diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-default-signer-trust-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml
similarity index 72%
rename from DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-default-signer-trust-7022472ae407577ae604bbb8.yaml
rename to DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml
index 43932f7..c0e34e3 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-default-default-signer-trust-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml
@@ -1,7 +1,7 @@
 apiVersion: "operator.nevis-security.ch/v1"
 kind: "NevisTrustStore"
 metadata:
-  name: "auth-default-default-signer-trust"
+  name: "auth-internal-idp-auth-signer-trust"
   namespace: "adn-agov-nevisidm-01-uat"
   labels:
     deploymentTarget: "auth"
@@ -10,5 +10,7 @@ metadata:
     patternId: "7022472ae407577ae604bbb8"
 spec:
   keystores:
+  - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "auth-sh4r3d-internal-idp-auth-signer"
     namespace: "adn-agov-nevisidm-01-uat"
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml
index 4d5308b..dd63da9 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml
@@ -12,6 +12,8 @@ spec:
   keystores:
   - name: "proxy-idp-notused-auth-realm-identity"
     namespace: "adn-agov-nevisidm-01-uat"
+  - name: "proxy-idp-auth-realm-main-idp-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-mobile-fido-uaf-identity"
     namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-recovery-identity"
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index c04c000..6940f56 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-1663a8d1d9ae71e0fb7c5af2e10bfc2536ee973b"
+    tag: "r-d9f8becba9a6acfa30f490d16e18038ab79e9d92"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:
@@ -55,7 +55,7 @@ spec:
   truststores:
   - "auth-default-tls-trust"
   - "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
-  - "auth-default-default-signer-trust"
+  - "auth-internal-idp-auth-signer-trust"
   - "auth-technical-trust-store"
   podSecurity:
     policy: "baseline"
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy
similarity index 96%
rename from DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
rename to DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy
index 7c3a5d9..af289b3 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy
@@ -167,8 +167,8 @@ def i2r = [:]
 
 // issuer to ResultCond name
 def i2e = [:]
-i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
-i2e.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'forbidden_1')
+i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
 
 
 if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
index dc2bc6c..313cce5 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
@@ -162,33 +162,22 @@ try {
 
 
   for (String role : getUserAGOVLoiRoles()) {
-    if (role.startsWith('level')) {
-      def roleLevel = role.substring(5)
-      int roleLevelNumber = Integer.parseInt(roleLevel)
-      if (highestRoleLevelNumber< roleLevelNumber) { 
-        highestRoleLevelNumber=roleLevelNumber 
-      } 
+  if (role.startsWith('level')) {
+    def roleLevel = role.substring(5)
+    int roleLevelNumber = Integer.parseInt(roleLevel)
+    
+    if (highestRoleLevelNumber< roleLevelNumber) { 
+      highestRoleLevelNumber=roleLevelNumber 
     } 
-  }
-
+  } 
+  } 
   LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString()) 
-  LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) 
+  LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))  
 
   //set attribute Actual Role Level
   session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
   LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
 
-
-  // Best Token Available only if account's AQlevel is high enough
-  if ((session.getAttribute('agov.appAddressRequired') == 'true') && (highestRoleLevelNumber < 200)) {
-     LOG.debug("Best Token: Address requested but account has to low AQ (${highestRoleLevelNumber})") 
-     session.setAttribute('agov.appAddressRequired', 'false')
-  }
-  if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (highestRoleLevelNumber < 400)) {
-     LOG.debug("Best Token: SVNr requested but account has to low AQ (${highestRoleLevelNumber})") 
-     session.setAttribute('agov.appSvnrAllowed', 'false')
-  }
-
   if (highestRoleLevelNumber > 0) {
     // set attribute contextClassRefToSet
     session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
index 7b25064..e3a0bd4 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -75,7 +75,7 @@
             <!-- source: pattern://7022472ae407577ae604bbb8 -->
             <KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/cert.pem" privateKey="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keypass"/>
             <!-- source: pattern://7022472ae407577ae604bbb8 -->
-            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/auth-default-default-signer-trust/truststore.jks"/>
+            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/auth-internal-idp-auth-signer-trust/truststore.jks"/>
             <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
             <KeyObject name="Signer_SecToken" certificate="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/cert.pem" privateKey="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keypass"/>
         </KeyStore>
@@ -99,13 +99,13 @@
             <!-- source: pattern://95220b3005deb118adeb01aa -->
             <KeyObject name="FIDO_UAF_Truststore" certificate="/var/opt/keys/trust/env-ca/truststore.jks"/>
         </KeyStore>
-        <!-- source: pattern://27cefc3861bce987f6766342 -->
+        <!-- source: pattern://0a15213c00dec3668fb94a65, pattern://c0f2c118a88327acce1687fe, pattern://8dbec5bb024707d73fca93ef -->
         <KeyStore name="Store_IDP_AGOV">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://c0f2c118a88327acce1687fe -->
             <KeyObject name="Signer_IDP_AGOV" certificate="/var/opt/keys/own/idp-pem-signer/cert.pem" privateKey="/var/opt/keys/own/idp-pem-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/idp-pem-signer/keypass"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://0a15213c00dec3668fb94a65 -->
             <KeyObject name="https://trustbroker.agov-d.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <!-- source: pattern://8dbec5bb024707d73fca93ef -->
             <KeyObject name="https://trustbroker-idp.agov-w.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
         </KeyStore>
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
@@ -132,8 +132,9 @@
     <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisfidocl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
         <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
         <Domain name="Auth_Realm_Main_IDP" default="false" inactiveInterval="1800" reauthInterval="0" resetAuthenticationCondition="#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id')) ? 'restart' : '' }">
-            <Entry method="authenticate" state="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <Entry method="authenticate" state="Auth_Realm_Main_IDP_IDP_Status_Check"/>
             <Entry method="authenticate" state="Auth_Realm_Main_IDP_IDP_Status_Check" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
+            <Entry method="logout" state="Auth_Realm_Main_IDP_IDP_Status_Check"/>
             <Entry method="logout" state="Auth_Realm_Main_IDP_IDP_Status_Check" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
             <Entry method="stepup" state="Auth_Realm_Main_IDP_Selector"/>
             <Entry method="stepup" state="Auth_Realm_Main_IDP_IDP_Status_Check" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
@@ -157,75 +158,19 @@
             <Entry method="authenticate" state="NotUsed_Auth_Realm_NotUsed_Pwd_Login"/>
             <Entry method="stepup" state="NotUsed_Auth_Realm_Selector"/>
         </Domain>
-        <AuthState name="Auth_Realm_Main_IDP_RequestedRoleLevel" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <ResultCond name="exit.1" next="Auth_Realm_Main_IDP_EId_Verification_Auth"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://68665057549fd887ea09fb86 -->
-                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
-            </Response>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="parameter.bestTokenAddressWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground, https://admin.agov-w.azure.adnovum.net/SAML2/ACS/"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="parameter.bestTokenSvnrWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground, https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="parameter.url" value="https://utility.agov-d.azure.adnovum.net/connect/billing/relying-party"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
+        <AuthState name="Auth_Realm_Main_IDP_IDP_Status_Check" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <ResultCond name="continueAfterRepost" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Preprocess_Done"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
             <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/requestedrolelevel.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://4c65de021d362462324a3a5f -->
-                <Gui name="NotUsed"/>
-            </Response>
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
             <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_EId_Verification_Auth" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <ResultCond name="default" next="Auth_Realm_Main_IDP_EId_Verification_Auth"/>
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion"/>
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                <Gui name="eid_verification">
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="agov.appDisplayNameDE" type="hidden" value="${sess:agov.appDisplayNameDE}" optional="true"/>
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="agov.appDisplayNameFR" type="hidden" value="${sess:agov.appDisplayNameFR}" optional="true"/>
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="agov.appDisplayNameIT" type="hidden" value="${sess:agov.appDisplayNameIT}" optional="true"/>
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="agov.appDisplayNameEN" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="agov.appSamlRpEntityId" type="hidden" value="https://auth.agov-w.azure.adnovum.net/app-info/app-icon?entity-id=${sess:ch.nevis.auth.saml.request.scoping.requesterId}" optional="true"/>
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
-                    <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-                    <GuiElem name="oid4vp" type="hidden" value="UNKNOWN" optional="true"/>
-                </Gui>
-            </Response>
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/eid_verification_auth.groovy"/>
-            <!-- source: pattern://7441fca76f479e4beb5ca796 -->
-            <property name="parameter.eidVerifierBaseUrl" value="https://verifier-management.agov-epr-lab.azure.adnovum.net"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Mobile_NLess_Auth" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://f63c475c35b616b7c6c1901c -->
@@ -265,20 +210,18 @@
             <!-- source: pattern://f63c475c35b616b7c6c1901c -->
             <property name="parameter.recoveryurl" value="https://auth.agov-w.azure.adnovum.net/AUTH/RECOVERY/"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-                <Gui name="not_used"/>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Preprocess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Auth_Failed"/>
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_IDP_Dispatcher"/>
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://03326b180687860ffe06a58c -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <property name="condition:ok" value="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_fido2_fetchCaptchaInfos" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
             <!-- source: pattern://f39352769cb2a1c88e1a176d -->
@@ -333,16 +276,43 @@
             <!-- source: pattern://d76231eaa88cb1645ce44cf3 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/createuuid.groovy"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <ResultCond name="default" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-                <Gui name="ContinueResponse"/>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
+            <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                <Gui name="Error">
+                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
             </Response>
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_IDP_Dispatcher" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="confirm" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Confirm"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="epd" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_IDP"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="epd_artifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="main" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://73efd00d67082ff1eb927922 -->
+                <Gui name="saml_dispatcher" label="title.saml.failed">
+                    <!-- source: pattern://73efd00d67082ff1eb927922 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.logoutConfirmation" value="false"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.spInitiated" value="true"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.epdMode" value="post"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_dispatcher.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Email_Input" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="true" resumeState="true">
             <!-- source: pattern://e3cac41e75980361d7d26bde -->
@@ -413,6 +383,10 @@
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="in.binding" value="none"/>
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
+            <property name="in.keystoreref" value=""/>
+            <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
+            <property name="in.keyobjectref" value=""/>
+            <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="out.binding" value="internal"/>
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="out.sign" value="Response Assertion"/>
@@ -453,23 +427,310 @@
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="out.audienceRestriction" value="https://ob.agov-w.azure.adnovum.net/mock-me/registration"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_Authorization" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Done"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="forbidden_0" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="forbidden_1" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="stepup" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Confirm" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://9196b809b539716b03ad8565 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://9196b809b539716b03ad8565 -->
+                <Gui name="saml_logout_confirm" label="title.logout.confirmation"/>
             </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="parameter.paths" value="^http[s]?\u003A//[^/]+/SAML2/SSO/.*$"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy"/>
+            <!-- source: pattern://9196b809b539716b03ad8565 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/logout_confirm.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_IDP" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_IDP"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.sign" value="Response Assertion LogoutResponse"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.audienceRestriction" value="https://trustbroker-idp.agov-epr-lab.azure.adnovum.net"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.binding" value="http-artifact"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.artifactSourceId" value="0x49899452c60f53e500d7d8b221536c9745dfaf0f"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.sign" value="Response Assertion LogoutResponse ArtifactResponse"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.audienceRestriction" value="https://trustbroker-idp.agov-epr-lab.azure.adnovum.net"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.sign" value="Response Assertion"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="spIssuer" value="https://trustbroker.agov-d.azure.adnovum.net"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="spURL" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.audienceRestriction" value="https://trustbroker.agov-epr-lab.azure.adnovum.net"/>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://826166d230a6a4849f2837ae -->
@@ -557,19 +818,72 @@
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRegistration.groovy"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-                <Gui name="ContinueResponse"/>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="false" resumeState="false">
+            <!-- source: pattern://db4eead0bb25b03205afd79f -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://db4eead0bb25b03205afd79f -->
+                <Gui name="saml_logout" label="title.logout">
+                    <!-- source: pattern://db4eead0bb25b03205afd79f -->
+                    <GuiElem name="saml.logoutURLs" type="hidden" value="${outargs:saml.logoutURLs}" optional="true"/>
+                    <!-- source: pattern://db4eead0bb25b03205afd79f -->
+                    <GuiElem name="saml.logoutURL" type="hidden" value="#{ session.containsKey('saml.logoutURL') ? session.get('saml.logoutURL') : '/' }" optional="true"/>
+                </Gui>
             </Response>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
-            <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
-            <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization"/>
+            <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="true">
+            <!-- source: pattern://06515d4815de4afde6f8116a -->
             <Response value="AUTH_ERROR">
-                <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
+                <!-- source: pattern://06515d4815de4afde6f8116a -->
+                <Gui name="empty"/>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="true">
+            <!-- source: pattern://3f719a1e5c1447ee46c69cb2 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://3f719a1e5c1447ee46c69cb2 -->
+                <Gui name="empty"/>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_RequestedRoleLevel" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <ResultCond name="exit.1" next="Auth_Realm_Main_IDP_EId_Verification_Auth"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://68665057549fd887ea09fb86 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.bestTokenAddressWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground, https://admin.agov-w.azure.adnovum.net/SAML2/ACS/"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.bestTokenSvnrWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground, https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.url" value="https://utility.agov-d.azure.adnovum.net/connect/billing/relying-party"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/requestedrolelevel.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true">
+            <!-- source: pattern://5f7e44f4fb2e3f710e4a3e91 -->
+            <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5f7e44f4fb2e3f710e4a3e91 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5f7e44f4fb2e3f710e4a3e91 -->
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
         </AuthState>
@@ -629,6 +943,19 @@
             <!-- source: pattern://0b3ce3ceec7bfca3ea524983 -->
             <property name="notes:saml.errorMessage" value="permanent error, not linked to user, but to system , Request ID: ${request:traceId}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://4c65de021d362462324a3a5f -->
+                <Gui name="NotUsed"/>
+            </Response>
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Mobile_UserID_Verify_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="false">
             <!-- source: pattern://c686c1bdd5355351f7f98cc8 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
@@ -686,6 +1013,59 @@
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
             <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="forbidden_0" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="forbidden_1" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Auth_Done_GUI"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="stepup" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://596e3e37c4d524690ea35897 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <property name="parameter.paths" value="^http[s]?\u003A//[^/]+/SAML2/SSO/.*$"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/authorization.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_EId_Verification_Auth" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_EId_Verification_Auth"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                <Gui name="eid_verification">
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameDE" type="hidden" value="${sess:agov.appDisplayNameDE}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameFR" type="hidden" value="${sess:agov.appDisplayNameFR}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameIT" type="hidden" value="${sess:agov.appDisplayNameIT}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameEN" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appSamlRpEntityId" type="hidden" value="https://auth.agov-w.azure.adnovum.net/app-info/app-icon?entity-id=${sess:ch.nevis.auth.saml.request.scoping.requesterId}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="oid4vp" type="hidden" value="UNKNOWN" optional="true"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/eid_verification_auth.groovy"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <property name="parameter.eidVerifierBaseUrl" value="https://verifier-management.agov-epr-lab.azure.adnovum.net"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify_FailedEmailState" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="true">
             <!-- source: pattern://7fb39bfd6c34685866a22180 -->
             <ResultCond name="default" next="Auth_Realm_Main_IDP_FIDO2_Authentication"/>
@@ -769,6 +1149,28 @@
             <!-- source: pattern://f393012a278e525956a362d3 -->
             <property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Account_State"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Auth_Done_GUI" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false" resumeState="true">
+            <!-- source: pattern://cf0e8f8de1c8ac7345c5a6bb -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://cf0e8f8de1c8ac7345c5a6bb -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+                <Gui name="not_used"/>
+            </Response>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_FIDO2_Authentication" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://302b0fa3c5c3d1d17e9b1004 -->
             <ResultCond name="cancel" next="Auth_Realm_Main_IDP_OnCancel_Dispatch"/>
@@ -863,6 +1265,17 @@
             <!-- source: pattern://f393012a278e525956a362d3 -->
             <property name="detaillevel.default" value="EXCLUDE"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Done"/>
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_OnCancel_Dispatch" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
             <!-- source: pattern://af4ec934e8efbef422f03926 -->
             <ResultCond name="AccessApp" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
@@ -903,6 +1316,13 @@
             <!-- source: pattern://9ff0369f3cf662f95d94ff09 -->
             <property name="${sess:agov.new.recovery.code.cipher}?notes:agov.new.recovery.code:decrypt-b64" value="${sess:agov.new.recovery.code.cipher}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_clear_request_session" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
             <!-- source: pattern://8c28e8f3352491ef7c5315fc -->
             <ResultCond name="ok" next="Auth_Realm_Main_IDP_Email_Input"/>
@@ -1321,331 +1741,14 @@
             <!-- source: pattern://9a8294b080ea769d22924af0 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/checkInsufficientLoa.groovy"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_Status_Check" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <ResultCond name="continueAfterRepost" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_PreProcess_Done"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <Response value="AUTH_ERROR"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_PreProcess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="idp_2055108788" next="Auth_Realm_Main_IDP_IDP_AGOV_Dispatcher"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
+        <AuthState name="Auth_Realm_Main_IDP_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
+            <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Prepare_Done"/>
+            <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
             <Response value="AUTH_ERROR">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
+                <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="condition:idp_2055108788" value="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_Dispatcher" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="confirm" next="Auth_Realm_Main_IDP_IDP_AGOV_Logout_Confirm"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="state0" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="state1" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Gui name="saml_dispatcher" label="title.saml.failed">
-                    <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
-            </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="parameter.logoutConfirmation" value="false"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="parameter.spInitiated" value="true"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_Logout_Confirm" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Gui name="saml_logout_confirm" label="title.logout.confirmation"/>
-            </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_idp_logout_confirm.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Logout_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Logout_Fail"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
-                <Gui name="saml_idp" label="title.saml.failed">
-                    <!-- source: pattern://27cefc3861bce987f6766342 -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
-            </Response>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.binding" value="http-post"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.post.relayStateEncoding" value="HTML"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.sign" value="Response Assertion"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.signatureKeyInfo" value="Certificate"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.ttl" value="30"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.subject" value="${response:userId}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="spURL" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="spIssuer" value="https://trustbroker.agov-d.azure.adnovum.net"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="acsUrlWhitelist.uris" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="in.binding" value="auto"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="in.max_age" value="60"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.audienceRestriction" value="https://trustbroker.agov-d.azure.adnovum.net"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Logout_Done"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Logout_Fail"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                <Gui name="saml_idp" label="title.saml.failed">
-                    <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
-            </Response>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.binding" value="http-post"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.post.relayStateEncoding" value="HTML"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.sign" value="Response Assertion"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.signatureKeyInfo" value="Certificate"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.ttl" value="30"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.subject" value="${response:userId}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="in.binding" value="auto"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="in.max_age" value="60"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <property name="out.audienceRestriction" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Concurrent_Logout" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="false" resumeState="false">
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                <Gui name="saml_logout" label="title.logout">
-                    <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                    <GuiElem name="saml.logoutURLs" type="hidden" value="${outargs:saml.logoutURLs}" optional="true"/>
-                    <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                    <GuiElem name="saml.logoutURL" type="hidden" value="#{ session.containsKey('saml.logoutURL') ? session.get('saml.logoutURL') : '/' }" optional="true"/>
-                </Gui>
-            </Response>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Logout_Done" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                <Gui name="empty"/>
-            </Response>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Logout_Fail" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
-            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
-                <Gui name="empty"/>
-            </Response>
         </AuthState>
         <AuthState name="Auth_Realm_Mobile_FIDO_UAF_DirectFidoAuthRequired" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
             <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
@@ -2846,4 +2949,13 @@
             <property name="generateNow" value="true"/>
         </AuthState>
     </AuthEngine>
+    <!-- source: pattern://ab5a82719993921822e95751 -->
+    <WebService name="ArtifactResolutionService" class="ch.nevis.esauth.auth.adapter.saml.ArtifactResolutionService" uri="/nevisauth/services/artifactresolution" SSODomain="Auth_Realm_Main_IDP">
+        <!-- source: pattern://ab5a82719993921822e95751 -->
+        <property name="issuer" value="Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP"/>
+        <!-- source: pattern://ab5a82719993921822e95751 -->
+        <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+        <!-- source: pattern://ab5a82719993921822e95751 -->
+        <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+    </WebService>
 </esauth-server>
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
similarity index 92%
rename from DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
rename to DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
index 115cd87..350d230 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
@@ -75,9 +75,18 @@ def dispatchIssuer(i2s, String issuer) {
     if (result == null) {
         LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
     }
+    
+    // dispatch different idp if artifact binding is enabled
+    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
+        LOG.debug("EPD: Artifact mode")
+        result = result + "_artifact"
+    }else{
+        LOG.debug("EPD: POST mode")
+    }
     response.setResult(result)
     session.put("saml.inbound.issuer", issuer)
     session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
+    
 }
 
 def dispatchMessage(i2s, String message) {
@@ -108,8 +117,8 @@ if (request.getSession(false) == null) {
 def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
 
 
-i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
-i2s.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'state1')
+i2s.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'main')
+i2s.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'epd')
 
 if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
     LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_logout_confirm.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logout_confirm.groovy
similarity index 100%
rename from DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_logout_confirm.groovy
rename to DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logout_confirm.groovy
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
index 9ec159a..6e4c246 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-50299cb935be4a677ffbde29128d0706fb4a25d9"
+    tag: "r-d9f8becba9a6acfa30f490d16e18038ab79e9d92"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
     credentials: "git-credentials"
   keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
index f34ef23..78e1626 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
@@ -1597,10 +1597,10 @@
             <param-value>true</param-value>
         </init-param>
     </servlet>
-    <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://c642107fde6b2e07f16bfedb, pattern://decb9b3f88d430fb5c95f466 -->
+    <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
     <servlet>
         <servlet-name>Hosting_Default</servlet-name>
-        <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://c642107fde6b2e07f16bfedb, pattern://decb9b3f88d430fb5c95f466 -->
+        <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
         <servlet-class>ch::nevis::isiweb4::servlet::defaults::DefaultServlet</servlet-class>
     </servlet>
     <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
@@ -1671,7 +1671,7 @@
         <servlet-name>Hosting_Default</servlet-name>
         <url-pattern>/AUTH/RECOVERY/*</url-pattern>
     </servlet-mapping>
-    <!-- source: pattern://c642107fde6b2e07f16bfedb -->
+    <!-- source: pattern://a6f6dc6affdc7c692ff857b9 -->
     <servlet-mapping>
         <servlet-name>Hosting_Default</servlet-name>
         <url-pattern>/SAML2/SSO/*</url-pattern>