une application, visitez <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> et v&eacute;rifiez si vous pouvez vous connecter avec succ&egrave;s.
+recovery_questionnaire_no_recovery.instruction2=Si vous avez enregistr&eacute; plusieurs facteurs de connexion mais que vous avez perdu l'acc&egrave;s &agrave; l'un d'entre eux, veuillez consulter <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> pour supprimer celui auquel vous avez perdu l'acc&egrave;s.
+recovery_questionnaire_reason_selection.answer1=Je n'arrive pas &agrave; me connecter, m&ecirc;me si j'ai mon application / ma cl&eacute; de s&eacute;curit&eacute;
+recovery_questionnaire_reason_selection.answer10=J'ai perdu l'un de mes facteurs d'authentification (application AGOV access ou cl&eacute; de s&eacute;curit&eacute;)
+recovery_questionnaire_reason_selection.answer2=Je n'ai pas pu terminer mon inscription
+recovery_questionnaire_reason_selection.answer3=J'ai supprim&eacute; ou r&eacute;initialis&eacute; mon application AGOV access
+recovery_questionnaire_reason_selection.answer4=J'ai perdu mon t&eacute;l&eacute;phone / cl&eacute; de s&eacute;curit&eacute;
+recovery_questionnaire_reason_selection.answer5=J'ai un nouveau t&eacute;l&eacute;phone et j'ai oubli&eacute; de transf&eacute;rer mon application AGOV access
+recovery_questionnaire_reason_selection.answer6=J'ai oubli&eacute; mon PIN pour l'application AGOV access
+recovery_questionnaire_reason_selection.answer7=J'ai mes cl&eacute;s de s&eacute;curit&eacute; ou mes applications, mais j'ai du mal &agrave; me connecter
+recovery_questionnaire_reason_selection.answer8=J'ai perdu l'acc&egrave;s &agrave; toutes mes cl&eacute;s de s&eacute;curit&eacute; et aux applications AGOV access
+recovery_questionnaire_reason_selection.answer9=J'ai des probl&egrave;mes avec l'un de mes facteurs d'authentification (effac&eacute;, r&eacute;initialis&eacute;, PIN oubli&eacute;)
+recovery_questionnaire_reason_selection.banner.error=Veuillez s&eacute;lectionner un motif.
+recovery_questionnaire_reason_selection.instruction=Veuillez s&eacute;lectionner la raison pour laquelle vous entamez le processus de r&eacute;cup&eacute;ration :
+recovery_start_info.banner.warning=Vous ne pourrez pas utiliser votre compte tant que le processus de r&eacute;cup&eacute;ration n'aura pas &eacute;t&eacute; termin&eacute;.
+recovery_start_info.instruction=Le processus de r&eacute;cup&eacute;ration n&eacute;cessitera l&rsquo;enregistrement d&rsquo;un nouveau facteur d&rsquo;authentification. Si votre compte contient des informations ayant d&eacute;j&agrave; &eacute;t&eacute; v&eacute;rifi&eacute;es, il se peut que vous deviez les faire v&eacute;rifier &agrave; nouveau pour terminer la r&eacute;cup&eacute;ration.
+recovery_start_info.title=Vous &ecirc;tes sur le point de d&eacute;marrer le processus de r&eacute;cup&eacute;ration.
+reject.button.label=Refuser
+submit.button.label=Envoyer
+tan.sent=Veuillez saisir le code de s&eacute;curit&eacute; que vous avez re&ccedil;u au votre t&eacute;l&eacute;phone mobile.
+title.login=Login
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorisation du client
+title.pwchange.label=Changer mot de passe
+title.pwreset=Mot de Passe Oubli&eacute;
+title.saml.failed=Error
+title.timeout.page=Logout
+user_input.invalid.email=Veuillez saisir un e-mail valable.
+user_input.invalid.email.required=Champ requis
+user_input.invalid.email.tooLong=La saisie est trop longue
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_it.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_it.properties
@ -0,0 +1,268 @@
+
+accept.button.label=Accettare
+button.submit=Continua
+cancel.button.label=Abortire
+continue.button.label=Continua
+darkModeSwitch.aria.label=Attivare la modalit&agrave; scura 
+deputy.profile.label=(profilo del delegato)
+error.policy.failed=La nuova password non &egrave; stata accettata. Scegliere una password che sia conforme ai criteri di password.
+error.saml.failed=Chiudi il browser e riprova.
+error_1=Verificare i dati inseriti.
+error_10=Scegliere l&rsquo;account utente corretto.
+error_100=Impossibile caricare il certificato. Il certificato esiste gi&agrave;. Contattare l&rsquo;help desk. 
+error_101=L&rsquo;e-mail inserita non &egrave; valida. 
+error_11=Utilizzare un altro certificato o accedere con altre credenziali.
+error_2=Selezionare un altro nome di accesso.
+error_3=Se la prossima autenticazione fallisce, l&rsquo;account sar&agrave; bloccato. 
+error_4=La nuova password non rispetta le norme di sicurezza. Scegliere un&rsquo;altra password. 
+error_5=Errore nella conferma della password.
+error_50=La nuova password &egrave; troppo corta. 
+error_55=La nuova password deve differire da quelle precedenti.
+error_6=&Egrave; richiesta la modifica della password. 
+error_7=&Egrave; richiesta la modifica dell&rsquo;ID di accesso. 
+error_8=A causa dei ripetuti tentativi di autenticazione falliti, l&rsquo;account &egrave; stato bloccato. 
+error_81=Non &egrave; stata trovata alcuna carta di accesso; l&rsquo;accesso da Internet &egrave; negato. 
+error_83=La carta di accesso non &egrave; pi&ugrave; valida. Per richiedere una nuova carta di accesso, contattare il responsabile. 
+error_9=Takeover di sessione fallito.
+error_97=Accesso non autorizzato a questa risorsa.
+error_98=L&rsquo;account &egrave; stato bloccato. 
+error_99=Ci sono problemi di sistema. Riprovare pi&ugrave; tardi. 
+error_9901=Per accedere a questa pagina, &egrave; necessario un link di registrazione valido. 
+error_9902=L&rsquo;e-mail utilizzata per l&rsquo;autenticazione non corrisponde a quella di AGOV operations. Richiedere un nuovo link di registrazione. 
+error_9903=L&rsquo;IdP utilizzato non ha inviato un&rsquo;asserzione valida. Assicurarsi di utilizzare l&rsquo;IdP corretto. Richiedere al supporto un nuovo link di registrazione. 
+error_9904=Il link non &egrave; pi&ugrave; valido. Assicurarsi di utilizzare il link pi&ugrave; recente ricevuto in AGOV operations. Se il problema persiste, richiedere un nuovo link. 
+error_9905=Si &egrave; verificato un problema con l&rsquo;account AGOV operations. Contattare il supporto. 
+error_9909=Si &egrave; verificato un errore interno. Richiedere al supporto un nuovo link di registrazione. 
+errors.duplicateValue=Il suo account &egrave; gi&agrave; collegato ad un altro accesso operativo.
+fido2_auth.cancel.fido=L'autenticazione con la chiave di sicurezza &egrave; stata interrotta. Assicurarsi che la chiave FIDO sia registrata e che l'indirizzo e-mail sia corretto, poi seguire le istruzioni. 
+fido2_auth.instruction1=Cliccare su "Continua"
+fido2_auth.instruction2=A breve si aprir&agrave; una finestra per l'autenticazione. 
+fido2_auth.instruction3=Seguire le istruzioni.
+fido2_auth.skipInstructions=Non mostrare pi&ugrave; le istruzioni
+fido2_auth.switchLogin=ACCEDERE CON
+footer.link=https://agov.ch/?c=contact&l=it
+footer.link.label=Contatto
+footer.text=Servizio di autenticazione delle autorit&agrave; Svizzere AGOV - una collaborazione tra Cantoni, Comuni e l'Amministrazione federale. -
+general.AGOVAccessApp=App AGOV access
+general.accessApp=App AGOV access
+general.authenticate=Autentifica
+general.back=Indietro
+general.cancel=Annullare
+general.confirm=Confermare
+general.contactSupport=Contattare il supporto
+general.continue=Continuare
+general.edit=Modificare
+general.email=e-mail
+general.email.address=Indirizzo e-mail
+general.entryCode=Codice
+general.getStarted=Iniziare
+general.goAGOVHelp=Vai ad AGOV help
+general.goAccessApp=Login con AGOV access
+general.help=Aiuto
+general.help.link=https://agov.ch/pages/help_it.html
+general.login=Accedere
+general.loginSecurityKey=Iniziare il login con la chiave di sicurezza
+general.or=O
+general.otherOptions=ALTRE OPZIONI
+general.recovery=Ripristino
+general.recoveryOngoing=Ripristino in corso
+general.register=Registrarsi
+general.registerNow=Si registri ora!
+general.registration=Registrazione
+general.securityKey=Chiave di sicurezza
+general.skip.content=Vai al contenuto principale
+generic.auth.error.message=Si &egrave; verificata un&rsquo;interruzione. Stiamo lavorando per ripristinare l&rsquo;esercizio. 
+generic.auth.error.next.steps=Riprovare pi&ugrave; tardi. Se il problema persiste, consultare AGOV help.
+generic.auth.error.subtitle=Qualcosa non ha funzionato.
+generic.auth.error.title=Errore
+info.login=Per favore inserisca i suoi dati di accesso.
+info.logout.confirmation=Si prega di confermare che si desidera disconnettersi.
+info.logout.reminder=La sessione su questa applicazione &#x26;egrave; scaduta. Prova ancora con un login.
+info.oauth.consent=Vuoi consentire all&#39;applicazione?
+info.timeout.page=La sessione su questa applicazione &#x26;egrave; scaduta. Prova ancora con un login.
+language.de=Deutsch
+language.en=English
+language.fr=Fran&ccedil;ais
+language.it=Italiano
+languageDropdown.aria.label=Selezionare la lingua
+loainfo.description.200=Per accedere all'app &egrave; necessaria una verifica dei dati. La procedura pu&ograve; richiedere fino a 2&ndash;3 giorni lavorativi. 
+loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, pu&ograve; selezionare la procedura di verifica desiderata.
+loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.helper=I dati devono essere verificati!
+loainfo.later=Pi&ugrave; tardi 
+loainfo.startNow=Iniziare la procedura?
+loainfo.startVerification=Iniziare la verifica
+loainfo.title=Verificare i dati.
+login.button.label=Login
+logout.label=Logout
+logout.text=&Egrave; uscito con successo.
+mauth_usernameless.EID=Continuare con CH e-ID
+mauth_usernameless.banner.error=Autenticazione interrotta.<br>Riprovare dopo che la pagina si sar&agrave; ricaricata. 
+mauth_usernameless.banner.info=La scansione &egrave; stata eseguita.<br>Continuare nell'app AGOV access. 
+mauth_usernameless.banner.success=Autenticazione riuscita!<br>Aspettare di essere connessi.
+mauth_usernameless.cannotLogin=Ha perso l'accesso alla sua app/chiave di sicurezza?
+mauth_usernameless.hideQR=Nascondi il codice QR
+mauth_usernameless.instructions=Per accedere, scansionare il codice QR con l'app AGOV access.
+mauth_usernameless.noAccount=Non ha ancora un AGOV-Login ?
+mauth_usernameless.showQR=Visualizza il codice QR
+mauth_usernameless.startRecovery=Inizia il recupero dell'account
+mauth_usernameless.useSecurityKey=Accedere utilizzando una chiave di sicurezza.
+mauth_usernameless.useSecurityKeyInfo=Una chiave di sicurezza fisica permette di accedere in modo sicuro senza utilizzare un telefono.
+method.certificate.label=Certificato
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Codice mTAN
+method.oath.label=App di autenticazione OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codici di ripristino
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+op-admin.login=AGOV op admin
+op-admin.login.intro.message=Accedere con nome utente e password
+op-admin.login.loginid=ID di accesso
+op-admin.login.password=Password
+op-admin.login.title=Accedere
+op-admin.logout=AGOV op admin
+op-admin.logout.message=La sessione &egrave; terminata. 
+op-admin.logout.title=Disconnessione
+op-admin.pwchange.intro.message=&Egrave; richiesta la modifica della password. 
+op-admin.pwchange.newpassword=Nuova password
+op-admin.pwchange.newpassword2=Ripetere la nuova password
+op-admin.pwchange.password=Password attuale
+op-admin.pwchange.title=Modificare password
+op-idmlogin.role.accs-mgmt-idm=Gestione dei diritti di accesso IDM
+op-idmlogin.role.accs-mgmt-nonidm=Gestione dei diritti di accesso
+op-idmlogin.role.idmcfg-mgmt=Configurazione dell'IDM
+op-idmlogin.role.readonly-access=Accesso predefinito (sola lettura)
+op-idmlogin.role.support-basic=Casi di supporto (ripristino, ...)
+op-idmlogin.role.support-priv=Supporto di terzo livello (archiviazione, off-boarding)
+op-idmlogin.role.usr-mgmt=Gestione utenti (operazioni)
+op-idmlogin.role.usr-unit-mgmt=Gestione utenti e organizzazione (operazioni)
+op-idmlogin.select=AGOV idm
+op-idmlogin.select.intro=Si prega di selezionare uno dei seguenti profili...
+op-idmlogin.select.note=I profili contrassegnati con * devono essere utilizzati solo se richiesti per attivit&agrave; di supporto o rilascio specifiche.
+op-idmlogin.select.title=Selezione del profilo
+op-onboarding.done.message=La registrazione &egrave; riuscita. Ora l&rsquo;accesso AGOV operations &egrave; pronto. Prima di accedere ad AGOV operations, chiudere il browser.
+op-onboarding.done.title=FINITO
+op-onboarding.failed.title=ERRORE
+op-onboarding.intro.message1=Per completare la registrazione per l'accesso AGOV operations, &egrave; necessario avere un account AGOV o FED-LOGIN.
+op-onboarding.intro.message2=Dopo aver cliccato su "Continua", si &egrave; reindirizzati al servizio di autenticazione.
+op-onboarding.intro.message3=Se utilizza AGOV e l&rsquo;account non soddisfa ancora il livello richiesto AGOVaq, potr&agrave; avviare la verifica dell&rsquo;identit&agrave; richiesta. 
+op-onboarding.intro.title=INIZIARE
+op-onboarding.onboarding=Registrazione AGOV op
+op-onboarding.process.message=Qualcosa non ha funzionato. Contattare il supporto AGOV e, se necessario, richiedere un nuovo link di registrazione.
+outarg.lastLogin.never=Mai
+policyFailure.dictionary=&#9642; non pu&ograve; essere presa da un dizionario.
+policyFailure.history.History=&#9642; deve essere diversa da password precedenti.
+policyFailure.regex.control=&#9642; non pu&ograve; contenere pi&ugrave; di {0} caratteri di controllo.
+policyFailure.regex.lower=&#9642; deve conenere almeno {0} caratteri minuscoli.
+policyFailure.regex.maxCharacterRepetitions=&#9642; non pu&ograve; contentere una sequenza pi&ugrave; lunga di {0} caratteri uguali.
+policyFailure.regex.maxLength=&#9642; deve contenere al massimo {0} caratteri.
+policyFailure.regex.minLength=&#9642; deve contenere almeno {0} caratteri.
+policyFailure.regex.nonAlnum=&#9642; deve conenere almeno {0} caratteri non alfanumerici.
+policyFailure.regex.nonAscii=&#9642; non pu&ograve; contenere pi&ugrave; di {0} caratteri non ASCII.
+policyFailure.regex.nonGraph=&#9642; non pu&ograve; contenere pi&ugrave; di {0} caratteri non stampabili.
+policyFailure.regex.nonLetter=&#9642; non pu&ograve; contenere pi&ugrave; di {0} numeri o caratteri speciali.
+policyFailure.regex.numeric=&#9642; deve contenere {0} caratteri numerici.
+policyFailure.regex.upper=&#9642; deve conenere almeno {0} caratteri maiuscoli.
+policyInfo.dictionary=&#9642; non pu&ograve; essere presa da un dizionario.
+policyInfo.history.History=&#9642; deve essere diversa dalle password precedenti.
+policyInfo.regex.control=&#9642; non pu&ograve; contenere pi&ugrave; di {0} carattere/i di controllo.
+policyInfo.regex.lower=&#9642; deve conenere almeno {0} carattere/i minuscolo/i.
+policyInfo.regex.maxCharacterRepetitions=&#9642; non pu&ograve; contentere una sequenza pi&ugrave; lunga di {0} caratteri uguali.
+policyInfo.regex.maxLength=&#9642; deve contenere al massimo {0} carattere/i.
+policyInfo.regex.minLength=&#9642; deve contenere almeno {0} carattere/i.
+policyInfo.regex.nonAlnum=&#9642; deve conenere almeno {0} carattere/i non alfanumerico/i.
+policyInfo.regex.nonAscii=&#9642; non pu&ograve; contenere pi&ugrave; di {0} carattere/i non ASCII.
+policyInfo.regex.nonGraph=&#9642; non pu&ograve; contenere pi&ugrave; di {0} carattere/i non stampabile/i.
+policyInfo.regex.nonLetter=&#9642; non pu&ograve; contenere pi&ugrave; di {0} numero/i o caratere/i speciale/i.
+policyInfo.regex.numeric=&#9642; deve contenere un minimo di {0} carattere/i numerico/i.
+policyInfo.regex.upper=&#9642; deve conenere almeno {0} carattere/i maiuscolo/i.
+policyInfo.title=La password deve rispettare le seguenti direttive:
+prompt.client=Mandator
+prompt.newpassword=Nuova Password
+prompt.newpassword.confirm=Conferma password
+prompt.password=Password
+prompt.userid=Nome utente
+pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
+pwreset.email.sent=Se il vostro ID utente esiste, vi è stata inviata un'e-mail per reimpostare la password.
+pwreset.info.linktext=Password forgotten
+pwreset.noticket=Your password reset ticket is no longer valid. Please generate a new one.
+recovery_accessapp_auth.accessAppRegistered=App di accesso AGOV gi&agrave; registrata 
+recovery_accessapp_auth.instruction1=Ha gi&agrave; registrato una nuova app di accesso AGOV !!!SECURITY_KEY_NAME!!! come parte del processo di recupero. 
+recovery_accessapp_auth.instruction2=Si prega di usare !!!ACCESS_APP_NAME!!! per l'identificazione.
+recovery_check_code.codeIncorrect=Il codice inserito non &egrave; corretto. Riprovare. 
+recovery_check_code.enterRecoveryCode=Inserisca il codice di recupero
+recovery_check_code.instruction=Inserire qui sotto il codice di ripristino a 12 caratteri alfanumerici. Ha ricevuto questo codice in un file PDF al momento della registration o in AGOV me.
+recovery_check_code.invalid.code=Il codice non &egrave; valido 
+recovery_check_code.invalid.code.required=Codice richiesto
+recovery_check_code.invalid.code.tooLong=Il codice &egrave; troppo lungo 
+recovery_check_code.noAccess=Non ho il mio codice.
+recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
+recovery_check_code.noCodeAccessInstructions=Se non ha pi&ugrave; il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assister&agrave; nel processo di ripristino.
+recovery_check_noCode.banner.error=Troppi tentativi o codice di ripristino scaduto
+recovery_check_noCode.instruction1=Il codice di ripristino inserito pu&ograve; essere scaduto o &egrave; stato inserito troppe volte. 
+recovery_check_noCode.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
+recovery_code.banner.error=Per procedere, inserire il nuovo codice.
+recovery_code.instruction=Il codice di ripristino le aiuta ad accedere al suo conto in caso in cui lei abbia perso le credentiali di accesso. Per favore, conservi il codice di ripristino in un luogo sicuro.
+recovery_code.newRecoveryCode=Introduzione del codice di ripristino
+recovery_code.validUntil=Valido fino a:
+recovery_fidokey_auth.button=Iniziare l'authenticazione della chiave
+recovery_fidokey_auth.fidoInstruction=Cliccare su "Iniziare l'authenticazione della chiave"
+recovery_fidokey_auth.instruction1=Ha gi&agrave; registrato una nuova chiave di sicurezza !!!SECURITY_KEY_NAME!!! come parte del processo di recupero. 
+recovery_fidokey_auth.instruction2=Si prega di usare !!!SECURITY_KEY_NAME!!! per poter seguire i passaggi seguenti per identificarti.
+recovery_fidokey_auth.keyRegistered=Chiave di sicurezza gi&agrave; registrata 
+recovery_intro_email.banner.error=Il link utilizzato &egrave; scaduto. Per ricevere un nuovo link, inserire l&rsquo;indirizzo e-mail. 
+recovery_intro_email.banner.info=Per ricevere il link e avviare il processo di ripristino, inserire l&rsquo;indirizzo e-mail. 
+recovery_intro_email.captchaUnchecked=Per favore selezioni il campo captcha
+recovery_intro_email.important=Importante:
+recovery_intro_email.process=Il processo di ripristino deve essere utilizzato solo se ha perso l'accesso ai suoi fattori di accesso (app di accesso AGOV eliminata, chiave di sicurezza persa, telefono smarrito, ecc.).
+recovery_intro_email.siteProtectedWithRecaptcha=Questo sito &egrave; protetto da reCAPTCHA. Si applicano le <a class='link' href='https://policies.google.com/privacy' target='_blank'>norme sulla privacy</a> e i <a class='link' href='https://policies.google.com/terms' target='_blank'>termini di servizio di Google</a>. 
+recovery_intro_email_sent.banner.button=Non avete ricevuto l'e-mail?
+recovery_intro_email_sent.banner.success=Grazie! &Egrave; stata inviata un&rsquo;e-mail contenente il codice di ripristino e le istruzioni. 
+recovery_on_going.finishRecovery=Completare il ripristino
+recovery_on_going.instruction=&Egrave; in corso un processo di ripristino. Il processo di ripristino pu&ograve; includere una verifica dell&rsquo;identit&agrave;. Per accedere alle applicazioni con il proprio AGOV-Login, &egrave; necessario completare la verifica dell&rsquo;identit&agrave;. 
+recovery_on_going.title=Completare il processo di ripristino.
+recovery_questionnaire_instructions.banner.info=Tenga presente che in alcuni casi &egrave; necessario utilizzare il codice di ripristino per un ripristino riuscito.
+recovery_questionnaire_instructions.explanation=In base alle sue risposte sembra essere necessario un ripristino AGOV-Login. Fare clic su Continua e seguire le istruzioni visualizzate sullo schermo.
+recovery_questionnaire_instructions.instruction1=Si prega di fornire l'indirizzo email del suo account in modo di poter inviarle un link per iniziare il processo di recupero
+recovery_questionnaire_instructions.instruction2=Si prega di seguire i passaggi per recuperare il suo account (i passaggi varieranno a seconda del livello di verifica dell'account)
+recovery_questionnaire_loginfactor.banner.error=Si prega di selezionare una risposta.
+recovery_questionnaire_loginfactor.no=No
+recovery_questionnaire_loginfactor.question=Ha registrato pi&ugrave; di un fattore di accesso (app di accesso AGOV o chiave di sicurezza) al suo account?
+recovery_questionnaire_loginfactor.yes=Si
+recovery_questionnaire_no_recovery.explanation1=In base alle sue risposte, l'opzione di ripristino AGOV non sembra necessaria al momento.
+recovery_questionnaire_no_recovery.explanation2=Se ha bisogno di ulteriori informazioni, visiti <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> per articoli di supporto.
+recovery_questionnaire_no_recovery.instruction1=Se riscontra problemi di accesso a un'applicazione, visiti <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> e verifichi se pu&ograve; accedere con successo.
+recovery_questionnaire_no_recovery.instruction2=Se ha registrato pi&ugrave; fattori di accesso ma ha perso l'accesso a uno di essi, visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> per rimuovere quello a cui ha perso l'accesso.
+recovery_questionnaire_reason_selection.answer1=Ho problemi ad accedere, anche se ho la mia app/chiave di sicurezza
+recovery_questionnaire_reason_selection.answer10=Ho perso uno dei miei fattori di accesso (app di accesso AGOV o chiave di sicurezza)
+recovery_questionnaire_reason_selection.answer2=Non sono riuscito a completare la registrazione
+recovery_questionnaire_reason_selection.answer3=Ho eliminato o reimpostato la mia app di accesso AGOV
+recovery_questionnaire_reason_selection.answer4=Ho perso il telefono/la chiave di sicurezza
+recovery_questionnaire_reason_selection.answer5=Ho un nuovo telefono e ho dimenticato di trasferire la mia app di accesso AGOV
+recovery_questionnaire_reason_selection.answer6=Ho dimenticato il PIN dell'app di accesso AGOV
+recovery_questionnaire_reason_selection.answer7=Ho i miei token di sicurezza o le mie app, ma ho avuto problemi ad accedere
+recovery_questionnaire_reason_selection.answer8=Ho perso l'accesso a tutte le mie chiavi di sicurezza e alle app di accesso AGOV
+recovery_questionnaire_reason_selection.answer9=Ho problemi con uno dei miei fattori di accesso (PIN cancellato, reimpostato, dimenticato)
+recovery_questionnaire_reason_selection.banner.error=Si prega di selezionare il motivo.
+recovery_questionnaire_reason_selection.instruction=Si prega di selezionare il motivo per cui sta avviando il processo di recupero:
+recovery_start_info.banner.warning=Non &egrave; possibile utilizzare l&rsquo;account finch&eacute; il processo di ripristino non sar&agrave; concluso. 
+recovery_start_info.instruction=Durante il processo di ripristino sar&agrave; registrato un nuovo fattore di accesso. Se l&rsquo;account contiene informazioni verificate, potrebbe essere necessario avviare un processo di verifica per completare il ripristino. 
+recovery_start_info.title=Il processo di ripristino sta per iniziare.
+reject.button.label=Rifiuti
+submit.button.label=Continua
+tan.sent=Inserisci il codice di sicurezza che &egrave; stato inviato al tuo telefono cellulare.
+title.login=Login
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorizzazione del client
+title.pwchange.label=Cambiare Password
+title.pwreset=Password Forgotten
+title.saml.failed=Error
+title.timeout.page=Logout
+user_input.invalid.email=Inserire un'e-mail valida.
+user_input.invalid.email.required=Campo obbligatorio
+user_input.invalid.email.tooLong=Il testo inserito &egrave; troppo lungo. 
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/Recovery_getCredentials.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/Recovery_getCredentials.groovy
@ -0,0 +1,62 @@
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import groovy.json.JsonSlurper
+import java.time.ZonedDateTime
+import java.time.format.DateTimeFormatter
+import java.time.ZoneId
+import ch.nevis.esauth.auth.engine.AuthResponse
+import groovy.xml.XmlSlurper
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String baseUrl = parameters.get('baseUrl')
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String endPoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId/fido2"
+String endPointFidoUAF = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId/generic-credentials"
+
+def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
+def hasRecoveryRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recovery' }
+if (hasRecoveryRole != null) {
+  String result
+  try {
+     result = idmRestClient.get(endPoint)
+     resultFidoUAF = idmRestClient.get(endPointFidoUAF)
+
+  def json = new JsonSlurper().parseText(result)
+LOG.info('Result fido2: ' + json)
+
+    def login=false
+    json['items'].each {
+     if ("active".equals(it.stateName)) {
+         response.setSessionAttribute('agov.recovery.securityKey', it.userFriendlyName)
+         response.setResult('loginWithFido2')
+         login=true
+         return
+      }
+
+   }
+   if (login) {
+     return
+   }
+   def jsonFidoUAF = new JsonSlurper().parseText(resultFidoUAF)
+   LOG.info('Result fidoUAF: ' + jsonFidoUAF)
+      jsonFidoUAF['items'].each {
+        if ("active".equals(it.stateName)) {
+          response.setSessionAttribute('agov.recovery.accessapp', it.properties.fidouaf_name)
+          response.setResult('loginWithFidoUAF')
+          login=true
+          return
+        }
+     }
+     if (login) {
+       return
+     }
+  } catch(Exception e) {
+    LOG.error(e.toString())
+    response.setResult('failed')
+   return
+  }
+
+}
+response.setResult('ok')
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/Recovery_mobile_nless_auth.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/Recovery_mobile_nless_auth.groovy
@ -0,0 +1,52 @@
+import groovy.json.JsonBuilder
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+def clearFidoUAFSession() {
+    def s = request.getAuthSession(true)
+    s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
+    inargs.remove('fallback')
+}
+
+
+// dispatch AJAX calls and form POST when operation is done
+if (inargs['fidoUafDone'] == 'true' ||
+    inargs.containsKey('o.fidoUafSessionId.v') ||
+    getHeader('Content-Type') == 'application/json') {
+
+  if (inargs.containsKey('o.fidoUafSessionId.v') && (inargs['o.fidoUafSessionId.v'] != session['ch.nevis.auth.fido.uaf.fidouafsessionid'])) {
+      // received polling for wrong fido session; make sure, that stops
+      LOG.debug("received polling for wrong fido session ${inargs['o.fidoUafSessionId.v']} (correct: ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']})")
+      def json = new JsonBuilder()
+      json {
+          "status" "unknown"
+          "timestamp" org.joda.time.DateTime.now().toString()
+      }
+      String body = json.toString()
+
+      response.setContent(body)
+      response.setContentType('application/json')
+      response.setHttpStatusCode(200)
+      response.setIsDirectResponse(true)
+      response.setStatus(AuthResponse.AUTH_CONTINUE)
+      return
+  }
+
+  // continue with OutOfBandFidoUafAuthState
+  response.setResult('ok')
+}
+
+
+// dispatch form post with onReload input field : refresh QR-code FIDO UAF
+if (inargs.containsKey('onReload')) {
+    clearFidoUAFSession()
+    response.setResult('default')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy
@ -0,0 +1,19 @@
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTime().getEpochSecond() * 1000)
+
+LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+
+// delete the login cookie
+def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
+response.setHeader('Set-Cookie', agovLoginCookie)
+
+response.setResult('ok')
+return
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy
@ -0,0 +1,24 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTime().getEpochSecond() * 1000)
+
+def errorCode = notes['saml.errorCode'] ?: 'unknown'
+def errorMessage = notes['saml.errorMessage'] ?: 'unknown'
+
+LOG.info("Event='SAMLERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, errorCode='${errorCode}', errorMessage='${errorMessage}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+
+// delete the login cookie
+def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
+response.setHeader('Set-Cookie', agovLoginCookie)
+
+response.setStatus(AuthResponse.AUTH_ERROR)
+return
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/bc.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/bc.properties
@ -0,0 +1 @@
+bc.tracer.TraceIndentFactory=ch.nevis.bc.io.Log4jTraceIndentFactory
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkInsufficientLoa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkInsufficientLoa.groovy
@ -0,0 +1,133 @@
+import groovy.xml.XmlSlurper
+
+def getUserAGOVLoiRoles() {
+  // set attibutes from DTO: -> AGOVaq
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+}
+
+def getUserAGOVLoiIdVerification() {
+  // set attibutes from DTO: -> idVerification
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' }.collect({ node -> node.value.text()})
+}
+
+def getUserAGOVLoiValidFrom(level) {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}.getProperty("validFrom")
+}
+
+def getUserAGOVLoiValidTo(level) {
+  // set attibutes from DTO: -> validTo
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}.getProperty("validTo")
+}
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+try {
+  // beef
+  def session = request.getAuthSession(true)
+  def highestRoleLevelNumber = 0
+  def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
+  def hasValidatedAddress = Arrays.stream(response.getActualRoles()).filter(s -> s == 'AGOV-Loi.level200').findAny().isPresent()
+
+  LOG.debug('Requested role level '+ requestedRoleLevelNumber)
+  LOG.debug('idVerification: ' + getUserAGOVLoiIdVerification())
+  LOG.debug('hasValidatedAddress : ' + hasValidatedAddress)
+
+  session.setAttribute('idVerification', getUserAGOVLoiIdVerification().last())
+  session.setAttribute('agov.hasValidatedAddress', '' + hasValidatedAddress)
+
+
+  if (requestedRoleLevelNumber == 0) {
+    // AuthnFailed_Zero_RoleLvl
+    response.setResult('noRoleLevel');
+    return
+  }
+
+  if (session.get('ch.adnovum.nevisidm.profileExtId') == '') {
+    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+    session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
+    response.setResult('ok')
+    return
+  }
+
+  // Transform sex to number
+  if(session.get('ch.nevis.idm.User.gender') == 'MALE'){
+          session.setAttribute('ch.nevis.idm.User.gender', '1')
+  }
+  if(session.get('ch.nevis.idm.User.gender') == 'FEMALE'){
+          session.setAttribute('ch.nevis.idm.User.gender', '2')
+  }
+  if(session.get('ch.nevis.idm.User.gender') == 'OTHER'){
+          session.setAttribute('ch.nevis.idm.User.gender', '3')
+  }
+
+
+  for (String role : getUserAGOVLoiRoles()) {
+  if (role.startsWith('level')) {
+    def roleLevel = role.substring(5)
+    int roleLevelNumber = Integer.parseInt(roleLevel)
+    if (highestRoleLevelNumber == 0) {
+      highestRoleLevelNumber = roleLevelNumber
+    }
+    if (highestRoleLevelNumber< roleLevelNumber) { 
+      highestRoleLevelNumber=roleLevelNumber 
+    } 
+  } 
+  } 
+  LOG.debug('Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) 
+  LOG.debug(' Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) 
+
+  //set attribute Actual Role Level
+  session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
+  LOG.info('actual role level (agov) '+ highestRoleLevelNumber)
+
+  if (highestRoleLevelNumber > 0) {
+    // set attribute contextClassRefToSet
+    session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
+  } else {
+    // by default 100
+    session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' ) 
+  }
+
+  if (highestRoleLevelNumber>=requestedRoleLevelNumber) { 
+
+    // set attribute ValidFrom and ValidTo (only for higher than 100)
+    if (highestRoleLevelNumber > 100) {
+      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString()))
+      def validTo = getUserAGOVLoiValidTo('level'.concat(highestRoleLevelNumber.toString()))
+
+      LOG.debug('ValidFrom :' + validFrom)
+      LOG.debug('ValidTo :' + validTo)
+
+      if(validFrom != '') {
+        session.setAttribute('ValidFrom', '' + validFrom) 
+      }
+      if(validTo != '') {
+        session.setAttribute('ValidTo', '' + validTo) 
+      }
+    }
+    response.setResult('ok')
+    return; 
+  } else { 
+    // Insufficient_LoaInfo
+    response.setResult('insufficientLoa'); 
+    return; 
+  }
+} catch (Exception ex) {
+  LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='exception occured: ${ex}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+  // AuthnFailed_Zero_RoleLvl
+  response.setResult('noRoleLevel');
+  return;
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
@ -0,0 +1,230 @@
+import org.codehaus.groovy.runtime.StackTraceUtils
+import groovy.xml.XmlSlurper
+
+def getUserAGOVLoiRoles() {
+  // set attibutes from DTO: -> AGOVaq
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+}
+
+def getUserAGOVRecoveryRoles() {
+  // set attibutes from DTO: -> AGOV
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' }.collect({ node -> node.name.text() })
+}
+
+def getUserAGOVLoiIdVerification() {
+  // set attibutes from DTO: -> idVerification
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text().contains('AGOV-Loi,')}.collect({ node -> node.value.text()})
+}
+
+def getUserAGOVLoiIdVerification(level) {
+  // set attibutes from DTO: -> idVerification
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,level' + level}.collect({ node -> node.value.text()})
+} 
+
+def getUserAGOVLoiValidFrom(level) {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}?.validFrom?.text()
+}
+
+def getUserAGOVLoiValidTo(level) {
+  // set attibutes from DTO: -> validTo
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}?.validTo?.text()
+}
+
+def getUserIdVerificationForRecovery() {
+  // application is AGOV-AccountStatus
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def result = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover'}?.value?.text()
+
+  if (!result) {
+    // fallback if not explicitly set
+    def currentLoaRole = getUserAGOVLoiRoles()?.sort()?.last() ?: 'level100'
+    def chDomicile = list.country.text() == 'ch'
+    def lastIdVerification = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + currentLoaRole}?.value?.text()
+    switch (currentLoaRole) {
+      case 'level100':
+        result = chDomicile ? 'SimpleLetter' : 'Video'
+        break
+      case 'level200':
+        result = chDomicile ? 'Bmid' : 'Video'
+        break
+      case 'level300':
+      case 'level400':
+        result = chDomicile ? lastIdVerification : 'Video'
+        break
+      default:
+        LOG.warn("unexpected loa on account: ${currentLoaRole}")
+        // safest default, should work in any case
+        result = 'Video'
+    }
+    LOG.warn("Recovery method not set, choosing ${result} (based on currentLoad: ${currentLoaRole}, CH-domicile: ${chDomicile}, last verification method: ${lastIdVerification})")
+  }
+  return result
+}
+
+def getUserMustRecoverValidFrom() {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def authzNode = payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == 'mustRecover'}
+  return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
+}
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+try {
+  // beef
+  def session = request.getAuthSession(true)
+  def highestRoleLevelNumber = 0
+  def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
+  def adressVerificationList = getUserAGOVLoiIdVerification('200')
+  def adressVerification = 'None'
+  if (adressVerificationList && !adressVerificationList.isEmpty()) {
+    adressVerification = adressVerificationList[0]
+  }
+
+  LOG.debug('Requested role level '+ requestedRoleLevelNumber)
+  LOG.debug('idVerification: ' + getUserAGOVLoiIdVerification())
+  LOG.debug('adressVerification : ' + adressVerification)
+
+  def idVerificationMethodList = getUserAGOVLoiIdVerification()
+
+  session.setAttribute('idVerification', idVerificationMethodList.isEmpty() ? 'None' : idVerificationMethodList.last())
+  session.setAttribute('agov.adressVerification', '' + adressVerification)
+
+
+  if (requestedRoleLevelNumber == 0) {
+    // AuthnFailed_Zero_RoleLvl
+    response.setResult('error');
+    return
+  }
+
+  if (session.get('ch.adnovum.nevisidm.profileExtId') == '') {
+    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+    session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
+    response.setResult('ok')
+    return
+  }
+
+  // Transform sex to number
+  if(session.get('ch.nevis.idm.User.gender') == 'MALE'){
+          session.setAttribute('ch.nevis.idm.User.gender', '1')
+  }
+  if(session.get('ch.nevis.idm.User.gender') == 'FEMALE'){
+          session.setAttribute('ch.nevis.idm.User.gender', '2')
+  }
+  if(session.get('ch.nevis.idm.User.gender') == 'OTHER'){
+          session.setAttribute('ch.nevis.idm.User.gender', '3')
+  }
+
+
+  for (String role : getUserAGOVLoiRoles()) {
+  if (role.startsWith('level')) {
+    def roleLevel = role.substring(5)
+    int roleLevelNumber = Integer.parseInt(roleLevel)
+    if (highestRoleLevelNumber == 0) {
+      highestRoleLevelNumber = roleLevelNumber
+    }
+    if (highestRoleLevelNumber< roleLevelNumber) { 
+      highestRoleLevelNumber=roleLevelNumber 
+    } 
+  } 
+  } 
+  LOG.debug('Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) 
+  LOG.debug(' Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) 
+
+  //set attribute Actual Role Level
+  session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
+  LOG.debug('actual role level (agov) '+ highestRoleLevelNumber)
+
+  if (highestRoleLevelNumber > 0) {
+    // set attribute contextClassRefToSet
+    session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
+  } else {
+    // by default 100
+    session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' ) 
+  }
+
+  // no login for users with a recovery role
+  for (String role : getUserAGOVRecoveryRoles()) {
+    if (role == 'mustRecover') {
+      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+      session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' ) 
+
+      def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+      if (highestRoleLevelNumber < 300) {
+        // plus 100, if mustRecover
+        highestRoleLevelNumber += 100
+      }
+      session.setAttribute('agov.recovery.currentAgovAq', 'urn:qa.agov.ch:names:tc:ac:classes:'.concat(highestRoleLevelNumber.toString()) )
+
+      def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
+      session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
+
+      def validFrom = getUserMustRecoverValidFrom() ?: ''
+      session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom ) 
+
+      response.setResult('exit.2')
+      return
+
+    } else if (role == 'recovery') {
+      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+      session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown') 
+      session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+      LOG.debug('idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
+      def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
+      session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
+      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
+      session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom) 
+
+      response.setResult('exit.2')
+      return
+    } 
+  }
+
+  if (highestRoleLevelNumber>=requestedRoleLevelNumber) { 
+
+    // set attribute ValidFrom and ValidTo (only for higher than 100)
+    if (highestRoleLevelNumber > 100) {
+      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString()))
+      def validTo = getUserAGOVLoiValidTo('level'.concat(highestRoleLevelNumber.toString()))
+
+      LOG.debug('ValidFrom :' + validFrom)
+      LOG.debug('ValidTo :' + validTo)
+
+      if(validFrom != '') {
+        session.setAttribute('ValidFrom', '' + validFrom) 
+      }
+      if(validTo != '') {
+        session.setAttribute('ValidTo', '' + validTo) 
+      }
+    }
+    response.setResult('ok')
+    return; 
+  } else { 
+    // Insufficient_LoaInfo
+    response.setResult('exit.1'); 
+    return; 
+  }
+} catch (Exception ex) {
+  LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='exception occured: ${ex}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+  ex = StackTraceUtils.sanitize(ex)
+  def affectedLines = ex.stackTrace.findAll { it.className.startsWith('Script') }.collect { "${it.methodName}:${it.lineNumber}" }
+  LOG.error("FATAL: Script failure (at lines: ${affectedLines})", ex)
+  // AuthnFailed_Zero_RoleLvl
+  response.setResult('error');
+  return;
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/countries.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/countries.xml
@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<country-names>
+	<country code="af" en="Afghanistan" de="Afghanistan" fr="Afghanistan" it="Afghanistan"/>
+	<country code="al" en="Albania" de="Albanien" fr="Albanie" it="Albania"/>
+	<country code="dz" en="Algeria" de="Algerien" fr="Algérie" it="Algeria"/>
+	<country code="as" en="American Samoa" de="Amerikanisch-Samoa" fr="Samoa américaines" it="Samoa Americane"/>
+	<country code="ad" en="Andorra" de="Andorra" fr="Andorre" it="Andorra"/>
+	<country code="ao" en="Angola" de="Angola" fr="Angola" it="Angola"/>
+	<country code="ai" en="Anguilla" de="Anguilla" fr="Anguilla" it="Anguilla"/>
+	<country code="aq" en="Antarctica" de="Antarktis" fr="Antarctique" it="Antartide"/>
+	<country code="ag" en="Antigua and Barbuda" de="Antigua und Barbuda" fr="Antigua-et-Barbuda" it="Antigua e Barbuda"/>
+	<country code="ar" en="Argentina" de="Argentinien" fr="Argentine" it="Argentina"/>
+	<country code="am" en="Armenia" de="Armenien" fr="Arménie" it="Armenia"/>
+	<country code="aw" en="Aruba" de="Aruba" fr="Aruba" it="Aruba"/>
+	<country code="au" en="Australia" de="Australien" fr="Australie" it="Australia"/>
+	<country code="at" en="Austria" de="Österreich" fr="Autriche" it="Austria"/>
+	<country code="az" en="Azerbaijan" de="Aserbaidschan" fr="Azerbaïdjan" it="Azerbaigian"/>
+	<country code="bs" en="Bahamas" de="Bahamas" fr="Bahamas" it="Bahamas"/>
+	<country code="bh" en="Bahrain" de="Bahrain" fr="Bahreïn" it="Bahrein"/>
+	<country code="bd" en="Bangladesh" de="Bangladesch" fr="Bangladesh" it="Bangladesh"/>
+	<country code="bb" en="Barbados" de="Barbados" fr="Barbade" it="Barbados"/>
+	<country code="by" en="Belarus" de="Belarus" fr="Bélarus" it="Bielorussia"/>
+	<country code="be" en="Belgium" de="Belgien" fr="Belgique" it="Belgio"/>
+	<country code="bz" en="Belize" de="Belize" fr="Belize" it="Belize"/>
+	<country code="bj" en="Benin" de="Benin" fr="Bénin" it="Benin"/>
+	<country code="bm" en="Bermuda" de="Bermudas" fr="Bermudes" it="Bermuda"/>
+	<country code="bt" en="Bhutan" de="Bhutan" fr="Bhoutan" it="Bhutan"/>
+	<country code="bo" en="Bolivia" de="Bolivien" fr="Bolivie" it="Bolivia"/>
+	<country code="ba" en="Bosnia-Herzegovina" de="Bosnien-Herzegowina" fr="Bosnie et Herzégovine" it="Bosnia ed Erzegovina"/>
+	<country code="bw" en="Botswana" de="Botsuana" fr="Botswana" it="Botswana"/>
+	<country code="bv" en="Bouvet Island" de="Bouvetinsel" fr="Île Bouvet" it="Isola Bouvet"/>
+	<country code="br" en="Brazil" de="Brasilien" fr="Brésil" it="Brasile"/>
+	<country code="io" en="British Indian Ocean Territory" de="Britisches Territorium im Indischen Ozean" fr="Territoire britannique de l’océan Indien" it="Territorio Britannico dell’Oceano Indiano"/>
+	<country code="bn" en="Brunei" de="Brunei" fr="Brunei" it="Brunei"/>
+	<country code="bg" en="Bulgaria" de="Bulgarien" fr="Bulgarie" it="Bulgaria"/>
+	<country code="bf" en="Burkina Faso" de="Burkina Faso" fr="Burkina Faso " it="Burkina Faso"/>
+	<country code="bi" en="Burundi" de="Burundi" fr="Burundi" it="Burundi"/>
+	<country code="kh" en="Cambodia" de="Kambodscha" fr="Cambodge" it="Cambogia"/>
+	<country code="cm" en="Cameroon" de="Kamerun" fr="Cameroun" it="Camerun"/>
+	<country code="ca" en="Canada" de="Kanada" fr="Canada" it="Canada"/>
+	<country code="cv" en="Cape Verde" de="Cabo Verde" fr="Cabo Verde" it="Capo Verde"/>
+	<country code="ky" en="Cayman Islands" de="Kaiman-Inseln" fr="Îles Caïmans" it="Isole Cayman"/>
+	<country code="cf" en="Central African Republic" de="Zentralafrikanische Republik" fr="République centrafricaine" it="Repubblica Centrafricana"/>
+	<country code="td" en="Chad" de="Tschad" fr="Tchad" it="Ciad"/>
+	<country code="cl" en="Chile" de="Chile" fr="Chili" it="Cile"/>
+	<country code="cn" en="China (People's Republic OF)" de="China (Volksrepublik)" fr="Chine (République populaire de Chine)" it="Cina, Repubblica popolare cinese"/>
+	<country code="cx" en="Christmas Island (Indian Ocean)" de="Weihnachtsinsel (Indischer Ozean)" fr="Île Christmas (océan Indien)" it="Isola di Natale"/>
+	<country code="cc" en="Cocos (Keeling) Island" de="Kokosinseln (Keeling)" fr="Îles Cocos" it="Isole Cocos (Keeling)"/>
+	<country code="co" en="Colombia" de="Kolumbien" fr="Colombie" it="Colombia"/>
+	<country code="km" en="Comoros" de="Komoren" fr="Comores" it="Comore"/>
+	<country code="cg" en="Congo (Republic)" de="Kongo (Republik)" fr="République du Congo" it="Repubblica del Congo"/>
+	<country code="cd" en="Congo, Democratic Republic" de="Kongo, Demokratische Republik" fr="République démocratique du Congo" it="Repubblica democratica del Congo"/>
+	<country code="ck" en="Cook Islands" de="Cookinseln" fr="Îles Cook" it="Isole Cook"/>
+	<country code="cr" en="Costa Rica" de="Costa Rica" fr="Costa Rica" it="Costa Rica"/>
+	<country code="hr" en="Croatia" de="Kroatien" fr="Croatie" it="Croazia"/>
+	<country code="cu" en="Cuba" de="Kuba" fr="Cuba" it="Cuba"/>
+	<country code="cw" en="Curaçao" de="Curaçao" fr="Curaçao" it="Curaçao"/>
+	<country code="cy" en="Cyprus" de="Zypern" fr="Chypre" it="Cipro"/>
+	<country code="cz" en="Czech Republic" de="Tschechische Republik" fr="Tchéquie" it="Repubblica Ceca"/>
+	<country code="dk" en="Denmark" de="Dänemark" fr="Danemark" it="Danimarca"/>
+	<country code="dj" en="Djibouti" de="Dschibuti" fr="Djibouti" it="Gibuti"/>
+	<country code="dm" en="Dominica" de="Dominica" fr="Dominique" it="Dominica"/>
+	<country code="do" en="Dominican Republic" de="Dominikanische Republik" fr="République dominicaine" it="Repubblica Dominicana"/>
+	<country code="ec" en="Ecuador" de="Ecuador" fr="Équateur" it="Ecuador"/>
+	<country code="eg" en="Egypt" de="Ägypten" fr="Égypte" it="Egitto"/>
+	<country code="sv" en="El Salvador" de="El Salvador" fr="El Salvador" it="El Salvador"/>
+	<country code="gq" en="Equatorial Guinea" de="Äquatorialguinea" fr="Guinée équatoriale" it="Guinea equatoriale"/>
+	<country code="er" en="Eritrea" de="Eritrea" fr="Érythrée" it="Eritrea"/>
+	<country code="ee" en="Estonia" de="Estland" fr="Estonie" it="Estonia"/>
+	<country code="et" en="Ethiopia" de="Äthiopien" fr="Éthiopie" it="Etiopia"/>
+	<country code="fk" en="Falkland Islands" de="Falklandinseln" fr="Îles Falkland" it="Isole Falkland"/>
+	<country code="fo" en="Faroe Islands" de="Färöerinseln" fr="Îles Féroé" it="Isole Faroe"/>
+	<country code="fj" en="Fiji" de="Fidschi" fr="Fidji" it="Figi"/>
+	<country code="fi" en="Finland" de="Finnland" fr="Finlande" it="Finlandia"/>
+	<country code="fr" en="France" de="Frankreich" fr="France" it="Francia"/>
+	<country code="gf" en="French Guiana" de="Französisch-Guayana" fr="Guyane française" it="Guyana francese"/>
+	<country code="pf" en="French Polynesia" de="Französisch-Polynesien" fr="Polynésie française" it="Polinesia francese"/>
+	<country code="ga" en="Gabon" de="Gabun" fr="Gabon" it="Gabon"/>
+	<country code="gm" en="Gambia" de="Gambia" fr="Gambie" it="Gambia"/>
+	<country code="ge" en="Georgia" de="Georgien" fr="Géorgie" it="Georgia"/>
+	<country code="de" en="Germany" de="Deutschland" fr="Allemagne" it="Germania"/>
+	<country code="gh" en="Ghana" de="Ghana" fr="Ghana" it="Ghana"/>
+	<country code="gi" en="Gibraltar" de="Gibraltar" fr="Gibraltar" it="Gibilterra"/>
+	<country code="gb" en="Great Britain and Northern Ireland" de="Grossbritannien und Nordirland" fr="Royaume-Uni" it="Regno Unito"/>
+	<country code="gr" en="Greece" de="Griechenland" fr="Grèce" it="Grecia"/>
+	<country code="gl" en="Greenland" de="Grönland" fr="Groenland" it="Groenlandia"/>
+	<country code="gd" en="Grenada" de="Grenada" fr="Grenade" it="Grenada"/>
+	<country code="gp" en="Guadeloupe" de="Guadeloupe" fr="Guadeloupe" it="Guadalupa"/>
+	<country code="gu" en="Guam" de="Guam" fr="Guam" it="Guam"/>
+	<country code="gt" en="Guatemala" de="Guatemala" fr="Guatemala" it="Guatemala"/>
+	<country code="gg" en="Guernsey" de="Guernsey" fr="Guernesey" it="Guernsey"/>
+	<country code="gn" en="Guinea (Republic)" de="Guinea (Republik)" fr="République de Guinée" it="Guinea"/>
+	<country code="gw" en="Guinea-Bissau" de="Guinea-Bissau" fr="Guinée-Bissau" it="Guinea-Bissau"/>
+	<country code="gy" en="Guyana" de="Guyana" fr="Guyana" it="Guyana"/>
+	<country code="ht" en="Haiti" de="Haiti" fr="Haïti" it="Haiti"/>
+	<country code="hm" en="Heard AND McDonald Islands" de="Heard- und McDonald-Inseln" fr="Îles Heard et McDonald" it="Isola Heard e Isole McDonald"/>
+	<country code="hn" en="Honduras" de="Honduras" fr="Honduras" it="Honduras"/>
+	<country code="hk" en="Hong Kong" de="Hongkong" fr="Hong Kong" it="Hong Kong"/>
+	<country code="hu" en="Hungary" de="Ungarn" fr="Hongrie" it="Ungheria"/>
+	<country code="is" en="Iceland" de="Island" fr="Islande" it="Islanda"/>
+	<country code="in" en="India" de="Indien" fr="Inde" it="India"/>
+	<country code="id" en="Indonesia" de="Indonesien" fr="Indonésie" it="Indonesia"/>
+	<country code="ir" en="Iran" de="Iran" fr="Iran" it="Iran"/>
+	<country code="iq" en="Iraq" de="Irak" fr="Irak" it="Iraq"/>
+	<country code="ie" en="Ireland" de="Irland" fr="Irlande" it="Irlanda"/>
+	<country code="im" en="Island OF Man" de="Isle of Man" fr="Île de Man" it="Isola di Man"/>
+	<country code="il" en="Israel" de="Israel" fr="Israël" it="Israele"/>
+	<country code="it" en="Italy" de="Italien" fr="Italie" it="Italia"/>
+	<country code="ci" en="Ivory Coast" de="Côte d'Ivoire" fr="Côte d’Ivoire" it="Costa d’Avorio"/>
+	<country code="jm" en="Jamaica" de="Jamaika" fr="Jamaïque" it="Giamaica"/>
+	<country code="jp" en="Japan" de="Japan" fr="Japon" it="Giappone"/>
+	<country code="je" en="Jersey" de="Jersey" fr="Jersey" it="Jersey"/>
+	<country code="jo" en="Jordan" de="Jordanien" fr="Jordanie" it="Giordania"/>
+	<country code="kz" en="Kazakhstan" de="Kasachstan" fr="Kazakhstan" it="Kazakstan"/>
+	<country code="ke" en="Kenya" de="Kenia" fr="Kenya" it="Kenya"/>
+	<country code="ki" en="Kiribati" de="Kiribati" fr="Kiribati" it="Kiribati"/>
+	<country code="kp" en="Korea, Democratic People's Republic of (North Korea)" de="Korea, Demokratische Volksrepublik (Nordkorea)" fr="République populaire démocratique de Corée (Corée du Nord)" it="Repubblica popolare democratica di Corea (Corea del Nord)"/>
+	<country code="kr" en="Korea, Republic of (South Korea)" de="Korea, Republik (Südkorea)" fr="République de Corée (Corée du Sud)" it="Repubblica di Corea (Corea del Sud)"/>
+	<country code="xk" en="Kosovo / Unmik" de="Kosovo / UNMIK" fr="Kosovo" it="Kosovo / UNMIK"/>
+	<country code="kw" en="Kuwait" de="Kuwait" fr="Koweït" it="Kuwait"/>
+	<country code="kg" en="Kyrgyzstan" de="Kirgisistan" fr="Kirghizistan" it="Kirghizistan"/>
+	<country code="la" en="Laos" de="Laos" fr="Laos" it="Laos"/>
+	<country code="lv" en="Latvia" de="Lettland" fr="Lettonie" it="Lettonia"/>
+	<country code="lb" en="Lebanon" de="Libanon" fr="Liban" it="Libano"/>
+	<country code="ls" en="Lesotho" de="Lesotho" fr="Lesotho" it="Lesotho"/>
+	<country code="lr" en="Liberia" de="Liberia" fr="Libéria" it="Liberia"/>
+	<country code="ly" en="Libya" de="Libyen" fr="Libye" it="Libia"/>
+	<country code="li" en="Liechtenstein" de="Liechtenstein" fr="Liechtenstein" it="Liechtenstein"/>
+	<country code="lt" en="Lithuania" de="Litauen" fr="Lituanie" it="Lituania"/>
+	<country code="lu" en="Luxembourg" de="Luxemburg" fr="Luxembourg" it="Lussemburgo"/>
+	<country code="mo" en="Macao" de="Macao" fr="Macao" it="Macao"/>
+	<country code="mk" en="Macedonia, the Former Yugoslav Republic of" de="Mazedonien, ehemalige jugoslawische Republik" fr="Macédoine du Nord" it="Macedonia del Nord"/>
+	<country code="mg" en="Madagascar" de="Madagaskar" fr="Madagascar" it="Madagascar"/>
+	<country code="mw" en="Malawi" de="Malawi" fr="Malawi" it="Malawi"/>
+	<country code="my" en="Malaysia" de="Malaysia" fr="Malaisie" it="Malaysia"/>
+	<country code="mv" en="Maldives" de="Malediven" fr="Maldives" it="Maldive"/>
+	<country code="ml" en="Mali" de="Mali" fr="Mali" it="Mali"/>
+	<country code="mt" en="Malta" de="Malta" fr="Malte" it="Malta"/>
+	<country code="mp" en="Mariana Islands" de="Marianen" fr="Îles Mariannes" it="Isole Marianne"/>
+	<country code="mh" en="Marshall Islands" de="Marshallinseln" fr="Îles Marshall" it="Isole Marshall"/>
+	<country code="mq" en="Martinique" de="Martinique" fr="Martinique" it="Martinica"/>
+	<country code="mr" en="Mauritania" de="Mauretanien" fr="Mauritanie" it="Mauritania"/>
+	<country code="mu" en="Mauritius Island" de="Mauritius" fr="Île Maurice" it="Maurizio"/>
+	<country code="yt" en="Mayotte" de="Mayotte" fr="Mayotte" it="Mayotte"/>
+	<country code="mx" en="Mexico" de="Mexiko" fr="Mexique" it="Messico"/>
+	<country code="fm" en="Micronesia (Federated States OF)" de="Mikronesien (Föderierte Staaten von)" fr="États fédérés de Micronésie" it="Stati Federati di Micronesia"/>
+	<country code="md" en="Moldova" de="Moldau" fr="Moldavie" it="Moldova"/>
+	<country code="mc" en="Monaco" de="Monaco" fr="Monaco" it="Monaco"/>
+	<country code="mn" en="Mongolia" de="Mongolei" fr="Mongolie" it="Mongolia"/>
+	<country code="me" en="Montenegro, Republic" de="Montenegro, Republik" fr="Monténégro" it="Montenegro"/>
+	<country code="ms" en="Montserrat" de="Montserrat" fr="Montserrat" it="Montserrat"/>
+	<country code="ma" en="Morocco" de="Marokko" fr="Maroc" it="Marocco"/>
+	<country code="mz" en="Mozambique" de="Mosambik" fr="Mozambique" it="Mozambico"/>
+	<country code="mm" en="Myanmar (Union of)" de="Myanmar (Union)" fr="Myanmar" it="Myanmar"/>
+	<country code="na" en="Namibia" de="Namibia" fr="Namibie" it="Namibia"/>
+	<country code="nr" en="Nauru" de="Nauru" fr="Nauru" it="Nauru"/>
+	<country code="np" en="Nepal" de="Nepal" fr="Népal" it="Nepal"/>
+	<country code="nl" en="Netherlands" de="Niederlande" fr="Pays-Bas" it="Paesi Bassi"/>
+	<country code="nc" en="New Caledonia" de="Neukaledonien" fr="Nouvelle-Calédonie" it="Nuova Caledonia"/>
+	<country code="nz" en="New Zealand" de="Neuseeland" fr="Nouvelle-Zélande" it="Nuova Zelanda"/>
+	<country code="ni" en="Nicaragua" de="Nicaragua" fr="Nicaragua" it="Nicaragua"/>
+	<country code="ne" en="Niger" de="Niger" fr="Niger" it="Niger"/>
+	<country code="ng" en="Nigeria" de="Nigeria" fr="Nigéria" it="Nigeria"/>
+	<country code="nu" en="Niua" de="Niue" fr="Nioué" it="Isole Niua"/>
+	<country code="nf" en="Norfolk Island" de="Norfolkinsel" fr="Île Norfolk" it="Isola Norfolk"/>
+	<country code="no" en="Norway" de="Norwegen" fr="Norvège" it="Norvegia"/>
+	<country code="om" en="Oman" de="Oman" fr="Oman" it="Oman"/>
+	<country code="pk" en="Pakistan" de="Pakistan" fr="Pakistan" it="Pakistan"/>
+	<country code="pw" en="Palau" de="Palau" fr="Palaos" it="Palau"/>
+	<country code="ps" en="Palestine" de="Palästina" fr="Palestine" it="Palestina"/>
+	<country code="pa" en="Panama" de="Panama" fr="Panama" it="Panama"/>
+	<country code="pg" en="Papua New Guinea" de="Papua-Neuguinea" fr="Papouasie-Nouvelle-Guinée" it="Papua Nuova Guinea"/>
+	<country code="py" en="Paraguay" de="Paraguay" fr="Paraguay" it="Paraguay"/>
+	<country code="pe" en="Peru" de="Peru" fr="Pérou" it="Perù"/>
+	<country code="ph" en="Philippines" de="Philippinen" fr="Philippines" it="Filippine"/>
+	<country code="pn" en="Pitcairn" de="Pitcairn" fr="Îles Pitcairn" it="Isole Pitcairn"/>
+	<country code="pl" en="Poland" de="Polen" fr="Pologne" it="Polonia"/>
+	<country code="pt" en="Portugal" de="Portugal" fr="Portugal" it="Portogallo"/>
+	<country code="pr" en="Puerto Rico" de="Puerto Rico" fr="Porto Rico" it="Porto Rico"/>
+	<country code="qa" en="Qatar" de="Katar" fr="Qatar" it="Qatar"/>
+	<country code="re" en="Réunion" de="Réunion" fr="La Réunion" it="Isola della Riunione"/>
+	<country code="ro" en="Romania" de="Rumänien" fr="Roumanie" it="Romania"/>
+	<country code="ru" en="Russian Federation" de="Russische Föderation" fr="Russie" it="Russia"/>
+	<country code="rw" en="Rwanda" de="Ruanda" fr="Rwanda" it="Ruanda"/>
+	<country code="sb" en="Salomon Islands" de="Salomoninseln" fr="Îles Salomon" it="Isole Salomone"/>
+	<country code="sm" en="San Marino" de="San Marino" fr="Saint-Marin" it="San Marino"/>
+	<country code="sa" en="Saudi Arabia" de="Saudi-Arabien" fr="Arabie saoudite" it="Arabia Saudita"/>
+	<country code="sn" en="Senegal" de="Senegal" fr="Sénégal" it="Senegal"/>
+	<country code="rs" en="Serbia, Republic" de="Serbien, Republik" fr="Serbie" it="Serbia"/>
+	<country code="sc" en="Seychelles" de="Seychellen" fr="Seychelles" it="Seychelles"/>
+	<country code="sl" en="Sierra Leone" de="Sierra Leone" fr="Sierra Leone" it="Sierra Leone"/>
+	<country code="sg" en="Singapore" de="Singapur" fr="Singapour" it="Singapore"/>
+	<country code="sk" en="Slovak Republic" de="Slowakei" fr="Slovaquie" it="Slovacchia"/>
+	<country code="si" en="Slovenia" de="Slowenien" fr="Slovénie" it="Slovenia"/>
+	<country code="so" en="Somalia" de="Somalia" fr="Somalie" it="Somalia"/>
+	<country code="za" en="South Africa" de="Südafrika" fr="Afrique du Sud" it="Sudafrica"/>
+	<country code="gs" en="South Georgia AND the south Sandwich Islands" de="Südgeorgien und die Südlichen Sandwichinseln" fr="Îles Géorgie du Sud et Sandwich du Sud" it="Georgia del Sud e Sandwich Australi"/>
+	<country code="ss" en="South Sudan" de="Südsudan" fr="Soudan du Sud" it="Sudan del Sud"/>
+	<country code="es" en="Spain" de="Spanien" fr="Espagne" it="Spagna"/>
+	<country code="lk" en="Sri Lanka" de="Sri Lanka" fr="Sri Lanka" it="Sri Lanka"/>
+	<country code="bl" en="St. Barthélemy" de="St. Barthélemy" fr="Saint-Barthélemy" it="Saint Barthélemy"/>
+	<country code="kn" en="St. Christopher (St. Kitts) and Nevis" de="St. Kitts und Nevis" fr="Saint-Christophe-et-Niévès" it="Saint Kitts e Nevis"/>
+	<country code="sh" en="St. Helena, Ascension and Tristan da Cunha" de="St. Helena, Ascension und Tristan da Cunha" fr="Sainte-Hélène, Ascension et Tristan da Cunha" it="Sant’Elena, Ascensione e Tristan da Cunha"/>
+	<country code="lc" en="St. Lucia" de="St. Lucia" fr="Sainte-Lucie" it="Santa Lucia"/>
+	<country code="sx" en="St. Maarten" de="Sint Maarten" fr="Sint-Maarten" it="Sint Maarten"/>
+	<country code="mf" en="St. Martin" de="St. Martin" fr="Saint-Martin" it="Saint Martin"/>
+	<country code="pm" en="St. Pierre and Miquelon" de="St. Pierre und Miquelon" fr="Saint-Pierre-et-Miquelon" it="Saint-Pierre e Miquelon"/>
+	<country code="st" en="St. Tome and Principe" de="São Tomé und Príncipe" fr="Sao Tomé-et-Principe" it="São Tomé e Príncipe"/>
+	<country code="vc" en="St. Vincent and the Grenadines" de="St. Vincent und die Grenadinen" fr="Saint-Vincent-et-les-Grenadines" it="Saint Vincent e Grenadine"/>
+	<country code="sd" en="Sudan" de="Sudan" fr="Soudan" it="Sudan"/>
+	<country code="sr" en="Suriname" de="Suriname" fr="Suriname" it="Suriname"/>
+	<country code="sj" en="Svalbard and Jan Mayen Island" de="Svalbard und Jan Mayen-Insel" fr="Svalbard et Jan Mayen" it="Svalbard e Jan Mayen"/>
+	<country code="sz" en="Swaziland" de="Eswatini" fr="Swaziland" it="Eswatini"/>
+	<country code="se" en="Sweden" de="Schweden" fr="Suède" it="Svezia"/>
+	<country code="ch" en="Switzerland" de="Schweiz" fr="Suisse" it="Svizzera"/>
+	<country code="sy" en="Syria" de="Syrien" fr="Syrie" it="Siria"/>
+	<country code="tw" en="Taiwan (Chinese Taipei)" de="Taiwan (Chinesisches Taipei)" fr="Taïwan (Taipei chinois)" it="Taiwan (Taipei cinese)"/>
+	<country code="tj" en="Tajikistan" de="Tadschikistan" fr="Tadjikistan" it="Tagikistan"/>
+	<country code="tz" en="Tanzania" de="Tansania" fr="Tanzanie" it="Tanzania"/>
+	<country code="th" en="Thailand" de="Thailand" fr="Thaïlande" it="Thailandia"/>
+	<country code="tl" en="Timor-Leste" de="Timor-Leste" fr="Timor-Leste" it="Timor-Leste"/>
+	<country code="tg" en="Togo" de="Togo" fr="Togo" it="Togo"/>
+	<country code="tk" en="Tokelau" de="Tokelau" fr="Tokélaou" it="Tokelau"/>
+	<country code="to" en="Tonga" de="Tonga" fr="Tonga" it="Tonga"/>
+	<country code="tt" en="Trinidad and Tobago" de="Trinidad und Tobago" fr="Trinité-et-Tobago" it="Trinidad e Tobago"/>
+	<country code="tn" en="Tunisia" de="Tunesien" fr="Tunisie" it="Tunisia"/>
+	<country code="tr" en="Turkey" de="Türkiye" fr="Turquie" it="Turchia"/>
+	<country code="tm" en="Turkmenistan" de="Turkmenistan" fr="Turkménistan" it="Turkmenistan"/>
+	<country code="tc" en="Turks and Caicos" de="Turks- und Caicosinseln" fr="Turks-et-Caïcos" it="Isole Turks e Caicos"/>
+	<country code="tv" en="Tuvalu" de="Tuvalu" fr="Tuvalu" it="Tuvalu"/>
+	<country code="ug" en="Uganda" de="Uganda" fr="Ouganda" it="Uganda"/>
+	<country code="ua" en="Ukraine" de="Ukraine" fr="Ukraine" it="Ucraina"/>
+	<country code="ae" en="United Arab Emirates" de="Vereinigte Arabische Emirate" fr="Émirats arabes unis" it="Emirati Arabi Uniti"/>
+	<country code="um" en="United States Minor Outlying Islands" de="United States Minor Outlying Islands" fr="Îles mineures éloignées des États-Unis" it="Isole Minori Esterne degli Stati Uniti"/>
+	<country code="us" en="United States of America" de="Vereinigte Staaten von Amerika" fr="États-Unis d’Amérique" it="Stati Uniti"/>
+	<country code="uy" en="Uruguay" de="Uruguay" fr="Uruguay" it="Uruguay"/>
+	<country code="uz" en="Uzbekistan" de="Usbekistan" fr="Ouzbékistan" it="Uzbekistan"/>
+	<country code="vu" en="Vanuatu" de="Vanuatu" fr="Vanuatu" it="Vanuatu"/>
+	<country code="va" en="Vatican City State" de="Vatikanstadt" fr="Saint-Siège (Cité du Vatican)" it="Città del Vaticano"/>
+	<country code="ve" en="Venezuela" de="Venezuela" fr="Venezuela" it="Venezuela"/>
+	<country code="vn" en="Vietnam" de="Vietnam" fr="Vietnam" it="Vietnam"/>
+	<country code="vi" en="Virgin Islands (USA)" de="Jungferninseln (USA)" fr="Îles Vierges américaines" it="Isole Vergini"/>
+	<country code="vg" en="Virgin Islands, British (Tortola)" de="British Virgin Islands (Tortola)" fr="Îles Vierges britanniques (Tortola)" it="Isole Vergini britanniche"/>
+	<country code="wf" en="Wallis and Futuna Islands" de="Wallis und Futuna" fr="Îles Wallis-et-Futuna" it="Wallis e Futuna"/>
+	<country code="eh" en="Western Sahara" de="Westsahara" fr="Sahara occidental" it="Sahara occidentale"/>
+	<country code="ws" en="Western Samoa" de="Samoa" fr="Samoa" it="Samoa occidentale"/>
+	<country code="ye" en="Yemen" de="Jemen" fr="Yémen" it="Yemen"/>
+	<country code="zm" en="Zambia" de="Sambia" fr="Zambie" it="Zambia"/>
+	<country code="zw" en="Zimbabwe" de="Simbabwe" fr="Zimbabwe" it="Zimbabwe" />
+</country-names>
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/createuuid.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/createuuid.groovy
@ -0,0 +1,6 @@
+def session = request.getAuthSession(true)
+String uuidString = UUID.randomUUID().toString()
+
+session.setAttribute('agov.subjectUUID', '' + uuidString)
+response.setResult('ok')
+return
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy
@ -0,0 +1,125 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String loginId = session.get('ch.adnovum.nevisidm.user.loginId')
+String profileExtId = session.get('ch.adnovum.nevisidm.profileExtId')
+
+String unitExtid= parameters.get('unitExtid')
+String level100RoleExtid = parameters.get('level100.roleExtid')
+
+String baseUrl = "${parameters.get('idm.baseUrl')}/core/v1/$clientExtId"
+boolean audited = false
+String agovAq100AuthEndpoint = null
+String endpoint = null
+
+// 1) create the profile if needed
+if (profileExtId == null || profileExtId.isEmpty()) {
+
+	endpoint = "${baseUrl}/users/${userExtId}/profiles"
+	profileExtId = UUID.randomUUID().toString()
+
+	def postRequest = new HTTPRequestWrapper()
+	postRequest.addToHeaders('Content-Type',  ['application/json'])
+
+	def dto = "{\"extId\":\"${profileExtId}\",\"unitExtId\":\"${unitExtid}\",\"profileState\":\"active\",\"name\":\"Profile-${loginId}\",\"isDefaultProfile\":true,\"modificationComment\":\"Repaired for request ${requestId}\"}"
+	postRequest.setPayLoad(dto.getBytes('UTF-8'))
+
+	def result = idmRestClient.postWithResponse(endpoint, postRequest)
+	if (result.getStatusCode() != 201) {
+		LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create the missing profile (http status code ${result.getStatusCode()})'")
+
+		response.setNote('saml.errorCode', 'Responder')
+		response.setNote('saml.errorMessage', "account of the user with agovId ${userExtId} is in a corrupt state, should contact agov help")
+
+		response.setResult('failed')
+		return
+	} else {
+		LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing profile'")
+		audited = true
+	}
+}
+
+
+// 2) add level 100 role if needed
+if (!Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-Loi.level100')).findAny().isPresent()) {
+	endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations"
+	def postRequest = new HTTPRequestWrapper()
+	postRequest.addToHeaders('Content-Type',  ['application/json'])
+
+	def dto = "{\"extId\":\"${UUID.randomUUID().toString()}\",\"roleExtId\":\"${level100RoleExtid}\"}"
+	postRequest.setPayLoad(dto.getBytes('UTF-8'))
+
+	def result = idmRestClient.postWithResponse(endpoint, postRequest)
+	if (result.getStatusCode() != 201) {
+		LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create the missing AGOVaq 100 role (http status code ${result.getStatusCode()})'")
+
+		response.setNote('saml.errorCode', 'Responder')
+		response.setNote('saml.errorMessage', "account of the user with agovId ${userExtId} is in a corrupt state, should contact agov help")
+
+		response.setResult('failed')
+		return
+	} else if (!audited) {
+		LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing AGOVaq 100 role'")
+		audited = true
+	}
+	agovAq100AuthEndpoint = result.getLocation()
+}
+
+
+// 3) set the AQ level 100 verification to None
+if (!session['ch.adnovum.nevisidm.userDto'].contains("<properties><name>idVerification</name><value>None</value><scopeName>AGOV-Loi,level100</scopeName></properties>")) {
+
+	if (agovAq100AuthEndpoint == null) {
+		endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations"
+
+		def result = idmRestClient.get(endpoint)
+		def json = new JsonSlurper().parseText(result)
+
+		json['items'].eachWithIndex { az, i ->
+			if (az.roleExtId == level100RoleExtid) {
+				agovAq100AuthEndpoint = "${endpoint}/${az.extId}"
+			}
+		}
+	}
+
+	endpoint = "${agovAq100AuthEndpoint}/properties"
+
+	def patchRequest = new HTTPRequestWrapper()
+	patchRequest.addToHeaders('Content-Type',  ['application/json'])
+
+	patchRequest.setPayLoad('{"idVerification":"None"}'.getBytes('UTF-8'))
+
+	def result = idmRestClient.patchWithResponse(endpoint, patchRequest)
+
+	if (result.getStatusCode() != 200) {
+		LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to patch the AGOVaq 100 role (http status code ${result.getStatusCode()})'")
+
+	} else if (!audited) {
+		LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='patched AGOVaq 100 role with idVerification'")
+		audited = true
+	}
+}
+
+
+if (audited) {
+	response.setResult('reload')
+} else {
+	response.setResult('done')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy
@ -0,0 +1,101 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+
+
+
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String sessionId = session.get('ch.nevis.session.conversationId')
+
+String endPoint = "${parameters.get('utility-service.baseUrl')}/api/v1/recovery/code"
+
+// 1a) check if user has a credential
+if (session['ch.nevis.idm.User.cred.context_password1.state'] == 'ACTIVE' ) {
+	LOG.debug("Account '${user}' has an active recovery code, no need to create new code")
+	response.setResult('done')
+	return
+}
+
+// 1b) check if a recovery is ongoing (nothing to do)
+if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-AccountStatus.recovery')).findAny().isPresent()) {
+	LOG.debug("Account '${user}' is in recovery, no need to create new code")
+	response.setResult('done')
+	return
+}
+
+
+// 2) set cookie for recoveryCode
+if (outargs.containsKey('out.JWTToken')) {
+  def token = outargs.getProperty('out.JWTToken').bytes.encodeBase64().toString()
+  def agovRecoveryCodeCookie = "agovRecoveryCode=${token }; Domain=${parameters.get('cookie.domain')}; Path=/; SameSite=Strict; Secure; HttpOnly"
+  response.setHeader('Set-Cookie', agovRecoveryCodeCookie)
+  outargs.remove('out.JWTToken')
+}
+
+// 3) generate code if not yet done
+if (!session['agov.new.recovery.code.generated']) {
+	inargs.remove('submit')
+	try {
+		def postRequest = new HTTPRequestWrapper()
+		postRequest.addToHeaders('Content-Type',  ['application/json'])
+
+		postRequest.setPayLoad("{\"userExtId\":\"$userExtId\",\"userSessionId\": \"$sessionId\"}".getBytes('UTF-8'))
+		
+        def result = idmRestClient.postWithResponse(endPoint, postRequest)
+		if (result.getStatusCode() != 200) {
+            LOG.debug("Payload: ${new String(postRequest.getPayLoad())}")
+            LOG.debug("Result: ${result}")
+			LOG.warn("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create code (http status code ${result.getStatusCode()})")
+			response.setResult('failed')
+			return
+		}
+
+		def json = new JsonSlurper().parseText(new String(result.getPayLoad(), 'UTF-8'))
+
+		notes.setProperty('agov.new.recovery.code', json['recoveryCode']['code'].replaceAll('^(....)(....)(.*)$', '$1-$2-$3'))
+		LOG.debug("agov.new.recovery.code: ${notes['agov.new.recovery.code']}")
+
+		response.setSessionAttribute('agov.new.recovery.code.generated', 'true')
+		def validTil = "${json['recoveryCode']['validUntil'][2]}.${json['recoveryCode']['validUntil'][1]}.${json['recoveryCode']['validUntil'][0]}"
+		response.setSessionAttribute('agov.new.recovery.code.validTil', validTil)
+		response.setSessionAttribute('agov.new.recovery.code.pdfAuthToken', json['authToken'])
+
+		LOG.info("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+	} catch(Exception e) {
+		LOG.warn("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create code (http status code ${e.getMessage()})")
+		LOG.error("Recoverycode processing failed: $e")
+		response.setResult('failed')
+		return
+	}
+
+	response.setResult('encryptCode')
+	return
+}
+
+if (inargs['submit']) {
+	def agovRecoveryCodeCookie = "agovRecoveryCode=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
+	response.setHeader('Set-Cookie', agovRecoveryCodeCookie)
+	response.setResult('done')
+	return
+}
+
+// show the GUI
+response.setStatus(AuthResponse.AUTH_CONTINUE)
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/env.conf
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/env.conf
@ -0,0 +1,19 @@
+RTENV_SECURITY_CHECK=no_shell
+
+JAVA_OPTS=(
+    "-Dfile.encoding=UTF-8"
+    "-XX:+UseContainerSupport"
+    "-XX:MaxRAMPercentage=80.0"
+    "-Djava.net.preferIPv4Stack=true"
+    "-Djava.net.connectionTimeout=10000"
+    "-Djava.net.readTimeout=15000"
+    "-Dch.nevis.esauth.config=/var/opt/nevisauth/default/conf/esauth4.xml"
+    "-Djava.awt.headless=true"
+    "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
+    "-Dotel.javaagent.logging=application"
+    "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
+    "-Dotel.resource.attributes=service.version=7.2402.1,service.instance.id=$HOSTNAME"
+    "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-default-tls-trust/truststore.p12"
+    "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-default-tls-trust/keypass}"
+)
+
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.security
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.security
@ -0,0 +1,2 @@
+# this file is generated by nevisAdmin 4
+security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_auth.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_auth.groovy
@ -0,0 +1,202 @@
+import groovy.json.JsonBuilder
+import groovy.json.JsonSlurper
+import java.util.UUID
+
+if (inargs.containsKey('cancel_fido2')) {
+    response.setResult('cancel')
+    LOG.debug("Fido2Auth: authentication cancelled by user")
+    return
+}
+
+def base64url(uuid) {
+  def msb = uuid.getMostSignificantBits()
+  def lsb = uuid.getLeastSignificantBits()
+  return new byte[] {
+       (byte) msb,
+       (byte) (msb >> 8),
+       (byte) (msb >> 16),
+       (byte) (msb >> 24),
+       (byte) (msb >> 32),
+       (byte) (msb >> 40),
+       (byte) (msb >> 48),
+       (byte) (msb >> 56),
+       (byte) lsb,
+       (byte) (lsb >> 8),
+       (byte) (lsb >> 16),
+       (byte) (lsb >> 24),
+       (byte) (lsb >> 32),
+       (byte) (lsb >> 40),
+       (byte) (lsb >> 48),
+       (byte) (lsb >> 56)
+    }.encodeBase64Url().toString()
+}
+
+def showGui() {
+    response.setGuiName('fido2_auth') // name is the trigger for including the JS
+    response.setGuiLabel('title.login.fido2')
+    response.addInfoGuiField('info', 'info.login.fido2', null)
+    response.addHiddenGuiField('authRequestId', 'not used', session['ch.nevis.auth.saml.request.id'])
+    response.addTextGuiField('email', 'email', session['ch.nevis.idm.User.email'])
+    if (notes.containsKey('lasterrorinfo') || notes.containsKey('lasterror')) {
+        response.addErrorGuiField('lasterror', notes['lasterrorinfo'], notes['lasterror'])
+    }
+    if (parameters.containsKey('cancel')) {
+        response.addButtonGuiField('cancel_fido2', 'cancel.login.fido2.button.label', 'true')
+    }
+}
+
+def getPath() {
+    if (inargs.containsKey('path')) { // form POST
+        return inargs['path']
+    }
+    if (inargs.containsKey('o.path.v')) { // AJAX POST
+        return inargs['o.path.v']
+    }
+    return null
+}
+
+def post(connection, json) {
+    connection.setRequestMethod("POST")
+    connection.setRequestProperty("Content-Type", "application/json")
+    connection.setDoOutput(true) // required to write body
+    String body = json.toString()
+    LOG.debug("Fido2Auth: ==> Request: '${body}'")
+    connection.getOutputStream().write(body.getBytes())
+}
+
+String userExtId = session['ch.adnovum.nevisidm.user.extId'] ?: session['ch.nevis.idm.User.extId'] ?: request.getUserId() ?: notes['userid']
+if (userExtId == null) {
+    LOG.error("Fido2Auth: missing extId of nevisIDM user. check your authentication flow.")
+}
+// without the user extId this script won't work and we can fail with a System Error
+Objects.requireNonNull(userExtId)
+
+def path = getPath()
+if (path == null) {
+    showGui() // POST from JavaScript not received
+    return
+}
+
+def connection = null
+try {
+  def fullPath = "https://${parameters.get('fido')}${path}"
+  LOG.debug("Fido2Auth: opening connection to '${fullPath}'")
+  connection = new URL(fullPath).openConnection()
+} catch (Exception e) {
+  LOG.error("Fido2Auth: opening connection failed", e)
+  notes.setProperty('lasterrorinfo', 'FIDO2 authentication failed')
+  response.setResult('error')
+  return
+}
+
+def json = new JsonBuilder()
+
+if (path == '/nevisfido/fido2/attestation/options') {
+    json {
+        "username" userExtId
+        "userVerification" "required"
+    }
+    post(connection, json)
+    def responseCode = connection.responseCode
+
+    // non existing account, or account without FIDO2 key case
+    if (responseCode == 404 || responseCode == 400) {
+
+      LOG.debug("Fido2Auth: <== Response: ${responseCode}")
+
+      // Accounting
+      def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+      def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+      def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+      def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+      def credentialType = session['authenticatedWith'] ?: 'unknown'
+      def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+      def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+      def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTime().getEpochSecond() * 1000)
+      
+      LOG.info("Event='NOACCOUNT', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${session['ch.nevis.idm.User.email']}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+      // returning a fake options structure, which shouldn't leak whether the user account exists or not
+      // keyId is unique per environment and email, fido2SessionId and challenge are renewed each time
+      def keyId = UUID.nameUUIDFromBytes("${parameters['rpId']}.${session['ch.nevis.idm.User.email']}".getBytes())
+      def responseText = """{"status": "ok",
+                             "errorMessage": "",
+                             "fido2SessionId": "${UUID.randomUUID()}",
+                             "challenge": "${base64url(UUID.randomUUID())}",
+                             "timeout": 300000,
+                             "rpId": "${parameters['rpId']}",
+                             "allowCredentials": [
+                             {
+                                "type": "public-key",
+                                "id": "${base64url(keyId)}",
+                                "transports": []
+                             }
+                                                 ],
+                             "userVerification": "required"}"""
+
+      response.setContent(responseText) // return response from nevisFIDO "as-is"
+      response.setContentType('application/json')
+      response.setHttpStatusCode(200)
+      response.setIsDirectResponse(true)
+      return
+    }
+
+    def responseText = connection.inputStream.text
+    LOG.debug("Fido2Auth: <== Response: ${responseCode} : ${responseText}")
+    response.setContent(responseText) // return response from nevisFIDO "as-is"
+    response.setContentType('application/json')
+    response.setHttpStatusCode(200)
+    response.setIsDirectResponse(true)
+    return
+}
+
+if (path == '/nevisfido/fido2/assertion/result') {
+
+  if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+    // wrong request, "force" a timeout
+    LOG.debug('Fido2Auth: authentication timeout enforced, due to concurrent requests')
+
+    response.setIsDirectResponse(true)
+    response.setContentType('text/html; charset=UTF-8')
+    response.setContent('Timeout')
+    response.setHttpStatusCode(205)
+    response.setHeader('IDP-AUTH', 'Timeout')
+
+    // CONTINUE to keep the other request beeing processed
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+  }
+
+    def userHandleValue = userExtId.getBytes().encodeBase64Url().toString()
+    LOG.debug("Fido2Auth: encoded userHandle: ${userHandleValue}")
+    json {
+        "id" inargs['id']
+        "type" inargs['type']
+        response {
+            "clientDataJSON" inargs['response.clientDataJSON']
+            "authenticatorData" inargs['response.authenticatorData']
+            "signature" inargs['response.signature']
+            "userHandle" userHandleValue
+        }
+    }
+    post(connection, json)
+    def responseCode = connection.responseCode
+    // test if credentials exist
+    if (responseCode != 400) {
+        def responseText = connection.inputStream.text
+        LOG.debug("Fido2Auth: <== Response: ${responseCode} : ${responseText}")
+        if (responseCode == 200 && new JsonSlurper().parseText(responseText).status == 'ok') {
+            response.setResult('ok')
+            return
+        }
+    }
+    //response.setHttpStatusCode(400)
+    //response.setIsDirectResponse(true)
+    // DEFINE how to handel error
+    notes.setProperty('lasterror', '1')
+    notes.setProperty('lasterrorinfo', 'FIDO2 authentication failed')
+    response.setResult('error')
+    return
+}
+
+response.setError(1, "FIDO2 authentication failed")
+showGui()
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptchainfos.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptchainfos.groovy
@ -0,0 +1,37 @@
+import groovy.json.JsonSlurper
+
+def url = parameters.get('url')
+
+try {
+  session.remove('agov.fido2.X-ReCAPTCHA-Integration')
+  def jsonSlurper = new JsonSlurper()
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.get().url(url).build().send(httpClient)
+  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
+  LOG.info('Response Status Code: ' + httpResponse.code())
+  LOG.info('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+    response.setSessionAttribute('agov.fido2.json.accountUrl', json.accountUrl)
+    response.setSessionAttribute('agov.fido2.json.registrationUrl', json.registrationUrl)
+    response.setSessionAttribute('agov.fido2.json.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled))
+    response.setSessionAttribute('agov.fido2.json.captchaSettings.reCaptchaInvisibleSiteKey', json.captchaSettings.reCaptchaInvisibleSiteKey)
+    response.setSessionAttribute('agov.fido2.json.captchaSettings.reCaptchaVisibleSiteKey', json.captchaSettings.reCaptchaVisibleSiteKey)
+    if (session.get('agov.fido2.X-ReCAPTCHA-Integration') == null) {
+      response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'INVISIBLE')
+    } else {
+      response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'VISIBLE')
+    }
+    response.setResult('ok')
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptcharesult.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptcharesult.groovy
@ -0,0 +1,53 @@
+
+def url = parameters.get('url')
+def email = inargs['email']
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+def payload = '{ "email": "' + inargs['userInputValue_prompt.email'] + '", "action": "LOGIN", "userIp": "' + ip + '", "userAgent": "' + userAgent + '"}'
+
+LOG.info('Token: ' + inargs['recaptcha_response'])
+LOG.info('Integration: ' + session['agov.fido2.X-ReCAPTCHA-Integration'])
+LOG.info('Payload: ' + payload)
+
+try {
+
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.post()
+          .url(url)
+          .header("Accept", "application/json")
+          .header("X-ReCAPTCHA-Token", inargs['recaptcha_response'])
+          .header("X-ReCAPTCHA-Integration", session['agov.fido2.X-ReCAPTCHA-Integration'])
+          .entity(Http.entity()
+                  .content(payload)
+                  .contentType("application/json")
+               //   .charSet("utf-8")
+                  .build())
+          .build()
+          .send(httpClient)
+
+  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
+  LOG.info('Response Status Code: ' + httpResponse.code())
+  LOG.info('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+      if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
+          response.setResult('ok')
+          return
+       } else {
+
+       response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'VISIBLE')
+       response.setResult('exit.1')
+       return      
+     }
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirect.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirect.groovy
@ -0,0 +1,26 @@
+if(outargs.containsKey('saml.SAMLResponse')) {
+     // Accounting
+     def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+     def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+     def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+     def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+     def credentialType = session['authenticatedWith'] ?: 'unknown'
+     def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+     def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+     LOG.info("Event='GOTOVERIFY', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+     // Redirect
+     response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
+     response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
+     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+     response.setIsRedirectTransfer(false)
+
+     response.removeOutArg('saml.SAMLResponse')
+}
+else {
+    response.setResult('ok')
+}
+
+
+
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy
@ -0,0 +1,23 @@
+if(outargs.containsKey('saml.SAMLResponse')) {
+     // Accounting
+     def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+     def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+     def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+     def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+     def credentialType = session['authenticatedWith'] ?: 'unknown'
+     def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+     def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+     LOG.info("Event='GOTORECOVERY', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+     // Redirect
+     response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
+     response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
+     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+     response.setIsRedirectTransfer(false)
+
+     response.removeOutArg('saml.SAMLResponse')
+}
+else {
+    response.setResult('ok')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRegistration.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRegistration.groovy
@ -0,0 +1,26 @@
+if(outargs.containsKey('saml.SAMLResponse')) {
+     // Accounting
+     def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+     def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+     def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+     def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+     def credentialType = session['authenticatedWith'] ?: 'unknown'
+     def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+     def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+     LOG.info("Event='GOTOREGISTER', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+     // Redirect
+     response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
+     response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
+     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+     response.setIsRedirectTransfer(false)
+
+     response.removeOutArg('saml.SAMLResponse')
+}
+else {
+    response.setResult('ok')
+}
+
+
+
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_status_check.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_status_check.groovy
@ -0,0 +1,145 @@
+import groovy.json.JsonBuilder
+import java.security.MessageDigest
+import java.util.HashSet
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+def sha256(String input) {
+  // we do not catch NoSuchAlgorithmException, as every implementation of the Java platform is required to support SHA-256
+  def digestBytes = MessageDigest.getInstance('SHA-256').digest(input.getBytes())
+  return digestBytes.encodeBase64().toString()
+}
+
+
+def clearCurrentAuthenticationSession() {
+
+  // clean up session attributes
+  def s = request.getAuthSession(true)
+  def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+
+  // we backup the replaced requestId
+  if (requestId != 'unknown') {
+    s.setAttribute('agov.replacedRequestId', '' + requestId)
+  }
+
+  // fido
+  s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
+  // SAML
+  s.removeAttribute('finisherState-DeferredResponse')
+  s.removeAttribute('saml.idp.result')
+  s.removeAttribute('saml.inbound.issuer')
+
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /ch.nevis.auth.saml.request.*/ ) {
+      s.removeAttribute(key)
+    }
+  }
+  // agov
+  s.removeAttribute('agov.requestedRoleLevel')
+
+}
+
+
+// context: script is executed, thus we are in the initial dispatching of the state engine
+// due to the resetAuthenticationCondition it will be called for sure after each SAMLRequest received
+if (inargs['SAMLRequest'] != null) {
+
+  if (session['ch.nevis.auth.saml.request.id'] != null) {
+
+    // Accounting
+    def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+    def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+    def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+    def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+    def credentialType = session['authenticatedWith'] ?: 'unknown'
+    def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+    def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+    // check if we receive a repost of the ongoing request
+    if (session['agov.currentSamlRequestHash'] != null && session['agov.currentSamlRequestHash'] == sha256(inargs['SAMLRequest'])) {
+      LOG.info("Event='AUTHCONTINUE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+      request.getInArgs().remove('SAMLRequest')
+      request.getInArgs().remove('RelayState')
+
+      // restore the finisher again (was removed by resetAuthenticationCondition) 
+      def s = request.getAuthSession(true)
+      s.setAttribute('ch.nevis.session.finishers', '' + session['agov.backup.finishers'])
+
+      // process it the same way, as if frontend triggered a reload
+      request.getInArgs().setProperty('onReload', 'now')
+
+      response.setResult('continueAfterRepost')
+      return
+    }
+    // else, the new replaces the on-going one
+    LOG.info("Event='AUTHREPL', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+    clearCurrentAuthenticationSession()
+  }
+
+  // we track the SAML Request we received
+  def s = request.getAuthSession(true)
+  s.setAttribute('agov.currentSamlRequestHash', '' + sha256(inargs['SAMLRequest']))
+
+  // we set/update a login Cookie
+  def agovLoginCookie = "agovLogin=${System.currentTimeMillis()}; Domain=${parameters.get('cookie.domain')}; Path=/; SameSite=Strict; Secure; HttpOnly"
+  response.setHeader('Set-Cookie', agovLoginCookie)
+  response.setResult('ok')
+  return
+}
+
+
+// from here on, corner cases //
+// =============================
+def json = new JsonBuilder()
+
+if (inargs.containsKey('o.fidoUafSessionId.v')) {
+
+    // timeout, and script in login page is still polling -> send fake response
+    LOG.debug('authentication timeout reached, login script is still polling access app status')
+    json {
+        "status" "unknown"
+        "timestamp" org.joda.time.DateTime.now().toString()
+    }
+    String body = json.toString()
+
+    response.setContent(body)
+    response.setContentType('application/json')
+    response.setHttpStatusCode(200)
+    response.setIsDirectResponse(true)
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+}
+else {     
+    // authentication timeout reached, or SSO-Endpoint bookmarked -> return a 404
+    def agovLoginCookie = 'missing'
+
+    if (getHeader('cookie') != null) {
+        def cookies = getHeader('cookie')
+        if (cookies.matches('^.*agovLogin=([^;]+).*$')) {
+            agovLoginCookie = cookies.replaceAll('^.*agovLogin=([^;]+).*$', '$1')
+        }
+    }
+    LOG.debug("agovLoginCookie: ${agovLoginCookie}") 
+    if (agovLoginCookie == 'missing' || agovLoginCookie == 'deleted') {
+        LOG.debug('SSO-Endpoint bookmarked -> return a 404')
+        response.setHttpStatusCode(404)
+        response.setIsDirectResponse(true)
+        response.setStatus(AuthResponse.AUTH_ERROR)
+    }
+    else {
+        LOG.debug('authentication timeout reached -> return a 408')
+        response.setHttpStatusCode(408)
+        response.setIsDirectResponse(true)
+        response.setStatus(AuthResponse.AUTH_ERROR)
+    }
+    return
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/initializeRecovery.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/initializeRecovery.groovy
@ -0,0 +1,33 @@
+if (inargs['authRequestId'] && (!session['ch.nevis.auth.saml.request.id'] || inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+    // make sure we start from scratch
+    def mInargs = request.getInArgs()
+    mInargs.remove('email')
+    mInargs.remove('recaptcha_sitekey')
+    mInargs.remove('recaptcha_response')
+    mInargs.remove('continue')
+    mInargs.remove('authRequestId')
+    mInargs.remove('cancel')
+}
+
+if (inargs['cd'] && session['agov.recovery.code']) {
+  // we are called with a new URL --> make sure we start from scratch
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ || key ==~ /agov.recovery.*/ ) {
+      s.removeAttribute(key)
+    }
+  }
+}
+
+if (!session['ch.nevis.auth.saml.request.id']) {
+    response.setSessionAttribute('ch.nevis.auth.saml.request.id', java.util.UUID.randomUUID().toString())
+}
+
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+response.setSessionAttribute('agov.recovery.ip', '' + sourceIp)
+response.setSessionAttribute('agov.recovery.userAgent', '' + userAgent)
+
+response.setResult('default')
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logging.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logging.yml
@ -0,0 +1,53 @@
+Configuration:
+  monitorInterval: 60
+  Appenders:
+    Console:
+    - name: "SERVER"
+      target: "SYSTEM_OUT"
+      PatternLayout:
+        pattern: "[esauth4sv.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-20.20c %-5.5p %m%n"
+      RegexFilter:
+        regex: ".*GET /nevisauth/liveness.*"
+        onMatch: "DENY"
+        onMismatch: "ACCEPT"
+  Loggers:
+    Logger:
+    - name: "EsAuthStart"
+      level: "INFO"
+    - name: "org.apache.catalina.loader.WebappClassLoader"
+      level: "FATAL"
+    - name: "org.apache.catalina.startup.HostConfig"
+      level: "ERROR"
+    - name: "ch.nevis.esauth.events"
+      level: "FATAL"
+    - name: "AGOV-ACCT"
+      level: "DEBUG"
+    - name: "AuthEngine"
+      level: "INFO"
+    - name: "AuthPerf"
+      level: "INFO"
+    - name: "IdmAuth"
+      level: "DEBUG"
+    - name: "OpTrace"
+      level: "DEBUG"
+    - name: "Recovery"
+      level: "INFO"
+    - name: "Script"
+      level: "DEBUG"
+    - name: "SessCoord"
+      level: "DEBUG"
+    - name: "StdStates"
+      level: "INFO"
+    - name: "Store"
+      level: "DEBUG"
+    - name: "Vars"
+      level: "INFO"
+    - name: "ch.nevis.idm.client.IdmRestClientImpl"
+      level: "DEBUG"
+    - name: "jcan.OpContent"
+      level: "DEBUG"
+    Root:
+      level: "WARN"
+      additivity: "false"
+      AppenderRef:
+      - ref: "SERVER"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/mobile_nless_auth.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/mobile_nless_auth.groovy
@ -0,0 +1,105 @@
+import groovy.json.JsonBuilder
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+def clearFidoUAFSession() {
+    LOG.debug("start new FIDO UAF session (skipping ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']}")
+    def s = request.getAuthSession(true)
+    s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
+    inargs.remove('fallback')
+}
+
+
+def clearIdmSessionAttributes() {
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
+      s.removeAttribute(key)
+    }
+  }
+}
+
+
+// check, whether we are still processing the correct AuthnRequest
+if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+    // wrong request, "force" a timeout
+    LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
+
+    response.setIsDirectResponse(true)
+    response.setContentType('text/html; charset=UTF-8')
+    response.setContent('Timeout')
+    response.setHttpStatusCode(205)
+    response.setHeader('IDP-AUTH', 'Timeout')
+
+    // CONTINUE to keep the other request beeing processed
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+}
+
+// dispatch AJAX calls and form POST when operation is done
+if (inargs['fidoUafDone'] == 'true' ||
+    inargs.containsKey('o.fidoUafSessionId.v') ||
+    getHeader('Content-Type') == 'application/json') {
+
+    if (inargs.containsKey('o.fidoUafSessionId.v') && (inargs['o.fidoUafSessionId.v'] != session['ch.nevis.auth.fido.uaf.fidouafsessionid'])) {
+        // received polling for wrong fido session; make sure, that stops
+        LOG.debug("received polling for wrong fido session ${inargs['o.fidoUafSessionId.v']} (correct: ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']})")
+        def json = new JsonBuilder()
+        json {
+            "status" "unknown"
+            "timestamp" org.joda.time.DateTime.now().toString()
+        }
+        String body = json.toString()
+
+        response.setContent(body)
+        response.setContentType('application/json')
+        response.setHttpStatusCode(200)
+        response.setIsDirectResponse(true)
+        response.setStatus(AuthResponse.AUTH_CONTINUE)
+        return
+    }
+
+  if (inargs['fidoUafDone'] == 'true') {
+    // get clean state, before validating user in IDM
+    LOG.debug("clear IDM session attributes")
+    clearIdmSessionAttributes()
+  }
+
+    // continue with OutOfBandFidoUafAuthState
+    response.setResult('ok')
+}
+
+// dispatch form post with fallback input field : transition to FIDO Token authentication
+if (inargs['fallback'] == 'fallback') {
+    response.setResult('fido2')
+}
+    // dispatch to recovery
+    if (inargs['fallback'] == 'recovery') {
+    response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
+    response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+    response.setIsRedirectTransfer(true)
+    // Remove existing cookies before redirecting to RECOVERY
+    def agovRecoveryCookie = "agovRecovery=deleted; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict; Secure; HttpOnly"
+    response.setHeader('Set-Cookie', agovRecoveryCookie)
+    return
+}
+
+// dispatch form post with onReload input field : refresh QR-code FIDO UAF
+if (inargs.containsKey('onReload')) {
+    clearFidoUAFSession()
+    response.setResult('default')
+}
+
+// dispatch form post with fallback input field : go to registration with right loa
+if (inargs['fallback'] == 'register') {
+   response.setResult('registration')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/nevisauth.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/nevisauth.yml
@ -0,0 +1,16 @@
+server:
+  name: "default"
+  protocol: "https"
+  port: "8991"
+  host: "0.0.0.0"
+  tls:
+    keystore: "/var/opt/keys/own/auth-default-identity/keystore.p12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/auth-default-identity/keypass}"
+    client-auth: "required"
+    truststore: "/var/opt/keys/trust/auth-technical-trust-store/truststore.p12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/auth-technical-trust-store/keypass}"
+management:
+  server:
+    port: "9000"
+  healthchecks:
+    enabled: "true"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/otel.properties
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/otel.properties
@ -0,0 +1,4 @@
+otel.service.name=auth
+otel.traces.exporter=none
+otel.metrics.exporter=none
+otel.logs.exporter=none
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/prepare_done.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/prepare_done.groovy
@ -0,0 +1,23 @@
+// nevisProxy replaces the entire AUTH: scope when new outargs are returned by nevisAuth.
+// Thus, we have to store tokens in the session (as a String) and restore them on subsequent step-ups.
+
+// restore tokens
+session.each { key, value ->
+    if (key.startsWith('outarg.token.')) {
+        def name = key.substring(7)
+        if (outargs.containsKey(name)) {
+            LOG.debug("not restoring token (outarg: $name) from session: outarg already set")
+        }
+        else {
+            LOG.debug("restoring token (outarg: $name) from session")
+            outargs.put(name, value)
+        }
+    }
+}
+
+// store tokens
+outargs.each { name, value ->
+    if (name.startsWith('token.')) {
+        session.put('outarg.' + name, value)
+    }
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-checkAccount.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-checkAccount.groovy
@ -0,0 +1,79 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import groovy.xml.XmlSlurper
+
+
+// AGOVaq conversion
+def maxLoiRoleToCtxClssConvertorMap = [
+    "level100": "urn:qa.agov.ch:names:tc:ac:classes:100",
+    "level200": "urn:qa.agov.ch:names:tc:ac:classes:200",
+    "level300": "urn:qa.agov.ch:names:tc:ac:classes:300",
+    "level400": "urn:qa.agov.ch:names:tc:ac:classes:400",
+    "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
+]
+
+def cleanSession() {
+  def s = request.getAuthSession(true)
+
+  s.removeAttribute('agov.op.onboarding.ctxClass')
+  s.removeAttribute('agov.op.onboarding.minLoi')
+  s.removeAttribute('agov.op.onboarding.homeName')
+  s.removeAttribute('agov.op.onboarding.subject')
+  s.removeAttribute('agov.op.onboarding.process.state')
+  s.removeAttribute('ch.adnovum.nevisidm.userDto')
+  s.removeAttribute('saml.response.statusCode')
+  if (response.getActualRoles().length > 0) {
+    def actualRoles = Arrays.copyOf(response.getActualRoles(), response.getActualRoles().length)
+    actualRoles.each{ role -> response.removeActualRole(role) }
+  }
+}
+
+// for autditing
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: 'unknown'
+def maxLoi = 'unknown'
+
+
+// new
+if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null) {
+  try {
+    def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
+    def userState = userDto.state
+    LOG.debug("Recovery: Dto is '${userDto}")
+    LOG.debug("Recovery: state is '${userState}")
+    if (userState == 'ACTIVE') {
+      def maxLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+      maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
+      def accountStatusRoles = userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' }.collect({ node -> node.name.text() })
+      def hasRecoveryRole = accountStatusRoles.isEmpty() ? null : accountStatusRoles.sort().first()
+      LOG.debug("Recovery: MaxLoi is '${maxLoi}'")
+      LOG.debug("Recovery: hasRecoveryRole is '${hasRecoveryRole}'")
+      if (maxLoi != null && maxLoiRoleToCtxClssConvertorMap.containsKey(maxLoi)) {       
+              response.setResult('ok')
+              return
+      } else {
+        LOG.debug("Recovery: no 'AGOV-Loi'-role assigned to user ${user}")
+              response.setResult('notFullyRegistered')
+              return
+      }
+    } else {
+      // state != ACTIVE and no lasterror should not happen
+      LOG.error("Recovery: state='${userState}' but not lasterror set")
+      response.setNote('lasterror', '9909')
+      response.setNote('lasterrorinfo', 'internal error')
+      response.setResult('error')
+      return
+    }
+  } catch (Exception e) {
+    LOG.error("Recovery processing failed: Exception " + e)
+    response.setNote('lasterror', '9909')
+    response.setNote('lasterrorinfo', 'internal error')
+      response.setResult('error')
+      return
+  }
+}
+
+              response.setResult('error')
+              return
+
+// new
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-preprocessing.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-preprocessing.groovy
@ -0,0 +1,175 @@
+import org.codehaus.groovy.runtime.StackTraceUtils
+import groovy.xml.XmlSlurper
+
+
+// AGOVaq conversion
+def maxLoiRoleToCtxClssConvertorMap = [
+    "level100": "urn:qa.agov.ch:names:tc:ac:classes:100",
+    "level200": "urn:qa.agov.ch:names:tc:ac:classes:200",
+    "level300": "urn:qa.agov.ch:names:tc:ac:classes:300",
+    "level400": "urn:qa.agov.ch:names:tc:ac:classes:400",
+    "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
+]
+
+def maxLoiRecoveryStepupMap = [
+    "level100": "level200",
+    "level200": "level300",
+    "level300": "level300",
+    "level400": "level400",
+    "level500": "level500"
+]
+
+def getUserIdVerificationForRecovery(currentLoaRole) {
+  // application is AGOV-AccountStatus
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def result = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover'}?.value?.text()
+
+  if (!result) {
+    // fallback if not explicitly set
+    def chDomicile = list.country.text() == 'ch'
+    def lastIdVerification = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + currentLoaRole}?.value?.text() ?: 'missing'
+    switch (currentLoaRole) {
+      case 'level100':
+        result = chDomicile ? 'SimpleLetter' : 'Video'
+        break
+      case 'level200':
+        result = chDomicile ? 'Bmid' : 'Video'
+        break
+      case 'level300':
+      case 'level400':
+        result = chDomicile ? lastIdVerification : 'Video'
+        break
+      default:
+        LOG.warn("unexpected loa on account: ${currentLoaRole}")
+        // safest default, should work in any case
+        result = 'Video'
+    }
+    LOG.warn("Recovery method not set, choosing ${result} (based on currentLoad: ${currentLoaRole}, CH-domicile: ${chDomicile}, last verification method: ${lastIdVerification})")
+  }
+  return result
+}
+
+def getUserMustRecoverValidFrom() {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def authzNode = payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == 'mustRecover'}
+  return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
+}
+
+
+// for autditing
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def maxLoi = null
+
+
+// new
+if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null) {
+  try {
+    def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
+    def userState = userDto.state
+    LOG.debug("Recovery: Dto is '${userDto}")
+    LOG.debug("Recovery: state is '${userState}")
+    def session = request.getAuthSession(true)
+
+    if (userState == 'ACTIVE') {
+
+      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+
+      def maxLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+      maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
+
+      def idVerification = null
+      def agovAqValidFrom = null
+      if (maxLoi) {
+        idVerification = userDto.'**'.find { node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + maxLoi}?.value?.text()
+        idVerification = idVerification ?: 'None'
+        agovAqValidFrom = userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.validFrom?.text()
+        agovAqValidFrom = agovAqValidFrom?: userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.ctlCreDat?.text()
+      }
+
+      def mustRecover =   userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'mustRecover' }
+
+      def hasRecoveryRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recovery' }
+
+
+      if (mustRecover) {
+        // attributes are defined over the mustRecover authorization
+        session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+
+        def recoveryVerification = userDto.'**'.find { node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover' }?.value?.text() 
+        idVerification = getUserIdVerificationForRecovery(maxLoi ?: 'level100') ?: idVerification
+
+        agovAqValidFrom = getUserMustRecoverValidFrom()
+
+        maxLoi = maxLoiRecoveryStepupMap[maxLoi ?: 'level100'] ?: 'level100'
+
+      }
+
+      LOG.debug("Recovery: MaxLoi is '${maxLoi}'")
+      LOG.debug("Recovery: IdVerification is  ${idVerification}")
+      LOG.debug("Recovery: agovAqValidFrom is ${agovAqValidFrom}")
+      LOG.debug("Recovery: hasRecoveryRole is '${hasRecoveryRole}'")
+
+      if (maxLoi != null) {       
+        if (maxLoiRoleToCtxClssConvertorMap.containsKey(maxLoi)) {
+          LOG.debug("Recovery: MaxLoiMapping is " + maxLoiRoleToCtxClssConvertorMap[maxLoi])
+          response.setSessionAttribute('agov.recovery.currentAgovAq', '' + maxLoiRoleToCtxClssConvertorMap[maxLoi])
+          response.setSessionAttribute('agov.recovery.currentIdVerification', '' + idVerification)
+          response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
+
+          if ((maxLoi == 'level100') && (mustRecover == null)) {
+            // mustRecover role not set, so code needs to be checked
+            LOG.debug("Recovery: emailAndCode")
+            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:emailAndCode')
+            response.setResult('needCode')
+            return
+          } else {
+            LOG.debug("Recovery: email")
+            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
+            response.setResult('ok')
+            return
+          }
+
+        } else {
+          LOG.error("Recovery: Failed to convert '${maxLoi}' to AGOVaq")
+          response.setResult('error')
+          return
+        }
+      } else {
+        // maxLoi is null
+        LOG.debug("Recovery: no 'AGOV-Loi'-role assigned to user ${user}")
+        if ((hasRecoveryRole != null) && (mustRecover == null)) {
+          response.setResult('notFullyRegistered')
+          return
+        } else {
+          LOG.error("Recovery: no 'AGOV-Loi'-role assigned to user ${user} and no recovery role ")
+          response.setResult('error')
+          return
+        }
+      }
+    } else {
+      // state != ACTIVE and no lasterror should not happen
+      LOG.error("Recovery: state='${userState}' but not lasterror set")
+      response.setNote('lasterror', '9909')
+      response.setNote('lasterrorinfo', 'internal error')
+      response.setResult('error')
+      return
+    }
+  } catch (Exception e) {
+    e = StackTraceUtils.sanitize(e)
+    def affectedLines = e.stackTrace.findAll { it.className.startsWith('Script') }.collect { "${it.methodName}:${it.lineNumber}" }
+    LOG.error("FATAL: Recovery processing failed (at lines: ${affectedLines})", e)
+    response.setNote('lasterror', '9909')
+    response.setNote('lasterrorinfo', 'internal error')
+    response.setResult('error')
+    return
+  }
+}
+
+LOG.error("Recovery: userDto missing or failure before (lasterror='${notes.getProperty('lasterror', '-')}')")
+response.setNote('lasterror', '9909')
+response.setNote('lasterrorinfo', 'internal error')
+response.setResult('error')
+return
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptchainfos.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptchainfos.groovy
@ -0,0 +1,38 @@
+//import ch.nevis.esauth.util.httpclient.api.HttpClients
+//import ch.nevis.esauth.util.httpclient.api.Http
+import groovy.json.JsonSlurper
+
+def url = parameters.get('url')
+
+try {
+  def jsonSlurper = new JsonSlurper()
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.get().url(url).build().send(httpClient)
+  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
+  LOG.info('Response Status Code: ' + httpResponse.code())
+  LOG.info('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+    response.setSessionAttribute('agov.recovery.json.accountUrl', json.accountUrl)
+    response.setSessionAttribute('agov.recovery.json.registrationUrl', json.registrationUrl)
+    response.setSessionAttribute('agov.recovery.json.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled))
+    response.setSessionAttribute('agov.recovery.json.captchaSettings.reCaptchaInvisibleSiteKey', json.captchaSettings.reCaptchaInvisibleSiteKey)
+    response.setSessionAttribute('agov.recovery.json.captchaSettings.reCaptchaVisibleSiteKey', json.captchaSettings.reCaptchaVisibleSiteKey)
+    if (session.get('agov.recovery.X-ReCAPTCHA-Integration') == null) {
+      response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'INVISIBLE')
+    } else {
+      response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'VISIBLE')
+    }
+    response.setResult('ok')
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptcharesult.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptcharesult.groovy
@ -0,0 +1,52 @@
+//import ch.nevis.esauth.util.httpclient.api.HttpClients
+//import ch.nevis.esauth.util.httpclient.api.Http
+
+def url = parameters.get('url')
+def email = inargs['email']
+def payload = '{ "email": "' + inargs['email'] + '", "action": "LOGIN", "userIp": "' + session.get('agov.recovery.ip') + '", "userAgent": "' + session.get('agov.recovery.userAgent') + '"}'
+
+LOG.info('Token: ' + inargs['recaptcha_response'])
+LOG.info('Integration: ' + session['agov.recovery.X-ReCAPTCHA-Integration'])
+LOG.info('Payload: ' + payload)
+
+try {
+
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.post()
+          .url(url)
+          .header("Accept", "application/json")
+          .header("X-ReCAPTCHA-Token", inargs['recaptcha_response'])
+          .header("X-ReCAPTCHA-Integration", session['agov.recovery.X-ReCAPTCHA-Integration'])
+          .entity(Http.entity()
+                  .content(payload)
+                  .contentType("application/json")
+               //   .charSet("utf-8")
+                  .build())
+          .build()
+          .send(httpClient)
+
+  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
+  LOG.info('Response Status Code: ' + httpResponse.code())
+  LOG.info('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+      if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
+          response.setResult('ok')
+          return
+       } else {
+
+       response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'VISIBLE')
+       response.setResult('exit.1')
+       return      
+     }
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fido2_auth.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fido2_auth.groovy
@ -0,0 +1,151 @@
+import groovy.json.JsonBuilder
+import groovy.json.JsonSlurper
+
+if (inargs.containsKey('cancel_fido2')) {
+    response.setResult('cancel')
+    return
+}
+
+def showGui() {
+    response.setGuiName('recovery_fidokey_auth') // name is the trigger for including the JS
+    //response.setGuiName('fido2_auth') // name is the trigger for including the JS
+    response.setGuiLabel('title.login.fido2')
+    response.addInfoGuiField('info', 'info.login.fido2', null)
+    response.addHiddenGuiField('authRequestId', 'not used', session['ch.nevis.auth.saml.request.id'])
+    response.addHiddenGuiField('securityKey', 'not used', session['agov.recovery.securityKey'])
+    response.addTextGuiField('email', 'email', session['ch.nevis.idm.User.email'])
+    if (notes.containsKey('lasterrorinfo') || notes.containsKey('lasterror')) {
+        response.addErrorGuiField('lasterror', notes['lasterrorinfo'], notes['lasterror'])
+    }
+    if (parameters.containsKey('cancel')) {
+        // TODO koenig 20221021: replace with specific label
+        response.addButtonGuiField('cancel_fido2', 'cancel.login.fido2.button.label', 'true')
+    }
+}
+
+def getPath() {
+    if (inargs.containsKey('path')) { // form POST
+        return inargs['path']
+    }
+    if (inargs.containsKey('o.path.v')) { // AJAX POST
+        return inargs['o.path.v']
+    }
+    return null
+}
+
+def post(connection, json) {
+    connection.setRequestMethod("POST")
+    connection.setRequestProperty("Content-Type", "application/json")
+    connection.setDoOutput(true) // required to write body
+    String body = json.toString()
+    LOG.info("==> Request: ${body}")
+    connection.getOutputStream().write(body.getBytes())
+}
+
+String userExtId = session['ch.adnovum.nevisidm.user.extId'] ?: session['ch.nevis.idm.User.extId'] ?: request.getUserId() ?: notes['userid']
+if (userExtId == null) {
+    LOG.error("missing extId of nevisIDM user. check your authentication flow.")
+}
+// without the user extId this script won't work and we can fail with a System Error
+Objects.requireNonNull(userExtId)
+
+def path = getPath()
+if (path == null) {
+    showGui() // POST from JavaScript not received
+    return
+}
+
+def connection = new URL("https://${parameters.get('fido')}${path}").openConnection()
+def json = new JsonBuilder()
+
+if (path == '/nevisfido/fido2/attestation/options') {
+    json {
+        "username" userExtId
+        "userVerification" "required"
+    }
+    post(connection, json)
+    def responseCode = connection.responseCode
+// account without FIDO2 case
+    if (responseCode == 400) {
+      def responseText = '''{"status": "ok",
+	                         "errorMessage": "",
+	                         "fido2SessionId": "270312ae-8d74-4ded-ad89-5310da2d2e6f",
+	                         "challenge": "tKCqUM6URnykri1ZFz-3ww",
+	                         "timeout": 300000,
+	                         "rpId": "agov-d.azure.adnovum.net",
+	                         "allowCredentials": [
+		                     {
+			                    "type": "public-key",
+			                    "id": "WVzzUwxOf-1doTGkrdRHWPDbETTawkULLPsEiwiQwA2AFC4_YgL5OVmJJOT2OulAZSq_tvOfNlMSRKRXyXH2kw",
+			                    "transports": []
+		                     }
+	                                             ],
+	                         "userVerification": "preferred"}'''
+	  LOG.info("<== Response: ${responseCode}")
+      response.setContent(responseText) // return response from nevisFIDO "as-is"
+      response.setContentType('application/json')
+      response.setHttpStatusCode(200)
+      response.setIsDirectResponse(true)
+      return
+    }
+
+    def responseText = connection.inputStream.text
+    LOG.info("<== Response: ${responseCode} : ${responseText}")
+    response.setContent(responseText) // return response from nevisFIDO "as-is"
+    response.setContentType('application/json')
+    response.setHttpStatusCode(200)
+    response.setIsDirectResponse(true)
+    return
+}
+
+if (path == '/nevisfido/fido2/assertion/result') {
+
+  if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+    // wrong request, "force" a timeout
+    LOG.info('authentication timeout enforced, due to concurrent requests')
+
+    response.setIsDirectResponse(true)
+    response.setContentType('text/html; charset=UTF-8')
+    response.setContent('Timeout')
+    response.setHttpStatusCode(205)
+    response.setHeader('IDP-AUTH', 'Timeout')
+
+    // CONTINUE to keep the other request beeing processed
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+  }
+
+    def userHandleValue = userExtId.getBytes().encodeBase64Url().toString()
+    LOG.info("encoded userHandle: ${userHandleValue}")
+    json {
+        "id" inargs['id']
+        "type" inargs['type']
+        response {
+            "clientDataJSON" inargs['response.clientDataJSON']
+            "authenticatorData" inargs['response.authenticatorData']
+            "signature" inargs['response.signature']
+            "userHandle" userHandleValue
+        }
+    }
+    post(connection, json)
+    def responseCode = connection.responseCode
+    // test if credentials exist
+    if (responseCode != 400) {
+        def responseText = connection.inputStream.text
+        LOG.info("<== Response: ${responseCode} : ${responseText}")
+        if (responseCode == 200 && new JsonSlurper().parseText(responseText).status == 'ok') {
+            response.setResult('ok')
+            return
+        }
+    }
+    //response.setHttpStatusCode(400)
+    //response.setIsDirectResponse(true)
+    // DEFINE how to handel error
+    notes.setProperty('lasterror', '1')
+    notes.setProperty('lasterrorinfo', 'FIDO2 authentication failed')
+    response.setResult('error')
+    return
+}
+
+response.setError(1, "FIDO2 authentication failed")
+showGui()
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_handlecode.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_handlecode.groovy
@ -0,0 +1,23 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+if (inargs['cancel'] == 'cancel') {
+      //cleanSession()
+      response.setStatus(AuthResponse.AUTH_ERROR)
+      response.setTransferDestination('/SAML2/SSO/')
+      response.setIsRedirectTransfer(true)
+      return
+ }
+if (inargs['cd'] == null && session['agov.recovery.code'] == null) {
+    response.setNote('lasterror', '9901')
+    response.setNote('lasterrorinfo', 'valid on-boarding link required')}
+if (inargs['cd'] != null) {
+      //cleanSession()
+      response.setSessionAttribute('agov.recovery.code', inargs['cd'])
+      response.setStatus(AuthResponse.AUTH_CONTINUE)
+      response.setTransferDestination('/AUTH/RECOVERY/')
+      response.setIsRedirectTransfer(true)
+      return
+ }
+if (inargs['cd'] == null && session['agov.recovery.code'] != null) {
+     response.setResult('exit.1')
+     return
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy
@ -0,0 +1,4 @@
+if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
+   response.setResult('ok')
+   return
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_sendemail031.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_sendemail031.groovy
@ -0,0 +1,41 @@
+//import ch.nevis.esauth.util.httpclient.api.HttpClient;
+//import ch.nevis.esauth.util.httpclient.api.HttpClients;
+//import ch.nevis.esauth.util.httpclient.api.Http;
+
+def url = parameters.get('url')
+//def payload = parameters.get('json')
+//def url = "https://me.agov-d.azure.adnovum.net:48081/utility/api/v1/email/031"
+def email = inargs['email']
+def language = session['ch.nevis.session.user.language'] ?: 'en'
+def payload = '{ "email": "' + email + '", "language": "' + language + '"}'
+
+try {
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.post()
+          .url(url)
+          .header("Accept", "application/json")
+          .entity(Http.entity()
+                  .content(payload)
+                  .contentType("application/json")
+               //   .charSet("utf-8")
+                  .build())
+          .build()
+          .send(httpClient)
+
+  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
+  LOG.info('Response Status Code: ' + httpResponse.code())
+  LOG.info('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    response.setResult('ok')
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy
@ -0,0 +1,129 @@
+import groovy.xml.XmlSlurper
+import groovy.json.JsonSlurper
+//import ch.nevis.esauth.util.httpclient.api.HttpClients
+//import ch.nevis.esauth.util.httpclient.api.Http
+
+
+int getRequestedLevel(String authnContextClassRef, def roleList){
+  if (!authnContextClassRef) {
+    return 100
+  }
+  if (authnContextClassRef && authnContextClassRef.startsWith('urn:qa.agov.ch:names:tc:ac:classes:')) {
+    def requestedLevel = authnContextClassRef.substring(35)
+    LOG.debug('authnContextClassRef agov found: ' + requestedLevel)
+    if (requestedLevel.isNumber()) {
+      int requestedLevelNumber = Integer.parseInt(requestedLevel)
+      LOG.debug('contains ' + roleList.contains(requestedLevelNumber))
+      if (requestedLevel.isNumber() && roleList.contains(requestedLevelNumber)) {
+        LOG.debug('Requested role number: ' + requestedLevel)
+        return requestedLevelNumber
+      }
+    }
+    else return 0
+  }
+  else {
+         return 0
+  }
+}
+
+def session = request.getAuthSession(true)
+def context = session.get('ch.nevis.auth.saml.request.authnContextClassRef')
+def roleLevels = [100,200,300,400]
+def requestedRoleLevelNumber = getRequestedLevel(context, roleLevels)
+
+//set attribute Requested Role Level
+session.setAttribute('agov.requestedRoleLevel', '' + requestedRoleLevelNumber)
+LOG.debug('Requested role level (agov) '+ requestedRoleLevelNumber)
+
+// SAML finisherstate is now available, we can backup it
+session.setAttribute('agov.backup.finishers', '' + session.getAttribute('ch.nevis.session.finishers'))
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def replacedRequestId = session['agov.replacedRequestId'] ?: '-'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+
+def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
+def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
+
+if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
+  response.setResult('error');
+  return
+}
+
+try {
+      def jsonSlurper = new JsonSlurper()
+      def url = parameters.get('url') + '?entity-id=' + session.get('ch.nevis.auth.saml.request.scoping.requesterId')
+      LOG.debug('Request url: ' + url)
+      def httpClient = HttpClients.create(parameters)
+      def httpResponse = Http.get().url(url).build().send(httpClient)
+      LOG.debug('Response Message: ' + httpResponse.reasonPhrase())
+      LOG.debug('Response Status Code: ' + httpResponse.code())
+      LOG.debug('Response: ' + httpResponse.bodyAsString())
+
+      if (httpResponse.code() == 200) {
+        def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+        LOG.debug('AdressRequired: ' + json.addrRequired)
+        LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
+        LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
+
+        // address will be returned to the application if allowed by connect (json.addrRequired) 
+        // and the authRequest was done with at least AGOVaq 200
+        // BITBKAGOVSUP-362: or whitelisted to receive the address
+        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
+
+        // address will be returned to the application if allowed by connect (json.svnrAllowed) 
+        // and the authRequest was done with at least AGOVaq 300
+        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
+
+        session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
+        session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
+        session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
+        session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
+        response.setResult('ok')
+        return
+      } else {
+        LOG.warn("Failed to fetch connect meta data for relying party '${session.get('ch.nevis.auth.saml.request.scoping.requesterId')}'")
+        LOG.warn('Unexcpected HTTP response code: ' + httpResponse.code())
+
+        if ( requestedRoleLevelNumber == 100) {
+           session.setAttribute('agov.appAddressRequired', '' + appIsOnappAddressRequiredWhitelist)
+           session.setAttribute('agov.appSvnrAllowed', 'false')
+           response.setResult('ok')
+        }
+        else if ( requestedRoleLevelNumber == 200) {
+           session.setAttribute('agov.appAddressRequired', 'true')
+           session.setAttribute('agov.appSvnrAllowed', 'false')
+           response.setResult('ok')
+        }
+        else {
+          response.setResult('error')
+          response.setError(9071, "Missing meta data for relying party, can't process request")
+        }
+        return
+      }
+
+} catch (Exception e) {
+  LOG.error("Failed to fetch connect meta data for relying party '${session.get('ch.nevis.auth.saml.request.scoping.requesterId')}'", e)
+  if ( requestedRoleLevelNumber == 100) {
+     session.setAttribute('agov.appAddressRequired', '' + appIsOnappAddressRequiredWhitelist)
+     session.setAttribute('agov.appSvnrAllowed', 'false')
+     response.setResult('ok')
+  }
+  else if ( requestedRoleLevelNumber == 200) {
+     session.setAttribute('agov.appAddressRequired', 'true')
+     session.setAttribute('agov.appSvnrAllowed', 'false')
+     response.setResult('ok')
+  }
+  else {
+    response.setResult('error')
+    response.setError(9072, "Failure while processing meta data for relying party, can't continue processing request")
+  }
+  return
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy
@ -0,0 +1,11 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+response.setIsDirectResponse(true)
+response.setContentType('text/html; charset=UTF-8')
+response.setContent('Timeout')
+response.setHttpStatusCode(205)
+response.setHeader('IDP-AUTH', 'Timeout')
+
+// CONTINUE to keep the other request beeing processed
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
@ -0,0 +1,179 @@
+boolean isEnabled() {
+    def paths = parameters.get("paths")
+    if (paths && !paths.isEmpty()) {
+        for (path in paths.split(',')) {
+            String url = request.currentResource
+            if (url.matches(path)) {
+                return true
+            }
+        }
+    }
+    return false
+}
+
+boolean isLevel(String role) {
+    if (role != null && role.isNumber()) {
+        def number = Integer.parseInt(role)
+        if (number > 0 && number <= 9) {
+            return true
+        }
+    }
+    return false
+}
+
+int getCurrentLevel() {
+    int level = 1 // level 1 is reached by definition on successful authentication
+    // levels are stored as roles once the authentication is done
+    for (String role : response.getActualRoles()) {
+        if (isLevel(role)) {
+            Integer number = Integer.parseInt(role)
+            if (number > level) {
+                level = number
+            }
+        }
+    }
+    LOG.debug("current level: $level")
+    return level
+}
+
+Integer getRequestedLevel() {
+    // try to determine required level based on SAML request (SP-initiated)
+    def context = session['ch.nevis.auth.saml.request.authnContextClassRef']
+    if (context == null) {
+        // this is expected for non-Nevis SAML partners
+        LOG.debug("unable to determine required authentication level: no AuthnContext")
+        return null
+    }
+    String prefix = 'urn:nevis:level:'
+    Integer level = null
+    if (context.contains(prefix)) {
+        def start = context.indexOf(prefix) // the prefix can appear anywhere in the context but only once
+        def remainder = context.substring(start + prefix.length())
+        for (String candidate : remainder.split(',')) {
+            if (!candidate.isNumber()) {
+                continue // must be an actual role
+            }
+            def number = Integer.parseInt(candidate)
+            if (level == null || number < level) {
+                level = number
+            }
+        }
+    }
+    if (level == null) {
+        // an AuthnContext has been sent but it does not contain the required authentication level
+        LOG.debug("unable to determine required authentication level from request: $context")
+    }
+    else {
+        LOG.info("extracted required authentication level from request: $context -> $level")
+    }
+    return level
+}
+
+Integer getRequiredLevel(levels, String issuer) {
+    // try to determine required level based on request
+    def level = getRequestedLevel()
+    if (level != null) {
+        LOG.info("required authentication level from request: $level")
+        return level
+    }
+    // else determine required level based on configuration (IDP-initiated or no authnContextClassRef sent)
+    if (issuer != null && levels.containsKey(issuer)) {
+        level = levels[issuer]
+        LOG.debug("required authentication level for issuer $issuer defined as $level")
+        return level
+    }
+    // else return null
+    LOG.debug("required authentication level for issuer $issuer is not defined")
+    return null
+}
+
+void setAuthnContext() {
+    def parts = [] as Set
+    def authLevel = response.getAuthLevel()
+    if (authLevel != null) {
+        if (isLevel(authLevel)) {
+            parts.add("urn:nevis:level:$authLevel")
+        }
+        else { // might be legacy auth.weak / auth.strong
+            parts.add(authLevel)
+        }
+    }
+    for (String role : response.getActualRoles()) {
+        if (isLevel(role)) { // previous authLevels might have been added to the roles already
+            parts.add("urn:nevis:level:$role")
+        }
+        // levels can also be normal roles so we add them always
+        parts.add(role)
+    }
+    def value = parts.sort().join(",")
+    LOG.debug("calculated AuthnContextClassRef for SAML Response: $value")
+    session['saml.idp.response.authncontext'] = value
+}
+
+boolean stepupRequired(levels, String issuer) {
+
+    Integer requiredLevel = getRequiredLevel(levels, issuer)
+    if (requiredLevel == null) {
+        LOG.info("unable to determine required authentication level for request from issuer $issuer")
+        setAuthnContext()
+        return false
+    }
+
+    Integer currentLevel = getCurrentLevel()
+    if (currentLevel >= requiredLevel) {
+        LOG.info("required authentication level $requiredLevel has been reached (current level $currentLevel)")
+        setAuthnContext()
+        return false
+    }
+
+    LOG.info("required authentication level $requiredLevel has not been reached (current level $currentLevel) - session upgrade needed")
+    request.setRequiredRoles("$requiredLevel")
+    return true
+}
+
+boolean hasAnyRequiredRole(i2r, issuer) {
+    if (issuer != null && i2r.containsKey(issuer)) {
+        def roles = i2r[issuer]
+        for (role in response.getActualRoles()) {
+            if (roles.contains(role)) {
+                return true
+            }
+        }
+    }
+}
+
+if (!isEnabled()) {
+    LOG.info("skipping SAML authorization checks.")
+    response.setResult('ok') // skip execution
+    return
+}
+
+// issuer set by IdentityProviderState (SP-initiated)
+def issuer = session['ch.nevis.auth.saml.request.issuer']
+
+// issuer to minimum required authentication level
+def i2l = [:]
+
+
+if (stepupRequired(i2l, issuer)) {
+    LOG.info("authentication level stepup required.")
+    response.setResult("stepup")
+    return // we are done for now
+}
+
+// issuer to list of required roles
+def i2r = [:]
+
+
+// issuer to ResultCond name
+def i2e = [:]
+i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
+
+
+if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {
+    LOG.info("required roles check failed.")
+    response.setResult(i2e[issuer])
+    return // we are done
+}
+
+response.setResult('ok')
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
@ -0,0 +1,127 @@
+import groovy.xml.XmlSlurper
+import groovy.xml.slurpersupport.GPathResult
+import groovy.xml.slurpersupport.NodeChild
+
+import java.util.zip.Inflater
+import java.util.zip.InflaterInputStream
+
+/**
+ * Gets the value of the Referer header.
+ * If the header is missing the fallback is returned
+ *
+ * This method is used when SAML IDP / Dispatch Error Redirect is not set
+ *
+ * @param fallback - value to return if the Referer header is missing
+ * @return value of header or fallback
+ */
+def getReferer(String fallback) {
+    return request.getHttpHeader('Referer') ?: fallback
+}
+
+def redirect(String url) {
+    outargs.put('nevis.transfer.type', 'redirect')
+    outargs.put('nevis.transfer.destination', url)
+}
+
+/**
+ * Extracts the content of the Issuer element from a parsed SAML message.
+ * The Issuer is optional according to SAML specification but we need it for dispatching.
+ *
+ * @param xml - as parsed by Groovy XmlSlurper
+ * @return text content of Issuer element converted or null
+ */
+String getIssuer(GPathResult xml) {
+    return (xml.depthFirst().find { GPathResult node -> "Issuer".equalsIgnoreCase(node.name()) } as NodeChild)?.text()
+}
+
+String getIssuer(String value) {
+    def parser = new XmlSlurper()
+    byte[] decoded = value.decodeBase64()
+    String text = new String(decoded)
+    if (text.startsWith("<")) {
+        LOG.debug("assuming POST binding")
+        // plain String (POST parameter)
+        def xml = parser.parseText(text)
+        return getIssuer(xml)
+    }
+    else {
+        LOG.debug("assuming redirect binding")
+        // should be deflate encoded (query parameter)
+        def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
+        def xml = parser.parse(is)
+        return getIssuer(xml)
+    }
+}
+
+def dispatchIssuer(i2s, String issuer) {
+    def result = i2s.get(issuer)
+    if (result == null) {
+        LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
+    }
+    response.setResult(result)
+    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
+}
+
+def dispatchMessage(i2s, String message) {
+    def issuer = getIssuer(message)
+    if (issuer == null) {
+        LOG.info("No issuer found in incoming SAML message. Giving up.")
+    }
+    session.put("saml.inbound.issuer", issuer)
+    dispatchIssuer(i2s, issuer)
+}
+
+if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {
+    String url = request.currentResource
+    def path = new URL(url).getPath()
+    if (path.endsWith("/logout")) {
+        // next AuthState will show a logout confirmation GUI
+        response.setResult('confirm')
+        return
+    }
+}
+
+// ensure session exists
+if (request.getSession(false) == null) {
+    session = request.getSession(true).getData()
+}
+
+// issuer (any case) -> ResultCond name
+def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
+
+
+i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
+
+if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
+    LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
+    String message = inargs.get('SAMLRequest')
+    dispatchMessage(i2s, message)
+    return
+}
+
+if (inargs.containsKey('SAMLResponse')) { // response to IDP-initiated SAML Logout
+    LOG.debug("found SAMLResponse parameter")
+    String message = inargs.get('SAMLResponse')
+    dispatchMessage(i2s, message)
+    return
+}
+
+String issuer = inargs['Issuer'] ?: inargs['issuer']
+if (parameters.get('idpInitiated') == 'true' && issuer != null) { // IDP-initiated authentication
+    LOG.debug("found Issuer parameter for IDP-initiated authentication")
+    dispatchIssuer(i2s, issuer)
+    return
+}
+
+// used as fallback in case of ?logout (we need an IdentityProviderState)
+if (inargs.containsKey("logout") && session.containsKey('saml.idp.result')) {
+    def result = session.get('saml.idp.result')
+    LOG.debug("dispatching to last used ResultCond: $result")
+    response.setResult(result)
+    return
+}
+
+def location = getReferer('/')
+LOG.info("Unable to dispatch request. Giving up and redirecting (back) to $location")
+redirect(location)
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_logout_confirm.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_logout_confirm.groovy
@ -0,0 +1,64 @@
+def redirect(location) {
+    outargs.put('nevis.transfer.type', 'redirect')
+    outargs.put('nevis.transfer.destination', location)
+}
+
+def getReturnURL() {
+    if (inargs.containsKey('return')) {
+        return inargs.get('return')
+    }
+    // determine returnURL based on Referer header (if present and not pointing to this page)
+    def referer = request.getHttpHeader('Referer')
+    if (referer == null) {
+        LOG.debug('no Referer header found')
+        return null
+    }
+    // strip query String for comparison
+    String previous = referer.contains('?') ? referer.substring(0, referer.indexOf("?")) : referer
+    def current = request.getCurrentResource()
+    if (current.startsWith(previous)) {
+        LOG.debug("Referer header $referer cannot be used as return URL - cyclic redirect")
+        return null
+    }
+    return referer
+}
+
+if (inargs.containsKey('logout-confirm')) {
+    def current = request.getCurrentResource()
+    // user has confirmed logout -> replace /logout with /?logout
+    String location
+    if (current.contains('?')) {
+        location = current.replace("/logout?", "/?logout&")
+    }
+    else {
+        location = current.replace("/logout", "/?logout")
+    }
+    redirect(location)
+    return
+}
+
+if (inargs.containsKey('logout-abort')) {
+    // user has aborted logout -> redirect to stored return URL
+    def location = session.get('logout-abort-url')
+    redirect(location)
+    return
+}
+
+// user has not clicked any button -> render GUI
+response.setGuiName('saml_logout_confirm')
+response.setGuiLabel('title.logout.confirmation')
+// not setting a target as the API has been removed
+response.addInfoGuiField('info', 'info.logout.confirmation', null)
+response.addButtonGuiField('logout-confirm', 'continue.button.label', 'true')
+
+def returnURL = getReturnURL()
+
+if (returnURL != null) {
+    // store return URL in session
+    session.put('logout-abort-url', returnURL)
+}
+
+if (session.containsKey('logout-abort-url')) {
+    // add cancel button to go back
+    response.addButtonGuiField('logout-abort', 'cancel.button.label', 'true')
+}
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/sanitizeAndDispatchEmailInput.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/sanitizeAndDispatchEmailInput.groovy
@ -0,0 +1,31 @@
+def EMAIL_REGEXP = '^(([^<>()\\[\\]\\\\\\.,;:\\s@"]+(\\.[^<>()\\[\\]\\\\\\.,;:\\s@"]+)*)|(\\.\\+))@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\])|(([a-zA-Z\\-0-9]+\\.)+[a-zA-Z]{2,}))$'
+
+
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+
+if ( inargs['cancelFido2'] && inargs['cancelFido2'] == 'cancelFido2') {
+    response.setResult('cancel')
+    return
+}
+
+if ( inargs['authRequestId'] && inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'] ) {
+    response.setResult('timeout')
+    return
+}
+
+if ( inargs['submit'] && inargs['submit'] == 'submit' ) {
+  if (inargs['userInputValue_prompt.email'] && inargs['userInputValue_prompt.email'].matches(EMAIL_REGEXP)) {
+    response.setResult('verifyEmail')
+    return
+  } else {
+    LOG.warn("User attempted to bypass frontend emailvalidation with inavlid email: '${inargs['userInputValue_prompt.email']}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+    request.getInArgs().setProperty('userInputValue_prompt.email', 'inavalid@email.org')
+    response.setResult('stay')
+    return
+  }
+}
+
+response.setResult('stay')
+return
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`bc.tracer.TraceIndentFactory=ch.nevis.bc.io.Log4jTraceIndentFactory`