new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-nevisauth-sts-4bad2fe3ccc54716cc87138f.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisAuth"
   replicas: 1
-  version: "8.2405.2"
+  version: "8.2411.3"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-6c62b8946330d7c4f2ed7d6bb4e18322c0a85ad9"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/env.conf

@@ -3,6 +3,7 @@ RTENV_SECURITY_CHECK=no_shell
 JAVA_OPTS=(
     "-XX:+UseContainerSupport"
     "-Dfile.encoding=UTF-8"
+    "-Dotel.instrumentation.metro.enabled=false"
     "-XX:MaxRAMPercentage=80.0"
     "-Djava.net.preferIPv4Stack=true"
     "-Djava.net.connectionTimeout=10000"
@@ -12,7 +13,7 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
     "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-sts-default-tls-trust/truststore.p12"
     "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-sts-default-tls-trust/keypass}"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "EsAuthStart"
       level: "INFO"
     - name: "org.apache.catalina.loader.WebappClassLoader"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/nevisauth.yml

@@ -3,6 +3,7 @@ server:
   protocol: "https"
   port: "8991"
   host: "0.0.0.0"
+  max-threads: "200"
   tls:
     keystore: "/var/opt/keys/own/auth-sts-default-identity/keystore.p12"
     keystore-passphrase: "${exec:/var/opt/keys/own/auth-sts-default-identity/keypass}"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml

@@ -1,7 +1,7 @@
 apiVersion: "operator.nevis-security.ch/v1"
 kind: "NevisTrustStore"
 metadata:
-  name: "auth-default-default-signer-trust"
+  name: "auth-internal-idp-auth-signer-trust"
   namespace: "adn-agov-nevisidm-01-uat"
   labels:
     deploymentTarget: "auth"
@@ -10,5 +10,7 @@ metadata:
     patternId: "7022472ae407577ae604bbb8"
 spec:
   keystores:
+  - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "auth-sh4r3d-internal-idp-auth-signer"
     namespace: "adn-agov-nevisidm-01-uat"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml

@@ -12,6 +12,8 @@ spec:
   keystores:
   - name: "proxy-idp-notused-auth-realm-identity"
     namespace: "adn-agov-nevisidm-01-uat"
+  - name: "proxy-idp-auth-realm-main-idp-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-mobile-fido-uaf-identity"
     namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-recovery-identity"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisAuth"
   replicas: 1
-  version: "8.2405.2"
+  version: "8.2411.3"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-b7543a0cfa5709d415da026ee75c467a9ce59430"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:
@@ -55,7 +55,7 @@ spec:
   truststores:
   - "auth-default-tls-trust"
   - "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
-  - "auth-default-default-signer-trust"
+  - "auth-internal-idp-auth-signer-trust"
   - "auth-technical-trust-store"
   podSecurity:
     policy: "baseline"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/key.pem

@@ -1,54 +1,54 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUbPUZn/3VpMbderej
-CK2+IC16nwwCAggAMB0GCWCGSAFlAwQBKgQQvPO51vuHnkHznERAJ+mJngSCCVDI
-JlL/aK5MTWYntg5qFJ2L3w4GNTaKeVXrCE1Q/UrXo4/OnNVQdHnyWiuzOt0FoGow
-H22nWxbehwlykBPhPNw4719QOiMWQJqggR/61IUh8xOBrchqjQ2irIDjiXnTgD1N
-ADmtLHZC6duXncdFOtpeooHKMW61P6+KGBck0n8jM96+DuIKZKF2VO0hEzrUCF3d
-4ODXNX8EEc4l1UdGUU0l7r/SvxoDyprGnFW1Di+PZCRWwUkHbDrqOWEzs5UIzTRM
-2Tyt5osJB7v+0XB3f2PeBEHkQQhd9mvPIiSO5EwQF4JNQx7LMcnV1eFYXGF30pVb
-g9nG3UFbI68uH+uuuEU66yug/h/0RzMSBp8Le6eIck5/jaXBPzDstrc3VW5f1f+n
-I3LsVplUE5znK5okwcGNKr84Ppf6QJ0Hjmbx927j8/n5yMYAn8xa1X5XNeC0dmy8
-Fjbsz1YpiTx9uQ33thXWbpQXno3fJzXvTVJ258GciPwcwqUTiudkMz3eD/tk/Ehd
-SM2oxCKIFDjEUnTSJ89uj+vz9OlTAdaUr0uEfpM6vwq+610UviVRPrNpI2v/qiqJ
-SCeCsce4cN4eIjdpgPIt89H/ISDaOlpeCNQ8yLkkM4P89zXjir7Mt7jt3Uh58xoO
-rOHwQW8xUp+92BvES17PS072ywPS2jO/+hVQv6lf1LPHOmIlEWUln8no6KUBupMM
-ukaW+AmBxxYA1nycC+7IyXDUGiX8MU8GhT45xBpj6t5gKr5QwvJpGcH5oJ0qqq+s
-5B4bmIkaDUgbyAcnishANkHt8/wPvKLbefgRPkpRzaPFQqXu18nRr5GTa+dWfS1y
-GJOVtKcGEyMCHTWfvT9NQZryP3uSsVvl4unEcScWqUL12rDfe31EuTr8JD79I7US
-ssJoDtOKSsP/fFcUatUDcfsb+hkBGN19CdDb4LvPY23FhUc1ApYbWmU5HlY16uQx
-zjoVVZ3lCckJHojPlXpgv0y/CC6tOyEwKxC2u2voPunbR/D7rJ+5AIWDDc3pzzPZ
-KH1jfJPL8KbM8lBc+hpyLBtSnQpj/osN/jLY7El3ciFcux/NFSffeWKn/QuYYC8p
-LtJzWZiURZ6SWFZ4llPKbDeXsKhSOuroMt0aRUfQu2zHw++Ss94X+wJ3Tg64uP/9
-Bw9B5LFdTogChz7ObmGr9OnyJuQaj9/riWP6kowjXSQhku30RMpf6MQnxg8KLhI/
-99y4rGp+OLcxZcKbmENWIl9QcEVbyPfBq2yGSk/drT3xUJghCcPjObKToutHRs9r
-cN0IE6kzRiruRdm2bejgni+v5BhioiZRiSwr5om57G1N4e8BseTxY+zQrU2WwdJp
-ll1zqk5t2J+83uU/EQBmIkXpP+xqrod/uOUm84d5nYRXuO94DLUDwqU0KI7QKoHK
-W6XSU5TDzmynPrycl1IGW1l6ddb92h4FPYyYsppb+G78v2WfVFSsze2aBIDbDZUh
-QEaElJuNIOA+bOSctpTr0i70HXhGzVMXStXJMAIFgR9wKppxW+0IXdjYzhKVE8gx
-uXiJfwJx5pSDBWFDZqLM8uTH3hGOuvRX06iSHIFCsxjds7VWXBh91iGw9Xef9D50
-DVaIhF12dTRsrdi5AqYYkTb4AEzpUQXg7HPi678F6UnsOzCVYZqMWZaF3Ec1UHxu
-PZ9A27DvK1MsUm4QZ+7XrzWrRdkmRFXqhtfxCxHRpF+YlRPTyWSVmx0fEkGjLiAd
-uHU0D14lcqNvmusWOWXVYePOS44R3DrQFULgzfsly09bKFqRZdKGQavVjUbokP1S
-+MDQOca4I6KSxo2358rUGDhq3A0xI5U24wjinNWHktTPXkJbvcJubx/sHb8QMxST
-qSXr5vYjJfms1sU3v2QYrORU42CBOvUAaZYTwLDq+PSN37IcyQoAhTU2ZgPSzSQe
-8aJvxgZWgWedsoeKpKK54yk7rG7b+Qhk6ZHrvFS6cI0YasYQ4GHZHfieG0dTGlVS
-FAAF+HF9/TI3vZPx5qzS6jhtpy6bI/MxjCachA1suShqHZNn4dGW13C6Kf6a6Ci8
-fOMVK/3t4H5oU+2fqoo41jU/1MmLuNUFt7F08X+3eRw/dmhGuf6Mcd46L9SMPtXp
-quSmX/q8kG1YUfj0vXfxBox9rQWYY8kNjp6OUkvAwBYoy6a1j0h420ZQhyNS0vzy
-w2d3UjTjoEdo3qOKCDKLGA9ILSJvK/jzDEoS0G23eiaQJ5DHDK6m++izm+2oCMwM
-+5fcoRhn0SVzAgE63x80btbGuo52sMp57PcGZq50s8yeVYziyZEVPIb5I/vau8BH
-CxZ++8ENtvKmYWX84hXApR+2rX6hWWi/b34YIG4jtCr+aeaNumv5NT19G+g84BsL
-akcBUtt3px2icLZtUv+ck/JCG/7pUvIqZ2HMKLZgsSZan1pfdfdl1Q28xG97X/dR
-gCzr15ZjlX8bwtRNQs+xhv6lDQtFOv0wgYYW6rolZS3SOaGhWU4/E1a+RT16NUvS
-lajoYD1jFCk6Y2WWIB1tHxAlNC06EQB3oT+gPtzZ9upcM3Qv0X0RyXgPcLFcveiC
-aZZtBY6MElzXiRpRB8y6XNyvJz+1vB05DDlcCnx2ovztHAk74AiUp0VlSk6ylqDQ
-DKOaXHz5ZzFT+Ptaj3m1xBYc3m4Iyw98RXX7IGs7hOY2roaqO3rI/lmgTVuA3hv7
-m3CX8vbk3gqV1+Rt2ObuddnKtkrG07lP72HliZBLNRgEoaX1DSKdWq7A8G5uNWJj
-xvwWUDIu/PESII1x8D52pmZ0QH1VQmas17Ezme/4BGvOR5/0vwKUEXPYWhHvtB31
-4q/HMWpCCH5wF5DF0JfWmOhDpR3EvtG8HnNMzP8cdHbCLaG4SUz5uNKgJ6pI5cjV
-E+HS+McIN1wp5mFodR3qwjMdLoH2uJ4YOqP05qri1b40xXM/j6+p9tXXYuV/8d6K
-+L8sZxNvORwf6z8yys2cAHC5xPYBC8c0qKE9a1GtYJRPpjXona+iHoM5KooGFmYx
-qZz2AvqbPYIwTHD5sV/K0wA3Zjlw6HOHBnZ6C7ZINAL/idY5uLOP6c3HCmVLRz3a
-KIZCBintlvOKVSlzfGh7MjAJpEkzqGBNQIFCkRflrJW13R4/fiRL2fqRm2UjbU7q
-QQo+ffs3emwCxkfxdOpubKUoANiFdXvQlKiC2BP/Yw==
+MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU95KG57RacAYBmkeQ
+DIe1bZS0sbkCAggAMB0GCWCGSAFlAwQBKgQQyxdAya9Sd4oHLO1pzVWcYASCCVDT
+ozdXT3vjyqMzza4QKaMD4ywSAzGhQRM/TnxU5JbRLNMpdtq76Mfet2pv++UUjcof
+16EsdOOpDQdxdzQWmwGUNwjkX5YyWTaAefV8l9n6Bp8LV0XabS9We3g5Jr1KjuzP
+O/xJgB2o6BcD/WRPeOaANSGoyWce4rCkpDwqxrp+tY9EK19SoCZG9Zy2hnPPH2Hc
+QgtgCAzqaXIp49KIXHn/Uo532lIz3WqkkhzVakwgAKLKIvc/SwgP0eSXLvPjeJYS
+L8DngPP0YD7IPgIs7WmMNNE7or69e7mO0miUOl7xStNHzHpLmtLNbYI7Pk6NLT7N
+kWfh2+E21R7llsW57boMACXVr7N3CHOlZQhUNViyjPayo1njVnp6gGzuIxluhHJY
+CL070oqBeEYVfvE07HQ4Qd0BL5c02pdrKjdzBYyLwzSNKn2RzgS2R/XtEqdmOUo+
+iuRngv9D1UPSI2xlFhv84778ktEeSf8l1nLltqhPJAmJUjSAcu/zjN4Q+HXqMRaF
+IocDV4I7CaXDc2E0YdU8uHuzzUHLflJ2OZwU5N7tkoVOtAYHKUwCP4J/zpLSe2V2
+MIh40IVJK4gzb+iyBiOnsnKKQCKMPbS4lH8zC2S486MgjgbhlZeFg0nOF955c61l
+Sb4MBrexU4s1TUg/fDpYt6jPZoKivN72jzi60kV43gBFHmP3X4SRAUQ4Y3h5NFF8
+h2p4wvYRsYEexjJU/+WJG4Yi1wSi3oEqD161a6vPOsKBLBdLRo1vgnQdGFx/k83X
+vjPlI2eEUMPCntNBbrTy8eUSJz/0OH2phztZpHuh5cfy4ErUi19d9ywZUlhurGvX
+dC7ouTEqRZLkkSCfGTQM0q0O4JQJTLb5N4gWdZxQd2UwGv3jCK7m5eWx3bTdhhXi
+179DoSpYBCJF3msn0ROO6PxsccH0w/I6KMi3QNmsDlXhDr6XIBya8CU0lx9lp0pl
+5q62D26Ylr2fovd3qKKbwP6RaZarCzKLO6dWdyMqtUwVlX2FDCFd/SPGWc2TmuVS
+vLb981Zm13AfYtNUSfusroDp3TEuvl7cwozg7p33SQhuCmgKnxMd0iXd5QQZjrR0
+t+y22dHrD1agkkoFMLz/+d+930J0sY4odG/HbL2Bv8ZelVUjA8XSFoGBEA+rfQCg
+DGmLh5a+/yfzxCEKWVLqmwHWbSkub8bXdl6EKEyaO9qo1KCLAf3tArQx45sqw8bK
+8AYq2mrNIiMDhHub+XEEC0Aw2lZkJOrwwMEsTcZWfBvj56MdRNXuZMvPdarTbnDx
+zzxatqIwfvpOy/S2Poyrc6GuprbZCM6N+cDLdWQqAHVwAlx77NhiJ6s3vUnE3vB7
+aHgmXU+a8uPA64tKKaRNQJ31f7viCkWJXEbbEhVTzCvFcoqbKPPMm9w7nO8PMUTu
+BmwSFEKhd3BDKZavqTHKi66fF3A5ALFYAkMw/AlvinMitb9s+7WlWQrdvSFkqHsY
+wNQ1ankleYd24/8ZllvsQpleLMepDSxP6zUMpXSHbTKp5MZeoCaaY1RCkg7aOduz
+brnD7lRAfLp0H72nxVgC7n6VjidOSruF7k9WIN9VVbP0ZVL/QtkKRWd/hEmtMNaH
+ELg2ekdm3zvdBuvtr0jNiCxbhTr3j5OWQkT/BjZxHpZfA14XEROJC2Slo3PxUwBH
+0lE0cICWTeaeYcCX8ofawN+t1Qa6UD0sLl2670Kc7pozkJM4ul19rGA2KsHX89gE
+CaB1CkhFCqZhPbqX9yonv9XZtLb8Of8rBNVd/2QKN4/tOXcMYshzakSfSSIsyxxt
+QgMPRfz0nJTtP7v8ZbwIO+ayGoUeH7aYKhQ6Ku3qW9XuYiy+oMTIOToCSddnEI5t
+JNuPkT9kzA9stkRbFV5kBvrv5LWprWDXdA/wyAWG7txncWj6UzGlP8C3KhtMHLHv
+CiOXrE8UJdNNeT52dYI9slg+tzcCfz3sqMr9zXratvT6JMzrQZqCSis8vIx18TIK
+N5yDWHDFUOeNpo7aRqd5goW3qProwfZDjBXiqE4J+AJ5wc73PuftHt2l00zvLDWs
+SFIRvXbavNBA7GxpVtN8Qxmk6Lm0u0pBiastndowgAI5OIQVuwoA21vXyC5n9pMd
+bPJsmiPyme62OkCWmAjBNDLNVViwKMH8BxmLKJxX+6ysNsn0YY1+9YfI/zC3j4jM
+OYsK1c0NvFIv5aUxRQZLTJJt9C299jGNvdAJsfdp4LHejzZUjnx3nguz/l6RI1Vb
+vjQ1qDRPhkgErGXSHsCoCt+z5Y6mq17JWEX/FiXBWQbfSGoG/ZvoOqiBybCQ3HNl
+o9QM1sNQ5fUZDh0TgwkJB91rZXPwi828RklMW8VZszZir5gziTnndhw0ADLCZZ6z
+nA0vZAI7sjoEeIgiJq3egrsSLq2ZQRQsh5QF+Xo2QktleGvPrtMv//ZyGz4l59yc
+wX/7DtABurFhVs3KdYohcqXk2v5jJCMs+j9YDn6540QR6yXcbifp9ySqhm/PeH91
+UuL16YKxoV6QBZIGE0vjdUitGKNsS+H4ibD/0ZHYG+VcyL90eIrBq61CjfIO79O0
+L9+G4gKB91stXwtpqZWXTrlzrnjloZOPhqyQN/bs/liWQ6qy0a6Cd6nbWc141An1
+zEiOihbwLJ4ziCut+bq5lwyw6z/wWEhaVNnYspEEBr2URLMHbnBceS6zXoePT0ur
+9mQQLitmtlANlJ93vBDPhCaEjkK1v5J7MmIHQzyLSQGuLdXwz50piJukWru3aNax
+skloghJYeTMILEcGAszvyVtcvPqkrJnZXx4Qp7Luj5HK9THr78v3T4nWzirfqxPZ
+x70xRyhsC2lLcIrJ+3jkXj44edIqdh3Wvi30L2x2iUFyZ0ojQJQDo/+5b+p9k36L
+Dk8ktpeIa/BE3NsfcFaWn9bvRkQ6UAQcNn1zmkavfw5TLI4C1PnD/WUpPHZdhzNV
+K87CsUawxjEg0uCCaViShF6bD9mOWQxE3SM9yNizjTmotF6KrgkT16y/qZ17KGQM
+hJ5PraGu9jvg+L/MrQpr91eyJaeh9JFl9dM/SPM0mXo5q813bdMmqD4cc3YWCLee
+dHtmaKJ08KD1cJqHBz0DRLVV+zH00BMoYt5HZ5DmHFU1zhDekWZLhilbyWt8+z1E
+bzsoEAfZvyfvF7fJuxQ/HhYdR6TX5H+aNzZZivVc6g==
 -----END ENCRYPTED PRIVATE KEY-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.pem

@@ -1,56 +1,56 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUbPUZn/3VpMbderej
-CK2+IC16nwwCAggAMB0GCWCGSAFlAwQBKgQQvPO51vuHnkHznERAJ+mJngSCCVDI
-JlL/aK5MTWYntg5qFJ2L3w4GNTaKeVXrCE1Q/UrXo4/OnNVQdHnyWiuzOt0FoGow
-H22nWxbehwlykBPhPNw4719QOiMWQJqggR/61IUh8xOBrchqjQ2irIDjiXnTgD1N
-ADmtLHZC6duXncdFOtpeooHKMW61P6+KGBck0n8jM96+DuIKZKF2VO0hEzrUCF3d
-4ODXNX8EEc4l1UdGUU0l7r/SvxoDyprGnFW1Di+PZCRWwUkHbDrqOWEzs5UIzTRM
-2Tyt5osJB7v+0XB3f2PeBEHkQQhd9mvPIiSO5EwQF4JNQx7LMcnV1eFYXGF30pVb
-g9nG3UFbI68uH+uuuEU66yug/h/0RzMSBp8Le6eIck5/jaXBPzDstrc3VW5f1f+n
-I3LsVplUE5znK5okwcGNKr84Ppf6QJ0Hjmbx927j8/n5yMYAn8xa1X5XNeC0dmy8
-Fjbsz1YpiTx9uQ33thXWbpQXno3fJzXvTVJ258GciPwcwqUTiudkMz3eD/tk/Ehd
-SM2oxCKIFDjEUnTSJ89uj+vz9OlTAdaUr0uEfpM6vwq+610UviVRPrNpI2v/qiqJ
-SCeCsce4cN4eIjdpgPIt89H/ISDaOlpeCNQ8yLkkM4P89zXjir7Mt7jt3Uh58xoO
-rOHwQW8xUp+92BvES17PS072ywPS2jO/+hVQv6lf1LPHOmIlEWUln8no6KUBupMM
-ukaW+AmBxxYA1nycC+7IyXDUGiX8MU8GhT45xBpj6t5gKr5QwvJpGcH5oJ0qqq+s
-5B4bmIkaDUgbyAcnishANkHt8/wPvKLbefgRPkpRzaPFQqXu18nRr5GTa+dWfS1y
-GJOVtKcGEyMCHTWfvT9NQZryP3uSsVvl4unEcScWqUL12rDfe31EuTr8JD79I7US
-ssJoDtOKSsP/fFcUatUDcfsb+hkBGN19CdDb4LvPY23FhUc1ApYbWmU5HlY16uQx
-zjoVVZ3lCckJHojPlXpgv0y/CC6tOyEwKxC2u2voPunbR/D7rJ+5AIWDDc3pzzPZ
-KH1jfJPL8KbM8lBc+hpyLBtSnQpj/osN/jLY7El3ciFcux/NFSffeWKn/QuYYC8p
-LtJzWZiURZ6SWFZ4llPKbDeXsKhSOuroMt0aRUfQu2zHw++Ss94X+wJ3Tg64uP/9
-Bw9B5LFdTogChz7ObmGr9OnyJuQaj9/riWP6kowjXSQhku30RMpf6MQnxg8KLhI/
-99y4rGp+OLcxZcKbmENWIl9QcEVbyPfBq2yGSk/drT3xUJghCcPjObKToutHRs9r
-cN0IE6kzRiruRdm2bejgni+v5BhioiZRiSwr5om57G1N4e8BseTxY+zQrU2WwdJp
-ll1zqk5t2J+83uU/EQBmIkXpP+xqrod/uOUm84d5nYRXuO94DLUDwqU0KI7QKoHK
-W6XSU5TDzmynPrycl1IGW1l6ddb92h4FPYyYsppb+G78v2WfVFSsze2aBIDbDZUh
-QEaElJuNIOA+bOSctpTr0i70HXhGzVMXStXJMAIFgR9wKppxW+0IXdjYzhKVE8gx
-uXiJfwJx5pSDBWFDZqLM8uTH3hGOuvRX06iSHIFCsxjds7VWXBh91iGw9Xef9D50
-DVaIhF12dTRsrdi5AqYYkTb4AEzpUQXg7HPi678F6UnsOzCVYZqMWZaF3Ec1UHxu
-PZ9A27DvK1MsUm4QZ+7XrzWrRdkmRFXqhtfxCxHRpF+YlRPTyWSVmx0fEkGjLiAd
-uHU0D14lcqNvmusWOWXVYePOS44R3DrQFULgzfsly09bKFqRZdKGQavVjUbokP1S
-+MDQOca4I6KSxo2358rUGDhq3A0xI5U24wjinNWHktTPXkJbvcJubx/sHb8QMxST
-qSXr5vYjJfms1sU3v2QYrORU42CBOvUAaZYTwLDq+PSN37IcyQoAhTU2ZgPSzSQe
-8aJvxgZWgWedsoeKpKK54yk7rG7b+Qhk6ZHrvFS6cI0YasYQ4GHZHfieG0dTGlVS
-FAAF+HF9/TI3vZPx5qzS6jhtpy6bI/MxjCachA1suShqHZNn4dGW13C6Kf6a6Ci8
-fOMVK/3t4H5oU+2fqoo41jU/1MmLuNUFt7F08X+3eRw/dmhGuf6Mcd46L9SMPtXp
-quSmX/q8kG1YUfj0vXfxBox9rQWYY8kNjp6OUkvAwBYoy6a1j0h420ZQhyNS0vzy
-w2d3UjTjoEdo3qOKCDKLGA9ILSJvK/jzDEoS0G23eiaQJ5DHDK6m++izm+2oCMwM
-+5fcoRhn0SVzAgE63x80btbGuo52sMp57PcGZq50s8yeVYziyZEVPIb5I/vau8BH
-CxZ++8ENtvKmYWX84hXApR+2rX6hWWi/b34YIG4jtCr+aeaNumv5NT19G+g84BsL
-akcBUtt3px2icLZtUv+ck/JCG/7pUvIqZ2HMKLZgsSZan1pfdfdl1Q28xG97X/dR
-gCzr15ZjlX8bwtRNQs+xhv6lDQtFOv0wgYYW6rolZS3SOaGhWU4/E1a+RT16NUvS
-lajoYD1jFCk6Y2WWIB1tHxAlNC06EQB3oT+gPtzZ9upcM3Qv0X0RyXgPcLFcveiC
-aZZtBY6MElzXiRpRB8y6XNyvJz+1vB05DDlcCnx2ovztHAk74AiUp0VlSk6ylqDQ
-DKOaXHz5ZzFT+Ptaj3m1xBYc3m4Iyw98RXX7IGs7hOY2roaqO3rI/lmgTVuA3hv7
-m3CX8vbk3gqV1+Rt2ObuddnKtkrG07lP72HliZBLNRgEoaX1DSKdWq7A8G5uNWJj
-xvwWUDIu/PESII1x8D52pmZ0QH1VQmas17Ezme/4BGvOR5/0vwKUEXPYWhHvtB31
-4q/HMWpCCH5wF5DF0JfWmOhDpR3EvtG8HnNMzP8cdHbCLaG4SUz5uNKgJ6pI5cjV
-E+HS+McIN1wp5mFodR3qwjMdLoH2uJ4YOqP05qri1b40xXM/j6+p9tXXYuV/8d6K
-+L8sZxNvORwf6z8yys2cAHC5xPYBC8c0qKE9a1GtYJRPpjXona+iHoM5KooGFmYx
-qZz2AvqbPYIwTHD5sV/K0wA3Zjlw6HOHBnZ6C7ZINAL/idY5uLOP6c3HCmVLRz3a
-KIZCBintlvOKVSlzfGh7MjAJpEkzqGBNQIFCkRflrJW13R4/fiRL2fqRm2UjbU7q
-QQo+ffs3emwCxkfxdOpubKUoANiFdXvQlKiC2BP/Yw==
+MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU95KG57RacAYBmkeQ
+DIe1bZS0sbkCAggAMB0GCWCGSAFlAwQBKgQQyxdAya9Sd4oHLO1pzVWcYASCCVDT
+ozdXT3vjyqMzza4QKaMD4ywSAzGhQRM/TnxU5JbRLNMpdtq76Mfet2pv++UUjcof
+16EsdOOpDQdxdzQWmwGUNwjkX5YyWTaAefV8l9n6Bp8LV0XabS9We3g5Jr1KjuzP
+O/xJgB2o6BcD/WRPeOaANSGoyWce4rCkpDwqxrp+tY9EK19SoCZG9Zy2hnPPH2Hc
+QgtgCAzqaXIp49KIXHn/Uo532lIz3WqkkhzVakwgAKLKIvc/SwgP0eSXLvPjeJYS
+L8DngPP0YD7IPgIs7WmMNNE7or69e7mO0miUOl7xStNHzHpLmtLNbYI7Pk6NLT7N
+kWfh2+E21R7llsW57boMACXVr7N3CHOlZQhUNViyjPayo1njVnp6gGzuIxluhHJY
+CL070oqBeEYVfvE07HQ4Qd0BL5c02pdrKjdzBYyLwzSNKn2RzgS2R/XtEqdmOUo+
+iuRngv9D1UPSI2xlFhv84778ktEeSf8l1nLltqhPJAmJUjSAcu/zjN4Q+HXqMRaF
+IocDV4I7CaXDc2E0YdU8uHuzzUHLflJ2OZwU5N7tkoVOtAYHKUwCP4J/zpLSe2V2
+MIh40IVJK4gzb+iyBiOnsnKKQCKMPbS4lH8zC2S486MgjgbhlZeFg0nOF955c61l
+Sb4MBrexU4s1TUg/fDpYt6jPZoKivN72jzi60kV43gBFHmP3X4SRAUQ4Y3h5NFF8
+h2p4wvYRsYEexjJU/+WJG4Yi1wSi3oEqD161a6vPOsKBLBdLRo1vgnQdGFx/k83X
+vjPlI2eEUMPCntNBbrTy8eUSJz/0OH2phztZpHuh5cfy4ErUi19d9ywZUlhurGvX
+dC7ouTEqRZLkkSCfGTQM0q0O4JQJTLb5N4gWdZxQd2UwGv3jCK7m5eWx3bTdhhXi
+179DoSpYBCJF3msn0ROO6PxsccH0w/I6KMi3QNmsDlXhDr6XIBya8CU0lx9lp0pl
+5q62D26Ylr2fovd3qKKbwP6RaZarCzKLO6dWdyMqtUwVlX2FDCFd/SPGWc2TmuVS
+vLb981Zm13AfYtNUSfusroDp3TEuvl7cwozg7p33SQhuCmgKnxMd0iXd5QQZjrR0
+t+y22dHrD1agkkoFMLz/+d+930J0sY4odG/HbL2Bv8ZelVUjA8XSFoGBEA+rfQCg
+DGmLh5a+/yfzxCEKWVLqmwHWbSkub8bXdl6EKEyaO9qo1KCLAf3tArQx45sqw8bK
+8AYq2mrNIiMDhHub+XEEC0Aw2lZkJOrwwMEsTcZWfBvj56MdRNXuZMvPdarTbnDx
+zzxatqIwfvpOy/S2Poyrc6GuprbZCM6N+cDLdWQqAHVwAlx77NhiJ6s3vUnE3vB7
+aHgmXU+a8uPA64tKKaRNQJ31f7viCkWJXEbbEhVTzCvFcoqbKPPMm9w7nO8PMUTu
+BmwSFEKhd3BDKZavqTHKi66fF3A5ALFYAkMw/AlvinMitb9s+7WlWQrdvSFkqHsY
+wNQ1ankleYd24/8ZllvsQpleLMepDSxP6zUMpXSHbTKp5MZeoCaaY1RCkg7aOduz
+brnD7lRAfLp0H72nxVgC7n6VjidOSruF7k9WIN9VVbP0ZVL/QtkKRWd/hEmtMNaH
+ELg2ekdm3zvdBuvtr0jNiCxbhTr3j5OWQkT/BjZxHpZfA14XEROJC2Slo3PxUwBH
+0lE0cICWTeaeYcCX8ofawN+t1Qa6UD0sLl2670Kc7pozkJM4ul19rGA2KsHX89gE
+CaB1CkhFCqZhPbqX9yonv9XZtLb8Of8rBNVd/2QKN4/tOXcMYshzakSfSSIsyxxt
+QgMPRfz0nJTtP7v8ZbwIO+ayGoUeH7aYKhQ6Ku3qW9XuYiy+oMTIOToCSddnEI5t
+JNuPkT9kzA9stkRbFV5kBvrv5LWprWDXdA/wyAWG7txncWj6UzGlP8C3KhtMHLHv
+CiOXrE8UJdNNeT52dYI9slg+tzcCfz3sqMr9zXratvT6JMzrQZqCSis8vIx18TIK
+N5yDWHDFUOeNpo7aRqd5goW3qProwfZDjBXiqE4J+AJ5wc73PuftHt2l00zvLDWs
+SFIRvXbavNBA7GxpVtN8Qxmk6Lm0u0pBiastndowgAI5OIQVuwoA21vXyC5n9pMd
+bPJsmiPyme62OkCWmAjBNDLNVViwKMH8BxmLKJxX+6ysNsn0YY1+9YfI/zC3j4jM
+OYsK1c0NvFIv5aUxRQZLTJJt9C299jGNvdAJsfdp4LHejzZUjnx3nguz/l6RI1Vb
+vjQ1qDRPhkgErGXSHsCoCt+z5Y6mq17JWEX/FiXBWQbfSGoG/ZvoOqiBybCQ3HNl
+o9QM1sNQ5fUZDh0TgwkJB91rZXPwi828RklMW8VZszZir5gziTnndhw0ADLCZZ6z
+nA0vZAI7sjoEeIgiJq3egrsSLq2ZQRQsh5QF+Xo2QktleGvPrtMv//ZyGz4l59yc
+wX/7DtABurFhVs3KdYohcqXk2v5jJCMs+j9YDn6540QR6yXcbifp9ySqhm/PeH91
+UuL16YKxoV6QBZIGE0vjdUitGKNsS+H4ibD/0ZHYG+VcyL90eIrBq61CjfIO79O0
+L9+G4gKB91stXwtpqZWXTrlzrnjloZOPhqyQN/bs/liWQ6qy0a6Cd6nbWc141An1
+zEiOihbwLJ4ziCut+bq5lwyw6z/wWEhaVNnYspEEBr2URLMHbnBceS6zXoePT0ur
+9mQQLitmtlANlJ93vBDPhCaEjkK1v5J7MmIHQzyLSQGuLdXwz50piJukWru3aNax
+skloghJYeTMILEcGAszvyVtcvPqkrJnZXx4Qp7Luj5HK9THr78v3T4nWzirfqxPZ
+x70xRyhsC2lLcIrJ+3jkXj44edIqdh3Wvi30L2x2iUFyZ0ojQJQDo/+5b+p9k36L
+Dk8ktpeIa/BE3NsfcFaWn9bvRkQ6UAQcNn1zmkavfw5TLI4C1PnD/WUpPHZdhzNV
+K87CsUawxjEg0uCCaViShF6bD9mOWQxE3SM9yNizjTmotF6KrgkT16y/qZ17KGQM
+hJ5PraGu9jvg+L/MrQpr91eyJaeh9JFl9dM/SPM0mXo5q813bdMmqD4cc3YWCLee
+dHtmaKJ08KD1cJqHBz0DRLVV+zH00BMoYt5HZ5DmHFU1zhDekWZLhilbyWt8+z1E
+bzsoEAfZvyfvF7fJuxQ/HhYdR6TX5H+aNzZZivVc6g==
 -----END ENCRYPTED PRIVATE KEY-----
 
 -----BEGIN CERTIFICATE-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict.properties

@@ -96,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -224,6 +224,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_de.properties

@@ -96,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -224,6 +224,8 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen können?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen können, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist möglicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
 recovery_check_noCode.banner.error=Zu viele Versuche.
 recovery_check_noCode.instruction1=Möglicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
 recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_en.properties

@@ -96,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -224,6 +224,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_fr.properties

@@ -96,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -224,6 +224,8 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n’ai pas accès à mon code de récupération
 recovery_check_code.noCodeAccess=Êtes-vous sûr de ne pas avoir accès à votre code de récupération ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de récupération, veuillez vous rendre sur AGOV help et contacter le service d’assistance AGOV. Un agent pourra vous aider dans le processus de récupération.
+recovery_check_code.too_many_tries.instruction1=Le code de récupération que vous avez saisi a peut-être expiré ou vous avez peut-être essayé de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d’assistance. Un agent pourra vous aider dans le processus de récupération.
 recovery_check_noCode.banner.error=Trop de tentatives.
 recovery_check_noCode.instruction1=Vous avez peut-être essayé de saisir le code de récupération trop de fois.
 recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_it.properties

@@ -96,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
 loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
 loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
@@ -224,6 +224,8 @@ recovery_check_code.invalid.code.tooLong=Il codice è troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha più il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assisterà nel processo di ripristino.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito può essere scaduto o è stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
 recovery_check_noCode.banner.error=Troppi tentativi.
 recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
 recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy

@@ -10,6 +10,20 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi
 
 LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
+// BUNDBITBK-4824: Address was missing after bmid verification
+def session = request.getAuthSession(true)
+int loa = session.get('agov.actualRoleLevel') as int
+
+// Best Token Available only if account's AQlevel is high enough
+if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
+    LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
+    session.setAttribute('agov.appAddressRequired', 'false')
+}
+if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
+    LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
+    session.setAttribute('agov.appSvnrAllowed', 'false')
+}
+// BUNDBITBK-4824 END
 
 // delete the login cookie
 def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy

@@ -167,7 +167,8 @@ def i2r = [:]
 
 // issuer to ResultCond name
 def i2e = [:]
-i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
 
 
 if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy

@@ -2,9 +2,8 @@ import org.codehaus.groovy.runtime.StackTraceUtils
 import groovy.xml.XmlSlurper
 
 def getUserAGOVLoiRoles() {
-  // set attibutes from DTO: -> AGOVaq
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+  // we take the roles from actualRoles
+  return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) })
 }
 
 def getUserAGOVRecoveryRoles() {
@@ -141,6 +140,11 @@ try {
     LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
     session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
+
+    // if the account has no profile, we must not return address or svnr
+    session.setAttribute('agov.appAddressRequired', 'false')
+    session.setAttribute('agov.appSvnrAllowed', 'false')
+
     response.setResult('ok')
     return
   }
@@ -161,16 +165,14 @@ try {
   if (role.startsWith('level')) {
     def roleLevel = role.substring(5)
     int roleLevelNumber = Integer.parseInt(roleLevel)
-    if (highestRoleLevelNumber == 0) {
-      highestRoleLevelNumber = roleLevelNumber
-    }
+    
     if (highestRoleLevelNumber< roleLevelNumber) { 
       highestRoleLevelNumber=roleLevelNumber 
     } 
   } 
   } 
-  LOG.debug('CheckLoa: Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) 
-  LOG.debug('CheckLoa: Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) 
+  LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString()) 
+  LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))  
 
   //set attribute Actual Role Level
   session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_verification_auth.groovy

@@ -0,0 +1,326 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.esauth.util.httpclient.api.HttpClient
+import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
+
+def getHeader(String name) {
+	def inctx = request.getLoginContext()
+	// case-insensitive lookup of HTTP headers
+	def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+	map.putAll(inctx)
+	return map['connection.HttpHeader.' + name]
+}
+
+def verification_request_template = '''
+{ "presentation_definition": {
+    "id": "{{UUID}}",
+    "name": "AGOV Verification",
+    "purpose": "AGOV Login",
+    "format": {
+      "vc+sd-jwt": {
+        "sd-jwt_alg_values": [
+          "ES256"
+        ],
+        "kb-jwt_alg_values": [
+          "ES256"
+        ]
+      }
+    },
+    "input_descriptors": [
+      {
+        "id": "agov-all-attributes",
+        "name": "AGOV Identity Verification",
+        "purpose": "verification and authentication",
+        "format": {
+          "vc+sd-jwt": {
+            "sd-jwt_alg_values": [
+              "ES256"
+            ],
+            "kb-jwt_alg_values": [
+              "ES256"
+            ]
+          }
+        },
+        "constraints": {
+          "fields": [
+            {
+              "path": [
+                "$.family_name"
+              ]
+            },
+            {
+              "path": [
+                "$.given_name"
+              ]
+            },
+            {
+              "path": [
+                "$.birth_date"
+              ]
+            },
+            {
+              "path": [
+                "$.sex"
+              ]
+            },
+            {
+              "path": [
+                "$.place_of_origin"
+              ]
+            },
+            {
+              "path": [
+                "$.birth_place"
+              ]
+            },
+            {
+              "path": [
+                "$.nationality"
+              ]
+            },
+            {
+              "path": [
+                "$.personal_administrative_number"
+              ]
+            },
+            {
+              "path": [
+                "$.document_number"
+              ]
+            },
+            {
+              "path": [
+                "$.issuance_date"
+              ]
+            },
+            {
+              "path": [
+                "$.expiry_date"
+              ]
+            },
+            {
+              "path": [
+                "$.issuing_authority"
+              ]
+            },
+            {
+              "path": [
+                "$.issuing_country"
+              ]
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
+'''
+
+def ERROR_CODE_TO_STATUS_MAPPER = [
+		'CREDENTIAL_INVALID'               : 'FAILED',
+		'JWT_EXPIRED'                      : 'ERROR',
+		'INVALID_FORMAT'                   : 'ERROR',
+		'CREDENTIAL_EXPIRED'               : 'FAILED',
+		'MISSING_NONCE'                    : 'ERROR',
+		'UNSUPPORTED_FORMAT'               : 'ERROR',
+		'CREDENTIAL_REVOKED'               : 'FAILED',
+		'CREDENTIAL_SUSPENDED'             : 'FAILED',
+		'HOLDER_BINDING_MISMATCH'          : 'ERROR',
+		'CREDENTIAL_MISSING_DATA'          : 'FAILED',
+		'UNRESOLVABLE_STATUS_LIST'         : 'ERROR',
+		'PUBLIC_KEY_OF_ISSUER_UNRESOLVABLE': 'ERROR',
+		'CLIENT_REJECTED'                  : 'CANCELED',
+		'ISSUER_NOT_ACCEPTED'              : 'ERROR'
+]
+
+// ---------------
+// check, whether we are still processing the correct AuthnRequest
+if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+	// wrong request, "force" a timeout
+	LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
+
+	response.setIsDirectResponse(true)
+	response.setContentType('text/html; charset=UTF-8')
+	response.setContent('Timeout')
+	response.setHttpStatusCode(205)
+	response.setHeader('IDP-AUTH', 'Timeout')
+
+	// CONTINUE to keep the other request beeing processed
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+if (inargs['oid4vp'] == 'ERROR') {
+	response.setResult('error')
+	return
+}
+
+if (inargs['oid4vp'] == 'SUCCEEDED') {
+	response.setResult('ok')
+	return
+}
+
+
+def sess = request.getAuthSession(true)
+
+HttpClient httpClient = HttpClients.create(parameters)
+def spanCtxt = Span.current().getSpanContext()
+def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+if (!session['agov.eid.verification']) {
+	// Initialize the verification session on the verifier
+	def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
+
+	try {
+		def httpResponse = Http.post()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.entity(Http.entity()
+						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
+						.contentType("application/json")
+						.build())
+				.build()
+				.send(httpClient)
+
+
+		if (httpResponse.code() != 200) {
+			LOG.debug("Result: ${httpResponse}")
+			response.setResult('error')
+			return
+		}
+
+		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+		LOG.debug("Result: ${json}")
+
+		sess.setAttribute('agov.eid.verification', 'true')
+		sess.setAttribute('agov.eid.verification.id', json.id)
+		sess.setAttribute('agov.eid.verification.link', json.verification_url)
+
+		if (json.state != 'PENDING') {
+			response.setResult('error')
+			return
+		}
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: $e")
+		response.setResult('error')
+		return
+	}
+}
+
+if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
+	// request for a status update from the verifier
+	def result
+
+	// TODO/haburger/2025-03-24: we should make sure, that we have an actual session on the verifier with id.v
+	// and that authRequestId is correct
+	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']
+
+	try {
+		def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
+
+		def httpResponse = Http.get()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.build()
+				.send(httpClient)
+
+		if (httpResponse.code() != 200) {
+			// TODO/haburger/2025-03-25: 404 we should create a new verification request
+			LOG.debug("Result: ${httpResponse}")
+			result = """{
+				"oid4vp": {
+					"status": "ERROR",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "HTTP-ERROR",
+					"error_message": "failed to verify status of verification ${idvalue}, http status: ${httpResponse.code()}"
+				}}"""
+			LOG.warn("<== Response: ${responseCode}")
+		}
+		else {
+
+			def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+
+			if (json.state == 'SUCCESS') {
+				def claims = json.wallet_response.credential_subject_data
+
+				// TODO/haburger/2025-03-25: format changes to align with IDM read data
+				sess.setAttribute('ch.nevis.idm.User.firstName', claims.given_name)
+				sess.setAttribute('ch.nevis.idm.User.lastName', claims.family_name)
+				sess.setAttribute('ch.nevis.idm.User.birthDate', claims.birth_date)
+				sess.setAttribute('ch.nevis.idm.User.gender', claims.sex)
+				sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number)
+				sess.setAttribute('ch.nevis.idm.User.prop.placeOfBirth', claims.birth_place)
+				sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.personal_administrative_number)
+				sess.setAttribute('ch.nevis.idm.User.prop.nationality', claims.nationality.toString())
+				sess.setAttribute('ValidFrom', claims.issuance_date)
+				sess.setAttribute('ValidTo', claims.expiry_date)
+				sess.setAttribute('authenticatedWith', "urn:qa.agov.ch:names:tc:authfactor:eid")
+				sess.setAttribute('idVerification', "Eid")
+				sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
+
+				response.setUserId(claims.personal_administrative_number)
+				response.setLoginId(claims.document_number)
+				response.setAuthLevel("EID")
+
+				result = """{
+				"oid4vp": {
+					"status": "SUCCEEDED",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "NONE"
+				}}"""
+			}
+			else if (json.state == 'FAILED') {
+				// TODO/haburger/2025-03-25: ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] == 'FAILED' we should
+				//  initiate a new verification and return the new id, url together with the message
+
+				LOG
+						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+				result = """{
+				"oid4vp": {
+					"status": "${ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "${json.wallet_response.error_code}",
+					"error_message": "${json.wallet_response.error_description}"
+				}}"""
+			}
+			else {
+				result = """{
+				"oid4vp": {
+					"status": "${inargs['o.id.v'] == 'NEW' ? 'INITIATED' : 'PENDING'}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "NONE"
+				}}"""
+			}
+		}
+
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: ${e}")
+		result = """{
+				"oid4vp": {
+					"status": "ERROR",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "HTTP-ERROR",
+					"error_message": "failed to verify status of verification ${idvalue}, http exception"
+				}}"""
+	}
+
+	response.setContent(result.toString())
+	response.setContentType('application/json')
+	response.setHttpStatusCode(200)
+	response.setIsDirectResponse(true)
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+// if we reach this place, display GUI
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy

@@ -39,21 +39,26 @@ if (Arrays.stream(response.getActualRoles()).filter( r -> r.matches('^.*AGOV-Loi
 	return
 }
 
-
-// 1b) check if user has a credential
+// 1a) check if user has a credential
 if ( recoveryCredential != null ) {
 	LOG.debug("Account '${user}' has an active recovery code, no need to create new code")
 	response.setResult('done')
 	return
 }
 
-// 1c) check if a recovery is ongoing (nothing to do)
+// 1b) check if a recovery is ongoing (nothing to do)
 if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-AccountStatus.recovery')).findAny().isPresent()) {
 	LOG.debug("Account '${user}' is in recovery, no need to create new code")
 	response.setResult('done')
 	return
 }
 
+// 1c) don't do it for mobile phones (BUNDBITBK-4445)
+if (userAgent =~ /(iPhone|Android)/ ) {
+	LOG.debug("User '${user}' used a mobile phone, recovery code creation skipped")
+	response.setResult('done')
+	return
+}
 
 // 2) set cookie for recoveryCode
 if (outargs.containsKey('out.JWTToken')) {

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/env.conf

@@ -3,6 +3,7 @@ RTENV_SECURITY_CHECK=no_shell
 JAVA_OPTS=(
     "-XX:+UseContainerSupport"
     "-Dfile.encoding=UTF-8"
+    "-Dotel.instrumentation.metro.enabled=false"
     "-XX:MaxRAMPercentage=80.0"
     "-Djava.net.preferIPv4Stack=true"
     "-Djava.net.connectionTimeout=10000"
@@ -12,7 +13,7 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
     "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-default-tls-trust/truststore.p12"
     "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-default-tls-trust/keypass}"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml

@@ -75,7 +75,7 @@
             <!-- source: pattern://7022472ae407577ae604bbb8 -->
             <KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/cert.pem" privateKey="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keypass"/>
             <!-- source: pattern://7022472ae407577ae604bbb8 -->
-            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/auth-default-default-signer-trust/truststore.jks"/>
+            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/auth-internal-idp-auth-signer-trust/truststore.jks"/>
             <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
             <KeyObject name="Signer_SecToken" certificate="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/cert.pem" privateKey="/var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/auth-sh4r3d-internal-idp-auth-signer/keypass"/>
         </KeyStore>
@@ -99,12 +99,14 @@
             <!-- source: pattern://95220b3005deb118adeb01aa -->
             <KeyObject name="FIDO_UAF_Truststore" certificate="/var/opt/keys/trust/env-ca/truststore.jks"/>
         </KeyStore>
-        <!-- source: pattern://27cefc3861bce987f6766342 -->
+        <!-- source: pattern://0a15213c00dec3668fb94a65, pattern://c0f2c118a88327acce1687fe, pattern://8dbec5bb024707d73fca93ef -->
         <KeyStore name="Store_IDP_AGOV">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://c0f2c118a88327acce1687fe -->
             <KeyObject name="Signer_IDP_AGOV" certificate="/var/opt/keys/own/idp-pem-signer/cert.pem" privateKey="/var/opt/keys/own/idp-pem-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/idp-pem-signer/keypass"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://0a15213c00dec3668fb94a65 -->
             <KeyObject name="https://trustbroker.agov-d.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
+            <!-- source: pattern://8dbec5bb024707d73fca93ef -->
+            <KeyObject name="https://trustbroker-idp.agov-w.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
         </KeyStore>
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
         <KeyStore name="Auth_Realm_Mobile_FIDO_UAFKeyStore">
@@ -130,8 +132,9 @@
     <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisfidocl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
         <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
         <Domain name="Auth_Realm_Main_IDP" default="false" inactiveInterval="1800" reauthInterval="0" resetAuthenticationCondition="#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id')) ? 'restart' : '' }">
-            <Entry method="authenticate" state="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <Entry method="authenticate" state="Auth_Realm_Main_IDP_IDP_Status_Check"/>
             <Entry method="authenticate" state="Auth_Realm_Main_IDP_IDP_Status_Check" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
+            <Entry method="logout" state="Auth_Realm_Main_IDP_IDP_Status_Check"/>
             <Entry method="logout" state="Auth_Realm_Main_IDP_IDP_Status_Check" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
             <Entry method="stepup" state="Auth_Realm_Main_IDP_Selector"/>
             <Entry method="stepup" state="Auth_Realm_Main_IDP_IDP_Status_Check" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
@@ -155,37 +158,19 @@
             <Entry method="authenticate" state="NotUsed_Auth_Realm_NotUsed_Pwd_Login"/>
             <Entry method="stepup" state="NotUsed_Auth_Realm_Selector"/>
         </Domain>
-        <AuthState name="Auth_Realm_Main_IDP_RequestedRoleLevel" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://68665057549fd887ea09fb86 -->
-                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
-            </Response>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="parameter.appAddressRequired.whitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="parameter.url" value="https://utility.agov-d.azure.adnovum.net/connect/billing/relying-party"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
+        <AuthState name="Auth_Realm_Main_IDP_IDP_Status_Check" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <ResultCond name="continueAfterRepost" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Preprocess_Done"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
             <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/requestedrolelevel.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://4c65de021d362462324a3a5f -->
-                <Gui name="NotUsed"/>
-            </Response>
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
             <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://4c65de021d362462324a3a5f -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
+            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Mobile_NLess_Auth" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://f63c475c35b616b7c6c1901c -->
@@ -225,6 +210,19 @@
             <!-- source: pattern://f63c475c35b616b7c6c1901c -->
             <property name="parameter.recoveryurl" value="https://auth.agov-w.azure.adnovum.net/AUTH/RECOVERY/"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Preprocess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Auth_Failed"/>
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_IDP_Dispatcher"/>
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://03326b180687860ffe06a58c -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://03326b180687860ffe06a58c -->
+            <property name="condition:ok" value="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_fido2_fetchCaptchaInfos" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
             <!-- source: pattern://f39352769cb2a1c88e1a176d -->
             <ResultCond name="error" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
@@ -278,6 +276,48 @@
             <!-- source: pattern://d76231eaa88cb1645ce44cf3 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/createuuid.groovy"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
+            <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                <Gui name="Error">
+                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_IDP_Dispatcher" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="confirm" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Confirm"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="epd" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_IDP"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="epd_artifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="main" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://73efd00d67082ff1eb927922 -->
+                <Gui name="saml_dispatcher" label="title.saml.failed">
+                    <!-- source: pattern://73efd00d67082ff1eb927922 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.logoutConfirmation" value="false"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.spInitiated" value="true"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.epdMode" value="post"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.atb" value="https://trustbroker.agov-d.azure.adnovum.net"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="parameter.epd_atb" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_dispatcher.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Email_Input" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="true" resumeState="true">
             <!-- source: pattern://e3cac41e75980361d7d26bde -->
             <ResultCond name="cancel" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
@@ -347,6 +387,10 @@
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="in.binding" value="none"/>
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
+            <property name="in.keystoreref" value=""/>
+            <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
+            <property name="in.keyobjectref" value=""/>
+            <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="out.binding" value="internal"/>
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="out.sign" value="Response Assertion"/>
@@ -387,6 +431,311 @@
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="out.audienceRestriction" value="https://ob.agov-w.azure.adnovum.net/mock-me/registration"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Confirm" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://9196b809b539716b03ad8565 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://9196b809b539716b03ad8565 -->
+                <Gui name="saml_logout_confirm" label="title.logout.confirmation"/>
+            </Response>
+            <!-- source: pattern://9196b809b539716b03ad8565 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/logout_confirm.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_IDP" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_IDP"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.sign" value="Response Assertion LogoutResponse"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.audienceRestriction" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://1d81bd987455a8e1ee044ccf -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.binding" value="http-artifact"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.artifactSourceId" value="0x49899452c60f53e500d7d8b221536c9745dfaf0f"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.sign" value="Response Assertion LogoutResponse ArtifactResponse"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.audienceRestriction" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://5a75ffc73b91b88cfab6168e -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.sign" value="Response Assertion"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="spIssuer" value="https://trustbroker.agov-d.azure.adnovum.net"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="spURL" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.audienceRestriction" value="https://trustbroker.agov-d.azure.adnovum.net"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://826166d230a6a4849f2837ae -->
             <Response value="AUTH_CONTINUE">
@@ -473,6 +822,75 @@
             <!-- source: pattern://bfd395eb0dab50aff2f2c01b -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRegistration.groovy"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="false" resumeState="false">
+            <!-- source: pattern://db4eead0bb25b03205afd79f -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://db4eead0bb25b03205afd79f -->
+                <Gui name="saml_logout" label="title.logout">
+                    <!-- source: pattern://db4eead0bb25b03205afd79f -->
+                    <GuiElem name="saml.logoutURLs" type="hidden" value="${outargs:saml.logoutURLs}" optional="true"/>
+                    <!-- source: pattern://db4eead0bb25b03205afd79f -->
+                    <GuiElem name="saml.logoutURL" type="hidden" value="#{ session.containsKey('saml.logoutURL') ? session.get('saml.logoutURL') : '/' }" optional="true"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization"/>
+            <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://2f81f8b878ef787fc5cc284a -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="true">
+            <!-- source: pattern://06515d4815de4afde6f8116a -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://06515d4815de4afde6f8116a -->
+                <Gui name="empty"/>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="true">
+            <!-- source: pattern://3f719a1e5c1447ee46c69cb2 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://3f719a1e5c1447ee46c69cb2 -->
+                <Gui name="empty"/>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_RequestedRoleLevel" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <ResultCond name="exit.1" next="Auth_Realm_Main_IDP_EId_Verification_Auth"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://68665057549fd887ea09fb86 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.bestTokenAddressWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground, https://admin.agov-w.azure.adnovum.net/SAML2/ACS/"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.bestTokenSvnrWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground, https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.url" value="https://utility.agov-d.azure.adnovum.net/connect/billing/relying-party"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/requestedrolelevel.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true">
+            <!-- source: pattern://5f7e44f4fb2e3f710e4a3e91 -->
+            <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://5f7e44f4fb2e3f710e4a3e91 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5f7e44f4fb2e3f710e4a3e91 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
             <!-- source: pattern://7fb39bfd6c34685866a22180 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
@@ -529,6 +947,19 @@
             <!-- source: pattern://0b3ce3ceec7bfca3ea524983 -->
             <property name="notes:saml.errorMessage" value="permanent error, not linked to user, but to system , Request ID: ${request:traceId}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://4c65de021d362462324a3a5f -->
+                <Gui name="NotUsed"/>
+            </Response>
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://4c65de021d362462324a3a5f -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Mobile_UserID_Verify_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="false">
             <!-- source: pattern://c686c1bdd5355351f7f98cc8 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
@@ -586,6 +1017,59 @@
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
             <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="forbidden_0" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="forbidden_1" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Authorization"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Auth_Done_GUI"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <ResultCond name="stepup" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://596e3e37c4d524690ea35897 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <property name="parameter.paths" value="^http[s]?\u003A//[^/]+/SAML2/SSO/.*$"/>
+            <!-- source: pattern://596e3e37c4d524690ea35897 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/authorization.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_EId_Verification_Auth" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_EId_Verification_Auth"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <ResultCond name="error" next="Auth_Realm_Main_IDP_SendSamlResponseWithError"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                <Gui name="eid_verification">
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameDE" type="hidden" value="${sess:agov.appDisplayNameDE}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameFR" type="hidden" value="${sess:agov.appDisplayNameFR}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameIT" type="hidden" value="${sess:agov.appDisplayNameIT}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appDisplayNameEN" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="agov.appSamlRpEntityId" type="hidden" value="https://auth.agov-w.azure.adnovum.net/app-info/app-icon?entity-id=${sess:ch.nevis.auth.saml.request.scoping.requesterId}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
+                    <!-- source: pattern://e335f57d4c64dfc97223697a -->
+                    <GuiElem name="oid4vp" type="hidden" value="UNKNOWN" optional="true"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/eid_verification_auth.groovy"/>
+            <!-- source: pattern://e335f57d4c64dfc97223697a -->
+            <property name="parameter.eidVerifierBaseUrl" value="https://verifier-management.agov-epr-lab.azure.adnovum.net"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify_FailedEmailState" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="true">
             <!-- source: pattern://7fb39bfd6c34685866a22180 -->
             <ResultCond name="default" next="Auth_Realm_Main_IDP_FIDO2_Authentication"/>
@@ -669,6 +1153,28 @@
             <!-- source: pattern://f393012a278e525956a362d3 -->
             <property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Account_State"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Auth_Done_GUI" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false" resumeState="true">
+            <!-- source: pattern://cf0e8f8de1c8ac7345c5a6bb -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://cf0e8f8de1c8ac7345c5a6bb -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+                <Gui name="not_used"/>
+            </Response>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_FIDO2_Authentication" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://302b0fa3c5c3d1d17e9b1004 -->
             <ResultCond name="cancel" next="Auth_Realm_Main_IDP_OnCancel_Dispatch"/>
@@ -763,6 +1269,17 @@
             <!-- source: pattern://f393012a278e525956a362d3 -->
             <property name="detaillevel.default" value="EXCLUDE"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Done"/>
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_OnCancel_Dispatch" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
             <!-- source: pattern://af4ec934e8efbef422f03926 -->
             <ResultCond name="AccessApp" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
@@ -803,6 +1320,13 @@
             <!-- source: pattern://9ff0369f3cf662f95d94ff09 -->
             <property name="${sess:agov.new.recovery.code.cipher}?notes:agov.new.recovery.code:decrypt-b64" value="${sess:agov.new.recovery.code.cipher}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
+            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_clear_request_session" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
             <!-- source: pattern://8c28e8f3352491ef7c5315fc -->
             <ResultCond name="ok" next="Auth_Realm_Main_IDP_Email_Input"/>
@@ -1129,21 +1653,6 @@
             <!-- source: pattern://6061abea33a234fad73897b7 -->
             <property name="out.audienceRestriction" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_SendSamlResponseWithAssertion" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-                <Gui name="not_used"/>
-            </Response>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://b87d0d2b640e8e545ad70234 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
-        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Redirect_to_IDVerification_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://cdb228eccc12b4b1dea20d9d -->
             <ResultCond name="ok" next="Auth_Realm_Main_IDP_Fetch_Attributes"/>
@@ -1174,17 +1683,6 @@
             <!-- source: pattern://6061abea33a234fad73897b7 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <ResultCond name="default" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-                <Gui name="ContinueResponse"/>
-            </Response>
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
-        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fetch_Attributes" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="false">
             <!-- source: pattern://9a8294b080ea769d22924af0 -->
             <ResultCond name="insufficientLoa" next="Auth_Realm_Main_IDP_Insufficient_LoaInfo"/>
@@ -1234,22 +1732,6 @@
             <!-- source: pattern://9a8294b080ea769d22924af0 -->
             <property name="detaillevel.default" value="EXCLUDE"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_Authorization" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Done"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="forbidden_0" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="stepup" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
-            </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="parameter.paths" value="^http[s]?\u003A//[^/]+/SAML2/SSO/.*$"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy"/>
-        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fetch_Attributes_Check_new_LOA" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
             <!-- source: pattern://9a8294b080ea769d22924af0 -->
             <ResultCond name="insufficientLoa" next="Auth_Realm_Main_IDP_Insufficient_LoaInfo"/>
@@ -1263,13 +1745,6 @@
             <!-- source: pattern://9a8294b080ea769d22924af0 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/checkInsufficientLoa.groovy"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
-            <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-            <Response value="AUTH_DONE">
-                <!-- source: pattern://6061abea33a234fad73897b7, pattern://4fcfadb4a5c946ead7e6e995 -->
-                <Gui name="ContinueResponse"/>
-            </Response>
-        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
             <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
             <ResultCond name="nomatch" next="Auth_Realm_Main_IDP_Prepare_Done"/>
@@ -1279,208 +1754,6 @@
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_Status_Check" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <ResultCond name="continueAfterRepost" next="Auth_Realm_Main_IDP_Mobile_NLess_Auth"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_PreProcess_Done"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <Response value="AUTH_ERROR"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <property name="parameter.cookie.domain" value="auth.agov-w.azure.adnovum.net"/>
-            <!-- source: pattern://7a913eec7f78ce674cd87854 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_PreProcess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="idp_2055108788" next="Auth_Realm_Main_IDP_IDP_AGOV_Dispatcher"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
-            </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="condition:idp_2055108788" value="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/SSO/.*$:true}"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_Dispatcher" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="confirm" next="Auth_Realm_Main_IDP_IDP_AGOV_Logout_Confirm"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <ResultCond name="state0" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Gui name="saml_dispatcher" label="title.saml.failed">
-                    <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
-            </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="parameter.logoutConfirmation" value="false"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="parameter.spInitiated" value="true"/>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_Logout_Confirm" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-                <Gui name="saml_logout_confirm" label="title.logout.confirmation"/>
-            </Response>
-            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_idp_logout_confirm.groovy"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Logout_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Logout_Fail"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
-                <Gui name="saml_idp" label="title.saml.failed">
-                    <!-- source: pattern://27cefc3861bce987f6766342 -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
-            </Response>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.binding" value="http-post"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.post.relayStateEncoding" value="HTML"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.sign" value="Response Assertion"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.signatureKeyInfo" value="Certificate"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.ttl" value="30"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.subject" value="${response:userId}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="spURL" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="spIssuer" value="https://trustbroker.agov-d.azure.adnovum.net"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="acsUrlWhitelist.uris" value="https://trustbroker.agov-d.azure.adnovum.net/adfs/ls"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="in.binding" value="auto"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="in.max_age" value="60"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <property name="out.audienceRestriction" value="https://trustbroker.agov-d.azure.adnovum.net"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Concurrent_Logout" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="false" resumeState="false">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
-                <Gui name="saml_logout" label="title.logout">
-                    <!-- source: pattern://27cefc3861bce987f6766342 -->
-                    <GuiElem name="saml.logoutURLs" type="hidden" value="${outargs:saml.logoutURLs}" optional="true"/>
-                    <!-- source: pattern://27cefc3861bce987f6766342 -->
-                    <GuiElem name="saml.logoutURL" type="hidden" value="#{ session.containsKey('saml.logoutURL') ? session.get('saml.logoutURL') : '/' }" optional="true"/>
-                </Gui>
-            </Response>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Logout_Done" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
-                <Gui name="empty"/>
-            </Response>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Logout_Fail" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
-                <Gui name="empty"/>
-            </Response>
-        </AuthState>
         <AuthState name="Auth_Realm_Mobile_FIDO_UAF_DirectFidoAuthRequired" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
             <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
             <Response value="AUTH_ERROR">
@@ -2680,4 +2953,13 @@
             <property name="generateNow" value="true"/>
         </AuthState>
     </AuthEngine>
+    <!-- source: pattern://ab5a82719993921822e95751 -->
+    <WebService name="ArtifactResolutionService" class="ch.nevis.esauth.auth.adapter.saml.ArtifactResolutionService" uri="/nevisauth/services/artifactresolution" SSODomain="Auth_Realm_Main_IDP">
+        <!-- source: pattern://ab5a82719993921822e95751 -->
+        <property name="issuer" value="Auth_Realm_Main_IDP_Custom_EPD_Artifact_IDP"/>
+        <!-- source: pattern://ab5a82719993921822e95751 -->
+        <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+        <!-- source: pattern://ab5a82719993921822e95751 -->
+        <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+    </WebService>
 </esauth-server>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy

@@ -75,9 +75,18 @@ def dispatchIssuer(i2s, String issuer) {
     if (result == null) {
         LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
     }
+    
+    // dispatch different idp if artifact binding is enabled
+    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
+        LOG.debug("EPD: Artifact mode")
+        result = result + "_artifact"
+    }else{
+        LOG.debug("EPD: POST mode")
+    }
     response.setResult(result)
     session.put("saml.inbound.issuer", issuer)
     session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
+    
 }
 
 def dispatchMessage(i2s, String message) {
@@ -108,7 +117,8 @@ if (request.getSession(false) == null) {
 def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
 
 
-i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
+i2s.put(parameters.get('atb'), 'main')
+i2s.put(parameters.get('epd_atb'), 'epd')
 
 if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
     LOG.debug("found SAMLRequest parameter for SP-initiated authentication")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "EsAuthStart"
       level: "INFO"
     - name: "org.apache.catalina.loader.WebappClassLoader"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/nevisauth.yml

@@ -3,6 +3,7 @@ server:
   protocol: "https"
   port: "8991"
   host: "0.0.0.0"
+  max-threads: "200"
   tls:
     keystore: "/var/opt/keys/own/auth-default-identity/keystore.p12"
     keystore-passphrase: "${exec:/var/opt/keys/own/auth-default-identity/keypass}"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy

@@ -26,7 +26,7 @@ int getRequestedLevel(String authnContextClassRef, def roleList){
 
 def session = request.getAuthSession(true)
 def context = session.get('ch.nevis.auth.saml.request.authnContextClassRef')
-def roleLevels = [100,200,300,400]
+def roleLevels = [100,200,300,400,500,600]
 def requestedRoleLevelNumber = getRequestedLevel(context, roleLevels)
 
 //set attribute Requested Role Level
@@ -44,17 +44,27 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
 def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
 
-LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')
 
+def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
+
+LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
-def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
-def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
 
 if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
   response.setResult('error');
   return
 }
 
+// TODO/haburger/2024-03-21: move this later, now here for a simple start
+if (requestedRoleLevelNumber == 600 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork') {
+  session.setAttribute('agov.appSvnrAllowed', 'true')
+  response.setResult('exit.1');
+  return
+}
+
 try {
       def spanCtxt = Span.current().getSpanContext()
       def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
@@ -71,16 +81,18 @@ try {
         def json = jsonSlurper.parseText(httpResponse.bodyAsString())
         LOG.debug('AdressRequired: ' + json.addrRequired)
         LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
-        LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
+        LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
+        LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)
 
         // address will be returned to the application if allowed by connect (json.addrRequired) 
         // and the authRequest was done with at least AGOVaq 200
-        // BITBKAGOVSUP-362: or whitelisted to receive the address
-        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
+        // BUNDBITBK-4307: or best token for address is enabled
+        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))
 
         // address will be returned to the application if allowed by connect (json.svnrAllowed) 
         // and the authRequest was done with at least AGOVaq 300
-        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
+        // BUNDBITBK-4307: or best token for svnr is enabled
+        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
 
         session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
         session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
@@ -93,7 +105,7 @@ try {
         LOG.warn('Unexcpected HTTP response code: ' + httpResponse.code())
 
         if ( requestedRoleLevelNumber == 100) {
-           session.setAttribute('agov.appAddressRequired', '' + appIsOnappAddressRequiredWhitelist)
+           session.setAttribute('agov.appAddressRequired', '' + appRequiresBestTokenWithAddress)
            session.setAttribute('agov.appSvnrAllowed', 'false')
            response.setResult('ok')
         }
@@ -112,7 +124,7 @@ try {
 } catch (Exception e) {
   LOG.error("Failed to fetch connect meta data for relying party '${session.get('ch.nevis.auth.saml.request.scoping.requesterId')}'", e)
   if ( requestedRoleLevelNumber == 100) {
-     session.setAttribute('agov.appAddressRequired', '' + appIsOnappAddressRequiredWhitelist)
+     session.setAttribute('agov.appAddressRequired', '' + appRequiresBestTokenWithAddress)
      session.setAttribute('agov.appSvnrAllowed', 'false')
      response.setResult('ok')
   }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-fido-uaf-instance-ca92034f995b39fde562293c.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisFIDO"
   replicas: 1
-  version: "8.2405.2"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -46,12 +46,12 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-3a33cc8960643d6afc30bade3f2d225bea96681a"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf"
     credentials: "git-credentials"
   database:
     name: "fido-uaf"
-    requiredVersion: "8.2405.0"
+    requiredVersion: "8.2411.1"
   keystores:
   - "fido-uaf-default-server-identity"
   - "fido-uaf-default-client-identity"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-nevisfido-uaf-database-9385d1b33aefe975fb1c5914.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisFIDO"
   databaseType: "MariaDB"
-  version: "8.2405.2"
+  version: "8.2411.1"
   url: "mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat"
   port: 3306
   database: "nevisfido_uaf"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/env.conf

@@ -7,5 +7,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "ch.nevis.auth.fido.application.Application"
       level: "INFO"
     - name: "ch.nevis.auth.fido.api.uaf"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/metadata/metadata.json

@@ -3,8 +3,16 @@
     "aaid" : "F1D0#0001",
     "description" : "Android NEVIS Mobile Authentication PIN Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -13,12 +21,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 1,
     "matcherProtection" : 1,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -26,8 +34,16 @@
     "aaid" : "F1D0#0002",
     "description" : "Android NEVIS Mobile Authentication Fingerprint Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -36,12 +52,12 @@
       "userVerification" : 2
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 4,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -49,8 +65,16 @@
     "aaid" : "F1D0#0003",
     "description" : "Android NEVIS Mobile Authentication Biometric Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -59,12 +83,12 @@
       "userVerification" : 346
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 4,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -72,8 +96,16 @@
     "aaid" : "F1D0#0004",
     "description" : "Android NEVIS Mobile Authentication Device Passcode Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -82,12 +114,12 @@
       "userVerification" : 132
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 4,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 259,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -95,8 +127,16 @@
     "aaid" : "F1D0#0005",
     "description" : "Android NEVIS Mobile Authentication Password Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -105,12 +145,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 1,
     "matcherProtection" : 1,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -128,12 +168,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 1,
     "matcherProtection" : 1,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -151,12 +191,12 @@
       "userVerification" : 2
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 6,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -174,12 +214,12 @@
       "userVerification" : 16
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 6,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -197,12 +237,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 6,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -220,12 +260,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 1,
     "matcherProtection" : 1,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   }]

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/nevisfido.yml

@@ -1,116 +1,116 @@
 server:
   port: 9443
-  host: 0.0.0.0
-  protocol: https
+  host: "0.0.0.0"
+  protocol: "https"
   tls:
-    keystore: /var/opt/keys/own/fido-uaf-default-server-identity/keystore.p12
-    keystore-passphrase: ${exec:/var/opt/keys/own/fido-uaf-default-server-identity/keypass}
-    keystore-type: pkcs12
-    truststore: /var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/truststore.p12
-    truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/keypass}
-    truststore-type: pkcs12
-
+    keystore: "/var/opt/keys/own/fido-uaf-default-server-identity/keystore.p12"
+    keystore-type: "pkcs12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/fido-uaf-default-server-identity/keypass}"
+    truststore: "/var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/truststore.p12"
+    truststore-type: "pkcs12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/keypass}"
 management:
   server:
     port: 9089
   healthchecks:
     enabled: true
-
-credential-repository:
-  type: nevisidm
-  rest-url: https://idm:8989/nevisidm
-  administration-url: https://idm:8989/nevisidm/services/v1_46/AdminService
-  keystore: /var/opt/keys/own/fido-uaf-default-client-identity/keystore.p12
-  keystore-passphrase: ${exec:/var/opt/keys/own/fido-uaf-default-client-identity/keypass}
-  keystore-type: pkcs12
-  truststore: /var/opt/keys/trust/fido-uaf-default-server-trust/truststore.p12
-  truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-default-server-trust/keypass}
-  truststore-type: pkcs12
-  admin-service-version: v1_46
-  client-id: cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720
-  user-attribute: extId
-
-session-repository:
-  type: sql
-  jdbc-url: jdbc:mariadb://mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/nevisfido_uaf?sslMode=disable&autocommit=true
-  max-connection-lifetime: 10m
-  user: ${exec:/var/opt/nevisfido/default/conf/credentials/dbUser}
-  password: ${exec:/var/opt/nevisfido/default/conf/credentials/dbPassword}
-  schema-user: 
-  schema-user-password: 
-  automatic-db-schema-setup: false
-
 fido-uaf:
   enabled: true
-  app-id: https://auth.agov-w.azure.adnovum.net/nevisfido/uaf/1.1/facets
+  app-id: "https://auth.agov-w.azure.adnovum.net/nevisfido/uaf/1.1/facets"
   facets:
-    - android:apk-key-hash:kb0yJ345nFUmt4nOYK5Li7KvwDDobMKPosY48Uwb0QI
-    - ios:bundle-id:ch.agov.accessapp.t
-    - android:apk-key-hash:msmxrDDoIcxmazyIf9aj8uIvRXdH/wX668OQYaYdXpE
-    - ios:bundle-id:ch.agov.accessapp
-    - android:apk-key-hash:BFZz7gpBpUUk8rLis19LKpR6ZcIZkdxxFPYOwBSKKQk
-    - android:apk-key-hash:xoRd0kamp4TSJcvzfWzNoivuNldp+GKI7fjnwX+VEFg
-  metadata:
-    path: conf/metadata/metadata.json
+  - "android:apk-key-hash:kb0yJ345nFUmt4nOYK5Li7KvwDDobMKPosY48Uwb0QI"
+  - "ios:bundle-id:ch.agov.accessapp.t"
+  - "android:apk-key-hash:msmxrDDoIcxmazyIf9aj8uIvRXdH/wX668OQYaYdXpE"
+  - "ios:bundle-id:ch.agov.accessapp"
+  - "android:apk-key-hash:BFZz7gpBpUUk8rLis19LKpR6ZcIZkdxxFPYOwBSKKQk"
+  - "android:apk-key-hash:xoRd0kamp4TSJcvzfWzNoivuNldp+GKI7fjnwX+VEFg"
   policy:
-    path: conf/policy/
+    path: "conf/policy/"
   timeout:
-    registration: 600s
-    authentication: 600s
-    token-registration: 180s
-    token-authentication: 180s
-    token-deregistration: 600s
+    registration: "300s"
+    authentication: "300s"
+    token-registration: "180s"
+    token-deregistration: "180s"
+    token-authentication: "180s"
+    device-request: "600s"
   transaction-confirmation:
     max-text-length: 2000
+  metadata:
+    path: "conf/metadata/metadata.json"
+  idm-connection-type: "soap"
+  dispatchers:
+  - type: "firebase-cloud-messaging"
+    dry-run: false
+    service-account-json: "inv-res-secret://a78926e06a159811ee15c224-bdd107d2"
+    registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
+    authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
+    deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+  - type: "png-qr-code"
+    registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
+    authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
+    deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+  - type: "link"
+    registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
+    authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
+    deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+    base-url: "ch.agov.access-t://x-callback-url/authenticate"
+  basic-full-attestation:
+    android-verification-level: "default"
   authorization:
     registration:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - loginId
-        - userid
+      - "loginId"
+      - "userid"
     authentication:
-      type: none
+      type: "none"
     deregistration:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - loginId
-        - userid
+      - "loginId"
+      - "userid"
     create-dispatch-target:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - loginId
-        - userid
+      - "loginId"
+      - "userid"
     query-dispatch-target:
-      type: none
+      type: "none"
     delete-dispatch-target:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - userid
-  dispatchers:
-    - type: "firebase-cloud-messaging"
-      dry-run: false
-      service-account-json: "inv-res-secret://a78926e06a159811ee15c224-bdd107d2"
-      registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
-      authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
-      deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
-    - type: "png-qr-code"
-      registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
-      authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
-      deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
-    - type: "link"
-      registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
-      authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
-      deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
-      base-url: "ch.agov.access-t://x-callback-url/authenticate"
+      - "userid"
+session-repository:
+  type: "sql"
+  jdbc-url: "jdbc:mariadb://mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/nevisfido_uaf?sslMode=disable&autocommit=true"
+  max-connection-lifetime: "10m"
+  user: "${exec:/var/opt/nevisfido/default/conf/credentials/dbUser}"
+  password: "${exec:/var/opt/nevisfido/default/conf/credentials/dbPassword}"
+  schema-user: ""
+  schema-user-password: ""
+  automatic-db-schema-setup: false
+credential-repository:
+  type: "nevisidm"
+  client-id: "cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720"
+  user-attribute: "extId"
+  administration-url: "https://idm:8989/nevisidm/services/v1_46/AdminService"
+  admin-service-version: "v1_46"
+  rest-url: "https://idm:8989/nevisidm"
+  keystore: "/var/opt/keys/own/fido-uaf-default-client-identity/keystore.p12"
+  keystore-type: "pkcs12"
+  keystore-passphrase: "${exec:/var/opt/keys/own/fido-uaf-default-client-identity/keypass}"
+  truststore: "/var/opt/keys/trust/fido-uaf-default-server-trust/truststore.p12"
+  truststore-type: "pkcs12"
+  truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-default-server-trust/keypass}"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-fido2-default-signer-trust-087f275433f3973a1421318f.yaml

@@ -1,12 +0,0 @@
-apiVersion: "operator.nevis-security.ch/v1"
-kind: "NevisTrustStore"
-metadata:
-  name: "fido2-default-signer-trust"
-  namespace: "adn-agov-nevisidm-01-uat"
-  labels:
-    deploymentTarget: "fido2"
-  annotations:
-    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
-    patternId: "087f275433f3973a1421318f"
-spec:
-  keystores: []

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisFIDO"
   replicas: 1
-  version: "8.2405.2"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-2f8a215769d731c34e6278cbfb370e06e976f51f"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2"
     credentials: "git-credentials"
   keystores:
@@ -54,7 +54,6 @@ spec:
   - "fido2-default-client-identity"
   truststores:
   - "fido2-default-tls-client-trust"
-  - "fido2-default-signer-trust"
   - "fido2-default-server-trust"
   podSecurity:
     policy: "baseline"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/env.conf

@@ -6,5 +6,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "ch.nevis.auth.fido.application.Application"
       level: "INFO"
     Root:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml

@@ -1,51 +1,50 @@
 server:
   port: 9443
-  protocol: https
+  protocol: "https"
   tls:
-    keystore: /var/opt/keys/own/fido2-default-identity/keystore.p12
-    keystore-passphrase: ${exec:/var/opt/keys/own/fido2-default-identity/keypass}
-    keystore-type: pkcs12
-
+    keystore: "/var/opt/keys/own/fido2-default-identity/keystore.p12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/fido2-default-identity/keypass}"
+    keystore-type: "pkcs12"
+    truststore: "/var/opt/keys/trust/fido2-default-tls-client-trust/truststore.p12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/fido2-default-tls-client-trust/keypass}"
+    truststore-type: "pkcs12"
 management:
   server:
     port: 9089
   healthchecks:
     enabled: true
-
 credential-repository:
-  type: nevisidm
-  client-id: cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720
-  rest-url: https://idm:8989/nevisidm
-  keystore: /var/opt/keys/own/fido2-default-client-identity/keystore.p12
-  keystore-passphrase: ${exec:/var/opt/keys/own/fido2-default-client-identity/keypass}
-  truststore: /var/opt/keys/trust/fido2-default-server-trust/truststore.p12
-  truststore-passphrase: ${exec:/var/opt/keys/trust/fido2-default-server-trust/keypass}
-  user-attribute: extId
-
-session-repository:
-  type: in-memory
-  jdbc-url: 
-  max-connection-lifetime: 
-  user: 
-  password: 
-  schema-user: 
-  schema-user-password: 
-  automatic-db-schema-setup: true
-
+  type: "nevisidm"
+  client-id: "cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720"
+  rest-url: "https://idm:8989/nevisidm"
+  keystore: "/var/opt/keys/own/fido2-default-client-identity/keystore.p12"
+  keystore-passphrase: "${exec:/var/opt/keys/own/fido2-default-client-identity/keypass}"
+  keystore-type: "pkcs12"
+  truststore: "/var/opt/keys/trust/fido2-default-server-trust/truststore.p12"
+  truststore-passphrase: "${exec:/var/opt/keys/trust/fido2-default-server-trust/keypass}"
+  truststore-type: "pkcs12"
+  user-attribute: "extId"
 fido2:
   enabled: true
-  rp-name: AGOV-RelPartName
-  rp-id: adnovum.net
+  rp-name: "AGOV-RelPartName"
+  rp-id: "adnovum.net"
   origins:
-    - https://me.agov-w.azure.adnovum.net
-    - https://nevisidm.agov-w.azure.adnovum.net
-    - https://auth.agov-w.azure.adnovum.net
+  - "https://ob.agov-w.azure.adnovum.net"
+  - "https://nevisidm.agov-w.azure.adnovum.net"
+  - "https://auth.agov-w.azure.adnovum.net"
   signature-algorithms:
-    - RS1
-    - RS256
-    - RS384
-    - RS512
-    - ES256
-    - ES384
-    - ES512
-  display-name-source: email
+  - "RS1"
+  - "RS256"
+  - "RS384"
+  - "RS512"
+  - "ES256"
+  - "ES384"
+  - "ES512"
+  display-name-source: "email"
+  metadata:
+    allow-listing-enabled: false
+  timeout:
+    user-verification: "300s"
+    no-user-verification: "120s"
+session-repository:
+  type: "in-memory"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/etc/nevis/k8s-idm-db-2951ead44a7a9362a4545094.yaml

@@ -0,0 +1,28 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+  name: "idm"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "idm"
+    trustImport: "idm-technical-trust-store-1058498828"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "2951ead44a7a9362a4545094"
+spec:
+  type: "NevisIDM"
+  databaseType: "MariaDB"
+  version: "8.2411.1"
+  url: "mariadb-agov-uat.mariadb.database.azure.com"
+  port: 3306
+  ssl: true
+  database: "nevisidm_uat"
+  bootstrap: true
+  migrate: true
+  rootCredentials:
+    name: "root-adn-agov-nevisidm-admin-01-uat-idm"
+    namespace: "adn-agov-nevisidm-admin-01-uat"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/etc/nevis/k8s-nevisidm-b8a36646f81c3247cdb5d90b.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisIDM"
   replicas: 1
-  version: "8.2405.2"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -28,27 +28,30 @@ spec:
     management:
       httpGet:
         path: "/liveness"
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
   readinessProbe:
     management:
       httpGet:
         path: "/health"
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
   startupProbe:
     management:
       httpGet:
         path: "/health"
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
-      failureThreshold: 10
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-3a33cc8960643d6afc30bade3f2d225bea96681a"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm"
     credentials: "git-credentials"
+  database:
+    name: "idm"
+    requiredVersion: "8.2411.1"
   keystores:
   - "idm-default-identity"
   truststores:
@@ -61,4 +64,3 @@ spec:
   secrets:
     secret:
     - "0eb37a5f44023ef0ad1013b6-89ec31e5"
-    - "a2068eb83a60702322c13949-27ed70d3"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/env.conf

@@ -4,5 +4,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisidm/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/logging.yml

@@ -20,6 +20,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "ch.nevis.idm.batch.jobs"
       level: "INFO"
       additivity: "false"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/nevisidm-prod.properties

@@ -3,9 +3,9 @@ web.gui.languages.default=de
 # source: pattern://2951ead44a7a9362a4545094
 database.connection.url=jdbc:mariadb://mariadb-agov-uat.mariadb.database.azure.com:3306/nevisidm_uat?pinGlobalTxToPhysicalConnection=1&useMysqlMetadata=true&cachePrepStmts=true&prepStmtCacheSize=1000&useSSL=true&trustStore=/var/opt/keys/trust/idm-db-tls-truststore/truststore.jks
 # source: pattern://2951ead44a7a9362a4545094
-database.connection.username=adndbadmin
+database.connection.username=${exec:/var/opt/nevisidm/default/conf/credentials/dbUser}
 # source: pattern://2951ead44a7a9362a4545094
-database.connection.password=secret://a2068eb83a60702322c13949-27ed70d3
+database.connection.password=${exec:/var/opt/nevisidm/default/conf/credentials/dbPassword}
 # source: pattern://b8a36646f81c3247cdb5d90b
 application.mail.smtp.host=greenmail.adn-agov-mail-01-uat.svc
 # source: pattern://b8a36646f81c3247cdb5d90b
@@ -13,6 +13,8 @@ application.mail.smtp.port=3025
 # source: pattern://b8a36646f81c3247cdb5d90b
 application.mail.sender=noreply-agov-uat@adnovum.ch
 # source: pattern://71411a755a625f9b850c6cf5
+application.config.credentialTypesToBeLockedInDatabase=URLTICKET,SAMLFEDERATION,CONTEXTPASSWORD
+# source: pattern://71411a755a625f9b850c6cf5
 application.feature.email.validation.enabled=false
 # source: pattern://71411a755a625f9b850c6cf5, pattern://b8a36646f81c3247cdb5d90b
 application.feature.multiclientmode.enabled=true

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisLogrend"
   replicas: 1
-  version: "8.2405.0"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -44,7 +44,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-b7543a0cfa5709d415da026ee75c467a9ce59430"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend"
     credentials: "git-credentials"
   podSecurity:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/env.conf

@@ -10,5 +10,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevislogrend/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.0,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/logging.yml

@@ -11,7 +11,9 @@ Configuration:
         onMatch: "DENY"
         onMismatch: "ACCEPT"
   Loggers:
-    Logger: []
+    Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     Root:
       level: "WARN"
       additivity: "false"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_de.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen können?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen können, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist möglicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
 recovery_check_noCode.banner.error=Zu viele Versuche.
 recovery_check_noCode.instruction1=Möglicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
 recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_en.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_fr.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n’ai pas accès à mon code de récupération
 recovery_check_code.noCodeAccess=Êtes-vous sûr de ne pas avoir accès à votre code de récupération ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de récupération, veuillez vous rendre sur AGOV help et contacter le service d’assistance AGOV. Un agent pourra vous aider dans le processus de récupération.
+recovery_check_code.too_many_tries.instruction1=Le code de récupération que vous avez saisi a peut-être expiré ou vous avez peut-être essayé de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d’assistance. Un agent pourra vous aider dans le processus de récupération.
 recovery_check_noCode.banner.error=Trop de tentatives.
 recovery_check_noCode.instruction1=Vous avez peut-être essayé de saisir le code de récupération trop de fois.
 recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_it.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
 loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
 loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Il codice è troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha più il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assisterà nel processo di ripristino.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito può essere scaduto o è stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
 recovery_check_noCode.banner.error=Troppi tentativi.
 recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
 recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_link_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatchLink() {
 
         document.getElementById("mauth_started").style.display = "block"; // show
@@ -55,9 +61,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -70,21 +74,36 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
@@ -99,20 +118,24 @@
                     addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatchLink();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_onboard.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function renderEnrollment() {
 
         // link is provided by a hidden GuiElem
@@ -52,44 +58,53 @@
     }
 
     function poll() {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+
+        isPolling = true;
 
         // state is held on backend side
         const request = {};
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
 
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
 
                 if (status == 'clientRegistering') {
-
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
 
                     // hide QR-code and information
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
-                }
-                else if (status == 'succeeded') {
-
+                } else if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    console.error("onboarding successful");
+                    console.log("onboarding successful");
 
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("onboarding failed with status: " + status);
 
@@ -98,8 +113,15 @@
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderEnrollment();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_push_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch(id) {
 
         document.getElementById("mauth_devices").style.display = "none"; // hide selection menu
@@ -70,9 +76,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -125,47 +129,64 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+        isPolling = true;
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        const request = { fidoUafSessionId: sessionId };
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
                     document.getElementById("mauth_match_numbers").style.display = 'block';
                     document.getElementById("mauth_loading").style.display = 'block';
                 }
+
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderDeviceList();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_usernameless.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch() {
 
         console.log("initiating usernameless mobile authentication...");
@@ -58,9 +64,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -73,46 +77,66 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
-                    document.getElementById("mauth_qrcode").style.display = 'none';
+                    // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
+                    document.getElementById("mauth_qrcode").style.display = 'none';
                 }
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafDone", "true"); // checked by Groovy script
+                    addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafSessionId", sessionId); // checked by Groovy script
+                    addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatch();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/js-code/eid_verification.js

@@ -0,0 +1,4 @@
+document.addEventListener('DOMContentLoaded', function() {
+	document.dispatchEvent(new Event('initEidVerification'));
+	document.dispatchEvent(new Event('initCantonalBranding'));
+});

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/eid_verification.mock.js

@@ -0,0 +1,3 @@
+module.exports = {
+	...require('./mock-defaults')
+};

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/eid_verification.vm

@@ -0,0 +1,224 @@
+#parse("${templatePath}/header.vm")
+#set ($formTarget = $utils.escapeHtmlAttribute($gui.target.replaceAll('&?language=[^&]*','')))
+
+<agov-backdrop></agov-backdrop>
+<div id="mainContent" class="container mx-auto sm:mt-2 sm:max-w-full flex h-full sm:h-auto">
+	<div class="flex flex-col items-start gap-4 w-full rounded-[36px] sm:p-6 mx-auto
+	 max-w-[600px] md:max-w-[1200px] sm:bg-lily-blue dark:sm:bg-purple-black">
+
+		<div id="cantonalBranding"
+			 class="flex items-center rounded-xl gap-5 p-2 sm:p-0 sm:w-auto w-full hidden bg-pale-blue dark:bg-purple-black sm:bg-transparent">
+			<div class="flex items-center p-2 bg-white rounded sm:rounded-xl w-16 h-16" id="logo"></div>
+			<h1 class="font-header text-h6 sm:text-h4 text-space-blue dark:text-white">
+                #if ($login.language =="en")
+						$utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameEN').value)
+				#elseif ($login.language =="de")
+                    $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameDE').value)
+                #elseif ($login.language =="fr")
+                    $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameFR').value)
+                #else
+                    $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameIT').value)
+                #end
+			</h1>
+		</div>
+
+		<div class="flex flex-col md:flex-row w-full gap-6">
+			<div id="registerCard" class="w-full md:min-h-[689px] flex flex-col justify-between">
+				<div id="swiyuLoginImage"
+					 class="relative md:max-w-[520px] max-w-[350px] sm:max-w-[300px] mb-10 w-full mx-auto hidden md:block">
+					<img alt="" src="${login.appDataPath}/static/images/login.svg"
+						 class="hidden md:block dark:hidden w-full">
+					<img alt="" src="${login.appDataPath}/static/images/login-dark.svg"
+						 class="hidden md:hidden dark:md:block w-full">
+				</div>
+			</div>
+
+			<div id="loginModal"
+				 class="flex flex-col bg-white dark:bg-surface-black rounded-[20px] sm:min-h-[700px] p-6 sm:pb-8 sm:pt-10 sm:px-10
+				 max-w-[550px] w-full">
+
+				<div class="flex mb-4 sm:mb-6 items-baseline">
+					<h1 class="font-header text-h4 text-space-blue dark:text-white mr-3">$text.get("eid_verification.login")</h1>
+				</div>
+
+				<div id="cantonalBrandingMobile"
+					 class="flex items-center rounded-xl gap-5 mb-4 p-2 sm:p-0 sm:w-auto w-full hidden bg-pale-blue dark:bg-purple-black sm:bg-transparent">
+					<div class="flex items-center p-2 bg-white dark:bg-black rounded sm:rounded-xl w-16 h-16"
+						 id="logoMobile"></div>
+					<h1 class="font-header text-h6 sm:text-h4 text-space-blue dark:text-white">
+                        #if ($login.language =="en")
+							$utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameEN').value)
+						#elseif ($login.language =="de")
+                            $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameDE').value)
+                        #elseif ($login.language =="fr")
+                            $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameFR').value)
+                        #else
+                            $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameIT').value)
+                        #end
+					</h1>
+				</div>
+
+				<div id="swiyuWalletAppModal" class="h-full">
+
+					<div class="desktopBanner" aria-live="assertive">
+						<div class="hidden info flex rounded-xl bg-info-background dark:bg-dark-info-background items-center p-4
+						mb-4">
+							<i class="fa-regular fa-info-circle rounded-full p-3 text-info dark:text-dark-info bg-info/10 dark:bg-dark-info-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
+                                $text.get("eid_verification.banner.info")
+							</p>
+						</div>
+
+						<div class="hidden success flex rounded-xl bg-success-background dark:bg-dark-success-background
+						items-center p-4 mb-4">
+							<i class="fa-regular fa-check-circle rounded-full p-3 text-success dark:text-dark-success bg-success/10 dark:bg-dark-success-icon mr-4 text-xl leading-none"></i>
+							<div>
+								<p class="font-body text-body-l text-space-blue dark:text-white">
+                                    $text.get("eid_verification.banner.success")
+								</p>
+							</div>
+						</div>
+
+						<div class="hidden error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center
+						p-4 mb-4">
+							<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
+                                $text.get("eid_verification.banner.error")
+							</p>
+						</div>
+					</div>
+
+					<div class="relative flex flex-col h-full">
+						<div id="blurBackdrop" class="hidden absolute backdrop-blur-sm -top-1 -bottom-8 -left-4 -right-4
+						z-10"></div>
+						<div class="mobileBanner relative z-20" aria-live="assertive">
+							<div class="hidden info flex rounded-xl bg-info-background dark:bg-dark-info-background items-center
+							p-4 mb-4">
+								<i class="fa-regular fa-info-circle rounded-full p-3 text-info dark:text-dark-info bg-info/10 dark:bg-dark-info-icon mr-4 text-xl leading-none"></i>
+								<p class="font-body text-body-l text-space-blue dark:text-white">
+                                    $text.get("eid_verification.banner.info")
+								</p>
+							</div>
+
+							<div class="hidden success flex rounded-xl bg-success-background dark:bg-dark-success-background
+								 items-center p-4 mb-4">
+								<i class="fa-regular fa-check-circle rounded-full p-3 text-success dark:text-dark-success bg-success/10 dark:bg-dark-success-icon mr-4 text-xl leading-none"></i>
+								<div>
+									<p class="font-body text-body-l text-space-blue dark:text-white">
+                                        $text.get("eid_verification.banner.success")
+									</p>
+								</div>
+							</div>
+
+							<div class="hidden error flex rounded-xl bg-error-background dark:bg-dark-error-background
+							items-center p-4 mb-4">
+								<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+								<p class="font-body text-body-l text-space-blue dark:text-white">
+                                    $text.get("eid_verification.banner.error")
+								</p>
+							</div>
+						</div>
+						<div id="swiyuLoginImageMobile"
+							 class="hidden max-w-[200px] sm:max-w-full sm:w-full basis-1/2 mx-auto mb-6">
+							<img alt=""
+								 src="${login.appDataPath}/static/images/login.svg"
+								 class="block dark:hidden w-full">
+
+							<img alt=""
+								 src="${login.appDataPath}/static/images/login-dark.svg"
+								 class="hidden dark:block w-full">
+						</div>
+						<div id="QRCodeHolder">
+							<div class="relative">
+								<canvas role="img" aria-labelledby="labelQRCodeInstructions" id="swiyu_qrcode"
+										class="mb-6 mx-auto"></canvas>
+								<div class="hidden" id="QRcodeHiddenLink"></div>
+								<span id="spinner" class="hidden absolute left-1/2 top-1/2 -translate-x-1/2 -translate-y-1/2
+								z-20">
+								<img src="${login.appDataPath}/static/images/spinner.svg" class="animate-spin block dark:hidden">
+								<img src="${login.appDataPath}/static/images/spinner-dark.svg"
+									 class="animate-spin hidden dark:block">
+								</span>
+							</div>
+
+							<a id="swiyuWalletAppLinkIpad" href="" class="hidden">
+								<agov-button
+										class="block basis-full mb-6"
+										data-name="swiyuWalletApp"
+										data-value="swiyuWalletApp"
+										data-id="swiyuWalletAppIpad"
+										data-label="$text.get("general.goSwiyuWalletApp")"
+										data-type="button"
+										data-fullwidth="true">
+								</agov-button>
+							</a>
+
+							<div class="swiyuWalletAppInstructions flex bg-indigo-light rounded-xl p-4 mb-2 items-center
+							dark:bg-purple-black">
+								<img alt="" src="${login.appDataPath}/static/images/access-app.svg" class="h-12 mr-4">
+								<p id="labelQRCodeInstructions" class="font-header text-h5 text-space-blue dark:text-white">
+                                    $text.get("eid_verification.instructions")
+								</p>
+							</div>
+						</div>
+
+						<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
+							  accept-charset="UTF-8" class="w-full sm:static mt-auto mb-20 sm:mb-0">
+
+							<div id="mobileButtons" class="hidden w-full">
+								<div class="flex flex-col">
+									<a id="swiyuWalletAppLink" href="">
+										<agov-button
+												class="block basis-full mb-4"
+												data-name="swiyuWalletApp"
+												data-value="swiyuWalletApp"
+												data-id="swiyuWalletApp"
+												data-label="$text.get("general.goSwiyuWalletApp")"
+												data-type="button"
+												data-fullwidth="true">
+										</agov-button>
+									</a>
+									<agov-button
+											id="showQR"
+											class="block basis-full"
+											data-style="frameless"
+											data-name="EID"
+											data-value="EID"
+											data-id="EID"
+											data-label="<i class='fa-regular fa-eye align-middle text-xl text-indigo dark:text-lilac mr-2'></i>$text.get(
+                                                "eid_verification.showQR")"
+											data-type="button"
+											data-fullwidth="true">
+									</agov-button>
+
+									<agov-button
+											id="hideQR"
+											class="hidden basis-full"
+											data-style="frameless"
+											data-name="EID"
+											data-value="EID"
+											data-id="EID"
+											data-label="<i class='fa-regular fa-eye-slash align-middle text-xl text-indigo dark:text-lilac mr-2'></i>$text.get(
+                                                "eid_verification.hideQR")"
+											data-type="button"
+											data-fullwidth="true">
+									</agov-button>
+								</div>
+							</div>
+							<input class="hidden" name="authRequestId" type="hidden"
+								   value="$gui.getGuiElem('authRequestId').value"/>
+						</form>
+					</div>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
+
+<script src="${login.appDataPath}/static/js-code/eid_verification.js" defer>
+</script>
+<div id="appSamlRpEntityId" class="hidden" data-value="$gui.getGuiElem('agov.appSamlRpEntityId').value"
+	data-language="$login.language">
+</div>
+
+#parse("${templatePath}/footer.vm")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/footer.vm

@@ -3,7 +3,7 @@
 			$text.get("footer.text")
 			<a target="_blank" class='text-hyperlink dark:text-dark-hyperlink underline' href='$text.get("footer.link")'>$text.get("footer.link.label")</a>
 		</div>
-		<p>1.8.x.2627-20250209T135612Z</p>
+		<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
 	</footer>
 	<script src="${login.appDataPath}/static/bundle.js"></script>
 </body>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/mauth_usernameless.vm

@@ -150,15 +150,15 @@
 								</p>
 							</div>
 						</div>
-						<div id="agovLoginImageMobile" class="hidden md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full
-						mx-auto mb-6">
+						<div id="agovLoginImageMobile"
+							 class="hidden max-w-[200px] sm:max-w-full sm:w-full basis-1/2 mx-auto mb-6">
 							<img alt=""
 								 src="${login.appDataPath}/static/images/login.svg"
-								 class="block sm:hidden md:block dark:hidden w-full">
+								 class="block dark:hidden w-full">
 
 							<img alt=""
 								 src="${login.appDataPath}/static/images/login-dark.svg"
-								 class="dark:sm:hidden dark:md:block hidden dark:block w-full">
+								 class="hidden dark:block w-full">
 						</div>
 						<div id="QRCodeHolder">
 							<div class="relative">
@@ -242,7 +242,7 @@
 						</form>
 					</div>
 				</div>
-				<div id="securityKeyModal" class="hidden mt-16">
+				<div id="securityKeyModal" class="hidden sm:mt-16">
 
 					<h2 class="font-header text-h5 text-space-blue dark:text-white mt-4 text-center">
                         $text.get("mauth_usernameless.useSecurityKey")
@@ -253,7 +253,7 @@
 					</p>
 
 					<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
-						  accept-charset="UTF-8">
+						  accept-charset="UTF-8" class="mb-20 sm:mb-0">
 						<agov-button
 								class="mb-4 block"
 								data-name="fallback"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/recovery_accessapp_auth.vm

@@ -82,14 +82,14 @@
 						</div>
 					</div>
 					<div id="agovLoginImageMobile"
-						 class="hidden md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full basis-1/2 mx-auto mb-4">
+						 class="hidden max-w-[200px] sm:max-w-full sm:w-full basis-1/2 mx-auto mb-4">
 						<img alt=""
 							 src="${login.appDataPath}/static/images/recovery.svg"
-							 class="block sm:hidden md:block dark:hidden w-full">
+							 class="block w-full">
 
 						<img alt=""
 							 src="${login.appDataPath}/static/images/recovery_dark.svg"
-							 class="dark:sm:hidden dark:md:block hidden dark:block w-full">
+							 class="hidden dark:block w-full">
 					</div>
 					<div id="QRCodeHolder">
 						<div class="relative">

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/recovery_check_code.vm

@@ -2,116 +2,151 @@
 
 <agov-backdrop></agov-backdrop>
 <div id="mainContent" class="container mx-auto sm:mt-32 sm:max-w-full flex flex-auto sm:block">
-    <div class="flex flex-col-reverse sm:flex-row justify-evenly items-center gap-5 w-full">
-        <div class="flex flex-col sm:bg-white sm:dark:bg-surface-black rounded-[20px] sm:px-10 sm:py-10 max-w-[550px] w-full
+	<div class="flex flex-col-reverse sm:flex-row justify-evenly items-center gap-5 w-full">
+		<div class="flex flex-col sm:bg-white sm:dark:bg-surface-black rounded-[20px] sm:px-10 sm:py-10 max-w-[550px] w-full
 		basis-full md:basis-1/2 min-h-[535px]">
-			<span id="spinner" class="hidden absolute left-1/2 top-1/2 -translate-x-1/2 -translate-y-1/2 z-30">
+	<span id="spinner" class="hidden absolute left-1/2 top-1/2 -translate-x-1/2 -translate-y-1/2 z-30">
 				<img src="${login.appDataPath}/static/images/spinner.svg" class="animate-spin block dark:hidden">
 				<img src="${login.appDataPath}/static/images/spinner-dark.svg" class="animate-spin hidden dark:block">
 			</span>
-            <div id="blurBackdrop" class="hidden absolute backdrop-blur-sm -top-1 -bottom-96 -left-4 -right-4 z-20"></div>
-            <div class="flex flex-col gap-8">
-                <div class="flex items-baseline">
+			<div id="blurBackdrop" class="hidden absolute backdrop-blur-sm -top-1 -bottom-96 -left-4 -right-4 z-20"></div>
+			<div class="flex flex-col gap-8">
+				<div class="flex items-baseline">
 					#set($error = $gui.getGuiElem("lasterror"))
-                    <h3 class="font-header text-h3 text-space-blue dark:text-white mr-3">
+					<h3 class="font-header text-h3 text-space-blue dark:text-white mr-3">
 						$text.get("general.recovery")
-                    </h3>
-                    <h4 class="font-header text-h4 text-disabled-grey dark:text-silver">
+					</h3>
+					<h4 class="font-header text-h4 text-disabled-grey dark:text-silver">
 						$text.get("general.entryCode")
-                    </h4>
-                </div>
+					</h4>
+				</div>
 				#if (($error.value && $error.value != ""))
 					#if (($error.value == "locked"))
-                        <div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
-                            <i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
-                            <p class="font-body text-body-l text-space-blue dark:text-white">
+						<div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
+							<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
 								$text.get("recovery_check_code.banner.lockedError")
-                            </p>
-                        </div>
+							</p>
+						</div>
+						<p class="font-body text-body-l text-space-blue dark:text-white">
+							$text.get("recovery_check_code.too_many_tries.instruction1")
+						</p>
+						<p class="font-body text-body-l text-space-blue dark:text-white">
+							$text.get("recovery_check_code.too_many_tries.instruction2")
+						</p>
 					#else
-                        <div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
-                            <i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
-                            <p class="font-body text-body-l text-space-blue dark:text-white">
+						<div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
+							<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
 								$text.get("recovery_check_code.codeIncorrect")
-                            </p>
-                        </div>
+							</p>
+						</div>
+						<p class="font-body text-body-l text-space-blue dark:text-white">
+							$text.get("recovery_check_code.instruction")
+						</p>
 					#end
+				#else
+					<p class="font-body text-body-l text-space-blue dark:text-white">
+						$text.get("recovery_check_code.instruction")
+					</p>
 				#end
-                <p class="font-body text-body-l text-space-blue dark:text-white">
-					$text.get("recovery_check_code.instruction")
-                </p>
-            </div>
+			</div>
 			#set ($formTarget = $utils.escapeHtmlAttribute($gui.target.replaceAll('&?language=[^&]*','')))
-            <form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
-                  accept-charset="UTF-8"
-                  class="flex flex-col flex-auto block">
-                <agov-input
-                        id="recovery_code_input"
-                        class="py-16"
-                        data-label="$text.get("recovery_check_code.enterRecoveryCode")"
-                        data-isLabelHidden="true"
-                        data-placeholder=""
-                        data-id="code"
-                        data-name="code"
-                        data-value=""
-                        data-type="text"
-                        data-autofocus="true"
-                        data-email_invalid="$text.get("recovery_check_code.invalid.code")"
-                        data-email_too_long="$text.get("recovery_check_code.invalid.code.tooLong")"
-                        data-email_required="$text.get("recovery_check_code.invalid.code.required")">
-                </agov-input>
-                <div class="w-full sm:static mt-auto mb-6 sm:mb-0">
-                    <div class="flex flex-col flex-row-reverse gap-4">
-                        <agov-button
-                                id="recovery_code_btn"
-                                class="block basis-full"
-                                data-name="confirm"
-                                data-value="confirm"
-                                data-id="confirm"
-                                data-label="$text.get("general.confirm")"
-                                data-type="submit"
-                                data-fullwidth="true">
-                        </agov-button>
-                        <agov-button
-                                id="recovery_code_btn_cancel"
-                                class="block basis-full"
-                                data-style="frameless"
-                                data-name="cancelFido2"
-                                data-value="cancelFido2"
-                                data-id="cancelFido2"
-                                data-label="$text.get("recovery_check_code.noAccess")"
-                                data-type="button"
-                                data-fullwidth="true"
-                                data-validate="false">
-                        </agov-button>
-                    </div>
-                </div>
-                <input class="hidden" name="authRequestId" type="hidden" value="$gui.getGuiElem('authRequestId').value"/>
-            </form>
-        </div>
-        <form class="hidden"
-              id="$gui.name"
-              name="$gui.name"
-              method="POST"
-              target="_self"
-              action="$formTarget"
-              autocomplete="off"
-              accept-charset="UTF-8">
-            <agov-button
-                    data-name="submit"
-                    data-id="submitFormButton"
-                    data-value="submit"
-                    data-type="submit"
-                    data-fullwidth="true">
-            </agov-button>
-            <input class="hidden" name="no_code" id="noCodeCheckbox" type="checkbox" value="true">
-            <input class="hidden" name="authRequestId" type="hidden" value="$gui.getGuiElem('authRequestId').value"/>
-        </form>
-        <img alt="" src="${login.appDataPath}/static/images/recovery.svg"
-             class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 dark:hidden hidden md:block">
-        <img alt="" src="${login.appDataPath}/static/images/recovery_dark.svg"
-             class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 hidden dark:md:block">
-    </div>
+			#if (($error.value && $error.value != "locked") || !($error.value))
+				<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
+					  accept-charset="UTF-8"
+					  class="flex flex-col flex-auto block">
+					<agov-input
+							id="recovery_code_input"
+							class="py-16"
+							data-label="$text.get("recovery_check_code.enterRecoveryCode")"
+							data-isLabelHidden="true"
+							data-placeholder=""
+							data-id="code"
+							data-name="code"
+							data-value=""
+							data-type="text"
+							data-autofocus="true"
+							data-email_invalid="$text.get("recovery_check_code.invalid.code")"
+							data-email_too_long="$text.get("recovery_check_code.invalid.code.tooLong")"
+							data-email_required="$text.get("recovery_check_code.invalid.code.required")">
+					</agov-input>
+					<div class="w-full sm:static mt-auto mb-6 sm:mb-0">
+						<div class="flex flex-col flex-row-reverse gap-4">
+							<agov-button
+									id="recovery_code_btn"
+									class="block basis-full"
+									data-name="confirm"
+									data-value="confirm"
+									data-id="confirm"
+									data-label="$text.get("general.confirm")"
+									data-type="submit"
+									data-fullwidth="true">
+							</agov-button>
+							<agov-button
+									id="recovery_code_btn_cancel"
+									class="block basis-full"
+									data-style="frameless"
+									data-name="cancelFido2"
+									data-value="cancelFido2"
+									data-id="cancelFido2"
+									data-label="$text.get("recovery_check_code.noAccess")"
+									data-type="button"
+									data-fullwidth="true"
+									data-validate="false">
+							</agov-button>
+							<input class="hidden" name="authRequestId" type="hidden"
+								   value="$gui.getGuiElem('authRequestId').value"/>
+						</div>
+					</div>
+				</form>
+			#else
+				<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
+					  accept-charset="UTF-8"
+					  class="flex flex-col flex-auto block">
+					<div class="w-full sm:static mt-auto mb-6 sm:mb-0">
+						<div class="flex flex-col flex-row-reverse gap-4">
+							<agov-button
+									id="recovery_code_btn_cancel"
+									class="block basis-full"
+									data-name="cancelFido2"
+									data-value="cancelFido2"
+									data-id="cancelFido2"
+									data-label="$text.get("recovery_check_code.noAccess")"
+									data-type="button"
+									data-fullwidth="true"
+									data-validate="false">
+							</agov-button>
+							<input class="hidden" name="authRequestId" type="hidden"
+								   value="$gui.getGuiElem('authRequestId').value"/>
+						</div>
+					</div>
+				</form>
+			#end
+		</div>
+		<form class="hidden"
+			  id="$gui.name"
+			  name="$gui.name"
+			  method="POST"
+			  target="_self"
+			  action="$formTarget"
+			  autocomplete="off"
+			  accept-charset="UTF-8">
+			<agov-button
+					data-name="submit"
+					data-id="submitFormButton"
+					data-value="submit"
+					data-type="submit"
+					data-fullwidth="true">
+			</agov-button>
+			<input class="hidden" name="no_code" id="noCodeCheckbox" type="checkbox" value="true">
+			<input class="hidden" name="authRequestId" type="hidden" value="$gui.getGuiElem('authRequestId').value"/>
+		</form>
+		<img alt="" src="${login.appDataPath}/static/images/recovery.svg"
+			 class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 dark:hidden hidden md:block">
+		<img alt="" src="${login.appDataPath}/static/images/recovery_dark.svg"
+			 class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 hidden dark:md:block">
+	</div>
 </div>
 
 <script src="${login.appDataPath}/static/js-code/recovery_check_code.js">

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/resources/conf/text.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/resources/conf/text_de.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen können?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen können, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist möglicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
 recovery_check_noCode.banner.error=Zu viele Versuche.
 recovery_check_noCode.instruction1=Möglicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
 recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/resources/conf/text_en.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/resources/conf/text_fr.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n’ai pas accès à mon code de récupération
 recovery_check_code.noCodeAccess=Êtes-vous sûr de ne pas avoir accès à votre code de récupération ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de récupération, veuillez vous rendre sur AGOV help et contacter le service d’assistance AGOV. Un agent pourra vous aider dans le processus de récupération.
+recovery_check_code.too_many_tries.instruction1=Le code de récupération que vous avez saisi a peut-être expiré ou vous avez peut-être essayé de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d’assistance. Un agent pourra vous aider dans le processus de récupération.
 recovery_check_noCode.banner.error=Trop de tentatives.
 recovery_check_noCode.instruction1=Vous avez peut-être essayé de saisir le code de récupération trop de fois.
 recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/resources/conf/text_it.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
 loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
 loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Il codice è troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha più il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assisterà nel processo di ripristino.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito può essere scaduto o è stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
 recovery_check_noCode.banner.error=Troppi tentativi.
 recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
 recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/webdata/resources/mauth_link_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatchLink() {
 
         document.getElementById("mauth_started").style.display = "block"; // show
@@ -55,9 +61,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -70,21 +74,36 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
@@ -99,20 +118,24 @@
                     addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatchLink();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/webdata/resources/mauth_onboard.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function renderEnrollment() {
 
         // link is provided by a hidden GuiElem
@@ -52,44 +58,53 @@
     }
 
     function poll() {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+
+        isPolling = true;
 
         // state is held on backend side
         const request = {};
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
 
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
 
                 if (status == 'clientRegistering') {
-
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
 
                     // hide QR-code and information
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
-                }
-                else if (status == 'succeeded') {
-
+                } else if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    console.error("onboarding successful");
+                    console.log("onboarding successful");
 
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("onboarding failed with status: " + status);
 
@@ -98,8 +113,15 @@
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderEnrollment();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/webdata/resources/mauth_push_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch(id) {
 
         document.getElementById("mauth_devices").style.display = "none"; // hide selection menu
@@ -70,9 +76,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -125,47 +129,64 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+        isPolling = true;
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        const request = { fidoUafSessionId: sessionId };
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
                     document.getElementById("mauth_match_numbers").style.display = 'block';
                     document.getElementById("mauth_loading").style.display = 'block';
                 }
+
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderDeviceList();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Mobile_FIDO_UAF/webdata/resources/mauth_usernameless.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch() {
 
         console.log("initiating usernameless mobile authentication...");
@@ -58,9 +64,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -73,46 +77,66 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
-                    document.getElementById("mauth_qrcode").style.display = 'none';
+                    // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
+                    document.getElementById("mauth_qrcode").style.display = 'none';
                 }
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafDone", "true"); // checked by Groovy script
+                    addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafSessionId", sessionId); // checked by Groovy script
+                    addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatch();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/resources/conf/text.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/resources/conf/text_de.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen können?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen können, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist möglicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
 recovery_check_noCode.banner.error=Zu viele Versuche.
 recovery_check_noCode.instruction1=Möglicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
 recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/resources/conf/text_en.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/resources/conf/text_fr.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n’ai pas accès à mon code de récupération
 recovery_check_code.noCodeAccess=Êtes-vous sûr de ne pas avoir accès à votre code de récupération ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de récupération, veuillez vous rendre sur AGOV help et contacter le service d’assistance AGOV. Un agent pourra vous aider dans le processus de récupération.
+recovery_check_code.too_many_tries.instruction1=Le code de récupération que vous avez saisi a peut-être expiré ou vous avez peut-être essayé de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d’assistance. Un agent pourra vous aider dans le processus de récupération.
 recovery_check_noCode.banner.error=Trop de tentatives.
 recovery_check_noCode.instruction1=Vous avez peut-être essayé de saisir le code de récupération trop de fois.
 recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/resources/conf/text_it.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
 loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
 loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Il codice è troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha più il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assisterà nel processo di ripristino.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito può essere scaduto o è stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
 recovery_check_noCode.banner.error=Troppi tentativi.
 recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
 recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/resources/mauth_link_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatchLink() {
 
         document.getElementById("mauth_started").style.display = "block"; // show
@@ -55,9 +61,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -70,21 +74,36 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
@@ -99,20 +118,24 @@
                     addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatchLink();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/resources/mauth_onboard.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function renderEnrollment() {
 
         // link is provided by a hidden GuiElem
@@ -52,44 +58,53 @@
     }
 
     function poll() {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+
+        isPolling = true;
 
         // state is held on backend side
         const request = {};
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
 
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
 
                 if (status == 'clientRegistering') {
-
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
 
                     // hide QR-code and information
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
-                }
-                else if (status == 'succeeded') {
-
+                } else if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    console.error("onboarding successful");
+                    console.log("onboarding successful");
 
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("onboarding failed with status: " + status);
 
@@ -98,8 +113,15 @@
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderEnrollment();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/resources/mauth_push_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch(id) {
 
         document.getElementById("mauth_devices").style.display = "none"; // hide selection menu
@@ -70,9 +76,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -125,47 +129,64 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+        isPolling = true;
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        const request = { fidoUafSessionId: sessionId };
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
                     document.getElementById("mauth_match_numbers").style.display = 'block';
                     document.getElementById("mauth_loading").style.display = 'block';
                 }
+
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderDeviceList();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/resources/mauth_usernameless.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch() {
 
         console.log("initiating usernameless mobile authentication...");
@@ -58,9 +64,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -73,46 +77,66 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
-                    document.getElementById("mauth_qrcode").style.display = 'none';
+                    // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
+                    document.getElementById("mauth_qrcode").style.display = 'none';
                 }
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafDone", "true"); // checked by Groovy script
+                    addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafSessionId", sessionId); // checked by Groovy script
+                    addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatch();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/static/js-code/eid_verification.js

@@ -0,0 +1,4 @@
+document.addEventListener('DOMContentLoaded', function() {
+	document.dispatchEvent(new Event('initEidVerification'));
+	document.dispatchEvent(new Event('initCantonalBranding'));
+});

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/eid_verification.mock.js

@@ -0,0 +1,3 @@
+module.exports = {
+	...require('./mock-defaults')
+};

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/eid_verification.vm

@@ -0,0 +1,224 @@
+#parse("${templatePath}/header.vm")
+#set ($formTarget = $utils.escapeHtmlAttribute($gui.target.replaceAll('&?language=[^&]*','')))
+
+<agov-backdrop></agov-backdrop>
+<div id="mainContent" class="container mx-auto sm:mt-2 sm:max-w-full flex h-full sm:h-auto">
+	<div class="flex flex-col items-start gap-4 w-full rounded-[36px] sm:p-6 mx-auto
+	 max-w-[600px] md:max-w-[1200px] sm:bg-lily-blue dark:sm:bg-purple-black">
+
+		<div id="cantonalBranding"
+			 class="flex items-center rounded-xl gap-5 p-2 sm:p-0 sm:w-auto w-full hidden bg-pale-blue dark:bg-purple-black sm:bg-transparent">
+			<div class="flex items-center p-2 bg-white rounded sm:rounded-xl w-16 h-16" id="logo"></div>
+			<h1 class="font-header text-h6 sm:text-h4 text-space-blue dark:text-white">
+                #if ($login.language =="en")
+						$utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameEN').value)
+				#elseif ($login.language =="de")
+                    $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameDE').value)
+                #elseif ($login.language =="fr")
+                    $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameFR').value)
+                #else
+                    $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameIT').value)
+                #end
+			</h1>
+		</div>
+
+		<div class="flex flex-col md:flex-row w-full gap-6">
+			<div id="registerCard" class="w-full md:min-h-[689px] flex flex-col justify-between">
+				<div id="swiyuLoginImage"
+					 class="relative md:max-w-[520px] max-w-[350px] sm:max-w-[300px] mb-10 w-full mx-auto hidden md:block">
+					<img alt="" src="${login.appDataPath}/static/images/login.svg"
+						 class="hidden md:block dark:hidden w-full">
+					<img alt="" src="${login.appDataPath}/static/images/login-dark.svg"
+						 class="hidden md:hidden dark:md:block w-full">
+				</div>
+			</div>
+
+			<div id="loginModal"
+				 class="flex flex-col bg-white dark:bg-surface-black rounded-[20px] sm:min-h-[700px] p-6 sm:pb-8 sm:pt-10 sm:px-10
+				 max-w-[550px] w-full">
+
+				<div class="flex mb-4 sm:mb-6 items-baseline">
+					<h1 class="font-header text-h4 text-space-blue dark:text-white mr-3">$text.get("eid_verification.login")</h1>
+				</div>
+
+				<div id="cantonalBrandingMobile"
+					 class="flex items-center rounded-xl gap-5 mb-4 p-2 sm:p-0 sm:w-auto w-full hidden bg-pale-blue dark:bg-purple-black sm:bg-transparent">
+					<div class="flex items-center p-2 bg-white dark:bg-black rounded sm:rounded-xl w-16 h-16"
+						 id="logoMobile"></div>
+					<h1 class="font-header text-h6 sm:text-h4 text-space-blue dark:text-white">
+                        #if ($login.language =="en")
+							$utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameEN').value)
+						#elseif ($login.language =="de")
+                            $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameDE').value)
+                        #elseif ($login.language =="fr")
+                            $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameFR').value)
+                        #else
+                            $utils.escapeHtmlAttribute($gui.getGuiElem('agov.appDisplayNameIT').value)
+                        #end
+					</h1>
+				</div>
+
+				<div id="swiyuWalletAppModal" class="h-full">
+
+					<div class="desktopBanner" aria-live="assertive">
+						<div class="hidden info flex rounded-xl bg-info-background dark:bg-dark-info-background items-center p-4
+						mb-4">
+							<i class="fa-regular fa-info-circle rounded-full p-3 text-info dark:text-dark-info bg-info/10 dark:bg-dark-info-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
+                                $text.get("eid_verification.banner.info")
+							</p>
+						</div>
+
+						<div class="hidden success flex rounded-xl bg-success-background dark:bg-dark-success-background
+						items-center p-4 mb-4">
+							<i class="fa-regular fa-check-circle rounded-full p-3 text-success dark:text-dark-success bg-success/10 dark:bg-dark-success-icon mr-4 text-xl leading-none"></i>
+							<div>
+								<p class="font-body text-body-l text-space-blue dark:text-white">
+                                    $text.get("eid_verification.banner.success")
+								</p>
+							</div>
+						</div>
+
+						<div class="hidden error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center
+						p-4 mb-4">
+							<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
+                                $text.get("eid_verification.banner.error")
+							</p>
+						</div>
+					</div>
+
+					<div class="relative flex flex-col h-full">
+						<div id="blurBackdrop" class="hidden absolute backdrop-blur-sm -top-1 -bottom-8 -left-4 -right-4
+						z-10"></div>
+						<div class="mobileBanner relative z-20" aria-live="assertive">
+							<div class="hidden info flex rounded-xl bg-info-background dark:bg-dark-info-background items-center
+							p-4 mb-4">
+								<i class="fa-regular fa-info-circle rounded-full p-3 text-info dark:text-dark-info bg-info/10 dark:bg-dark-info-icon mr-4 text-xl leading-none"></i>
+								<p class="font-body text-body-l text-space-blue dark:text-white">
+                                    $text.get("eid_verification.banner.info")
+								</p>
+							</div>
+
+							<div class="hidden success flex rounded-xl bg-success-background dark:bg-dark-success-background
+								 items-center p-4 mb-4">
+								<i class="fa-regular fa-check-circle rounded-full p-3 text-success dark:text-dark-success bg-success/10 dark:bg-dark-success-icon mr-4 text-xl leading-none"></i>
+								<div>
+									<p class="font-body text-body-l text-space-blue dark:text-white">
+                                        $text.get("eid_verification.banner.success")
+									</p>
+								</div>
+							</div>
+
+							<div class="hidden error flex rounded-xl bg-error-background dark:bg-dark-error-background
+							items-center p-4 mb-4">
+								<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+								<p class="font-body text-body-l text-space-blue dark:text-white">
+                                    $text.get("eid_verification.banner.error")
+								</p>
+							</div>
+						</div>
+						<div id="swiyuLoginImageMobile"
+							 class="hidden max-w-[200px] sm:max-w-full sm:w-full basis-1/2 mx-auto mb-6">
+							<img alt=""
+								 src="${login.appDataPath}/static/images/login.svg"
+								 class="block dark:hidden w-full">
+
+							<img alt=""
+								 src="${login.appDataPath}/static/images/login-dark.svg"
+								 class="hidden dark:block w-full">
+						</div>
+						<div id="QRCodeHolder">
+							<div class="relative">
+								<canvas role="img" aria-labelledby="labelQRCodeInstructions" id="swiyu_qrcode"
+										class="mb-6 mx-auto"></canvas>
+								<div class="hidden" id="QRcodeHiddenLink"></div>
+								<span id="spinner" class="hidden absolute left-1/2 top-1/2 -translate-x-1/2 -translate-y-1/2
+								z-20">
+								<img src="${login.appDataPath}/static/images/spinner.svg" class="animate-spin block dark:hidden">
+								<img src="${login.appDataPath}/static/images/spinner-dark.svg"
+									 class="animate-spin hidden dark:block">
+								</span>
+							</div>
+
+							<a id="swiyuWalletAppLinkIpad" href="" class="hidden">
+								<agov-button
+										class="block basis-full mb-6"
+										data-name="swiyuWalletApp"
+										data-value="swiyuWalletApp"
+										data-id="swiyuWalletAppIpad"
+										data-label="$text.get("general.goSwiyuWalletApp")"
+										data-type="button"
+										data-fullwidth="true">
+								</agov-button>
+							</a>
+
+							<div class="swiyuWalletAppInstructions flex bg-indigo-light rounded-xl p-4 mb-2 items-center
+							dark:bg-purple-black">
+								<img alt="" src="${login.appDataPath}/static/images/access-app.svg" class="h-12 mr-4">
+								<p id="labelQRCodeInstructions" class="font-header text-h5 text-space-blue dark:text-white">
+                                    $text.get("eid_verification.instructions")
+								</p>
+							</div>
+						</div>
+
+						<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
+							  accept-charset="UTF-8" class="w-full sm:static mt-auto mb-20 sm:mb-0">
+
+							<div id="mobileButtons" class="hidden w-full">
+								<div class="flex flex-col">
+									<a id="swiyuWalletAppLink" href="">
+										<agov-button
+												class="block basis-full mb-4"
+												data-name="swiyuWalletApp"
+												data-value="swiyuWalletApp"
+												data-id="swiyuWalletApp"
+												data-label="$text.get("general.goSwiyuWalletApp")"
+												data-type="button"
+												data-fullwidth="true">
+										</agov-button>
+									</a>
+									<agov-button
+											id="showQR"
+											class="block basis-full"
+											data-style="frameless"
+											data-name="EID"
+											data-value="EID"
+											data-id="EID"
+											data-label="<i class='fa-regular fa-eye align-middle text-xl text-indigo dark:text-lilac mr-2'></i>$text.get(
+                                                "eid_verification.showQR")"
+											data-type="button"
+											data-fullwidth="true">
+									</agov-button>
+
+									<agov-button
+											id="hideQR"
+											class="hidden basis-full"
+											data-style="frameless"
+											data-name="EID"
+											data-value="EID"
+											data-id="EID"
+											data-label="<i class='fa-regular fa-eye-slash align-middle text-xl text-indigo dark:text-lilac mr-2'></i>$text.get(
+                                                "eid_verification.hideQR")"
+											data-type="button"
+											data-fullwidth="true">
+									</agov-button>
+								</div>
+							</div>
+							<input class="hidden" name="authRequestId" type="hidden"
+								   value="$gui.getGuiElem('authRequestId').value"/>
+						</form>
+					</div>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
+
+<script src="${login.appDataPath}/static/js-code/eid_verification.js" defer>
+</script>
+<div id="appSamlRpEntityId" class="hidden" data-value="$gui.getGuiElem('agov.appSamlRpEntityId').value"
+	data-language="$login.language">
+</div>
+
+#parse("${templatePath}/footer.vm")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/footer.vm

@@ -3,7 +3,7 @@
 			$text.get("footer.text")
 			<a target="_blank" class='text-hyperlink dark:text-dark-hyperlink underline' href='$text.get("footer.link")'>$text.get("footer.link.label")</a>
 		</div>
-		<p>1.8.x.2627-20250209T135612Z</p>
+		<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
 	</footer>
 	<script src="${login.appDataPath}/static/bundle.js"></script>
 </body>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/mauth_usernameless.vm

@@ -150,15 +150,15 @@
 								</p>
 							</div>
 						</div>
-						<div id="agovLoginImageMobile" class="hidden md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full
-						mx-auto mb-6">
+						<div id="agovLoginImageMobile"
+							 class="hidden max-w-[200px] sm:max-w-full sm:w-full basis-1/2 mx-auto mb-6">
 							<img alt=""
 								 src="${login.appDataPath}/static/images/login.svg"
-								 class="block sm:hidden md:block dark:hidden w-full">
+								 class="block dark:hidden w-full">
 
 							<img alt=""
 								 src="${login.appDataPath}/static/images/login-dark.svg"
-								 class="dark:sm:hidden dark:md:block hidden dark:block w-full">
+								 class="hidden dark:block w-full">
 						</div>
 						<div id="QRCodeHolder">
 							<div class="relative">
@@ -242,7 +242,7 @@
 						</form>
 					</div>
 				</div>
-				<div id="securityKeyModal" class="hidden mt-16">
+				<div id="securityKeyModal" class="hidden sm:mt-16">
 
 					<h2 class="font-header text-h5 text-space-blue dark:text-white mt-4 text-center">
                         $text.get("mauth_usernameless.useSecurityKey")
@@ -253,7 +253,7 @@
 					</p>
 
 					<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
-						  accept-charset="UTF-8">
+						  accept-charset="UTF-8" class="mb-20 sm:mb-0">
 						<agov-button
 								class="mb-4 block"
 								data-name="fallback"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/recovery_accessapp_auth.vm

@@ -82,14 +82,14 @@
 						</div>
 					</div>
 					<div id="agovLoginImageMobile"
-						 class="hidden md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full basis-1/2 mx-auto mb-4">
+						 class="hidden max-w-[200px] sm:max-w-full sm:w-full basis-1/2 mx-auto mb-4">
 						<img alt=""
 							 src="${login.appDataPath}/static/images/recovery.svg"
-							 class="block sm:hidden md:block dark:hidden w-full">
+							 class="block w-full">
 
 						<img alt=""
 							 src="${login.appDataPath}/static/images/recovery_dark.svg"
-							 class="dark:sm:hidden dark:md:block hidden dark:block w-full">
+							 class="hidden dark:block w-full">
 					</div>
 					<div id="QRCodeHolder">
 						<div class="relative">

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/recovery_check_code.vm

@@ -2,116 +2,151 @@
 
 <agov-backdrop></agov-backdrop>
 <div id="mainContent" class="container mx-auto sm:mt-32 sm:max-w-full flex flex-auto sm:block">
-    <div class="flex flex-col-reverse sm:flex-row justify-evenly items-center gap-5 w-full">
-        <div class="flex flex-col sm:bg-white sm:dark:bg-surface-black rounded-[20px] sm:px-10 sm:py-10 max-w-[550px] w-full
+	<div class="flex flex-col-reverse sm:flex-row justify-evenly items-center gap-5 w-full">
+		<div class="flex flex-col sm:bg-white sm:dark:bg-surface-black rounded-[20px] sm:px-10 sm:py-10 max-w-[550px] w-full
 		basis-full md:basis-1/2 min-h-[535px]">
-			<span id="spinner" class="hidden absolute left-1/2 top-1/2 -translate-x-1/2 -translate-y-1/2 z-30">
+	<span id="spinner" class="hidden absolute left-1/2 top-1/2 -translate-x-1/2 -translate-y-1/2 z-30">
 				<img src="${login.appDataPath}/static/images/spinner.svg" class="animate-spin block dark:hidden">
 				<img src="${login.appDataPath}/static/images/spinner-dark.svg" class="animate-spin hidden dark:block">
 			</span>
-            <div id="blurBackdrop" class="hidden absolute backdrop-blur-sm -top-1 -bottom-96 -left-4 -right-4 z-20"></div>
-            <div class="flex flex-col gap-8">
-                <div class="flex items-baseline">
+			<div id="blurBackdrop" class="hidden absolute backdrop-blur-sm -top-1 -bottom-96 -left-4 -right-4 z-20"></div>
+			<div class="flex flex-col gap-8">
+				<div class="flex items-baseline">
 					#set($error = $gui.getGuiElem("lasterror"))
-                    <h3 class="font-header text-h3 text-space-blue dark:text-white mr-3">
+					<h3 class="font-header text-h3 text-space-blue dark:text-white mr-3">
 						$text.get("general.recovery")
-                    </h3>
-                    <h4 class="font-header text-h4 text-disabled-grey dark:text-silver">
+					</h3>
+					<h4 class="font-header text-h4 text-disabled-grey dark:text-silver">
 						$text.get("general.entryCode")
-                    </h4>
-                </div>
+					</h4>
+				</div>
 				#if (($error.value && $error.value != ""))
 					#if (($error.value == "locked"))
-                        <div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
-                            <i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
-                            <p class="font-body text-body-l text-space-blue dark:text-white">
+						<div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
+							<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
 								$text.get("recovery_check_code.banner.lockedError")
-                            </p>
-                        </div>
+							</p>
+						</div>
+						<p class="font-body text-body-l text-space-blue dark:text-white">
+							$text.get("recovery_check_code.too_many_tries.instruction1")
+						</p>
+						<p class="font-body text-body-l text-space-blue dark:text-white">
+							$text.get("recovery_check_code.too_many_tries.instruction2")
+						</p>
 					#else
-                        <div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
-                            <i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
-                            <p class="font-body text-body-l text-space-blue dark:text-white">
+						<div class="error flex rounded-xl bg-error-background dark:bg-dark-error-background items-center p-4">
+							<i class="fa-regular fa-exclamation-circle rounded-full p-3 text-error dark:text-dark-error bg-error/10 dark:bg-dark-error-icon mr-4 text-xl leading-none"></i>
+							<p class="font-body text-body-l text-space-blue dark:text-white">
 								$text.get("recovery_check_code.codeIncorrect")
-                            </p>
-                        </div>
+							</p>
+						</div>
+						<p class="font-body text-body-l text-space-blue dark:text-white">
+							$text.get("recovery_check_code.instruction")
+						</p>
 					#end
+				#else
+					<p class="font-body text-body-l text-space-blue dark:text-white">
+						$text.get("recovery_check_code.instruction")
+					</p>
 				#end
-                <p class="font-body text-body-l text-space-blue dark:text-white">
-					$text.get("recovery_check_code.instruction")
-                </p>
-            </div>
+			</div>
 			#set ($formTarget = $utils.escapeHtmlAttribute($gui.target.replaceAll('&?language=[^&]*','')))
-            <form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
-                  accept-charset="UTF-8"
-                  class="flex flex-col flex-auto block">
-                <agov-input
-                        id="recovery_code_input"
-                        class="py-16"
-                        data-label="$text.get("recovery_check_code.enterRecoveryCode")"
-                        data-isLabelHidden="true"
-                        data-placeholder=""
-                        data-id="code"
-                        data-name="code"
-                        data-value=""
-                        data-type="text"
-                        data-autofocus="true"
-                        data-email_invalid="$text.get("recovery_check_code.invalid.code")"
-                        data-email_too_long="$text.get("recovery_check_code.invalid.code.tooLong")"
-                        data-email_required="$text.get("recovery_check_code.invalid.code.required")">
-                </agov-input>
-                <div class="w-full sm:static mt-auto mb-6 sm:mb-0">
-                    <div class="flex flex-col flex-row-reverse gap-4">
-                        <agov-button
-                                id="recovery_code_btn"
-                                class="block basis-full"
-                                data-name="confirm"
-                                data-value="confirm"
-                                data-id="confirm"
-                                data-label="$text.get("general.confirm")"
-                                data-type="submit"
-                                data-fullwidth="true">
-                        </agov-button>
-                        <agov-button
-                                id="recovery_code_btn_cancel"
-                                class="block basis-full"
-                                data-style="frameless"
-                                data-name="cancelFido2"
-                                data-value="cancelFido2"
-                                data-id="cancelFido2"
-                                data-label="$text.get("recovery_check_code.noAccess")"
-                                data-type="button"
-                                data-fullwidth="true"
-                                data-validate="false">
-                        </agov-button>
-                    </div>
-                </div>
-                <input class="hidden" name="authRequestId" type="hidden" value="$gui.getGuiElem('authRequestId').value"/>
-            </form>
-        </div>
-        <form class="hidden"
-              id="$gui.name"
-              name="$gui.name"
-              method="POST"
-              target="_self"
-              action="$formTarget"
-              autocomplete="off"
-              accept-charset="UTF-8">
-            <agov-button
-                    data-name="submit"
-                    data-id="submitFormButton"
-                    data-value="submit"
-                    data-type="submit"
-                    data-fullwidth="true">
-            </agov-button>
-            <input class="hidden" name="no_code" id="noCodeCheckbox" type="checkbox" value="true">
-            <input class="hidden" name="authRequestId" type="hidden" value="$gui.getGuiElem('authRequestId').value"/>
-        </form>
-        <img alt="" src="${login.appDataPath}/static/images/recovery.svg"
-             class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 dark:hidden hidden md:block">
-        <img alt="" src="${login.appDataPath}/static/images/recovery_dark.svg"
-             class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 hidden dark:md:block">
-    </div>
+			#if (($error.value && $error.value != "locked") || !($error.value))
+				<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
+					  accept-charset="UTF-8"
+					  class="flex flex-col flex-auto block">
+					<agov-input
+							id="recovery_code_input"
+							class="py-16"
+							data-label="$text.get("recovery_check_code.enterRecoveryCode")"
+							data-isLabelHidden="true"
+							data-placeholder=""
+							data-id="code"
+							data-name="code"
+							data-value=""
+							data-type="text"
+							data-autofocus="true"
+							data-email_invalid="$text.get("recovery_check_code.invalid.code")"
+							data-email_too_long="$text.get("recovery_check_code.invalid.code.tooLong")"
+							data-email_required="$text.get("recovery_check_code.invalid.code.required")">
+					</agov-input>
+					<div class="w-full sm:static mt-auto mb-6 sm:mb-0">
+						<div class="flex flex-col flex-row-reverse gap-4">
+							<agov-button
+									id="recovery_code_btn"
+									class="block basis-full"
+									data-name="confirm"
+									data-value="confirm"
+									data-id="confirm"
+									data-label="$text.get("general.confirm")"
+									data-type="submit"
+									data-fullwidth="true">
+							</agov-button>
+							<agov-button
+									id="recovery_code_btn_cancel"
+									class="block basis-full"
+									data-style="frameless"
+									data-name="cancelFido2"
+									data-value="cancelFido2"
+									data-id="cancelFido2"
+									data-label="$text.get("recovery_check_code.noAccess")"
+									data-type="button"
+									data-fullwidth="true"
+									data-validate="false">
+							</agov-button>
+							<input class="hidden" name="authRequestId" type="hidden"
+								   value="$gui.getGuiElem('authRequestId').value"/>
+						</div>
+					</div>
+				</form>
+			#else
+				<form id="$gui.name" name="$gui.name" method="POST" target="_self" action="$formTarget" autocomplete="off"
+					  accept-charset="UTF-8"
+					  class="flex flex-col flex-auto block">
+					<div class="w-full sm:static mt-auto mb-6 sm:mb-0">
+						<div class="flex flex-col flex-row-reverse gap-4">
+							<agov-button
+									id="recovery_code_btn_cancel"
+									class="block basis-full"
+									data-name="cancelFido2"
+									data-value="cancelFido2"
+									data-id="cancelFido2"
+									data-label="$text.get("recovery_check_code.noAccess")"
+									data-type="button"
+									data-fullwidth="true"
+									data-validate="false">
+							</agov-button>
+							<input class="hidden" name="authRequestId" type="hidden"
+								   value="$gui.getGuiElem('authRequestId').value"/>
+						</div>
+					</div>
+				</form>
+			#end
+		</div>
+		<form class="hidden"
+			  id="$gui.name"
+			  name="$gui.name"
+			  method="POST"
+			  target="_self"
+			  action="$formTarget"
+			  autocomplete="off"
+			  accept-charset="UTF-8">
+			<agov-button
+					data-name="submit"
+					data-id="submitFormButton"
+					data-value="submit"
+					data-type="submit"
+					data-fullwidth="true">
+			</agov-button>
+			<input class="hidden" name="no_code" id="noCodeCheckbox" type="checkbox" value="true">
+			<input class="hidden" name="authRequestId" type="hidden" value="$gui.getGuiElem('authRequestId').value"/>
+		</form>
+		<img alt="" src="${login.appDataPath}/static/images/recovery.svg"
+			 class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 dark:hidden hidden md:block">
+		<img alt="" src="${login.appDataPath}/static/images/recovery_dark.svg"
+			 class="md:max-w-[520px] max-w-[350px] sm:max-w-[300px] w-full md:basis-1/2 hidden dark:md:block">
+	</div>
 </div>
 
 <script src="${login.appDataPath}/static/js-code/recovery_check_code.js">

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/NotUsed_Auth_Realm/resources/conf/text.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/NotUsed_Auth_Realm/resources/conf/text_de.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen können?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen können, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist möglicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterstützen.
 recovery_check_noCode.banner.error=Zu viele Versuche.
 recovery_check_noCode.instruction1=Möglicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
 recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/NotUsed_Auth_Realm/resources/conf/text_en.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
 recovery_check_noCode.banner.error=Too many attempts.
 recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
 recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/NotUsed_Auth_Realm/resources/conf/text_fr.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n’ai pas accès à mon code de récupération
 recovery_check_code.noCodeAccess=Êtes-vous sûr de ne pas avoir accès à votre code de récupération ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de récupération, veuillez vous rendre sur AGOV help et contacter le service d’assistance AGOV. Un agent pourra vous aider dans le processus de récupération.
+recovery_check_code.too_many_tries.instruction1=Le code de récupération que vous avez saisi a peut-être expiré ou vous avez peut-être essayé de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d’assistance. Un agent pourra vous aider dans le processus de récupération.
 recovery_check_noCode.banner.error=Trop de tentatives.
 recovery_check_noCode.instruction1=Vous avez peut-être essayé de saisir le code de récupération trop de fois.
 recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/NotUsed_Auth_Realm/resources/conf/text_it.properties

@@ -87,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
 loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
 loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
@@ -174,6 +174,8 @@ recovery_check_code.invalid.code.tooLong=Il codice è troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha più il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assisterà nel processo di ripristino.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito può essere scaduto o è stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
 recovery_check_noCode.banner.error=Troppi tentativi.
 recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
 recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/NotUsed_Auth_Realm/webdata/resources/mauth_link_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatchLink() {
 
         document.getElementById("mauth_started").style.display = "block"; // show
@@ -55,9 +61,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -70,21 +74,36 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
@@ -99,20 +118,24 @@
                     addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatchLink();