new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-nevisauth-sts-4bad2fe3ccc54716cc87138f.yaml

@@ -11,8 +11,8 @@ metadata:
 spec:
   type: "NevisAuth"
   replicas: 1
-  version: "8.2411.3"
-  gitInitVersion: "1.3.0"
+  version: "8.2505.5"
+  gitInitVersion: "1.4.0"
   runAsNonRoot: true
   ports:
     management: 9000
@@ -39,13 +39,14 @@ spec:
     management:
       httpGet:
         path: "/nevisauth/liveness"
+      initialDelaySeconds: 50
       periodSeconds: 5
       timeoutSeconds: 6
-      failureThreshold: 50
+      failureThreshold: 30
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-317ed268556b37656f27fb58fcffd4797cea27e4"
+    tag: "r-d6878093aefa2bfb8cc241b61fff5fe94bc95282"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict.properties

@@ -3,6 +3,7 @@ accept.button.label=Accept
 cancel.button.label=Cancel
 continue.button.label=Continue
 deputy.profile.label=(Deputy Profile)
+error.account.exists=Account already exists. Continue to log in.
 error.saml.failed=Please close your browser and try again.
 error_1=Please check your input.
 error_10=Please select the correct user account.
@@ -70,6 +71,8 @@ policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
 policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
 policyInfo.title=The password has to comply with the following password policy:
 reject.button.label=Deny
+signup.button.label=Signup
+skip.button.label=Skip
 submit.button.label=Submit
 tan.sent=Please enter the security code which has been sent to your mobile phone.
 title.logout=Logout
@@ -77,4 +80,5 @@ title.logout.confirmation=Logout
 title.logout.reminder=Logout
 title.oauth.consent=Client Authorization
 title.saml.failed=Error
+title.signup=Create account
 title.timeout.page=Logout

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_de.properties

@@ -3,6 +3,7 @@ accept.button.label=Akzeptieren
 cancel.button.label=Abbrechen
 continue.button.label=Weiter
 deputy.profile.label=(Profil Stellvertreter)
+error.account.exists=Konto existiert bereits. Melden Sie sich an.
 error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
 error_1=Bitte überprüfen Sie Ihre Eingabe.
 error_10=Bitte wählen Sie den gewünschten Benutzer.
@@ -70,6 +71,8 @@ policyInfo.regex.numeric=▪ muss mindestens {0} numerische Zeichen enthalte
 policyInfo.regex.upper=▪ muss mindestens {0} Grossbuchstaben enthalten.
 policyInfo.title=Das Passwort muss den folgenden Passwort-Richtlinien entsprechen:
 reject.button.label=Ablehnen
+signup.button.label=Registrieren
+skip.button.label=Überspringen
 submit.button.label=Senden
 tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
 title.logout=Logout
@@ -77,4 +80,5 @@ title.logout.confirmation=Logout
 title.logout.reminder=Logout
 title.oauth.consent=Client Authorisierung
 title.saml.failed=Error
+title.signup=Konto erstellen
 title.timeout.page=Logout

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_en.properties

@@ -3,6 +3,7 @@ accept.button.label=Accept
 cancel.button.label=Cancel
 continue.button.label=Continue
 deputy.profile.label=(Deputy Profile)
+error.account.exists=Account already exists. Continue to log in.
 error.saml.failed=Please close your browser and try again.
 error_1=Please check your input.
 error_10=Please select the correct user account.
@@ -70,6 +71,8 @@ policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
 policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
 policyInfo.title=The password has to comply with the following password policy:
 reject.button.label=Deny
+signup.button.label=Signup
+skip.button.label=Skip
 submit.button.label=Submit
 tan.sent=Please enter the security code which has been sent to your mobile phone.
 title.logout=Logout
@@ -77,4 +80,5 @@ title.logout.confirmation=Logout
 title.logout.reminder=Logout
 title.oauth.consent=Client Authorization
 title.saml.failed=Error
+title.signup=Create account
 title.timeout.page=Logout

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_fr.properties

@@ -3,6 +3,7 @@ accept.button.label=Accepter
 cancel.button.label=Abandonner
 continue.button.label=Continuer
 deputy.profile.label=(Profil du suppléant)
+error.account.exists=Le compte existe déjà. Continuez à vous connecter.
 error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
 error_1=Veuillez vérifier vos données, s.v.p.
 error_10=Choisissez votre compte.
@@ -70,6 +71,8 @@ policyInfo.regex.numeric=▪ doit comprendre au minimum {0} caractères
 policyInfo.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
 policyInfo.title=Le mot de passe doit respecter les règles suivantes:
 reject.button.label=Refuser
+signup.button.label=Inscription
+skip.button.label=Passer
 submit.button.label=Envoyer
 tan.sent=Veuillez saisir le code de sécurité que vous avez reçu au votre téléphone mobile.
 title.logout=Logout
@@ -77,4 +80,5 @@ title.logout.confirmation=Logout
 title.logout.reminder=Logout
 title.oauth.consent=Autorisation du client
 title.saml.failed=Error
+title.signup=Créer un compte
 title.timeout.page=Logout

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/LitDict_it.properties

@@ -1,8 +1,9 @@
 
-accept.button.label=Accettare
-cancel.button.label=Abortire
+accept.button.label=Accetta
+cancel.button.label=Annulla
 continue.button.label=Continua
 deputy.profile.label=(profilo del delegato)
+error.account.exists=L'account esiste gi<67>. Prosegui col login.
 error.saml.failed=Chiudi il browser e riprova.
 error_1=Verificare i dati immessi.
 error_10=Per favore selezionare il conto utente corretto.
@@ -69,7 +70,9 @@ policyInfo.regex.nonLetter=&#9642; non pu&ograve; contenere pi&ugrave; di {0} nu
 policyInfo.regex.numeric=&#9642; deve contenere un minimo di {0} carattere/i numerico/i.
 policyInfo.regex.upper=&#9642; deve conenere almeno {0} carattere/i maiuscolo/i.
 policyInfo.title=La password deve rispettare le seguenti direttive:
-reject.button.label=Rifiuti
+reject.button.label=Rifiuta
+signup.button.label=Iscriviti
+skip.button.label=Salta
 submit.button.label=Continua
 tan.sent=Inserisci il codice di sicurezza che &egrave; stato inviato al tuo telefono cellulare.
 title.logout=Logout
@@ -77,4 +80,5 @@ title.logout.confirmation=Logout
 title.logout.reminder=Logout
 title.oauth.consent=Autorizzazione del client
 title.saml.failed=Error
+title.signup=Crea un account
 title.timeout.page=Logout

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/env.conf

@@ -13,8 +13,9 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2505.5,service.instance.id=$HOSTNAME"
     "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-sts-idp-extended-truststore/truststore.p12"
     "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-sts-idp-extended-truststore/keypass}"
 )
 
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/esauth4.xml

@@ -431,4 +431,6 @@
         <!-- source: pattern://eaae1a7d4c4e0ce653074f22 -->
         <property name="secToken.binary" value="true"/>
     </WebService>
+    <!-- source: pattern://4bad2fe3ccc54716cc87138f -->
+    <RESTService name="ManagementService" class="ch.nevis.esauth.rest.service.session.ManagementService"/>
 </esauth-server>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/logging.yml

@@ -16,16 +16,12 @@ Configuration:
       level: "INFO"
     - name: "EsAuthStart"
       level: "INFO"
-    - name: "org.apache.catalina.loader.WebappClassLoader"
-      level: "FATAL"
-    - name: "org.apache.catalina.startup.HostConfig"
-      level: "ERROR"
-    - name: "ch.nevis.esauth.events"
-      level: "FATAL"
     - name: "AGOV-ACCT"
       level: "DEBUG"
     - name: "AgovCaptcha"
       level: "DEBUG"
+    - name: "ArtifactResolutionService"
+      level: "DEBUG"
     - name: "AuthEngine"
       level: "INFO"
     - name: "AuthPerf"
@@ -33,9 +29,11 @@ Configuration:
     - name: "IdmAuth"
       level: "DEBUG"
     - name: "OpTrace"
-      level: "DEBUG"
+      level: "INFO"
     - name: "Recovery"
       level: "DEBUG"
+    - name: "Saml"
+      level: "DEBUG"
     - name: "Script"
       level: "DEBUG"
     - name: "SessCoord"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/otel.properties

@@ -1,4 +1,5 @@
 otel.service.name = auth-sts
+otel.traces.sampler = always_on
 otel.traces.exporter = none
 otel.metrics.exporter = none
 otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/sts_audit_failure.groovy

@@ -14,4 +14,4 @@ try {
   LOG.warn("Exception in Script: ${e}")
 } finally {
   response.setResult('ok')
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/sts_audit_success.groovy

@@ -13,4 +13,4 @@ try {
   LOG.warn("Exception in Script: ${e}")
 } finally {
   response.setResult('ok')
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml

@@ -10,7 +10,7 @@ metadata:
     patternId: "7022472ae407577ae604bbb8"
 spec:
   keystores:
-  - name: "auth-sh4r3d-internal-idp-auth-signer"
-    namespace: "adn-agov-nevisidm-01-uat"
   - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
     namespace: "adn-agov-nevisidm-01-uat"
+  - name: "auth-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -11,8 +11,8 @@ metadata:
 spec:
   type: "NevisAuth"
   replicas: 1
-  version: "8.2411.3"
-  gitInitVersion: "1.3.0"
+  version: "8.2505.5"
+  gitInitVersion: "1.4.0"
   runAsNonRoot: true
   ports:
     management: 9000
@@ -39,15 +39,19 @@ spec:
     management:
       httpGet:
         path: "/nevisauth/liveness"
+      initialDelaySeconds: 50
       periodSeconds: 5
       timeoutSeconds: 6
-      failureThreshold: 50
+      failureThreshold: 30
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-e157935e7f17a778cb613627a645fe400a85af4d"
+    tag: "r-53c09bd6632aebeda2b892197a01a8f7f185561d"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
+  database:
+    name: "auth"
+    requiredVersion: "8.2505.5"
   keystores:
   - "auth-sh4r3d-internal-idp-auth-signer"
   - "auth-auth-realm-mobile-fido-uaf-tls-client-nevisfido"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-database-b7b59e97b3fd18bb60178573.yaml

@@ -0,0 +1,26 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+  name: "auth"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "auth"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "b7b59e97b3fd18bb60178573"
+spec:
+  type: "NevisAuth"
+  databaseType: "MariaDB"
+  version: "8.2505.5"
+  url: "mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat"
+  port: 3306
+  database: "nevisauth"
+  bootstrap: true
+  migrate: true
+  rootCredentials:
+    name: "root-mariadb-session-store"
+    namespace: "adn-agov-nevisidm-ob-01-uat"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/key.pem

@@ -1,54 +1,54 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU95KG57RacAYBmkeQ
-DIe1bZS0sbkCAggAMB0GCWCGSAFlAwQBKgQQyxdAya9Sd4oHLO1pzVWcYASCCVDT
-ozdXT3vjyqMzza4QKaMD4ywSAzGhQRM/TnxU5JbRLNMpdtq76Mfet2pv++UUjcof
-16EsdOOpDQdxdzQWmwGUNwjkX5YyWTaAefV8l9n6Bp8LV0XabS9We3g5Jr1KjuzP
-O/xJgB2o6BcD/WRPeOaANSGoyWce4rCkpDwqxrp+tY9EK19SoCZG9Zy2hnPPH2Hc
-QgtgCAzqaXIp49KIXHn/Uo532lIz3WqkkhzVakwgAKLKIvc/SwgP0eSXLvPjeJYS
-L8DngPP0YD7IPgIs7WmMNNE7or69e7mO0miUOl7xStNHzHpLmtLNbYI7Pk6NLT7N
-kWfh2+E21R7llsW57boMACXVr7N3CHOlZQhUNViyjPayo1njVnp6gGzuIxluhHJY
-CL070oqBeEYVfvE07HQ4Qd0BL5c02pdrKjdzBYyLwzSNKn2RzgS2R/XtEqdmOUo+
-iuRngv9D1UPSI2xlFhv84778ktEeSf8l1nLltqhPJAmJUjSAcu/zjN4Q+HXqMRaF
-IocDV4I7CaXDc2E0YdU8uHuzzUHLflJ2OZwU5N7tkoVOtAYHKUwCP4J/zpLSe2V2
-MIh40IVJK4gzb+iyBiOnsnKKQCKMPbS4lH8zC2S486MgjgbhlZeFg0nOF955c61l
-Sb4MBrexU4s1TUg/fDpYt6jPZoKivN72jzi60kV43gBFHmP3X4SRAUQ4Y3h5NFF8
-h2p4wvYRsYEexjJU/+WJG4Yi1wSi3oEqD161a6vPOsKBLBdLRo1vgnQdGFx/k83X
-vjPlI2eEUMPCntNBbrTy8eUSJz/0OH2phztZpHuh5cfy4ErUi19d9ywZUlhurGvX
-dC7ouTEqRZLkkSCfGTQM0q0O4JQJTLb5N4gWdZxQd2UwGv3jCK7m5eWx3bTdhhXi
-179DoSpYBCJF3msn0ROO6PxsccH0w/I6KMi3QNmsDlXhDr6XIBya8CU0lx9lp0pl
-5q62D26Ylr2fovd3qKKbwP6RaZarCzKLO6dWdyMqtUwVlX2FDCFd/SPGWc2TmuVS
-vLb981Zm13AfYtNUSfusroDp3TEuvl7cwozg7p33SQhuCmgKnxMd0iXd5QQZjrR0
-t+y22dHrD1agkkoFMLz/+d+930J0sY4odG/HbL2Bv8ZelVUjA8XSFoGBEA+rfQCg
-DGmLh5a+/yfzxCEKWVLqmwHWbSkub8bXdl6EKEyaO9qo1KCLAf3tArQx45sqw8bK
-8AYq2mrNIiMDhHub+XEEC0Aw2lZkJOrwwMEsTcZWfBvj56MdRNXuZMvPdarTbnDx
-zzxatqIwfvpOy/S2Poyrc6GuprbZCM6N+cDLdWQqAHVwAlx77NhiJ6s3vUnE3vB7
-aHgmXU+a8uPA64tKKaRNQJ31f7viCkWJXEbbEhVTzCvFcoqbKPPMm9w7nO8PMUTu
-BmwSFEKhd3BDKZavqTHKi66fF3A5ALFYAkMw/AlvinMitb9s+7WlWQrdvSFkqHsY
-wNQ1ankleYd24/8ZllvsQpleLMepDSxP6zUMpXSHbTKp5MZeoCaaY1RCkg7aOduz
-brnD7lRAfLp0H72nxVgC7n6VjidOSruF7k9WIN9VVbP0ZVL/QtkKRWd/hEmtMNaH
-ELg2ekdm3zvdBuvtr0jNiCxbhTr3j5OWQkT/BjZxHpZfA14XEROJC2Slo3PxUwBH
-0lE0cICWTeaeYcCX8ofawN+t1Qa6UD0sLl2670Kc7pozkJM4ul19rGA2KsHX89gE
-CaB1CkhFCqZhPbqX9yonv9XZtLb8Of8rBNVd/2QKN4/tOXcMYshzakSfSSIsyxxt
-QgMPRfz0nJTtP7v8ZbwIO+ayGoUeH7aYKhQ6Ku3qW9XuYiy+oMTIOToCSddnEI5t
-JNuPkT9kzA9stkRbFV5kBvrv5LWprWDXdA/wyAWG7txncWj6UzGlP8C3KhtMHLHv
-CiOXrE8UJdNNeT52dYI9slg+tzcCfz3sqMr9zXratvT6JMzrQZqCSis8vIx18TIK
-N5yDWHDFUOeNpo7aRqd5goW3qProwfZDjBXiqE4J+AJ5wc73PuftHt2l00zvLDWs
-SFIRvXbavNBA7GxpVtN8Qxmk6Lm0u0pBiastndowgAI5OIQVuwoA21vXyC5n9pMd
-bPJsmiPyme62OkCWmAjBNDLNVViwKMH8BxmLKJxX+6ysNsn0YY1+9YfI/zC3j4jM
-OYsK1c0NvFIv5aUxRQZLTJJt9C299jGNvdAJsfdp4LHejzZUjnx3nguz/l6RI1Vb
-vjQ1qDRPhkgErGXSHsCoCt+z5Y6mq17JWEX/FiXBWQbfSGoG/ZvoOqiBybCQ3HNl
-o9QM1sNQ5fUZDh0TgwkJB91rZXPwi828RklMW8VZszZir5gziTnndhw0ADLCZZ6z
-nA0vZAI7sjoEeIgiJq3egrsSLq2ZQRQsh5QF+Xo2QktleGvPrtMv//ZyGz4l59yc
-wX/7DtABurFhVs3KdYohcqXk2v5jJCMs+j9YDn6540QR6yXcbifp9ySqhm/PeH91
-UuL16YKxoV6QBZIGE0vjdUitGKNsS+H4ibD/0ZHYG+VcyL90eIrBq61CjfIO79O0
-L9+G4gKB91stXwtpqZWXTrlzrnjloZOPhqyQN/bs/liWQ6qy0a6Cd6nbWc141An1
-zEiOihbwLJ4ziCut+bq5lwyw6z/wWEhaVNnYspEEBr2URLMHbnBceS6zXoePT0ur
-9mQQLitmtlANlJ93vBDPhCaEjkK1v5J7MmIHQzyLSQGuLdXwz50piJukWru3aNax
-skloghJYeTMILEcGAszvyVtcvPqkrJnZXx4Qp7Luj5HK9THr78v3T4nWzirfqxPZ
-x70xRyhsC2lLcIrJ+3jkXj44edIqdh3Wvi30L2x2iUFyZ0ojQJQDo/+5b+p9k36L
-Dk8ktpeIa/BE3NsfcFaWn9bvRkQ6UAQcNn1zmkavfw5TLI4C1PnD/WUpPHZdhzNV
-K87CsUawxjEg0uCCaViShF6bD9mOWQxE3SM9yNizjTmotF6KrgkT16y/qZ17KGQM
-hJ5PraGu9jvg+L/MrQpr91eyJaeh9JFl9dM/SPM0mXo5q813bdMmqD4cc3YWCLee
-dHtmaKJ08KD1cJqHBz0DRLVV+zH00BMoYt5HZ5DmHFU1zhDekWZLhilbyWt8+z1E
-bzsoEAfZvyfvF7fJuxQ/HhYdR6TX5H+aNzZZivVc6g==
+MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUvdFHAj0YggoFr07l
+OCEjWZAMT1oCAggAMB0GCWCGSAFlAwQBKgQQc0LHn1pUPI8PXXos61VpwgSCCVBh
+wA/Ghkde2sb3r+cGG6k7iyM3UWPWu0f0Ac+i4uoKoQhGWlbsMVj/GRgDCcfr5D+C
+2DOvjttdX17UIbEpSC8qbUsplrlSnZGZrizQN5oS7iKNegFQENUpj7uNjZ7ASJy3
+ZOIOsCvuNau+7teDrlIfcUe/A7M9Pm+ZkVFhCDEys1igRb9Sv0EBwQ6aYeei2BtF
+KbnVuEJTi38uGj1VB1E6z8YswlqRIPjcs2UnOUuQ3GBMDLnd4hYGvYOs6Sh8p3kh
+ELP/vZ7zNtSdKVjmsTLyk7BVFkOI5sdBS6igon1aqDqTsY3POgLoqtqi3fF4BKIZ
+mhsU7CfF++AutxHaDWXj+0qLcKkA3SSnYdKOJmOBeBEnqqFv5SQ2YZe/DCetfhjS
+SpY4aST2aCfSAWzK6Amo2/TH7bLqgqwqs+RICcQLpOVD9OLSDX+7vqqo+xWzdONw
+pm+l/x/9NEgTSEwZv7gJxPg8omBub7HR/SHR7BSb8dsld8wUdgNFeixY6NXTLxHv
+92HKR6Cw5vFd0OaDGlQL1ay3UAc2SPNE2/0oHEAbwoRPKcNhhHGXl8skhuKHgupp
+6gWRpsQeKechQCysP/wRMm7v0przBCUm+PSUpbT5aV3j+iQYXGdme9E01TaRaKKb
+BhiuyzDBPwXeUktBpvpq7d/pOp3eTbF8cbXXDP+DqRl6KcHK5wB+wEavqVo06RGZ
+NtdHzOJTT1V0cUMobsI7hC0TcB0YeeZBRX66tMIrjCl4QuS2nv8Kn0oz2nZ8htfm
+5M6cwBd/NymfGIEI2RR53fv5dN917WsagY5n0lQzNV4VAK1WrxfxtbUuQVKK5S02
+zqGxriMQ9CA1tU86Ec0Gk4mbiEwExArD1YprHl0p8HhEV34J9VjG+GhSXpKp/1zL
+wl+LChF/GxW6INFxH0qo7ecFodoJPTNdTxFHhzdMBoXf2sXpR9nFMuvuRdlS6rKy
+zytxZLwT8EF7f4x0BgxCDFD+/1WonSSWahgMWfmthrt9MSFH17ZMd3/aVkJwDxrk
+61IBEgJI/DhGniNnzK171XiG7cpunwd7TV4RV1i8munPMi4Za1w4rwTzhnLzZ1/R
+jK5AO5waKqecmrMFOhWrcekwn43Tx0PpOeAA9iDlfGPGrY0mCgKTmlccqgrFKtn6
+sjNRsRQ8/77cBRbX8Acrc4wG1814ggLMp1RxRgoHLnzIz0tSbay6eE/TuUMqRalQ
+HAurDKHOJEjS3Kv5SKli0MzsTwGxyoycF6er76CYiIo+n1CBBRrIg/iDaLkKV4TK
+E56rxVfVKmN1yg5lNYTg+F7DDudY4/R6RGmORi9dsmgGS/qeKcX/ggdXrgt1Hd07
+0xOQmR1rdKnmNoqJXoYhSmMHvCRBc1Yf4xkfvOsE8LQoG91lpucsWjAJM6FnHZRU
+TlOXa/Z3DDtbr17arJdFtOSsaYodhZcG42diamhbMvKyoYYTwwXubFKOZCQplrin
+343cmbhpGfIyhSMerWOsULDffhizfkH8cyXjb2bJZk1zX8/CUtPegAjv0L0zdtv+
+6A8UZqGDSbzzGuksUtcNLpnaQeDoLm2GlF8r6JCGRt/31ROI2Eqf71hve55s2DE1
+whdv+YxmphNgnCn095p8gnOZMmYz2tQMEtslKr+TmYWNxSoB9MCtTDAbtRNxkfnn
+rjZxe2vHNapJ6VmIfDDuyNxz3323Z9sAzLkqGAe83Zx7XLpXjs0HUaG2EQnMffT8
+Frfr9ptczfav1tkmFQMBmCL5xS4/1gkQyNwB2wy8Kdez0T6Oxm31D63HgwKT9pmE
+6EGnxUOBvNk3MEeiaC10plR3cl2PxANqfbtwPuor/a2IQq2zABnjaPgrQn1zexB5
+0ncTjv3OcQLAH0di7V0vKpTIQpUL8QM+Sor5YRSO36CgJxVrS7aKo8W0QRSUwgy9
+PGEHu3tagqs05ryIcyU0KaO3KJzkGA/in/OGtm2x3/lFogsvTajleIDcqO6rHYGV
+JYtXn8drG31cbmTtak+N/VfmAVpQ6PJG8b3YevW1W1ySxriTm4jGMvtunDtreyEB
+MXzSeWhtWot6IBWDMNqh9JIghmG+gwI1xD2AK1BR9ifSgjQ8ZA8mc2C2kinka9wl
+Sl7/9/rdsQQRJs7inNUvJ8W4eY62ILlRyAe0xaUlo08JUhlK3Xf3LWD4frRfHoBx
+hCxfOAnlSzaRksatd0N72LiVLIL864peScyMpvS1EaE1aUGhfnFemb5wXIewyY1g
+Hj6bKTQlt0iB+aVj1EWSfGrZ8sshWB91dBNCssu0q+DHHzAX1wkE0i8eNlLlFcmm
+aDReRJSS+7qAVGdksEyzE+IGAzbXnYKyWudpdB/WwR+6kDEKsqFv52z0i0JH83Tj
+QvinHcyh3nLfXf+GV9LYjLhZEOkHm8diHgYdRMsY2d21jd0q6Eo7hiQzF3pSutj2
+GxDya0+rDK8LP9LboYOUTyJaNZPcqlTrQjQQls55kTnHinImYgiT91w6GhFS4GU4
+E3KSIsYzBo64HjHl0vLwcfJ6ghvUMu4cTW1z1L0+ieKqiajIMuvQmIxhS9fO2qVg
+FbsihnJKq/EbeU7uMGq/3FJWJk0D0G8SiJsgP85mbY90qePW3CvnoRnH6PemYCeF
+T3qJMPFgT2ncLhIrC5cR7F27DCU/CH1jJW4GRx7PeNBeLErWpDghzeJS5IJFW5q8
+RIw/HJaLd6TmPNnjQ7XXpU6J519EHRmFDnANXooLDFnwDqam0sokdg9ix4yQYw+e
+jh3mOQJ5lwtccSFpcgGvzApA+xd62//qFixqe0zoq9ThEvPB9wKQe8aAtCsDxrvw
+PKLbsdy9OdqM1h3TWh+ioWZJb69LRA9MoArAZ8ntpHluQ1amL1wiV8wJReXD4kua
+fGbf+S1wnUlH4lTkJa0ApTIM0OsWzYFb2F8VDdgvfmtCSYlbS37Qy4+TKJFNtMEA
+FQyLUmAlgCdgAiBLVrrV9uDYeRnPVUShlsyZCwBUm92cjDiQkSWhDjro7NQTBMfo
+I4A+5OhaX61eNJYFqXv0KWBTGjRnW/dhAilNlc0QWKO+p4mwtTUlwVe0EMb3naxh
+9ioJUHlwkcfJWBQAVAR/pbslzlpND8wE8NnH5P6z0H95ft3Q6v+JYD2zdhTTfTlw
+X/YlQuf14Vuey6B9bnAPHKh2zE5x53MwVL0OvnfVnw==
 -----END ENCRYPTED PRIVATE KEY-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.pem

@@ -1,56 +1,56 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU95KG57RacAYBmkeQ
-DIe1bZS0sbkCAggAMB0GCWCGSAFlAwQBKgQQyxdAya9Sd4oHLO1pzVWcYASCCVDT
-ozdXT3vjyqMzza4QKaMD4ywSAzGhQRM/TnxU5JbRLNMpdtq76Mfet2pv++UUjcof
-16EsdOOpDQdxdzQWmwGUNwjkX5YyWTaAefV8l9n6Bp8LV0XabS9We3g5Jr1KjuzP
-O/xJgB2o6BcD/WRPeOaANSGoyWce4rCkpDwqxrp+tY9EK19SoCZG9Zy2hnPPH2Hc
-QgtgCAzqaXIp49KIXHn/Uo532lIz3WqkkhzVakwgAKLKIvc/SwgP0eSXLvPjeJYS
-L8DngPP0YD7IPgIs7WmMNNE7or69e7mO0miUOl7xStNHzHpLmtLNbYI7Pk6NLT7N
-kWfh2+E21R7llsW57boMACXVr7N3CHOlZQhUNViyjPayo1njVnp6gGzuIxluhHJY
-CL070oqBeEYVfvE07HQ4Qd0BL5c02pdrKjdzBYyLwzSNKn2RzgS2R/XtEqdmOUo+
-iuRngv9D1UPSI2xlFhv84778ktEeSf8l1nLltqhPJAmJUjSAcu/zjN4Q+HXqMRaF
-IocDV4I7CaXDc2E0YdU8uHuzzUHLflJ2OZwU5N7tkoVOtAYHKUwCP4J/zpLSe2V2
-MIh40IVJK4gzb+iyBiOnsnKKQCKMPbS4lH8zC2S486MgjgbhlZeFg0nOF955c61l
-Sb4MBrexU4s1TUg/fDpYt6jPZoKivN72jzi60kV43gBFHmP3X4SRAUQ4Y3h5NFF8
-h2p4wvYRsYEexjJU/+WJG4Yi1wSi3oEqD161a6vPOsKBLBdLRo1vgnQdGFx/k83X
-vjPlI2eEUMPCntNBbrTy8eUSJz/0OH2phztZpHuh5cfy4ErUi19d9ywZUlhurGvX
-dC7ouTEqRZLkkSCfGTQM0q0O4JQJTLb5N4gWdZxQd2UwGv3jCK7m5eWx3bTdhhXi
-179DoSpYBCJF3msn0ROO6PxsccH0w/I6KMi3QNmsDlXhDr6XIBya8CU0lx9lp0pl
-5q62D26Ylr2fovd3qKKbwP6RaZarCzKLO6dWdyMqtUwVlX2FDCFd/SPGWc2TmuVS
-vLb981Zm13AfYtNUSfusroDp3TEuvl7cwozg7p33SQhuCmgKnxMd0iXd5QQZjrR0
-t+y22dHrD1agkkoFMLz/+d+930J0sY4odG/HbL2Bv8ZelVUjA8XSFoGBEA+rfQCg
-DGmLh5a+/yfzxCEKWVLqmwHWbSkub8bXdl6EKEyaO9qo1KCLAf3tArQx45sqw8bK
-8AYq2mrNIiMDhHub+XEEC0Aw2lZkJOrwwMEsTcZWfBvj56MdRNXuZMvPdarTbnDx
-zzxatqIwfvpOy/S2Poyrc6GuprbZCM6N+cDLdWQqAHVwAlx77NhiJ6s3vUnE3vB7
-aHgmXU+a8uPA64tKKaRNQJ31f7viCkWJXEbbEhVTzCvFcoqbKPPMm9w7nO8PMUTu
-BmwSFEKhd3BDKZavqTHKi66fF3A5ALFYAkMw/AlvinMitb9s+7WlWQrdvSFkqHsY
-wNQ1ankleYd24/8ZllvsQpleLMepDSxP6zUMpXSHbTKp5MZeoCaaY1RCkg7aOduz
-brnD7lRAfLp0H72nxVgC7n6VjidOSruF7k9WIN9VVbP0ZVL/QtkKRWd/hEmtMNaH
-ELg2ekdm3zvdBuvtr0jNiCxbhTr3j5OWQkT/BjZxHpZfA14XEROJC2Slo3PxUwBH
-0lE0cICWTeaeYcCX8ofawN+t1Qa6UD0sLl2670Kc7pozkJM4ul19rGA2KsHX89gE
-CaB1CkhFCqZhPbqX9yonv9XZtLb8Of8rBNVd/2QKN4/tOXcMYshzakSfSSIsyxxt
-QgMPRfz0nJTtP7v8ZbwIO+ayGoUeH7aYKhQ6Ku3qW9XuYiy+oMTIOToCSddnEI5t
-JNuPkT9kzA9stkRbFV5kBvrv5LWprWDXdA/wyAWG7txncWj6UzGlP8C3KhtMHLHv
-CiOXrE8UJdNNeT52dYI9slg+tzcCfz3sqMr9zXratvT6JMzrQZqCSis8vIx18TIK
-N5yDWHDFUOeNpo7aRqd5goW3qProwfZDjBXiqE4J+AJ5wc73PuftHt2l00zvLDWs
-SFIRvXbavNBA7GxpVtN8Qxmk6Lm0u0pBiastndowgAI5OIQVuwoA21vXyC5n9pMd
-bPJsmiPyme62OkCWmAjBNDLNVViwKMH8BxmLKJxX+6ysNsn0YY1+9YfI/zC3j4jM
-OYsK1c0NvFIv5aUxRQZLTJJt9C299jGNvdAJsfdp4LHejzZUjnx3nguz/l6RI1Vb
-vjQ1qDRPhkgErGXSHsCoCt+z5Y6mq17JWEX/FiXBWQbfSGoG/ZvoOqiBybCQ3HNl
-o9QM1sNQ5fUZDh0TgwkJB91rZXPwi828RklMW8VZszZir5gziTnndhw0ADLCZZ6z
-nA0vZAI7sjoEeIgiJq3egrsSLq2ZQRQsh5QF+Xo2QktleGvPrtMv//ZyGz4l59yc
-wX/7DtABurFhVs3KdYohcqXk2v5jJCMs+j9YDn6540QR6yXcbifp9ySqhm/PeH91
-UuL16YKxoV6QBZIGE0vjdUitGKNsS+H4ibD/0ZHYG+VcyL90eIrBq61CjfIO79O0
-L9+G4gKB91stXwtpqZWXTrlzrnjloZOPhqyQN/bs/liWQ6qy0a6Cd6nbWc141An1
-zEiOihbwLJ4ziCut+bq5lwyw6z/wWEhaVNnYspEEBr2URLMHbnBceS6zXoePT0ur
-9mQQLitmtlANlJ93vBDPhCaEjkK1v5J7MmIHQzyLSQGuLdXwz50piJukWru3aNax
-skloghJYeTMILEcGAszvyVtcvPqkrJnZXx4Qp7Luj5HK9THr78v3T4nWzirfqxPZ
-x70xRyhsC2lLcIrJ+3jkXj44edIqdh3Wvi30L2x2iUFyZ0ojQJQDo/+5b+p9k36L
-Dk8ktpeIa/BE3NsfcFaWn9bvRkQ6UAQcNn1zmkavfw5TLI4C1PnD/WUpPHZdhzNV
-K87CsUawxjEg0uCCaViShF6bD9mOWQxE3SM9yNizjTmotF6KrgkT16y/qZ17KGQM
-hJ5PraGu9jvg+L/MrQpr91eyJaeh9JFl9dM/SPM0mXo5q813bdMmqD4cc3YWCLee
-dHtmaKJ08KD1cJqHBz0DRLVV+zH00BMoYt5HZ5DmHFU1zhDekWZLhilbyWt8+z1E
-bzsoEAfZvyfvF7fJuxQ/HhYdR6TX5H+aNzZZivVc6g==
+MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUvdFHAj0YggoFr07l
+OCEjWZAMT1oCAggAMB0GCWCGSAFlAwQBKgQQc0LHn1pUPI8PXXos61VpwgSCCVBh
+wA/Ghkde2sb3r+cGG6k7iyM3UWPWu0f0Ac+i4uoKoQhGWlbsMVj/GRgDCcfr5D+C
+2DOvjttdX17UIbEpSC8qbUsplrlSnZGZrizQN5oS7iKNegFQENUpj7uNjZ7ASJy3
+ZOIOsCvuNau+7teDrlIfcUe/A7M9Pm+ZkVFhCDEys1igRb9Sv0EBwQ6aYeei2BtF
+KbnVuEJTi38uGj1VB1E6z8YswlqRIPjcs2UnOUuQ3GBMDLnd4hYGvYOs6Sh8p3kh
+ELP/vZ7zNtSdKVjmsTLyk7BVFkOI5sdBS6igon1aqDqTsY3POgLoqtqi3fF4BKIZ
+mhsU7CfF++AutxHaDWXj+0qLcKkA3SSnYdKOJmOBeBEnqqFv5SQ2YZe/DCetfhjS
+SpY4aST2aCfSAWzK6Amo2/TH7bLqgqwqs+RICcQLpOVD9OLSDX+7vqqo+xWzdONw
+pm+l/x/9NEgTSEwZv7gJxPg8omBub7HR/SHR7BSb8dsld8wUdgNFeixY6NXTLxHv
+92HKR6Cw5vFd0OaDGlQL1ay3UAc2SPNE2/0oHEAbwoRPKcNhhHGXl8skhuKHgupp
+6gWRpsQeKechQCysP/wRMm7v0przBCUm+PSUpbT5aV3j+iQYXGdme9E01TaRaKKb
+BhiuyzDBPwXeUktBpvpq7d/pOp3eTbF8cbXXDP+DqRl6KcHK5wB+wEavqVo06RGZ
+NtdHzOJTT1V0cUMobsI7hC0TcB0YeeZBRX66tMIrjCl4QuS2nv8Kn0oz2nZ8htfm
+5M6cwBd/NymfGIEI2RR53fv5dN917WsagY5n0lQzNV4VAK1WrxfxtbUuQVKK5S02
+zqGxriMQ9CA1tU86Ec0Gk4mbiEwExArD1YprHl0p8HhEV34J9VjG+GhSXpKp/1zL
+wl+LChF/GxW6INFxH0qo7ecFodoJPTNdTxFHhzdMBoXf2sXpR9nFMuvuRdlS6rKy
+zytxZLwT8EF7f4x0BgxCDFD+/1WonSSWahgMWfmthrt9MSFH17ZMd3/aVkJwDxrk
+61IBEgJI/DhGniNnzK171XiG7cpunwd7TV4RV1i8munPMi4Za1w4rwTzhnLzZ1/R
+jK5AO5waKqecmrMFOhWrcekwn43Tx0PpOeAA9iDlfGPGrY0mCgKTmlccqgrFKtn6
+sjNRsRQ8/77cBRbX8Acrc4wG1814ggLMp1RxRgoHLnzIz0tSbay6eE/TuUMqRalQ
+HAurDKHOJEjS3Kv5SKli0MzsTwGxyoycF6er76CYiIo+n1CBBRrIg/iDaLkKV4TK
+E56rxVfVKmN1yg5lNYTg+F7DDudY4/R6RGmORi9dsmgGS/qeKcX/ggdXrgt1Hd07
+0xOQmR1rdKnmNoqJXoYhSmMHvCRBc1Yf4xkfvOsE8LQoG91lpucsWjAJM6FnHZRU
+TlOXa/Z3DDtbr17arJdFtOSsaYodhZcG42diamhbMvKyoYYTwwXubFKOZCQplrin
+343cmbhpGfIyhSMerWOsULDffhizfkH8cyXjb2bJZk1zX8/CUtPegAjv0L0zdtv+
+6A8UZqGDSbzzGuksUtcNLpnaQeDoLm2GlF8r6JCGRt/31ROI2Eqf71hve55s2DE1
+whdv+YxmphNgnCn095p8gnOZMmYz2tQMEtslKr+TmYWNxSoB9MCtTDAbtRNxkfnn
+rjZxe2vHNapJ6VmIfDDuyNxz3323Z9sAzLkqGAe83Zx7XLpXjs0HUaG2EQnMffT8
+Frfr9ptczfav1tkmFQMBmCL5xS4/1gkQyNwB2wy8Kdez0T6Oxm31D63HgwKT9pmE
+6EGnxUOBvNk3MEeiaC10plR3cl2PxANqfbtwPuor/a2IQq2zABnjaPgrQn1zexB5
+0ncTjv3OcQLAH0di7V0vKpTIQpUL8QM+Sor5YRSO36CgJxVrS7aKo8W0QRSUwgy9
+PGEHu3tagqs05ryIcyU0KaO3KJzkGA/in/OGtm2x3/lFogsvTajleIDcqO6rHYGV
+JYtXn8drG31cbmTtak+N/VfmAVpQ6PJG8b3YevW1W1ySxriTm4jGMvtunDtreyEB
+MXzSeWhtWot6IBWDMNqh9JIghmG+gwI1xD2AK1BR9ifSgjQ8ZA8mc2C2kinka9wl
+Sl7/9/rdsQQRJs7inNUvJ8W4eY62ILlRyAe0xaUlo08JUhlK3Xf3LWD4frRfHoBx
+hCxfOAnlSzaRksatd0N72LiVLIL864peScyMpvS1EaE1aUGhfnFemb5wXIewyY1g
+Hj6bKTQlt0iB+aVj1EWSfGrZ8sshWB91dBNCssu0q+DHHzAX1wkE0i8eNlLlFcmm
+aDReRJSS+7qAVGdksEyzE+IGAzbXnYKyWudpdB/WwR+6kDEKsqFv52z0i0JH83Tj
+QvinHcyh3nLfXf+GV9LYjLhZEOkHm8diHgYdRMsY2d21jd0q6Eo7hiQzF3pSutj2
+GxDya0+rDK8LP9LboYOUTyJaNZPcqlTrQjQQls55kTnHinImYgiT91w6GhFS4GU4
+E3KSIsYzBo64HjHl0vLwcfJ6ghvUMu4cTW1z1L0+ieKqiajIMuvQmIxhS9fO2qVg
+FbsihnJKq/EbeU7uMGq/3FJWJk0D0G8SiJsgP85mbY90qePW3CvnoRnH6PemYCeF
+T3qJMPFgT2ncLhIrC5cR7F27DCU/CH1jJW4GRx7PeNBeLErWpDghzeJS5IJFW5q8
+RIw/HJaLd6TmPNnjQ7XXpU6J519EHRmFDnANXooLDFnwDqam0sokdg9ix4yQYw+e
+jh3mOQJ5lwtccSFpcgGvzApA+xd62//qFixqe0zoq9ThEvPB9wKQe8aAtCsDxrvw
+PKLbsdy9OdqM1h3TWh+ioWZJb69LRA9MoArAZ8ntpHluQ1amL1wiV8wJReXD4kua
+fGbf+S1wnUlH4lTkJa0ApTIM0OsWzYFb2F8VDdgvfmtCSYlbS37Qy4+TKJFNtMEA
+FQyLUmAlgCdgAiBLVrrV9uDYeRnPVUShlsyZCwBUm92cjDiQkSWhDjro7NQTBMfo
+I4A+5OhaX61eNJYFqXv0KWBTGjRnW/dhAilNlc0QWKO+p4mwtTUlwVe0EMb3naxh
+9ioJUHlwkcfJWBQAVAR/pbslzlpND8wE8NnH5P6z0H95ft3Q6v+JYD2zdhTTfTlw
+X/YlQuf14Vuey6B9bnAPHKh2zE5x53MwVL0OvnfVnw==
 -----END ENCRYPTED PRIVATE KEY-----
 
 -----BEGIN CERTIFICATE-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb-enc/keypass

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb-enc/truststore.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFdzCCA1+gAwIBAgIUdL2pr5w+jKA9HF9llVbMRTK4MO8wDQYJKoZIhvcNAQEL
+BQAwSzELMAkGA1UEBhMCQ0gxDTALBgNVBAcMBEJlcm4xEjAQBgNVBAoMCUFHT1Yg
+V29yazEZMBcGA1UEAwwQYXRiLXdvcmstaWRwLWtleTAeFw0yNTA5MDMwNjQ2Mjha
+Fw0zNTA5MDEwNjQ2MjhaMEsxCzAJBgNVBAYTAkNIMQ0wCwYDVQQHDARCZXJuMRIw
+EAYDVQQKDAlBR09WIFdvcmsxGTAXBgNVBAMMEGF0Yi13b3JrLWlkcC1rZXkwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2s6fPlpWv/1zEnail7TCUphEQ
+A/dr/uY+qQqA/okB+Okd5hGDow7zBe/zICn7PJlGXzkq87o4Q3ZFvOFLqvlhwprp
+OQquIviN6VBss2F3c174Zkk7ksciLQzPYjGBgw+l/ZeZY/AOYBeConsrHobTbjPd
+StI8FZr8zVnamMWd/nBnryA5mZy9+vKz3iPJXPXZmyhBnOJfPZjMmkLvY9wEfGfc
+rGrbqh6f7grleVNU16Rt46TtJRIqWEAdqi1I81d3kEWuqHkYCZf1ZJpDtprJPVko
+fWViFzMz7zuAK5kdaGVwu0R7zeKz6FCHWWQ5bqScQbZ53zX6D3sP6ZNnZXdo6n0L
+i+x17sgZa6VJtWF6s/UUxl8jPteprfRHrgIT3yKK9ewpXEhcc4aNJyCTiXpicOOn
+QUBkkxyT7MtG1j51GPFcoFsBn4X9A1BXUmz2+YrDfFKtj0LwKZe6naI5v+FGtqeQ
+/GeRpaFISwg/L5ewHe3NTH//8ZyWQsbJ2FEIff3LM+0+ivrORJs45GW12ny6MDY1
+Q8PTEsPL/9nhY1Mf99qpB9ivouVF/vGDWont16PhaZ2N31Osbbok3Emfbk0MVfvh
+MuY0PPX/eWfn+5WlxBegS9PXbrcNW7MV0vsow8Js9+B29nao/VeFOQDfrU9p//xu
+nDkeh9z5vqRP7clgMQIDAQABo1MwUTAdBgNVHQ4EFgQUqqmWA9MTwbzRFOfxZbu8
+nIyk4dEwHwYDVR0jBBgwFoAUqqmWA9MTwbzRFOfxZbu8nIyk4dEwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAnh1nayZy7CjTDvXjht0jNEyCPahL
+/gzcfx173FWnDbG3DMqjKB0u7bbpWIdStvTHpvs4NOg7H1/3Xc3cu3vtw6PF3Tkt
+ZGJrMgZ5H9BUPW7BeNPqylh0Xj9vWUhxOdRfthzHcuSg2H6k5GBe+ROVIWLcc5g2
+vIuEEnpL9H5mlt4MofodPJjDrOvbJ5eDOGnNlcSKgPy8ZxrvyesmjFquu9/941p5
+wOpGhfVRH6U9GBIy1wWjjO4y2oRtgdgV0Dm57VNaxNi4R0cRW+eg7H7jED2gWVdS
+Zftkrq44/lXFnWZDXWq8JJs0QPPD30i8fbGvZjRbrVQus5wW+dlirSkljQD8WpiY
+N7PS2y+Io9WDetabxDSkHQGduldlHqnjvvR7TtLBT73fbmrra7nLrxbwAyQs/lp9
+r2904tzgBfhHb5GCrYE1s3h339eb/HXZlPqG1EcYimsAIyyBQ7WyHOgXq5RqwgbW
+9O8aQUWPQrdtWrv8BkYSjjgDSxj9Pu7yBFnSdyI879uvBZDYovm/MmgcguAaJ8UC
+PUcchbvgdLJHnbBA5aFm/Fkhb2WKi3Q0vExUHM3sXazJAAjIplbunHkqf8Wc7lva
+94y3AXN9dg5LEjcwkjQbyGmmuSFq0Hse0b1KE+4INYUigECUcXuKYWrP0RuPzCKU
+4g4p3ZpFGmoq4lM=
+-----END CERTIFICATE-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict.properties

@@ -10,11 +10,11 @@ agov-ident.invalid-url.message=Link can't be processed
 agov-ident.invalid-url.title=Invalid Link
 agov-ident.onboarding=Registration & Verification
 agov-ident.retry=Try again
-button.submit=Submit
 cancel.button.label=Cancel
 continue.button.label=Continue
 darkModeSwitch.aria.label=Dark mode toggle
 deputy.profile.label=(Deputy Profile)
+error.account.exists=Account already exists. Continue to log in.
 error.policy.failed=The new password does not comply with the policy.
 error.saml.failed=Please close your browser and try again.
 error_1=Please check your input.
@@ -297,6 +297,8 @@ recovery_start_info.banner.warning=You will not be able to use your account unti
 recovery_start_info.instruction=During the recovery process you will register a new login factor. If  your account contains any verified information you might also have to go through a verification process to finish the recovery.
 recovery_start_info.title=You are about to start the recovery process
 reject.button.label=Deny
+signup.button.label=Signup
+skip.button.label=Skip
 submit.button.label=Submit
 tan.sent=Please enter the security code which has been sent to your mobile phone.
 title.login=Login
@@ -307,6 +309,7 @@ title.oauth.consent=Client Authorization
 title.pwchange.label=Password Change
 title.pwreset=Password Forgotten
 title.saml.failed=Error
+title.signup=Create account
 title.timeout.page=Logout
 user_input.invalid.email=Please enter a valid email address
 user_input.invalid.email.required=Field required

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_de.properties

@@ -10,11 +10,11 @@ agov-ident.invalid-url.message=Link kann nicht verarbeitet werden
 agov-ident.invalid-url.title=Ungültiger Link
 agov-ident.onboarding=Registrierung & Verifikation
 agov-ident.retry=Versuchen Sie es erneut
-button.submit=Senden
 cancel.button.label=Abbrechen
 continue.button.label=Weiter
 darkModeSwitch.aria.label=Dark-Mode-Schalter
 deputy.profile.label=(Profil Stellvertreter)
+error.account.exists=Konto existiert bereits. Melden Sie sich an.
 error.policy.failed=Das neue Passwort stimmt nicht mit der Richtlinie überein.
 error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
 error_1=Bitte überprüfen Sie Ihre Eingaben.
@@ -297,6 +297,8 @@ recovery_start_info.banner.warning=Sie können Ihr Konto nicht nutzen, bis d
 recovery_start_info.instruction=Während des Wiederherstellungsprozesses werden Sie einen neuen Login-Faktor registrieren. Wenn Ihr Konto verifizierte Informationen enthält, müssen Sie zum Abschluss des Wiederherstellungsprozesses möglicherweise auch einen Verifikationsprozess durchlaufen.
 recovery_start_info.title=Sie sind dabei, den Wiederherstellungsprozess zu starten
 reject.button.label=Ablehnen
+signup.button.label=Registrieren
+skip.button.label=Überspringen
 submit.button.label=Senden
 tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
 title.login=Login
@@ -307,6 +309,7 @@ title.oauth.consent=Client Authorisierung
 title.pwchange.label=Passwort ändern
 title.pwreset=Passwort Vergesssen
 title.saml.failed=Error
+title.signup=Konto erstellen
 title.timeout.page=Logout
 user_input.invalid.email=Bitte geben Sie eine gültige E-Mail ein
 user_input.invalid.email.required=Erforderliches Feld

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_en.properties

@@ -10,11 +10,11 @@ agov-ident.invalid-url.message=Link can't be processed
 agov-ident.invalid-url.title=Invalid Link
 agov-ident.onboarding=Registration & Verification
 agov-ident.retry=Try again
-button.submit=Submit
 cancel.button.label=Cancel
 continue.button.label=Continue
 darkModeSwitch.aria.label=Dark mode toggle
 deputy.profile.label=(Deputy Profile)
+error.account.exists=Account already exists. Continue to log in.
 error.policy.failed=The new password does not comply with the policy.
 error.saml.failed=Please close your browser and try again.
 error_1=Please check your input.
@@ -297,6 +297,8 @@ recovery_start_info.banner.warning=You will not be able to use your account unti
 recovery_start_info.instruction=During the recovery process you will register a new login factor. If  your account contains any verified information you might also have to go through a verification process to finish the recovery.
 recovery_start_info.title=You are about to start the recovery process
 reject.button.label=Deny
+signup.button.label=Signup
+skip.button.label=Skip
 submit.button.label=Submit
 tan.sent=Please enter the security code which has been sent to your mobile phone.
 title.login=Login
@@ -307,6 +309,7 @@ title.oauth.consent=Client Authorization
 title.pwchange.label=Password Change
 title.pwreset=Password Forgotten
 title.saml.failed=Error
+title.signup=Create account
 title.timeout.page=Logout
 user_input.invalid.email=Please enter a valid email address
 user_input.invalid.email.required=Field required

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_fr.properties

@@ -10,11 +10,11 @@ agov-ident.invalid-url.message=Le lien ne peut pas être traité
 agov-ident.invalid-url.title=Lien non valide
 agov-ident.onboarding=Enregistrement et vérification
 agov-ident.retry=Essayez à nouveau
-button.submit=Envoyer
 cancel.button.label=Abandonner
 continue.button.label=Continuer
 darkModeSwitch.aria.label=Activer l'apparence sombre
 deputy.profile.label=(Profil du suppléant)
+error.account.exists=Le compte existe déjà. Continuez à vous connecter.
 error.policy.failed=Votre nouveau mot de passe ne conforme pas aux mesures de sécurité
 error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
 error_1=Veuillez vérifier votre saisie.
@@ -297,6 +297,8 @@ recovery_start_info.banner.warning=Vous ne pourrez pas utiliser votre compte tan
 recovery_start_info.instruction=Le processus de récupération nécessitera l’enregistrement d’un nouveau facteur d’authentification. Si votre compte contient des informations ayant déjà été vérifiées, il se peut que vous deviez les faire vérifier à nouveau pour terminer la récupération.
 recovery_start_info.title=Vous êtes sur le point de démarrer le processus de récupération.
 reject.button.label=Refuser
+signup.button.label=Inscription
+skip.button.label=Passer
 submit.button.label=Envoyer
 tan.sent=Veuillez saisir le code de sécurité que vous avez reçu au votre téléphone mobile.
 title.login=Login
@@ -307,6 +309,7 @@ title.oauth.consent=Autorisation du client
 title.pwchange.label=Changer mot de passe
 title.pwreset=Mot de Passe Oublié
 title.saml.failed=Error
+title.signup=Créer un compte
 title.timeout.page=Logout
 user_input.invalid.email=Veuillez saisir un e-mail valable.
 user_input.invalid.email.required=Champ requis

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_it.properties

@@ -1,5 +1,5 @@
 
-accept.button.label=Accettare
+accept.button.label=Accetta
 agov-ident.done.message=Il vostro conto AGOV è ora pronto per l'uso. Può chiudere questa pagina.
 agov-ident.done.title=Finito
 agov-ident.failed.instruction=Per completare la registrazione è necessario disporre di un account AGOV e superare la verifica dei dati suggerita. Riprova.
@@ -10,11 +10,11 @@ agov-ident.invalid-url.message=Il link non può essere elaborato
 agov-ident.invalid-url.title=Link non valido
 agov-ident.onboarding=Registrazione e verifica
 agov-ident.retry=Riprova
-button.submit=Continua
-cancel.button.label=Abortire
+cancel.button.label=Annulla
 continue.button.label=Continua
 darkModeSwitch.aria.label=Attivare la modalità scura
 deputy.profile.label=(profilo del delegato)
+error.account.exists=L'account esiste gi<67>. Prosegui col login.
 error.policy.failed=La nuova password non &egrave; stata accettata. Scegliere una password che sia conforme ai criteri di password.
 error.saml.failed=Chiudi il browser e riprova.
 error_1=Verificare i dati inseriti.
@@ -296,7 +296,9 @@ recovery_questionnaire_reason_selection.instruction=Selezioni il motivo per cui
 recovery_start_info.banner.warning=Non &egrave; possibile utilizzare l&rsquo;account finch&eacute; il processo di ripristino non sar&agrave; concluso.
 recovery_start_info.instruction=Durante il processo di ripristino registrer&agrave; un nuovo fattore di login. Se il suo account contiene informazioni verificate, potrebbe dover effettuare anche un processo di verificazione per completare il ripristino.
 recovery_start_info.title=Sta per iniziare il processo di ripristino
-reject.button.label=Rifiuti
+reject.button.label=Rifiuta
+signup.button.label=Iscriviti
+skip.button.label=Salta
 submit.button.label=Continua
 tan.sent=Inserisci il codice di sicurezza che &egrave; stato inviato al tuo telefono cellulare.
 title.login=Login
@@ -307,6 +309,7 @@ title.oauth.consent=Autorizzazione del client
 title.pwchange.label=Cambiare Password
 title.pwreset=Password Dimenticata
 title.saml.failed=Error
+title.signup=Crea un account
 title.timeout.page=Logout
 user_input.invalid.email=Inserire un'e-mail valida.
 user_input.invalid.email.required=Campo obbligatorio

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/Recovery_mobile_nless_auth.groovy

@@ -50,3 +50,4 @@ if (inargs.containsKey('onReload')) {
     clearFidoUAFSession()
     response.setResult('default')
 }
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy

@@ -21,4 +21,4 @@ def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain
 response.setHeader('Set-Cookie', agovLoginCookie)
 
 response.setStatus(AuthResponse.AUTH_ERROR)
-return
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/askMobileNumber.groovy

@@ -1,109 +1,109 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-import ch.nevis.idm.client.HTTPRequestWrapper
-
-import groovy.json.JsonSlurper
-import groovy.xml.XmlSlurper
-
-def getHeader(String name) {
-    def inctx = request.getLoginContext()
-    // case-insensitive lookup of HTTP headers
-    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
-    map.putAll(inctx)
-    return map['connection.HttpHeader.' + name]
-}
-
-
-// Accounting
-def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
-def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
-def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-
-String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
-String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
-String mobile = session.get('ch.nevis.idm.User.mobile')
-
-String baseUrl = parameters.get('baseUrl')
-String endPoint = "${baseUrl}/core/v1/${clientExtId}/users/${userExtId}"
-
-
-if (!(parameters.get('ask_mobile_number_enabled')?.toLowerCase()?.trim() == "true")) {
-    LOG.debug("Feature 'ask mobile number' is disabled")
-    response.setResult('done')
-    return
-}
-
-if (mobile) {
-    LOG.debug("User '${user}' has already registered a mobile number")
-    response.setResult('done')
-    return
-}
-
-def agovSkipAskingMobileCookieValue = 'missing'
-
-if (getHeader('cookie') != null) {
-    def cookies = getHeader('cookie')
-    if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) {
-        agovSkipAskingMobileCookieValue = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1')
-    }
-}
-if (agovSkipAskingMobileCookieValue == 'true') {
-    // Don't aske the user again...
-    LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-    response.setResult('done')
-    return
-}
-
-
-if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
-    // language switch, nothing else to do, just display again the GUI
-    response.setStatus(AuthResponse.AUTH_CONTINUE)
-    return
-}
-
-if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip']) {
-    // no mobile, and user wants to skip it
-
-    LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', Persistent='${ inargs['skip'] == 'persistent' ? true : false }'")
-    
-    if (inargs['skip'] == 'persistent') {
-        // persistent cookie for 30d;
-        def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
-        // setHeader doesn't support multiple headers with the same name, so we use
-        // a different one, and rewrite it in the proxy with Lua
-        response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
-    }
-
-    response.setResult('done')
-    return
-}
-
-
-
-if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) {
-    // IMPORTANT/haburger/2024-DEC-09: the pattern must be the same as ch.adnovum.agov.common.util.InputPatterns.PHONE_NUMBER_PATTERN
-    if (!inargs['mobile'].replaceAll('\\s', '').matches('^(?:\\+[0-9]+)?$')) {
-        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='User provided invalid number (${inargs['mobile']})'")
-      response.setResult('done')
-      return
-    }
-    String result
-    // mobile is also stored without spaces
-    def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile'].replaceAll('\\s', '')}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
-    try {
-        result = idmRestClient.patch(endPoint, patchBdy)
-    } catch(Exception e) {
-        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to save number (${e})'")
-    }
-    response.setResult('done')
-    return
-}
-
-
-// we should ask the user
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+import groovy.xml.XmlSlurper
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String mobile = session.get('ch.nevis.idm.User.mobile')
+
+String baseUrl = parameters.get('baseUrl')
+String endPoint = "${baseUrl}/core/v1/${clientExtId}/users/${userExtId}"
+
+
+if (!(parameters.get('ask_mobile_number_enabled')?.toLowerCase()?.trim() == "true")) {
+    LOG.debug("Feature 'ask mobile number' is disabled")
+    response.setResult('done')
+    return
+}
+
+if (mobile) {
+    LOG.debug("User '${user}' has already registered a mobile number")
+    response.setResult('done')
+    return
+}
+
+def agovSkipAskingMobileCookieValue = 'missing'
+
+if (getHeader('cookie') != null) {
+    def cookies = getHeader('cookie')
+    if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) {
+        agovSkipAskingMobileCookieValue = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1')
+    }
+}
+if (agovSkipAskingMobileCookieValue == 'true') {
+    // Don't aske the user again...
+    LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+    response.setResult('done')
+    return
+}
+
+
+if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
+    // language switch, nothing else to do, just display again the GUI
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+}
+
+if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip']) {
+    // no mobile, and user wants to skip it
+
+    LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', Persistent='${ inargs['skip'] == 'persistent' ? true : false }'")
+    
+    if (inargs['skip'] == 'persistent') {
+        // persistent cookie for 30d;
+        def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
+        // setHeader doesn't support multiple headers with the same name, so we use
+        // a different one, and rewrite it in the proxy with Lua
+        response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
+    }
+
+    response.setResult('done')
+    return
+}
+
+
+
+if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) {
+    // IMPORTANT/haburger/2024-DEC-09: the pattern must be the same as ch.adnovum.agov.common.util.InputPatterns.PHONE_NUMBER_PATTERN
+    if (!inargs['mobile'].replaceAll('\\s', '').matches('^(?:\\+[0-9]+)?$')) {
+        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='User provided invalid number (${inargs['mobile']})'")
+      response.setResult('done')
+      return
+    }
+    String result
+    // mobile is also stored without spaces
+    def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile'].replaceAll('\\s', '')}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
+    try {
+        result = idmRestClient.patch(endPoint, patchBdy)
+    } catch(Exception e) {
+        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to save number (${e})'")
+    }
+    response.setResult('done')
+    return
+}
+
+
+// we should ask the user
+response.setStatus(AuthResponse.AUTH_CONTINUE)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy

@@ -1,180 +1,180 @@
-boolean isEnabled() {
-    def paths = parameters.get("paths")
-    if (paths && !paths.isEmpty()) {
-        for (path in paths.split(',')) {
-            String url = request.currentResource
-            if (url.matches(path)) {
-                return true
-            }
-        }
-    }
-    return false
-}
-
-boolean isLevel(String role) {
-    if (role != null && role.isNumber()) {
-        def number = Integer.parseInt(role)
-        if (number > 0 && number <= 9) {
-            return true
-        }
-    }
-    return false
-}
-
-int getCurrentLevel() {
-    int level = 1 // level 1 is reached by definition on successful authentication
-    // levels are stored as roles once the authentication is done
-    for (String role : response.getActualRoles()) {
-        if (isLevel(role)) {
-            Integer number = Integer.parseInt(role)
-            if (number > level) {
-                level = number
-            }
-        }
-    }
-    LOG.debug("current level: $level")
-    return level
-}
-
-Integer getRequestedLevel() {
-    // try to determine required level based on SAML request (SP-initiated)
-    def context = session['ch.nevis.auth.saml.request.authnContextClassRef']
-    if (context == null) {
-        // this is expected for non-Nevis SAML partners
-        LOG.debug("unable to determine required authentication level: no AuthnContext")
-        return null
-    }
-    String prefix = 'urn:nevis:level:'
-    Integer level = null
-    if (context.contains(prefix)) {
-        def start = context.indexOf(prefix) // the prefix can appear anywhere in the context but only once
-        def remainder = context.substring(start + prefix.length())
-        for (String candidate : remainder.split(',')) {
-            if (!candidate.isNumber()) {
-                continue // must be an actual role
-            }
-            def number = Integer.parseInt(candidate)
-            if (level == null || number < level) {
-                level = number
-            }
-        }
-    }
-    if (level == null) {
-        // an AuthnContext has been sent but it does not contain the required authentication level
-        LOG.debug("unable to determine required authentication level from request: $context")
-    }
-    else {
-        LOG.info("extracted required authentication level from request: $context -> $level")
-    }
-    return level
-}
-
-Integer getRequiredLevel(levels, String issuer) {
-    // try to determine required level based on request
-    def level = getRequestedLevel()
-    if (level != null) {
-        LOG.info("required authentication level from request: $level")
-        return level
-    }
-    // else determine required level based on configuration (IDP-initiated or no authnContextClassRef sent)
-    if (issuer != null && levels.containsKey(issuer)) {
-        level = levels[issuer]
-        LOG.debug("required authentication level for issuer $issuer defined as $level")
-        return level
-    }
-    // else return null
-    LOG.debug("required authentication level for issuer $issuer is not defined")
-    return null
-}
-
-void setAuthnContext() {
-    def parts = [] as Set
-    def authLevel = response.getAuthLevel()
-    if (authLevel != null) {
-        if (isLevel(authLevel)) {
-            parts.add("urn:nevis:level:$authLevel")
-        }
-        else { // might be legacy auth.weak / auth.strong
-            parts.add(authLevel)
-        }
-    }
-    for (String role : response.getActualRoles()) {
-        if (isLevel(role)) { // previous authLevels might have been added to the roles already
-            parts.add("urn:nevis:level:$role")
-        }
-        // levels can also be normal roles so we add them always
-        parts.add(role)
-    }
-    def value = parts.sort().join(",")
-    LOG.debug("calculated AuthnContextClassRef for SAML Response: $value")
-    session['saml.idp.response.authncontext'] = value
-}
-
-boolean stepupRequired(levels, String issuer) {
-
-    Integer requiredLevel = getRequiredLevel(levels, issuer)
-    if (requiredLevel == null) {
-        LOG.info("unable to determine required authentication level for request from issuer $issuer")
-        setAuthnContext()
-        return false
-    }
-
-    Integer currentLevel = getCurrentLevel()
-    if (currentLevel >= requiredLevel) {
-        LOG.info("required authentication level $requiredLevel has been reached (current level $currentLevel)")
-        setAuthnContext()
-        return false
-    }
-
-    LOG.info("required authentication level $requiredLevel has not been reached (current level $currentLevel) - session upgrade needed")
-    request.setRequiredRoles("$requiredLevel")
-    return true
-}
-
-boolean hasAnyRequiredRole(i2r, issuer) {
-    if (issuer != null && i2r.containsKey(issuer)) {
-        def roles = i2r[issuer]
-        for (role in response.getActualRoles()) {
-            if (roles.contains(role)) {
-                return true
-            }
-        }
-    }
-}
-
-if (!isEnabled()) {
-    LOG.info("skipping SAML authorization checks.")
-    response.setResult('ok') // skip execution
-    return
-}
-
-// issuer set by IdentityProviderState (SP-initiated)
-def issuer = session['ch.nevis.auth.saml.request.issuer']
-
-// issuer to minimum required authentication level
-def i2l = [:]
-
-
-if (stepupRequired(i2l, issuer)) {
-    LOG.info("authentication level stepup required.")
-    response.setResult("stepup")
-    return // we are done for now
-}
-
-// issuer to list of required roles
-def i2r = [:]
-
-
-// issuer to ResultCond name
-def i2e = [:]
-i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
-i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
-
-
-if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {
-    LOG.info("required roles check failed.")
-    response.setResult(i2e[issuer])
-    return // we are done
-}
-
+boolean isEnabled() {
+    def paths = parameters.get("paths")
+    if (paths && !paths.isEmpty()) {
+        for (path in paths.split(',')) {
+            String url = request.currentResource
+            if (url.matches(path)) {
+                return true
+            }
+        }
+    }
+    return false
+}
+
+boolean isLevel(String role) {
+    if (role != null && role.isNumber()) {
+        def number = Integer.parseInt(role)
+        if (number > 0 && number <= 9) {
+            return true
+        }
+    }
+    return false
+}
+
+int getCurrentLevel() {
+    int level = 1 // level 1 is reached by definition on successful authentication
+    // levels are stored as roles once the authentication is done
+    for (String role : response.getActualRoles()) {
+        if (isLevel(role)) {
+            Integer number = Integer.parseInt(role)
+            if (number > level) {
+                level = number
+            }
+        }
+    }
+    LOG.debug("current level: $level")
+    return level
+}
+
+Integer getRequestedLevel() {
+    // try to determine required level based on SAML request (SP-initiated)
+    def context = session['ch.nevis.auth.saml.request.authnContextClassRef']
+    if (context == null) {
+        // this is expected for non-Nevis SAML partners
+        LOG.debug("unable to determine required authentication level: no AuthnContext")
+        return null
+    }
+    String prefix = 'urn:nevis:level:'
+    Integer level = null
+    if (context.contains(prefix)) {
+        def start = context.indexOf(prefix) // the prefix can appear anywhere in the context but only once
+        def remainder = context.substring(start + prefix.length())
+        for (String candidate : remainder.split(',')) {
+            if (!candidate.isNumber()) {
+                continue // must be an actual role
+            }
+            def number = Integer.parseInt(candidate)
+            if (level == null || number < level) {
+                level = number
+            }
+        }
+    }
+    if (level == null) {
+        // an AuthnContext has been sent but it does not contain the required authentication level
+        LOG.debug("unable to determine required authentication level from request: $context")
+    }
+    else {
+        LOG.info("extracted required authentication level from request: $context -> $level")
+    }
+    return level
+}
+
+Integer getRequiredLevel(levels, String issuer) {
+    // try to determine required level based on request
+    def level = getRequestedLevel()
+    if (level != null) {
+        LOG.info("required authentication level from request: $level")
+        return level
+    }
+    // else determine required level based on configuration (IDP-initiated or no authnContextClassRef sent)
+    if (issuer != null && levels.containsKey(issuer)) {
+        level = levels[issuer]
+        LOG.debug("required authentication level for issuer $issuer defined as $level")
+        return level
+    }
+    // else return null
+    LOG.debug("required authentication level for issuer $issuer is not defined")
+    return null
+}
+
+void setAuthnContext() {
+    def parts = [] as Set
+    def authLevel = response.getAuthLevel()
+    if (authLevel != null) {
+        if (isLevel(authLevel)) {
+            parts.add("urn:nevis:level:$authLevel")
+        }
+        else { // might be legacy auth.weak / auth.strong
+            parts.add(authLevel)
+        }
+    }
+    for (String role : response.getActualRoles()) {
+        if (isLevel(role)) { // previous authLevels might have been added to the roles already
+            parts.add("urn:nevis:level:$role")
+        }
+        // levels can also be normal roles so we add them always
+        parts.add(role)
+    }
+    def value = parts.sort().join(",")
+    LOG.debug("calculated AuthnContextClassRef for SAML Response: $value")
+    session['saml.idp.response.authncontext'] = value
+}
+
+boolean stepupRequired(levels, String issuer) {
+
+    Integer requiredLevel = getRequiredLevel(levels, issuer)
+    if (requiredLevel == null) {
+        LOG.info("unable to determine required authentication level for request from issuer $issuer")
+        setAuthnContext()
+        return false
+    }
+
+    Integer currentLevel = getCurrentLevel()
+    if (currentLevel >= requiredLevel) {
+        LOG.info("required authentication level $requiredLevel has been reached (current level $currentLevel)")
+        setAuthnContext()
+        return false
+    }
+
+    LOG.info("required authentication level $requiredLevel has not been reached (current level $currentLevel) - session upgrade needed")
+    request.setRequiredRoles("$requiredLevel")
+    return true
+}
+
+boolean hasAnyRequiredRole(i2r, issuer) {
+    if (issuer != null && i2r.containsKey(issuer)) {
+        def roles = i2r[issuer]
+        for (role in response.getActualRoles()) {
+            if (roles.contains(role)) {
+                return true
+            }
+        }
+    }
+}
+
+if (!isEnabled()) {
+    LOG.info("skipping SAML authorization checks.")
+    response.setResult('ok') // skip execution
+    return
+}
+
+// issuer set by IdentityProviderState (SP-initiated)
+def issuer = session['ch.nevis.auth.saml.request.issuer']
+
+// issuer to minimum required authentication level
+def i2l = [:]
+
+
+if (stepupRequired(i2l, issuer)) {
+    LOG.info("authentication level stepup required.")
+    response.setResult("stepup")
+    return // we are done for now
+}
+
+// issuer to list of required roles
+def i2r = [:]
+
+
+// issuer to ResultCond name
+def i2e = [:]
+i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
+
+
+if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {
+    LOG.info("required roles check failed.")
+    response.setResult(i2e[issuer])
+    return // we are done
+}
+
 response.setResult('ok')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy

@@ -1,285 +1,285 @@
-import org.codehaus.groovy.runtime.StackTraceUtils
-import groovy.xml.XmlSlurper
-
-def getUserAGOVLoiRoles() {
-  // we take the roles from actualRoles
-  return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) })
-}
-
-def getUserAGOVRecoveryRoles() {
-  // set attibutes from DTO: -> AGOV
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' }.collect({ node -> node.name.text() })
-}
-
-def getUserAGOVLoiIdVerification() {
-  // set attibutes from DTO: -> idVerification
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text().contains('AGOV-Loi,')}.collect({ node -> node.value.text()})
-}
-
-def getUserAGOVLoiIdVerification(level) {
-  // set attibutes from DTO: -> idVerification
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,level' + level}.collect({ node -> node.value.text()})
-}
-
-def getUserAGOVLoiValidFrom(level) {
-  // set attibutes from DTO: -> validFrom
-  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}?.validFrom?.text()
-}
-
-def getUserAGOVLoiValidTo(level) {
-  // set attibutes from DTO: -> validTo
-  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}?.validTo?.text()
-}
-
-def getUserIdVerificationForRecovery() {
-  // application is AGOV-AccountStatus
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  def result = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover'}?.value?.text()
-
-  if (!result) {
-    // fallback if not explicitly set
-    def currentLoaRole = getUserAGOVLoiRoles()?.sort()?.last() ?: 'level100'
-    def chDomicile = list.country.text() == 'ch'
-    def lastIdVerification = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + currentLoaRole}?.value?.text()
-    switch (currentLoaRole) {
-      case 'level100':
-        result = chDomicile ? 'SimpleLetter' : 'Video'
-        break
-      case 'level200':
-        result = chDomicile ? 'Bmid' : 'Video'
-        break
-      case 'level300':
-      case 'level400':
-        result = chDomicile ? lastIdVerification : 'Video'
-        break
-      default:
-        LOG.warn("unexpected loa on account: ${currentLoaRole}")
-        // safest default, should work in any case
-        result = 'Video'
-    }
-    LOG.warn("Recovery method not set, choosing ${result} (based on currentLoad: ${currentLoaRole}, CH-domicile: ${chDomicile}, last verification method: ${lastIdVerification})")
-  }
-  return result
-}
-
-def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber) {
-  def result = 'urn:qa.agov.ch:names:tc:ac:classes:'
-
-  switch (idVerification) {
-    case 'None':
-      result = result.concat('100')
-      break
-    case 'SimpleLetter':
-      result = result.concat('200')
-      break
-    case 'Video':
-    case 'VideoSelfPaid':
-    case 'Bmid':
-    case 'BmidSelfPaid':
-    case 'Counter':
-      result = result.concat((highestRoleLevelNumber == 400) ? '400' : '300')
-      break
-	case 'Eid':
-	  result = result.concat('400')
-	  break
-    default:
-      LOG.warn("unexpected idVerification for recovery on account: ${idVerification}")
-      // safest default, should work in any case
-      result = result.concat('' + highestRoleLevelNumber)
-  }
-
-  return result
-}
-
-def getUserMustRecoverValidFrom() {
-  // set attibutes from DTO: -> validFrom
-  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  def authzNode = payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == 'mustRecover'}
-  return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
-}
-
-// Accounting
-def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
-def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
-def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
-def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-def credentialType = session['authenticatedWith'] ?: 'unknown'
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-try {
-  // beef
-  def s = request.getAuthSession(true)
-  def highestRoleLevelNumber = 0
-
-  if (!session.get('agov.requestedRoleLevel')) {
-    LOG.error("IDP: internal error: agov.requestedRoleLevel not set in session")
-    response.setResult('error');
-    return
-  }
-  def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
-
-  def authenticationMethod = session.get('authenticatedWith')
-  if (!authenticationMethod) {
-    LOG.error("IDP: internal error: authenticationMethod not set in session")
-    response.setResult('error');
-    return
-  }
-
-  // data transformations needed for SAML and OIDC
-  // Transform sex to number
-  if(session.get('ch.nevis.idm.User.gender') == 'MALE'){
-    s.setAttribute('ch.nevis.idm.User.gender', '1')
-  }
-  if(session.get('ch.nevis.idm.User.gender') == 'FEMALE'){
-    s.setAttribute('ch.nevis.idm.User.gender', '2')
-  }
-  if(s.get('ch.nevis.idm.User.gender') == 'OTHER'){
-    s.setAttribute('ch.nevis.idm.User.gender', '3')
-  }
-
-
-  // handle accounts qa attributes, and set them in session
-  // account itself, only needed if not authenticated with e-ID
-  if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
-    def idVerificationList = getUserAGOVLoiIdVerification()
-    def idVerification = 'None'
-    if (idVerificationList && !idVerificationList.isEmpty()) {
-      idVerification = idVerificationList.last()
-    }
-    s.setAttribute('idVerification', idVerification)
-
-    // contextClassRefToSet based on highest level-role assigned to default profile
-    for (String role : getUserAGOVLoiRoles()) {
-      if (role.startsWith('level')) {
-        def roleLevel = role.substring(5)
-        int roleLevelNumber = Integer.parseInt(roleLevel)
-
-        if (highestRoleLevelNumber< roleLevelNumber) {
-          highestRoleLevelNumber=roleLevelNumber
-        }
-      }
-    }
-
-    LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString())
-    LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
-
-    //set attribute Actual Role Level
-    s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
-    LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
-
-    // set attribute ValidFrom and ValidTo (only for higher than 100)
-    if (highestRoleLevelNumber > 100) {
-      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString()))
-      def validTo = getUserAGOVLoiValidTo('level'.concat(highestRoleLevelNumber.toString()))
-
-      LOG.debug('CheckLoa: ValidFrom :' + validFrom)
-      LOG.debug('CheckLoa: ValidTo :' + validTo)
-
-      if(validFrom != '') {
-        s.setAttribute('ValidFrom', '' + validFrom)
-      }
-      if(validTo != '') {
-        s.setAttribute('ValidTo', '' + validTo)
-      }
-    }
-    if (highestRoleLevelNumber > 0) {
-      // set attribute contextClassRefToSet
-      s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
-    } else {
-      // by default 100
-      s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' )
-    }
-  }
-  // address related, needed in any case (also e-ID)
-  def adressVerificationList = getUserAGOVLoiIdVerification('200')
-  def adressVerification = 'None'
-  if (adressVerificationList && !adressVerificationList.isEmpty()) {
-    adressVerification = adressVerificationList[0]
-  }
-  s.setAttribute('agov.adressVerification', '' + adressVerification)
-
-  if (!session.get('ch.adnovum.nevisidm.profileExtId')) {
-    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-
-    // if the account has no profile, we must not return address or svnr
-    s.setAttribute('agov.appAddressRequired', 'false')
-    s.setAttribute('agov.appSvnrAllowed', 'false')
-
-    response.setResult('ok')
-    return
-  }
-
-  // no login for users with a recovery role (but onyl when not logging in with e-Id)
-  // TODO/haburger/2025-07-01: automatic recovery if logging in with e-Id
-  if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
-    // no login for users with a recovery role
-    def recoveryRoleList = getUserAGOVRecoveryRoles()
-
-    if (recoveryRoleList.contains('mustRecover')) {
-      s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
-      s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown' )
-
-      def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
-      def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
-      s.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
-
-      // align currentAgovAq with the method selected for idVerification
-      def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
-      s.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
-
-      def validFrom = getUserMustRecoverValidFrom() ?: ''
-      s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
-
-      LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
-
-      response.setResult('exit.2')
-      return
-
-    } else if (recoveryRoleList.contains('recovery')) {
-      if (recoveryRoleList.contains('recoveryCascade')) {
-        s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
-      } else {
-        s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
-      }
-      s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown')
-      s.setAttribute('agov.recovery.currentAgovAq', session.get('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
-      LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
-      def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
-      s.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
-      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
-      s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
-
-      response.setResult('exit.2')
-      return
-    }
-  } else {
-    // authenticated with e-ID, we adjust highestRoleLevelNumber to e-ID login
-    highestRoleLevelNumber = 500
-    s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
-    LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
-  }
-
-  // verifiy that AQ level is high enough
-  if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
-    response.setResult('ok')
-    return;
-  } else {
-    // Insufficient_LoaInfo
-    response.setResult('exit.1');
-    return;
-  }
-} catch (Exception ex) {
-  LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='exception occured: ${ex}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-  ex = StackTraceUtils.sanitize(ex)
-  def affectedLines = ex.stackTrace.findAll { it.className.startsWith('Script') }.collect { "${it.methodName}:${it.lineNumber}" }
-  LOG.error("FATAL: Script failure (at lines: ${affectedLines})", ex)
-  // AuthnFailed_Zero_RoleLvl
-  response.setResult('error');
-  return;
-}
+import org.codehaus.groovy.runtime.StackTraceUtils
+import groovy.xml.XmlSlurper
+
+def getUserAGOVLoiRoles() {
+  // we take the roles from actualRoles
+  return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) })
+}
+
+def getUserAGOVRecoveryRoles() {
+  // set attibutes from DTO: -> AGOV
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' }.collect({ node -> node.name.text() })
+}
+
+def getUserAGOVLoiIdVerification() {
+  // set attibutes from DTO: -> idVerification
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text().contains('AGOV-Loi,')}.collect({ node -> node.value.text()})
+}
+
+def getUserAGOVLoiIdVerification(level) {
+  // set attibutes from DTO: -> idVerification
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return list.'**'.findAll {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,level' + level}.collect({ node -> node.value.text()})
+}
+
+def getUserAGOVLoiValidFrom(level) {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}?.validFrom?.text()
+}
+
+def getUserAGOVLoiValidTo(level) {
+  // set attibutes from DTO: -> validTo
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  return payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == level}?.validTo?.text()
+}
+
+def getUserIdVerificationForRecovery() {
+  // application is AGOV-AccountStatus
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def result = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover'}?.value?.text()
+
+  if (!result) {
+    // fallback if not explicitly set
+    def currentLoaRole = getUserAGOVLoiRoles()?.sort()?.last() ?: 'level100'
+    def chDomicile = list.country.text() == 'ch'
+    def lastIdVerification = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + currentLoaRole}?.value?.text()
+    switch (currentLoaRole) {
+      case 'level100':
+        result = chDomicile ? 'SimpleLetter' : 'Video'
+        break
+      case 'level200':
+        result = chDomicile ? 'Bmid' : 'Video'
+        break
+      case 'level300':
+      case 'level400':
+        result = chDomicile ? lastIdVerification : 'Video'
+        break
+      default:
+        LOG.warn("unexpected loa on account: ${currentLoaRole}")
+        // safest default, should work in any case
+        result = 'Video'
+    }
+    LOG.warn("Recovery method not set, choosing ${result} (based on currentLoad: ${currentLoaRole}, CH-domicile: ${chDomicile}, last verification method: ${lastIdVerification})")
+  }
+  return result
+}
+
+def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber) {
+  def result = 'urn:qa.agov.ch:names:tc:ac:classes:'
+
+  switch (idVerification) {
+    case 'None':
+      result = result.concat('100')
+      break
+    case 'SimpleLetter':
+      result = result.concat('200')
+      break
+    case 'Video':
+    case 'VideoSelfPaid':
+    case 'Bmid':
+    case 'BmidSelfPaid':
+    case 'Counter':
+      result = result.concat((highestRoleLevelNumber == 400) ? '400' : '300')
+      break
+	case 'Eid':
+	  result = result.concat('400')
+	  break
+    default:
+      LOG.warn("unexpected idVerification for recovery on account: ${idVerification}")
+      // safest default, should work in any case
+      result = result.concat('' + highestRoleLevelNumber)
+  }
+
+  return result
+}
+
+def getUserMustRecoverValidFrom() {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def authzNode = payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == 'mustRecover'}
+  return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
+}
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+try {
+  // beef
+  def s = request.getAuthSession(true)
+  def highestRoleLevelNumber = 0
+
+  if (!session.get('agov.requestedRoleLevel')) {
+    LOG.error("IDP: internal error: agov.requestedRoleLevel not set in session")
+    response.setResult('error');
+    return
+  }
+  def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
+
+  def authenticationMethod = session.get('authenticatedWith')
+  if (!authenticationMethod) {
+    LOG.error("IDP: internal error: authenticationMethod not set in session")
+    response.setResult('error');
+    return
+  }
+
+  // data transformations needed for SAML and OIDC
+  // Transform sex to number
+  if(session.get('ch.nevis.idm.User.gender') == 'MALE'){
+    s.setAttribute('ch.nevis.idm.User.gender', '1')
+  }
+  if(session.get('ch.nevis.idm.User.gender') == 'FEMALE'){
+    s.setAttribute('ch.nevis.idm.User.gender', '2')
+  }
+  if(s.get('ch.nevis.idm.User.gender') == 'OTHER'){
+    s.setAttribute('ch.nevis.idm.User.gender', '3')
+  }
+
+
+  // handle accounts qa attributes, and set them in session
+  // account itself, only needed if not authenticated with e-ID
+  if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
+    def idVerificationList = getUserAGOVLoiIdVerification()
+    def idVerification = 'None'
+    if (idVerificationList && !idVerificationList.isEmpty()) {
+      idVerification = idVerificationList.last()
+    }
+    s.setAttribute('idVerification', idVerification)
+
+    // contextClassRefToSet based on highest level-role assigned to default profile
+    for (String role : getUserAGOVLoiRoles()) {
+      if (role.startsWith('level')) {
+        def roleLevel = role.substring(5)
+        int roleLevelNumber = Integer.parseInt(roleLevel)
+
+        if (highestRoleLevelNumber< roleLevelNumber) {
+          highestRoleLevelNumber=roleLevelNumber
+        }
+      }
+    }
+
+    LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString())
+    LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
+
+    //set attribute Actual Role Level
+    s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
+    LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
+
+    // set attribute ValidFrom and ValidTo (only for higher than 100)
+    if (highestRoleLevelNumber > 100) {
+      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString()))
+      def validTo = getUserAGOVLoiValidTo('level'.concat(highestRoleLevelNumber.toString()))
+
+      LOG.debug('CheckLoa: ValidFrom :' + validFrom)
+      LOG.debug('CheckLoa: ValidTo :' + validTo)
+
+      if(validFrom != '') {
+        s.setAttribute('ValidFrom', '' + validFrom)
+      }
+      if(validTo != '') {
+        s.setAttribute('ValidTo', '' + validTo)
+      }
+    }
+    if (highestRoleLevelNumber > 0) {
+      // set attribute contextClassRefToSet
+      s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
+    } else {
+      // by default 100
+      s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' )
+    }
+  }
+  // address related, needed in any case (also e-ID)
+  def adressVerificationList = getUserAGOVLoiIdVerification('200')
+  def adressVerification = 'None'
+  if (adressVerificationList && !adressVerificationList.isEmpty()) {
+    adressVerification = adressVerificationList[0]
+  }
+  s.setAttribute('agov.adressVerification', '' + adressVerification)
+
+  if (!session.get('ch.adnovum.nevisidm.profileExtId')) {
+    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+
+    // if the account has no profile, we must not return address or svnr
+    s.setAttribute('agov.appAddressRequired', 'false')
+    s.setAttribute('agov.appSvnrAllowed', 'false')
+
+    response.setResult('ok')
+    return
+  }
+
+  // no login for users with a recovery role (but onyl when not logging in with e-Id)
+  // TODO/haburger/2025-07-01: automatic recovery if logging in with e-Id
+  if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
+    // no login for users with a recovery role
+    def recoveryRoleList = getUserAGOVRecoveryRoles()
+
+    if (recoveryRoleList.contains('mustRecover')) {
+      s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+      s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown' )
+
+      def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+      def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
+      s.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
+
+      // align currentAgovAq with the method selected for idVerification
+      def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
+      s.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
+
+      def validFrom = getUserMustRecoverValidFrom() ?: ''
+      s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
+
+      LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
+
+      response.setResult('exit.2')
+      return
+
+    } else if (recoveryRoleList.contains('recovery')) {
+      if (recoveryRoleList.contains('recoveryCascade')) {
+        s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
+      } else {
+        s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+      }
+      s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown')
+      s.setAttribute('agov.recovery.currentAgovAq', session.get('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+      LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
+      def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
+      s.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
+      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
+      s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
+
+      response.setResult('exit.2')
+      return
+    }
+  } else {
+    // authenticated with e-ID, we adjust highestRoleLevelNumber to e-ID login
+    highestRoleLevelNumber = 500
+    s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
+    LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
+  }
+
+  // verifiy that AQ level is high enough
+  if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
+    response.setResult('ok')
+    return;
+  } else {
+    // Insufficient_LoaInfo
+    response.setResult('exit.1');
+    return;
+  }
+} catch (Exception ex) {
+  LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='exception occured: ${ex}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+  ex = StackTraceUtils.sanitize(ex)
+  def affectedLines = ex.stackTrace.findAll { it.className.startsWith('Script') }.collect { "${it.methodName}:${it.lineNumber}" }
+  LOG.error("FATAL: Script failure (at lines: ${affectedLines})", ex)
+  // AuthnFailed_Zero_RoleLvl
+  response.setResult('error');
+  return;
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_account_linking_mobile_nless_auth.groovy

@@ -1,100 +1,100 @@
-import groovy.json.JsonBuilder
-import ch.nevis.esauth.auth.engine.AuthResponse
-
-
-def getHeader(String name) {
-    def inctx = request.getLoginContext()
-    // case-insensitive lookup of HTTP headers
-    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
-    map.putAll(inctx)
-    return map['connection.HttpHeader.' + name]
-}
-
-def clearFidoUAFSession() {
-    LOG.debug("start new FIDO UAF session (skipping ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']}")
-    def s = request.getAuthSession(true)
-    s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
-    inargs.remove('fallback')
-}
-
-
-def clearIdmSessionAttributes() {
-  def s = request.getAuthSession(true)
-  def sessionKeySet = new HashSet(session.keySet()) 
-  sessionKeySet.each { key -> 
-    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
-      s.removeAttribute(key)
-    }
-  }
-}
-
-
-def sess = request.getAuthSession(true)
-
-// dispatch AJAX calls and form POST when operation is done
-if (inargs['fidoUafDone'] == 'true' ||
-    inargs.containsKey('o.fidoUafSessionId.v') ||
-    getHeader('Content-Type') == 'application/json') {
-
-    if (inargs.containsKey('o.fidoUafSessionId.v') && (inargs['o.fidoUafSessionId.v'] != session['ch.nevis.auth.fido.uaf.fidouafsessionid'])) {
-        // received polling for wrong fido session; make sure, that stops
-        LOG.debug("received polling for wrong fido session ${inargs['o.fidoUafSessionId.v']} (correct: ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']})")
-        def json = new JsonBuilder()
-        json {
-            "status" "unknown"
-            "timestamp" org.joda.time.DateTime.now().toString()
-        }
-        String body = json.toString()
-
-        response.setContent(body)
-        response.setContentType('application/json')
-        response.setHttpStatusCode(200)
-        response.setIsDirectResponse(true)
-        response.setStatus(AuthResponse.AUTH_CONTINUE)
-        return
-    }
-
-  if (inargs['fidoUafDone'] == 'true') {
-    // get clean state, before validating user in IDM
-    LOG.debug("clear IDM session attributes")
-    clearIdmSessionAttributes()
-  }
-
-    // continue with OutOfBandFidoUafAuthState
-    response.setResult('ok')
-}
-
-// dispatch form post with fallback input field : transition to FIDO Token authentication
-if (inargs['fallback'] == 'fallback') {
-    sess.setAttribute("eid.placeholder.text", "Fido2 login not implemented yet")
-    response.setResult('fido2')
-}
-
-// dispatch to recovery
-if (inargs['fallback'] == 'recovery') {
-    response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
-    response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
-    response.setIsRedirectTransfer(true)
-    // Remove existing cookies before redirecting to RECOVERY
-    def agovRecoveryCookie = "agovRecovery=deleted; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict; Secure; HttpOnly"
-    response.setHeader('Set-Cookie', agovRecoveryCookie)
-    return
-}
-
-// dispatch form post with fallback input field : go to registration with right loa
-if (inargs['fallback'] == 'register') {
-    sess.setAttribute("eid.placeholder.text", "Registration should not be called here?")
-    response.setResult('registration')
-}
-
-// cancel and go back to login
-if (inargs['fallback'] == 'back') {
-    response.setResult('back')
-}
-
-
-// dispatch form post with onReload input field : refresh QR-code FIDO UAF
-if (inargs.containsKey('onReload')) {
-    clearFidoUAFSession()
-    response.setResult('default')
-}
+import groovy.json.JsonBuilder
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+def clearFidoUAFSession() {
+    LOG.debug("start new FIDO UAF session (skipping ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']}")
+    def s = request.getAuthSession(true)
+    s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
+    inargs.remove('fallback')
+}
+
+
+def clearIdmSessionAttributes() {
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
+      s.removeAttribute(key)
+    }
+  }
+}
+
+
+def sess = request.getAuthSession(true)
+
+// dispatch AJAX calls and form POST when operation is done
+if (inargs['fidoUafDone'] == 'true' ||
+    inargs.containsKey('o.fidoUafSessionId.v') ||
+    getHeader('Content-Type') == 'application/json') {
+
+    if (inargs.containsKey('o.fidoUafSessionId.v') && (inargs['o.fidoUafSessionId.v'] != session['ch.nevis.auth.fido.uaf.fidouafsessionid'])) {
+        // received polling for wrong fido session; make sure, that stops
+        LOG.debug("received polling for wrong fido session ${inargs['o.fidoUafSessionId.v']} (correct: ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']})")
+        def json = new JsonBuilder()
+        json {
+            "status" "unknown"
+            "timestamp" org.joda.time.DateTime.now().toString()
+        }
+        String body = json.toString()
+
+        response.setContent(body)
+        response.setContentType('application/json')
+        response.setHttpStatusCode(200)
+        response.setIsDirectResponse(true)
+        response.setStatus(AuthResponse.AUTH_CONTINUE)
+        return
+    }
+
+  if (inargs['fidoUafDone'] == 'true') {
+    // get clean state, before validating user in IDM
+    LOG.debug("clear IDM session attributes")
+    clearIdmSessionAttributes()
+  }
+
+    // continue with OutOfBandFidoUafAuthState
+    response.setResult('ok')
+}
+
+// dispatch form post with fallback input field : transition to FIDO Token authentication
+if (inargs['fallback'] == 'fallback') {
+    sess.setAttribute("eid.placeholder.text", "Fido2 login not implemented yet")
+    response.setResult('fido2')
+}
+
+// dispatch to recovery
+if (inargs['fallback'] == 'recovery') {
+    response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
+    response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+    response.setIsRedirectTransfer(true)
+    // Remove existing cookies before redirecting to RECOVERY
+    def agovRecoveryCookie = "agovRecovery=deleted; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict; Secure; HttpOnly"
+    response.setHeader('Set-Cookie', agovRecoveryCookie)
+    return
+}
+
+// dispatch form post with fallback input field : go to registration with right loa
+if (inargs['fallback'] == 'register') {
+    sess.setAttribute("eid.placeholder.text", "Registration should not be called here?")
+    response.setResult('registration')
+}
+
+// cancel and go back to login
+if (inargs['fallback'] == 'back') {
+    response.setResult('back')
+}
+
+
+// dispatch form post with onReload input field : refresh QR-code FIDO UAF
+if (inargs.containsKey('onReload')) {
+    clearFidoUAFSession()
+    response.setResult('default')
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_account_linking_redirect_to_agovme.groovy

@@ -1,23 +1,23 @@
-if(outargs.containsKey('saml.SAMLResponse')) {
-     // Accounting
-     def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
-     def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
-     def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
-     def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-     def credentialType = session['agov.authenticatedWith'] ?: 'unknown'
-     def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-     def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-     LOG.info("Event='GOTOEIDLINKING', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")     
-     
-     // Redirect
-     response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
-     response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
-     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
-     response.setIsRedirectTransfer(false)
-
-     response.removeOutArg('saml.SAMLResponse')
-}
-else {
-    response.setResult('ok')
+if(outargs.containsKey('saml.SAMLResponse')) {
+     // Accounting
+     def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+     def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+     def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+     def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+     def credentialType = session['agov.authenticatedWith'] ?: 'unknown'
+     def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+     def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+     LOG.info("Event='GOTOEIDLINKING', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")     
+     
+     // Redirect
+     response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
+     response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
+     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+     response.setIsRedirectTransfer(false)
+
+     response.removeOutArg('saml.SAMLResponse')
+}
+else {
+    response.setResult('ok')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_compare_and_update_idm_attributes.groovy

@@ -1,158 +1,159 @@
-import java.text.SimpleDateFormat
-import groovy.text.SimpleTemplateEngine
-
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-
-def getDateWithoutTimestamp(String date){
-    def result = date
-    if(date.matches('^[0-9-]+[+]{1}.*')){
-        result = date.replaceAll('[+]{1}.*', "")
-    }
-    return result
-}
-
-// NOTE/aca/2025/06/19: We could also reload the data from idm after the update instead of updating the session variables manualy -> probably better and less error-prone
-def compareAndUpdateSessionVariables(sess, keys, isProperty){
-    def updatedKeys = []
-    for(key in keys){
-        def idmkey = isProperty ? "ch.nevis.idm.User.prop.$key" : "ch.nevis.idm.User.$key"
-        def eidValue = session["agov.eid.User.$key"] ?: ""
-        def idmValue = session[idmkey] ?: ""
-        if(!idmValue || eidValue != idmValue){
-            sess.setAttribute(idmkey, eidValue)
-            updatedKeys.add(key)
-        }
-    }
-    return updatedKeys
-}
-
-// TODO/haburger/2025-07-01: we should also set the verificationMethod, etc. of the level400 role
-String user_update_dto_template = '''
-{
-    "name": {
-        "firstName": "$firstName",
-        "familyName": "$familyName"
-    },
-    "properties": {
-        "svnr": "$svnr",
-        "placeOfBirth": "$placeOfBirth",
-        "nationality": "$nationality",
-        "eIdNumber": "$eIdNumber"
-    },
-    "gender": "$gender",
-    "birthDate": "$birthDate",
-
-    "modificationComment": "updated user information with eid attributes during request $request"
-}
-'''
-
-// Accounting
-def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
-def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
-def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
-def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-def credentialType = session['authenticatedWith'] ?: 'unknown'
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-
-
-def sess = request.getAuthSession(true)
-
-// Convert EID gender format to IDM
-if(sess.get('agov.eid.User.gender') == '1'){
-    sess.setAttribute('agov.eid.User.gender', 'MALE')
-}
-if(sess.get('agov.eid.User.gender') == '2'){
-    sess.setAttribute('agov.eid.User.gender', 'FEMALE')
-}
-if(sess.get('agov.eid.User.gender') == '3'){
-    sess.setAttribute('agov.eid.User.gender', 'OTHER')
-}
-
-// Compare eid and idm attributes + update idm session variables if they differ 
-def attributesToAudit = compareAndUpdateSessionVariables(sess, ["firstName", "lastName", "gender"], false)
-// NOTE/aca/2025/06/14/: Potentally Throw a DATA ERROR if the properties are different? -> should the svnr number ever change?
-def propertiesToAudit = compareAndUpdateSessionVariables(sess, ["svnr", "eIdNumber", "nationality", "placeOfBirth"], true)
-
-
-// Handle birthdate seperately, since it can contain a timestamp -> we probably don't want to update if only the timestamp is wrong
-String eidBirthdate = getDateWithoutTimestamp(session["agov.eid.User.birthDate"] ?: "")
-String idmBirthdate = getDateWithoutTimestamp(session["ch.nevis.idm.User.birthDate"] ?: "")
-LOG.debug("eidBirthdate: $eidBirthdate    idmBirthdate: $idmBirthdate")
-if(eidBirthdate != idmBirthdate){
-    sess.setAttribute("ch.nevis.idm.User.birthDate", eidBirthdate)
-    // For some reson IdmGetPropertyState uses a different date format than IdmSetPropertyState?
-    //def date = new SimpleDateFormat('yyyy-MM-dd').parse(eidBirthdate)
-    //def idmFromatedBirthDate = new SimpleDateFormat('dd.MM.yyyy').format(date) 
-    //sess.setAttribute("ch.nevis.idm.User.birthDate.idmFormat", idmFromatedBirthDate)
-    attributesToAudit.add("birthDate") 
-}
-
-// Check if we need to update IDM
-def auditedRequired = attributesToAudit.size() > 0 || propertiesToAudit.size() > 0
-
-if(auditedRequired){
-    // update attributes in idm & transition to User notification
-    IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-
-    String baseUrl = parameters.get("baseUrl")
-    String clientExtId = parameters.get("clientExtId")
-    String endPoint = "$baseUrl/api/core/v1"
-    String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
-
-    String requestUrl = "$endPoint/$clientExtId/users/$userExtId"
-
-
-    
-    def binding = [
-        "firstName":        sess.getAttribute('agov.eid.User.firstName'), 
-        "familyName":       sess.getAttribute('agov.eid.User.lastName'),
-        "svnr":             sess.getAttribute('agov.eid.User.svnr'),
-        "placeOfBirth":     sess.getAttribute('agov.eid.User.placeOfBirth'),
-        "nationality":      sess.getAttribute('agov.eid.User.nationality'),
-        "eIdNumber":        sess.getAttribute('agov.eid.User.eIdNumber'),
-        "gender":           sess.getAttribute('agov.eid.User.gender').toLowerCase(),
-        "birthDate":        sess.getAttribute('agov.eid.User.birthDate'),
-        "request":          requestId
-        ]
-
-    def templateEngine = new SimpleTemplateEngine()
-    def userUpdateDto = templateEngine.createTemplate(user_update_dto_template).make(binding).toString()
-
-    try {
-        idmRestClient.patch(requestUrl, userUpdateDto)
-    
-    }catch(Exception e) {
-        LOG.error("Failed to update User data in IDM: ${e}")
-        LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to update User data in IDM'")
-        response.setResult('error')
-        return
-    }
-    String printKeys = attributesToAudit.toListString()
-    LOG.debug("AuditedAttributes: $printKeys")
- 
-    // Transform gender back to number
-    if(sess.get('ch.nevis.idm.User.gender') == 'MALE'){
-        sess.setAttribute('ch.nevis.idm.User.gender', '1')
-    }
-    if(sess.get('ch.nevis.idm.User.gender') == 'FEMALE'){
-        sess.setAttribute('ch.nevis.idm.User.gender', '2')
-    }
-    if(sess.get('ch.nevis.idm.User.gender') == 'OTHER'){
-        sess.setAttribute('ch.nevis.idm.User.gender', '3')
-    }
-
-    response.setResult('audited')
-}else{
-    // Attributes match & no notification needed => continue by updating the linking credential and sending the saml assertion
-    // NOTE/aca/2025/06/19: We skip checking the account state, recovery code, mobile number and LoA
-     LOG.debug("No Audit Required: Logging user in")
-    response.setResult('noChange')
-}
-
-
-
-
-
+import java.text.SimpleDateFormat
+import groovy.text.SimpleTemplateEngine
+
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+
+def getDateWithoutTimestamp(String date){
+    def result = date
+    if(date.matches('^[0-9-]+[+]{1}.*')){
+        result = date.replaceAll('[+]{1}.*', "")
+    }
+    return result
+}
+
+// NOTE/aca/2025/06/19: We could also reload the data from idm after the update instead of updating the session variables manualy -> probably better and less error-prone
+def compareAndUpdateSessionVariables(sess, keys, isProperty){
+    def updatedKeys = []
+    for(key in keys){
+        def idmkey = isProperty ? "ch.nevis.idm.User.prop.$key" : "ch.nevis.idm.User.$key"
+        def eidValue = session["agov.eid.User.$key"] ?: ""
+        def idmValue = session[idmkey] ?: ""
+        if(!idmValue || eidValue != idmValue){
+            sess.setAttribute(idmkey, eidValue)
+            updatedKeys.add(key)
+        }
+    }
+    return updatedKeys
+}
+
+// TODO/haburger/2025-07-01: we should also set the verificationMethod, etc. of the level400 role
+String user_update_dto_template = '''
+{
+    "name": {
+        "firstName": "$firstName",
+        "familyName": "$familyName"
+    },
+    "properties": {
+        "svnr": "$svnr",
+        "placeOfBirth": "$placeOfBirth",
+        "nationality": "$nationality",
+        "eIdNumber": "$eIdNumber"
+    },
+    "gender": "$gender",
+    "birthDate": "$birthDate",
+
+    "modificationComment": "updated user information with eid attributes during request $request"
+}
+'''
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+
+
+def sess = request.getAuthSession(true)
+
+// Convert EID gender format to IDM
+if(sess.get('agov.eid.User.gender') == '1'){
+    sess.setAttribute('agov.eid.User.gender', 'MALE')
+}
+if(sess.get('agov.eid.User.gender') == '2'){
+    sess.setAttribute('agov.eid.User.gender', 'FEMALE')
+}
+if(sess.get('agov.eid.User.gender') == '3'){
+    sess.setAttribute('agov.eid.User.gender', 'OTHER')
+}
+
+// Compare eid and idm attributes + update idm session variables if they differ 
+def attributesToAudit = compareAndUpdateSessionVariables(sess, ["firstName", "lastName", "gender"], false)
+// NOTE/aca/2025/06/14/: Potentally Throw a DATA ERROR if the properties are different? -> should the svnr number ever change?
+def propertiesToAudit = compareAndUpdateSessionVariables(sess, ["svnr", "eIdNumber", "nationality", "placeOfBirth"], true)
+
+
+// Handle birthdate seperately, since it can contain a timestamp -> we probably don't want to update if only the timestamp is wrong
+String eidBirthdate = getDateWithoutTimestamp(session["agov.eid.User.birthDate"] ?: "")
+String idmBirthdate = getDateWithoutTimestamp(session["ch.nevis.idm.User.birthDate"] ?: "")
+LOG.debug("eidBirthdate: $eidBirthdate    idmBirthdate: $idmBirthdate")
+if(eidBirthdate != idmBirthdate){
+    sess.setAttribute("ch.nevis.idm.User.birthDate", eidBirthdate)
+    // For some reson IdmGetPropertyState uses a different date format than IdmSetPropertyState?
+    //def date = new SimpleDateFormat('yyyy-MM-dd').parse(eidBirthdate)
+    //def idmFromatedBirthDate = new SimpleDateFormat('dd.MM.yyyy').format(date) 
+    //sess.setAttribute("ch.nevis.idm.User.birthDate.idmFormat", idmFromatedBirthDate)
+    attributesToAudit.add("birthDate") 
+}
+
+// Check if we need to update IDM
+def auditedRequired = attributesToAudit.size() > 0 || propertiesToAudit.size() > 0
+
+if(auditedRequired){
+    // update attributes in idm & transition to User notification
+    IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+    String baseUrl = parameters.get("baseUrl")
+    String clientExtId = parameters.get("clientExtId")
+    String endPoint = "$baseUrl/api/core/v1"
+    String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
+
+    String requestUrl = "$endPoint/$clientExtId/users/$userExtId"
+
+
+    
+    def binding = [
+        "firstName":        sess.getAttribute('agov.eid.User.firstName'), 
+        "familyName":       sess.getAttribute('agov.eid.User.lastName'),
+        "svnr":             sess.getAttribute('agov.eid.User.svnr'),
+        "placeOfBirth":     sess.getAttribute('agov.eid.User.placeOfBirth'),
+        "nationality":      sess.getAttribute('agov.eid.User.nationality'),
+        "eIdNumber":        sess.getAttribute('agov.eid.User.eIdNumber'),
+        "gender":           sess.getAttribute('agov.eid.User.gender').toLowerCase(),
+        "birthDate":        sess.getAttribute('agov.eid.User.birthDate'),
+        "request":          requestId
+        ]
+
+    def templateEngine = new SimpleTemplateEngine()
+    def userUpdateDto = templateEngine.createTemplate(user_update_dto_template).make(binding).toString()
+
+    try {
+        idmRestClient.patch(requestUrl, userUpdateDto)
+    
+    }catch(Exception e) {
+        LOG.error("Failed to update User data in IDM: ${e}")
+        LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to update User data in IDM'")
+        response.setResult('error')
+        return
+    }
+    String printKeys = attributesToAudit.toListString()
+    LOG.debug("AuditedAttributes: $printKeys")
+ 
+    // Transform gender back to number
+    if(sess.get('ch.nevis.idm.User.gender') == 'MALE'){
+        sess.setAttribute('ch.nevis.idm.User.gender', '1')
+    }
+    if(sess.get('ch.nevis.idm.User.gender') == 'FEMALE'){
+        sess.setAttribute('ch.nevis.idm.User.gender', '2')
+    }
+    if(sess.get('ch.nevis.idm.User.gender') == 'OTHER'){
+        sess.setAttribute('ch.nevis.idm.User.gender', '3')
+    }
+
+    response.setResult('audited')
+}else{
+    // Attributes match & no notification needed => continue by updating the linking credential and sending the saml assertion
+    // NOTE/aca/2025/06/19: We skip checking the account state, recovery code, mobile number and LoA
+     LOG.debug("No Audit Required: Logging user in")
+    response.setResult('noChange')
+}
+
+
+
+
+
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_fetch_linked_accounts.groovy

@@ -1,200 +1,201 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-import ch.nevis.idm.client.HTTPRequestWrapper
-
-import groovy.json.JsonSlurper
-import groovy.json.JsonBuilder
-
-def getHeader(String name) {
-	def inctx = request.getLoginContext()
-	// case-insensitive lookup of HTTP headers
-	def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
-	map.putAll(inctx)
-	return map['connection.HttpHeader.' + name]
-}
-
-def clearEidSession(){
-    def s = request.getAuthSession(true)
-    s.removeAttribute('agov.eid.verification')
-    s.removeAttribute('agov.eid.verification.id')
-    s.removeAttribute('agov.eid.verification.link')
-    s.removeAttribute('agov.eid.linkedAccountsDto')
-    s.removeAttribute('agov.eid.User.birthDate')
-    s.removeAttribute('agov.eid.User.eIdNumber')
-    s.removeAttribute('agov.eid.User.firstName')
-    s.removeAttribute('agov.eid.User.lastName')
-    s.removeAttribute('agov.eid.User.gender')
-    s.removeAttribute('agov.eid.User.nationality')
-    s.removeAttribute('agov.eid.User.placeOfBirth')
-    s.removeAttribute('agov.eid.User.svnr')
-    s.removeAttribute('agov.eid.User.origin')
-}
-
-def getAccounts(json, String svnr) {
-    String svnrWithPrefix = "urn:ch-agov-eid:$svnr"
-    def idm_users_dto = json["Resources"]
-    def accounts = [:]
-    def frontend_dto = []
-
-    for(user in idm_users_dto){
-
-        def credentials_dto = user["urn:nevis:idm:scim:schemas:v1:extension:User"]["credentials"]
-        if(!credentials_dto){
-            LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${extId}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='AGOV account has no credentials'")
-        }
-
-        for(cred in credentials_dto){
-			def foundCredential = false
-            def extId = user["externalId"]
-            //TODO/aca/2025/06/11: Can we have multiple email adresses? -> if yes search for primary
-            String email = user["emails"][0]["value"]
-			if(cred["type"] == "SAMLFEDERATION" && ( cred["issuerNameId"] == svnr || cred["issuerNameId"] == svnrWithPrefix )){
-                // we found more than one federation credential in one AGOV account -> Throw data error
-                if(foundCredential){
-                    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${extId}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Multiple EId linking credentials found in one AGOV account'")
-                    return [null,null]
-                }
-
-                // extract login info
-                def firstLogin = true
-                if(cred["credentialLoginInfo"]){
-                    if(cred["credentialLoginInfo"]["lastLogin"] && cred["credentialLoginInfo"]["lastLogin"] != ""){
-                        firstLogin = false
-                    }
-                }
-
-                //NOTE/aca/2025/06/11: Assume that this is sanitized when registered.
-				def accountName = cred['subjectNameId']
-                def credentialExtId = cred['extId']
-                 
-                accounts.put(email, [ "extId": extId, "credentialExtId": cred['extId'], "firstLogin": firstLogin ] )
-                frontend_dto.add(["email": email, "description": accountName])
-
-                foundCredential=true
-			}
-        }
-    }
-    return [ accounts, [ "accounts": frontend_dto ] ]
-}
-
-def sess = request.getAuthSession(true)
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-
-// Accounting
-def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
-def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
-def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
-def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-def credentialType = session['authenticatedWith'] ?: 'unknown'
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-
-if(inargs['submit'] && inargs['login'] && inargs['login'] != ''){
-    LOG.debug("Account with email: ${inargs['login']} was selceted -> Continuing")
-    
-    def accounts = new JsonSlurper().parseText(session['agov.eid.linkedAccountsDto'])
-    def account = accounts.get( inargs['login'].trim() )
-
-    sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
-    sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
-
-    if(account["firstLogin"]){
-        response.setResult('firstLogin')
-        return
-    }
-
-    response.setResult('ok')
-    return
-}
-
-if(inargs['cancelEid'] && inargs['cancelEid'] == 'cancel'){
-    LOG.debug("Account selection was canceled: back to initial login screen")
-    clearEidSession()
-    response.setResult('backToVerification')
-    return
-}
-
-
-if(getHeader('Content-Type') == 'application/json'){
-    String account_selection_dto = session['agov.eid.linkedAccountsFrontendDto']
-
-    response.setContent(account_selection_dto.toString())
-	response.setContentType('application/json')
-	response.setHttpStatusCode(200)
-	response.setIsDirectResponse(true)
-	response.setStatus(AuthResponse.AUTH_CONTINUE)
-	return
-}
-
-
-String baseUrl = parameters.get("baseUrl")
-String clientExtId = parameters.get("clientExtId")
-String endPoint = "$baseUrl/api/scim/v1/$clientExtId/Users"
-
-// Fetch account identifier
-String svnr = sess.getAttribute("agov.eid.User.svnr")
-LOG.debug("search for accounts with SVNR: $svnr")
-
-// Pepare GET request
-String attributes = "externalId,emails,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.subjectNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.extId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.credentialLoginInfo.lastLogin"
-String filter = "urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type=='SAMLFEDERATION'%20AND%20%28%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'$svnr'%20OR%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'urn:ch-agov-eid:$svnr'%29"
-
-String requestUrl = "$endPoint?count=20&attributes=$attributes&filter=$filter"
-
-String scimResponse
-try {
-
-    scimResponse = idmRestClient.get(requestUrl)
-    
-    //TODO/aca/2025/06/11: Fetch more pages if more than 20 entries have been found
-
-    LOG.debug("SCIM Response: $scimResponse")
-
-    def json = new JsonSlurper().parseText(scimResponse)
-    def (accounts, frontend_dto) = getAccounts(json, svnr)
-
-    // unrecoverable DATA ERROR happend
-    if(accounts == null){
-        response.setResult('error')
-        return
-    }
-
-    def numAccounts = accounts.size()
-
-    LOG.debug("Linked accounts found: " + frontend_dto.toString())
-
-    if(numAccounts == 0){
-        // No account found => show account linking dialog options
-        response.setResult('noAccount')
-        return
-    }else if(numAccounts == 1){
-        // One account found -> continue with loading attributes from idm (+ notification if it is the first login)
-        def account = accounts.values().first()
-        sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
-        sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
-
-        if(account["firstLogin"]){
-            response.setResult('firstLogin')
-            return
-        }
-
-        response.setResult('ok')
-        return
-    }else{
-        // Multiple accounts found -> Dispatch the account selection screen
-        sess.setAttribute('agov.eid.linkedAccountsDto', new JsonBuilder(accounts).toString())
-        sess.setAttribute('agov.eid.linkedAccountsFrontendDto', new JsonBuilder(frontend_dto).toString())
-
-        LOG.debug("Show GUI")
-        response.setStatus(AuthResponse.AUTH_CONTINUE)
-        return
-    }
-    
-} catch(Exception e) {
-    LOG.error("Fetching Agov Accounts Failed: ${e}")
-    sess.setAttribute("eid.placeholder.text", "EId: An exception occured while fetching the AGOV accounts\n: ${e}")
-    response.setResult('error')
-    return
-}
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+import groovy.json.JsonBuilder
+
+def getHeader(String name) {
+	def inctx = request.getLoginContext()
+	// case-insensitive lookup of HTTP headers
+	def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+	map.putAll(inctx)
+	return map['connection.HttpHeader.' + name]
+}
+
+def clearEidSession(){
+    def s = request.getAuthSession(true)
+    s.removeAttribute('agov.eid.verification')
+    s.removeAttribute('agov.eid.verification.id')
+    s.removeAttribute('agov.eid.verification.link')
+    s.removeAttribute('agov.eid.linkedAccountsDto')
+    s.removeAttribute('agov.eid.User.birthDate')
+    s.removeAttribute('agov.eid.User.eIdNumber')
+    s.removeAttribute('agov.eid.User.firstName')
+    s.removeAttribute('agov.eid.User.lastName')
+    s.removeAttribute('agov.eid.User.gender')
+    s.removeAttribute('agov.eid.User.nationality')
+    s.removeAttribute('agov.eid.User.placeOfBirth')
+    s.removeAttribute('agov.eid.User.svnr')
+    s.removeAttribute('agov.eid.User.origin')
+}
+
+def getAccounts(json, String svnr) {
+    String svnrWithPrefix = "urn:ch-agov-eid:$svnr"
+    def idm_users_dto = json["Resources"]
+    def accounts = [:]
+    def frontend_dto = []
+
+    for(user in idm_users_dto){
+
+        def credentials_dto = user["urn:nevis:idm:scim:schemas:v1:extension:User"]["credentials"]
+        if(!credentials_dto){
+            LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${extId}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='AGOV account has no credentials'")
+        }
+
+        for(cred in credentials_dto){
+			def foundCredential = false
+            def extId = user["externalId"]
+            //TODO/aca/2025/06/11: Can we have multiple email adresses? -> if yes search for primary
+            String email = user["emails"][0]["value"]
+			if(cred["type"] == "SAMLFEDERATION" && ( cred["issuerNameId"] == svnr || cred["issuerNameId"] == svnrWithPrefix )){
+                // we found more than one federation credential in one AGOV account -> Throw data error
+                if(foundCredential){
+                    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${extId}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Multiple EId linking credentials found in one AGOV account'")
+                    return [null,null]
+                }
+
+                // extract login info
+                def firstLogin = true
+                if(cred["credentialLoginInfo"]){
+                    if(cred["credentialLoginInfo"]["lastLogin"] && cred["credentialLoginInfo"]["lastLogin"] != ""){
+                        firstLogin = false
+                    }
+                }
+
+                //NOTE/aca/2025/06/11: Assume that this is sanitized when registered.
+				def accountName = cred['subjectNameId']
+                def credentialExtId = cred['extId']
+                 
+                accounts.put(email, [ "extId": extId, "credentialExtId": cred['extId'], "firstLogin": firstLogin ] )
+                frontend_dto.add(["email": email, "description": accountName])
+
+                foundCredential=true
+			}
+        }
+    }
+    return [ accounts, [ "accounts": frontend_dto ] ]
+}
+
+def sess = request.getAuthSession(true)
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def credentialType = session['authenticatedWith'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+
+if(inargs['submit'] && inargs['login'] && inargs['login'] != ''){
+    LOG.debug("Account with email: ${inargs['login']} was selceted -> Continuing")
+    
+    def accounts = new JsonSlurper().parseText(session['agov.eid.linkedAccountsDto'])
+    def account = accounts.get( inargs['login'].trim() )
+
+    sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
+    sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
+
+    if(account["firstLogin"]){
+        response.setResult('firstLogin')
+        return
+    }
+
+    response.setResult('ok')
+    return
+}
+
+if(inargs['cancelEid'] && inargs['cancelEid'] == 'cancel'){
+    LOG.debug("Account selection was canceled: back to initial login screen")
+    clearEidSession()
+    response.setResult('backToVerification')
+    return
+}
+
+
+if(getHeader('Content-Type') == 'application/json'){
+    String account_selection_dto = session['agov.eid.linkedAccountsFrontendDto']
+
+    response.setContent(account_selection_dto.toString())
+	response.setContentType('application/json')
+	response.setHttpStatusCode(200)
+	response.setIsDirectResponse(true)
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+
+String baseUrl = parameters.get("baseUrl")
+String clientExtId = parameters.get("clientExtId")
+String endPoint = "$baseUrl/api/scim/v1/$clientExtId/Users"
+
+// Fetch account identifier
+String svnr = sess.getAttribute("agov.eid.User.svnr")
+LOG.debug("search for accounts with SVNR: $svnr")
+
+// Pepare GET request
+String attributes = "externalId,emails,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.subjectNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.extId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.credentialLoginInfo.lastLogin"
+String filter = "urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type=='SAMLFEDERATION'%20AND%20%28%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'$svnr'%20OR%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'urn:ch-agov-eid:$svnr'%29"
+
+String requestUrl = "$endPoint?count=20&attributes=$attributes&filter=$filter"
+
+String scimResponse
+try {
+
+    scimResponse = idmRestClient.get(requestUrl)
+    
+    //TODO/aca/2025/06/11: Fetch more pages if more than 20 entries have been found
+
+    LOG.debug("SCIM Response: $scimResponse")
+
+    def json = new JsonSlurper().parseText(scimResponse)
+    def (accounts, frontend_dto) = getAccounts(json, svnr)
+
+    // unrecoverable DATA ERROR happend
+    if(accounts == null){
+        response.setResult('error')
+        return
+    }
+
+    def numAccounts = accounts.size()
+
+    LOG.debug("Linked accounts found: " + frontend_dto.toString())
+
+    if(numAccounts == 0){
+        // No account found => show account linking dialog options
+        response.setResult('noAccount')
+        return
+    }else if(numAccounts == 1){
+        // One account found -> continue with loading attributes from idm (+ notification if it is the first login)
+        def account = accounts.values().first()
+        sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
+        sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
+
+        if(account["firstLogin"]){
+            response.setResult('firstLogin')
+            return
+        }
+
+        response.setResult('ok')
+        return
+    }else{
+        // Multiple accounts found -> Dispatch the account selection screen
+        sess.setAttribute('agov.eid.linkedAccountsDto', new JsonBuilder(accounts).toString())
+        sess.setAttribute('agov.eid.linkedAccountsFrontendDto', new JsonBuilder(frontend_dto).toString())
+
+        LOG.debug("Show GUI")
+        response.setStatus(AuthResponse.AUTH_CONTINUE)
+        return
+    }
+    
+} catch(Exception e) {
+    LOG.error("Fetching Agov Accounts Failed: ${e}")
+    sess.setAttribute("eid.placeholder.text", "EId: An exception occured while fetching the AGOV accounts\n: ${e}")
+    response.setResult('error')
+    return
+}
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_notify_user_first_login.groovy

@@ -1,38 +1,38 @@
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-
-
-String user_notification_dto = '''
-{
-    "clientExtId": "{{clientExtId}}",
-    "userExtId": "{{userExtId}}",
-    "notificationType": "userNotification4",
-    "sendingMethod": [
-        "Email"
-    ],
-    "async": false
-}
-'''
-
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-def sess = request.getAuthSession(true)
-
-String baseUrl = parameters.get("baseUrl")
-String clientExtId = parameters.get("clientExtId")
-String endPoint = "$baseUrl/api/notification/v1/"
-
-String userExtId = sess.getAttribute("agov.eid.linkedAccountExtId")
-
-String restRequest = user_notification_dto.replaceAll("\\{\\{clientExtId}}", clientExtId).replaceAll("\\{\\{userExtId}}", userExtId)
-
-try {
-    idmRestClient.post(endPoint, restRequest)
-    
-}catch(Exception e) {
-    LOG.error("Failed to send User Notification: First Login: ${e}")
-    response.setResult('error')
-    return
-}
-
-response.setResult('ok')
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+
+
+String user_notification_dto = '''
+{
+    "clientExtId": "{{clientExtId}}",
+    "userExtId": "{{userExtId}}",
+    "notificationType": "userNotification4",
+    "sendingMethod": [
+        "Email"
+    ],
+    "async": false
+}
+'''
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+def sess = request.getAuthSession(true)
+
+String baseUrl = parameters.get("baseUrl")
+String clientExtId = parameters.get("clientExtId")
+String endPoint = "$baseUrl/api/notification/v1/"
+
+String userExtId = sess.getAttribute("agov.eid.linkedAccountExtId")
+
+String restRequest = user_notification_dto.replaceAll("\\{\\{clientExtId}}", clientExtId).replaceAll("\\{\\{userExtId}}", userExtId)
+
+try {
+    idmRestClient.post(endPoint, restRequest)
+    
+}catch(Exception e) {
+    LOG.error("Failed to send User Notification: First Login: ${e}")
+    response.setResult('error')
+    return
+}
+
+response.setResult('ok')
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_notify_user_idm_change.groovy

@@ -1,38 +1,38 @@
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-
-
-String user_notification_dto = '''
-{
-    "clientExtId": "{{clientExtId}}",
-    "userExtId": "{{userExtId}}",
-    "notificationType": "userNotification3",
-    "sendingMethod": [
-        "Email"
-    ],
-    "async": false
-}
-'''
-
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-def sess = request.getAuthSession(true)
-
-String baseUrl = parameters.get("baseUrl")
-String clientExtId = parameters.get("clientExtId")
-String endPoint = "$baseUrl/api/notification/v1/"
-
-String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
-
-String restRequest = user_notification_dto.replaceAll("\\{\\{clientExtId}}", clientExtId).replaceAll("\\{\\{userExtId}}", userExtId)
-
-try {
-    idmRestClient.post(endPoint, restRequest)
-    
-}catch(Exception e) {
-    LOG.error("Failed to send User Notification: Idm Update with EId data: ${e}")
-    response.setResult('error')
-    return
-}
-
-response.setResult('ok')
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+
+
+String user_notification_dto = '''
+{
+    "clientExtId": "{{clientExtId}}",
+    "userExtId": "{{userExtId}}",
+    "notificationType": "userNotification3",
+    "sendingMethod": [
+        "Email"
+    ],
+    "async": false
+}
+'''
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+def sess = request.getAuthSession(true)
+
+String baseUrl = parameters.get("baseUrl")
+String clientExtId = parameters.get("clientExtId")
+String endPoint = "$baseUrl/api/notification/v1/"
+
+String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
+
+String restRequest = user_notification_dto.replaceAll("\\{\\{clientExtId}}", clientExtId).replaceAll("\\{\\{userExtId}}", userExtId)
+
+try {
+    idmRestClient.post(endPoint, restRequest)
+    
+}catch(Exception e) {
+    LOG.error("Failed to send User Notification: Idm Update with EId data: ${e}")
+    response.setResult('error')
+    return
+}
+
+response.setResult('ok')
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_registration.groovy

@@ -1,17 +1,17 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-
-if(inargs['cancel']){
-    LOG.debug("Account registration canceled: Send response with error")
-    response.setResult('back')
-    return
-}
-
-if(inargs['register'] == "agov"){
-    LOG.debug("AGOV account registration was selected")
-    response.setResult('register')
-    return
-}
-
-LOG.debug("Show GUI")
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+if(inargs['cancel']){
+    LOG.debug("Account registration canceled: Send response with error")
+    response.setResult('back')
+    return
+}
+
+if(inargs['register'] == "agov"){
+    LOG.debug("AGOV account registration was selected")
+    response.setResult('register')
+    return
+}
+
+LOG.debug("Show GUI")
+response.setStatus(AuthResponse.AUTH_CONTINUE)
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_start_account_linking.groovy

@@ -1,27 +1,27 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-
-def sess = request.getAuthSession(true)
-
-if(inargs['cancelEid']){
-    LOG.debug("Account registration canceled: Send response with error")
-    response.setResult('cancel')
-    return
-}
-
-if(inargs['continue'] == 'link_account'){
-    LOG.debug("AGOV account linking")
-    //sess.setAttribute("eid.placeholder.text", "EId: Implicit account linking not implemented yet")
-    response.setResult('link')
-    return
-}
-
-if(inargs['continue'] == 'register_account'){
-    LOG.debug("AGOV account registration was selected")
-    sess.setAttribute("eid.placeholder.text", "EId: Account registration with implicit linking not implemented yet")
-    response.setResult('register')
-    return
-}
-
-LOG.debug("Show GUI")
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+def sess = request.getAuthSession(true)
+
+if(inargs['cancelEid']){
+    LOG.debug("Account registration canceled: Send response with error")
+    response.setResult('cancel')
+    return
+}
+
+if(inargs['continue'] == 'link_account'){
+    LOG.debug("AGOV account linking")
+    //sess.setAttribute("eid.placeholder.text", "EId: Implicit account linking not implemented yet")
+    response.setResult('link')
+    return
+}
+
+if(inargs['continue'] == 'register_account'){
+    LOG.debug("AGOV account registration was selected")
+    sess.setAttribute("eid.placeholder.text", "EId: Account registration with implicit linking not implemented yet")
+    response.setResult('register')
+    return
+}
+
+LOG.debug("Show GUI")
+response.setStatus(AuthResponse.AUTH_CONTINUE)
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_update_login_info.groovy

@@ -1,36 +1,36 @@
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-
-
-String login_info_update_dto = '''
-{
-    "success": true,
-    "credentialExtId": "{{credentialExtId}}"
-}
-'''
-
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-def sess = request.getAuthSession(true)
-
-String baseUrl = parameters.get("baseUrl")
-String clientExtId = parameters.get("clientExtId")
-String endPoint = "$baseUrl/api/core/v1"
-
-String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
-String linkingCredentialExtId = sess.getAttribute("agov.eid.linkingCredentialExtId")
-
-String requestUrl = "$endPoint/$clientExtId/users/$userExtId/login-info"
-
-String restRequest = login_info_update_dto.replaceAll("\\{\\{credentialExtId}}", linkingCredentialExtId)
-
-try {
-    idmRestClient.post(requestUrl, restRequest)
-    
-}catch(Exception e) {
-    LOG.error("Failed to Update Linking Credential info: ${e}")
-    response.setResult('error')
-    return
-}
-
-response.setResult('ok')
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+
+
+String login_info_update_dto = '''
+{
+    "success": true,
+    "credentialExtId": "{{credentialExtId}}"
+}
+'''
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+def sess = request.getAuthSession(true)
+
+String baseUrl = parameters.get("baseUrl")
+String clientExtId = parameters.get("clientExtId")
+String endPoint = "$baseUrl/api/core/v1"
+
+String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
+String linkingCredentialExtId = sess.getAttribute("agov.eid.linkingCredentialExtId")
+
+String requestUrl = "$endPoint/$clientExtId/users/$userExtId/login-info"
+
+String restRequest = login_info_update_dto.replaceAll("\\{\\{credentialExtId}}", linkingCredentialExtId)
+
+try {
+    idmRestClient.post(requestUrl, restRequest)
+    
+}catch(Exception e) {
+    LOG.error("Failed to Update Linking Credential info: ${e}")
+    response.setResult('error')
+    return
+}
+
+response.setResult('ok')
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_verification_auth.groovy

@@ -1,455 +1,456 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-import ch.nevis.esauth.sess.Session
-import ch.nevis.esauth.util.httpclient.api.HttpClient
-import groovy.json.JsonSlurper
-import io.opentelemetry.api.trace.Span
-
-import java.time.LocalDate
-import java.time.ZoneId
-import java.time.ZoneOffset
-
-import com.fasterxml.uuid.Generators
-
-def getHeader(String name) {
-	def inctx = request.getLoginContext()
-	// case-insensitive lookup of HTTP headers
-	def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
-	map.putAll(inctx)
-	return map['connection.HttpHeader.' + name]
-}
-
-// returns true on success and false on failure
-def getNewVerification(Session sess, HttpClient httpClient, String verification_request_template, String traceparent){
-	// Initialize the verification session on the verifier
-	def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
-
-	try {
-		def httpResponse = Http.post()
-				.url(endPoint)
-				.header("Accept", "application/json")
-				.header("traceparent", traceparent)
-				.entity(Http.entity()
-						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
-						.contentType("application/json")
-						.build())
-				.build()
-				.send(httpClient)
-
-
-		if (httpResponse.code() != 200) {
-			LOG.debug("Result: ${httpResponse}")
-			return false
-		}
-
-		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
-		LOG.debug("Result: ${json}")
-
-		sess.setAttribute('agov.eid.verification', 'true')
-		sess.setAttribute('agov.eid.verification.id', json.id)
-		sess.setAttribute('agov.eid.verification.link', json.verification_url)
-
-
-        //  TODO/aca/2025-04-04:This could probably also be INITIATED, once the verifier supports this status
-		if (json.state != 'PENDING') {
-			return false
-		}
-	}
-	catch (Exception e) {
-		LOG.error("Eid verification failed: $e")
-		return false
-	}
-    return true
-}
-
-def clearEidSession(){
-    def s = request.getAuthSession(true)
-    s.removeAttribute('agov.eid.verification')
-    s.removeAttribute('agov.eid.verification.id')
-    s.removeAttribute('agov.eid.verification.link')
-}
-
-def verification_request_template = '''
-{ "presentation_definition": {
-    "id": "{{UUID}}",
-    "name": "AGOV Verification",
-    "purpose": "AGOV Login",
-    "format": {
-      "vc+sd-jwt": {
-        "sd-jwt_alg_values": [
-          "ES256"
-        ],
-        "kb-jwt_alg_values": [
-          "ES256"
-        ]
-      }
-    },
-    "input_descriptors": [
-      {
-        "id": "agov-all-attributes",
-        "name": "AGOV Identity Verification",
-        "purpose": "verification and authentication",
-        "format": {
-          "vc+sd-jwt": {
-            "sd-jwt_alg_values": [
-              "ES256"
-            ],
-            "kb-jwt_alg_values": [
-              "ES256"
-            ]
-          }
-        },
-        "constraints": {
-          "fields": [
-            {
-              "path": [
-                "$.family_name"
-              ]
-            },
-            {
-              "path": [
-                "$.given_name"
-              ]
-            },
-            {
-              "path": [
-                "$.birth_date"
-              ]
-            },
-            {
-              "path": [
-                "$.sex"
-              ]
-            },
-            {
-              "path": [
-                "$.place_of_origin"
-              ]
-            },
-            {
-              "path": [
-                "$.birth_place"
-              ]
-            },
-            {
-              "path": [
-                "$.nationality"
-              ]
-            },
-            {
-              "path": [
-                "$.personal_administrative_number"
-              ]
-            },
-            {
-              "path": [
-                "$.document_number"
-              ]
-            },
-            {
-              "path": [
-                "$.issuance_date"
-              ]
-            },
-            {
-              "path": [
-                "$.expiry_date"
-              ]
-            },
-            {
-              "path": [
-                "$.issuing_authority"
-              ]
-            },
-            {
-              "path": [
-                "$.issuing_country"
-              ]
-            }
-          ]
-        }
-      }
-    ]
-  }
-}
-'''
-
-def ERROR_CODE_TO_STATUS_MAPPER = [
-		'CREDENTIAL_INVALID'               : 'FAILED',
-		'JWT_EXPIRED'                      : 'ERROR',
-		'INVALID_FORMAT'                   : 'ERROR',
-		'CREDENTIAL_EXPIRED'               : 'FAILED',
-		'MISSING_NONCE'                    : 'ERROR',
-		'UNSUPPORTED_FORMAT'               : 'ERROR',
-		'CREDENTIAL_REVOKED'               : 'FAILED',
-		'CREDENTIAL_SUSPENDED'             : 'FAILED',
-		'HOLDER_BINDING_MISMATCH'          : 'ERROR',
-		'CREDENTIAL_MISSING_DATA'          : 'FAILED',
-		'UNRESOLVABLE_STATUS_LIST'         : 'ERROR',
-		'PUBLIC_KEY_OF_ISSUER_UNRESOLVABLE': 'ERROR',
-		'CLIENT_REJECTED'                  : 'CANCELED',
-		'ISSUER_NOT_ACCEPTED'              : 'ERROR'
-]
-
-// ---------------
-// check, whether we are still processing the correct AuthnRequest
-// or if the frontend requested a timeout
-if ( (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) || inargs['oid4vp'] == 'TIMEOUT') {
-	// wrong request, "force" a timeout
-	LOG.debug('authentication timeout enforced, due to concurrent requests (authRequestId missmatch) -> return a 408')
-
-	response.setIsDirectResponse(true)
-	response.setContentType('text/html; charset=UTF-8')
-	response.setContent('Timeout')
-	response.setHttpStatusCode(205)
-	response.setHeader('IDP-AUTH', 'Timeout')
-
-	// CONTINUE to keep the other request beeing processed
-	response.setStatus(AuthResponse.AUTH_CONTINUE)
-	return
-}
-
-def sess = request.getAuthSession(true)
-
-if (inargs['oid4vp'] == 'ERROR') {
-    LOG.debug("oid4vp error")
-	response.setResult('error')
-	return
-}
-
-if (inargs['oid4vp'] == 'SUCCEEDED') {
-    LOG.debug("oid4vp succeeded")
-	response.setResult('ok')
-	return
-}
-
-// switch to access App
-if (inargs['accessApp'] == 'accessApp') {
-    //TODO/aca/2025/06/19: In theory we could also land here when we send 'SUCCESS' to the frontend -> would be better to  clear all session vaiables that can be set in this Authstate
-    //TODO/aca/2025/06/19: Should we here rather set the LOGINMETHOD cookie and send an error assertion, since otherwise we might swich states too often and Nevis will kill the session?
-    clearEidSession()
-    LOG.debug("Switch to Access App")
-    sess.setAttribute('agov.lastLoginMethod', 'accessApp')
-	response.setResult('agovLogin')
-	return
-}
-
-// switch to fido2
-if (inargs['securityKey'] == 'securityKey') {
-    clearEidSession()
-    LOG.debug("Switch to Security Key")
-    sess.setAttribute('agov.lastLoginMethod', 'securityKey')
-	response.setResult('agovLogin')
-	return
-}
-
-// switch to registration
-if (inargs['fallback'] == 'register') {
-    clearEidSession()
-    LOG.debug("Switch to registration")
-	response.setResult('register')
-	return
-}
-
-
-HttpClient httpClient = HttpClients.create(parameters)
-def spanCtxt = Span.current().getSpanContext()
-def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
-
-
-if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
-    LOG.debug("Request Status Update")
-	// request for a status update from the verifier
-	def result
-
-    // FE requested a new verification
-    if (inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') {
-        LOG.debug("Initializing new verification")
-	    if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
-            response.setResult('error') 
-            return
-        }
-    }
-
-	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') ? session['agov.eid.verification.id'] : inargs['o.id.v']
-
-    LOG.error("IDValSent: " + idvalue)
-
-    // check, whether we are still processing the same verification request or if a new one was generated in e.g. another Tab
-    if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != 'RESET' && inargs['o.id.v'] != session['agov.eid.verification.id']){
-        // wrong request, tell fe to stop polling and request a timeout
-        LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408')
-        result = """{
-				"oid4vp": {
-					"status": "TIMEOUT",
-					"verification_url": "${session['agov.eid.verification.link']}",
-					"id": "${idvalue}",
-					"error_code": "REQUEST-MISMATCH",
-					"error_message": "Request Mismatch Detected: Forcing Timeout"
-				}}"""
-
-        response.setContent(result.toString())
-	    response.setContentType('application/json')
-	    response.setHttpStatusCode(200)
-	    response.setIsDirectResponse(true)
-	    response.setStatus(AuthResponse.AUTH_CONTINUE)
-	    return
-    }
-
-	try {
-		def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
-
-		def httpResponse = Http.get()
-				.url(endPoint)
-				.header("Accept", "application/json")
-				.header("traceparent", traceparent)
-				.build()
-				.send(httpClient)
-
-
-        // 404 -> request a new verification
-        if(httpResponse.code() == 404){
-            // Frontend should know that we are starting a new request and not recieve an error
-            def status = "FAILED"
-            // Delete session variable to start a new verification
-            sess.removeAttribute('agov.eid.verification')
-
-            result = """{
-				"oid4vp": {
-					"status": "${status}",
-					"verification_url": "",
-					"id": "",
-					"error_code": "HTTP-ERROR",
-					"error_message": "Faild to verify status of verification, http status: ${httpResponse.code()}"
-				}}"""
-			LOG.warn("<== Response: ${httpResponse.code()}")
-		}
-		else if (httpResponse.code() != 200) {
-			LOG.debug("Result: ${httpResponse}")
-            
-            def status = "ERROR"
-            
-			result = """{
-				"oid4vp": {
-					"status": "${status}",
-					"verification_url": "${session['agov.eid.verification.link']}",
-					"id": "${idvalue}",
-					"error_code": "HTTP-ERROR",
-					"error_message": "failed to verify status of verification ${idvalue}, http status: ${httpResponse.code()}"
-				}}"""
-			LOG.warn("<== Response: ${httpResponse.code()}")
-		}
-		else {
-
-			def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
-            LOG.debug(httpResponse.bodyAsString())
-			if (json.state == 'SUCCESS') {
-				def claims = json.wallet_response.credential_subject_data
-                LOG.debug("Store user data in session")
-				
-                def validFrom = LocalDate.parse(claims.issuance_date, DateTimeFormatter.ISO_LOCAL_DATE).atStartOfDay(ZoneId.systemDefault()).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)
-                def validTo = LocalDate.parse(claims.expiry_date, DateTimeFormatter.ISO_LOCAL_DATE).atTime(23,59,59).atOffset(ZoneOffset.systemDefault()).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)
-
-                sess.setAttribute('agov.eid.User.firstName', claims.given_name)
-				sess.setAttribute('agov.eid.User.lastName', claims.family_name)
-				sess.setAttribute('agov.eid.User.birthDate', claims.birth_date)
-				sess.setAttribute('agov.eid.User.gender', claims.sex)
-				sess.setAttribute('agov.eid.User.svnr', claims.personal_administrative_number.replace('.',''))
-				sess.setAttribute('agov.eid.User.placeOfBirth', claims.birth_place)
-				sess.setAttribute('agov.eid.User.placeOfOrigin', claims.place_of_origin)
-				sess.setAttribute('agov.eid.User.eIdNumber', claims.document_number)
-                // Simpler for later comparison -> Is converted again to upper case in the saml assertion
-				sess.setAttribute('agov.eid.User.nationality', claims.nationality.toString().toLowerCase())
-
-				sess.setAttribute('ValidFrom', validFrom)
-				sess.setAttribute('ValidTo', validTo)
-				sess.setAttribute('authenticatedWith', "urn:qa.agov.ch:names:tc:authfactor:eid")
-				sess.setAttribute('idVerification', "Eid")
-
-                // BUNDBITBK-5203 Dynamic aq levels
-                def requestedRoleLevel = session['agov.requestedRoleLevel']
-                if(requestedRoleLevel == "600"){
-                    sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
-                }else{
-                    sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:500")
-                }
-
-                // subjectUUID v5
-                def namespace = UUID.fromString(parameters.get('eidUUIDNamespace'))
-                def uuid = Generators.nameBasedGenerator(namespace).generate(claims.personal_administrative_number)
-                 LOG.debug("UUID derived from svnr: ${uuid}")
-                String uuidString = uuid.toString()
-                sess.setAttribute('agov.subjectUUID', '' + uuidString)
-
-				response.setUserId(uuidString)
-                sess.setAttribute('ch.adnovum.nevisidm.user.extId', uuidString)
-				response.setLoginId(claims.document_number)
-				response.setAuthLevel("EID")
-
-				result = """{
-				"oid4vp": {
-					"status": "SUCCEEDED",
-					"verification_url": "${session['agov.eid.verification.link']}",
-					"id": "${idvalue}",
-					"error_code": "NONE"
-				}}"""
-			}
-			else if (json.state == 'FAILED') {
-				LOG
-						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
-                       
-                def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'
-
-                // Send new request & return variables with new id and url
-                if(status == 'FAILED' || status == 'CANCELED'){
-                    // Delete session variable to start a new verification
-                    sess.removeAttribute('agov.eid.verification')
-
-                    // Clear variables for for a cleaner result
-                    sess.removeAttribute('agov.eid.verification.link')
-                }
-
-				result = """{
-				"oid4vp": {
-					"status": "${status}",
-					"verification_url": "${session['agov.eid.verification.link']}",
-					"id": "${idvalue}",
-					"error_code": "${json.wallet_response.error_code}",
-					"error_message": "${json.wallet_response.error_description}"
-				}}"""
-			}
-			else {
-				result = """{
-				"oid4vp": {
-					"status": "${inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET' ? 'INITIATED' : 'PENDING'}",
-					"verification_url": "${session['agov.eid.verification.link']}",
-					"id": "${idvalue}",
-					"error_code": "NONE"
-				}}"""
-			}
-		}
-
-	}
-	catch (Exception e) {
-		LOG.error("Eid verification failed: ${e}")
-		result = """{
-				"oid4vp": {
-					"status": "ERROR",
-					"verification_url": "${session['agov.eid.verification.link']}",
-					"id": "${idvalue}",
-					"error_code": "HTTP-ERROR",
-					"error_message": "failed to verify status of verification ${idvalue}, http exception"
-				}}"""
-	}
-
-	response.setContent(result.toString())
-	response.setContentType('application/json')
-	response.setHttpStatusCode(200)
-	response.setIsDirectResponse(true)
-	response.setStatus(AuthResponse.AUTH_CONTINUE)
-	return
-}
-
-// if we reach this place, display GUI
-LOG.debug("Show GUI")
-response.setStatus(AuthResponse.AUTH_CONTINUE)
-return
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.esauth.sess.Session
+import ch.nevis.esauth.util.httpclient.api.HttpClient
+import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
+
+import java.time.LocalDate
+import java.time.ZoneId
+import java.time.ZoneOffset
+
+import com.fasterxml.uuid.Generators
+
+def getHeader(String name) {
+	def inctx = request.getLoginContext()
+	// case-insensitive lookup of HTTP headers
+	def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+	map.putAll(inctx)
+	return map['connection.HttpHeader.' + name]
+}
+
+// returns true on success and false on failure
+def getNewVerification(Session sess, HttpClient httpClient, String verification_request_template, String traceparent){
+	// Initialize the verification session on the verifier
+	def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
+
+	try {
+		def httpResponse = Http.post()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.entity(Http.entity()
+						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
+						.contentType("application/json")
+						.build())
+				.build()
+				.send(httpClient)
+
+
+		if (httpResponse.code() != 200) {
+			LOG.debug("Result: ${httpResponse}")
+			return false
+		}
+
+		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+		LOG.debug("Result: ${json}")
+
+		sess.setAttribute('agov.eid.verification', 'true')
+		sess.setAttribute('agov.eid.verification.id', json.id)
+		sess.setAttribute('agov.eid.verification.link', json.verification_url)
+
+
+        //  TODO/aca/2025-04-04:This could probably also be INITIATED, once the verifier supports this status
+		if (json.state != 'PENDING') {
+			return false
+		}
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: $e")
+		return false
+	}
+    return true
+}
+
+def clearEidSession(){
+    def s = request.getAuthSession(true)
+    s.removeAttribute('agov.eid.verification')
+    s.removeAttribute('agov.eid.verification.id')
+    s.removeAttribute('agov.eid.verification.link')
+}
+
+def verification_request_template = '''
+{ "presentation_definition": {
+    "id": "{{UUID}}",
+    "name": "AGOV Verification",
+    "purpose": "AGOV Login",
+    "format": {
+      "vc+sd-jwt": {
+        "sd-jwt_alg_values": [
+          "ES256"
+        ],
+        "kb-jwt_alg_values": [
+          "ES256"
+        ]
+      }
+    },
+    "input_descriptors": [
+      {
+        "id": "agov-all-attributes",
+        "name": "AGOV Identity Verification",
+        "purpose": "verification and authentication",
+        "format": {
+          "vc+sd-jwt": {
+            "sd-jwt_alg_values": [
+              "ES256"
+            ],
+            "kb-jwt_alg_values": [
+              "ES256"
+            ]
+          }
+        },
+        "constraints": {
+          "fields": [
+            {
+              "path": [
+                "$.family_name"
+              ]
+            },
+            {
+              "path": [
+                "$.given_name"
+              ]
+            },
+            {
+              "path": [
+                "$.birth_date"
+              ]
+            },
+            {
+              "path": [
+                "$.sex"
+              ]
+            },
+            {
+              "path": [
+                "$.place_of_origin"
+              ]
+            },
+            {
+              "path": [
+                "$.birth_place"
+              ]
+            },
+            {
+              "path": [
+                "$.nationality"
+              ]
+            },
+            {
+              "path": [
+                "$.personal_administrative_number"
+              ]
+            },
+            {
+              "path": [
+                "$.document_number"
+              ]
+            },
+            {
+              "path": [
+                "$.issuance_date"
+              ]
+            },
+            {
+              "path": [
+                "$.expiry_date"
+              ]
+            },
+            {
+              "path": [
+                "$.issuing_authority"
+              ]
+            },
+            {
+              "path": [
+                "$.issuing_country"
+              ]
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
+'''
+
+def ERROR_CODE_TO_STATUS_MAPPER = [
+		'CREDENTIAL_INVALID'               : 'FAILED',
+		'JWT_EXPIRED'                      : 'ERROR',
+		'INVALID_FORMAT'                   : 'ERROR',
+		'CREDENTIAL_EXPIRED'               : 'FAILED',
+		'MISSING_NONCE'                    : 'ERROR',
+		'UNSUPPORTED_FORMAT'               : 'ERROR',
+		'CREDENTIAL_REVOKED'               : 'FAILED',
+		'CREDENTIAL_SUSPENDED'             : 'FAILED',
+		'HOLDER_BINDING_MISMATCH'          : 'ERROR',
+		'CREDENTIAL_MISSING_DATA'          : 'FAILED',
+		'UNRESOLVABLE_STATUS_LIST'         : 'ERROR',
+		'PUBLIC_KEY_OF_ISSUER_UNRESOLVABLE': 'ERROR',
+		'CLIENT_REJECTED'                  : 'CANCELED',
+		'ISSUER_NOT_ACCEPTED'              : 'ERROR'
+]
+
+// ---------------
+// check, whether we are still processing the correct AuthnRequest
+// or if the frontend requested a timeout
+if ( (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) || inargs['oid4vp'] == 'TIMEOUT') {
+	// wrong request, "force" a timeout
+	LOG.debug('authentication timeout enforced, due to concurrent requests (authRequestId missmatch) -> return a 408')
+
+	response.setIsDirectResponse(true)
+	response.setContentType('text/html; charset=UTF-8')
+	response.setContent('Timeout')
+	response.setHttpStatusCode(205)
+	response.setHeader('IDP-AUTH', 'Timeout')
+
+	// CONTINUE to keep the other request beeing processed
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+def sess = request.getAuthSession(true)
+
+if (inargs['oid4vp'] == 'ERROR') {
+    LOG.debug("oid4vp error")
+	response.setResult('error')
+	return
+}
+
+if (inargs['oid4vp'] == 'SUCCEEDED') {
+    LOG.debug("oid4vp succeeded")
+	response.setResult('ok')
+	return
+}
+
+// switch to access App
+if (inargs['accessApp'] == 'accessApp') {
+    //TODO/aca/2025/06/19: In theory we could also land here when we send 'SUCCESS' to the frontend -> would be better to  clear all session vaiables that can be set in this Authstate
+    //TODO/aca/2025/06/19: Should we here rather set the LOGINMETHOD cookie and send an error assertion, since otherwise we might swich states too often and Nevis will kill the session?
+    clearEidSession()
+    LOG.debug("Switch to Access App")
+    sess.setAttribute('agov.lastLoginMethod', 'accessApp')
+	response.setResult('agovLogin')
+	return
+}
+
+// switch to fido2
+if (inargs['securityKey'] == 'securityKey') {
+    clearEidSession()
+    LOG.debug("Switch to Security Key")
+    sess.setAttribute('agov.lastLoginMethod', 'securityKey')
+	response.setResult('agovLogin')
+	return
+}
+
+// switch to registration
+if (inargs['fallback'] == 'register') {
+    clearEidSession()
+    LOG.debug("Switch to registration")
+	response.setResult('register')
+	return
+}
+
+
+HttpClient httpClient = HttpClients.create(parameters)
+def spanCtxt = Span.current().getSpanContext()
+def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+
+if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
+    LOG.debug("Request Status Update")
+	// request for a status update from the verifier
+	def result
+
+    // FE requested a new verification
+    if (inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') {
+        LOG.debug("Initializing new verification")
+	    if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
+            response.setResult('error') 
+            return
+        }
+    }
+
+	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') ? session['agov.eid.verification.id'] : inargs['o.id.v']
+
+    LOG.error("IDValSent: " + idvalue)
+
+    // check, whether we are still processing the same verification request or if a new one was generated in e.g. another Tab
+    if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != 'RESET' && inargs['o.id.v'] != session['agov.eid.verification.id']){
+        // wrong request, tell fe to stop polling and request a timeout
+        LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408')
+        result = """{
+				"oid4vp": {
+					"status": "TIMEOUT",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "REQUEST-MISMATCH",
+					"error_message": "Request Mismatch Detected: Forcing Timeout"
+				}}"""
+
+        response.setContent(result.toString())
+	    response.setContentType('application/json')
+	    response.setHttpStatusCode(200)
+	    response.setIsDirectResponse(true)
+	    response.setStatus(AuthResponse.AUTH_CONTINUE)
+	    return
+    }
+
+	try {
+		def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
+
+		def httpResponse = Http.get()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.build()
+				.send(httpClient)
+
+
+        // 404 -> request a new verification
+        if(httpResponse.code() == 404){
+            // Frontend should know that we are starting a new request and not recieve an error
+            def status = "FAILED"
+            // Delete session variable to start a new verification
+            sess.removeAttribute('agov.eid.verification')
+
+            result = """{
+				"oid4vp": {
+					"status": "${status}",
+					"verification_url": "",
+					"id": "",
+					"error_code": "HTTP-ERROR",
+					"error_message": "Faild to verify status of verification, http status: ${httpResponse.code()}"
+				}}"""
+			LOG.warn("<== Response: ${httpResponse.code()}")
+		}
+		else if (httpResponse.code() != 200) {
+			LOG.debug("Result: ${httpResponse}")
+            
+            def status = "ERROR"
+            
+			result = """{
+				"oid4vp": {
+					"status": "${status}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "HTTP-ERROR",
+					"error_message": "failed to verify status of verification ${idvalue}, http status: ${httpResponse.code()}"
+				}}"""
+			LOG.warn("<== Response: ${httpResponse.code()}")
+		}
+		else {
+
+			def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+            LOG.debug(httpResponse.bodyAsString())
+			if (json.state == 'SUCCESS') {
+				def claims = json.wallet_response.credential_subject_data
+                LOG.debug("Store user data in session")
+				
+                def validFrom = LocalDate.parse(claims.issuance_date, DateTimeFormatter.ISO_LOCAL_DATE).atStartOfDay(ZoneId.systemDefault()).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)
+                def validTo = LocalDate.parse(claims.expiry_date, DateTimeFormatter.ISO_LOCAL_DATE).atTime(23,59,59).atOffset(ZoneOffset.systemDefault()).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)
+
+                sess.setAttribute('agov.eid.User.firstName', claims.given_name)
+				sess.setAttribute('agov.eid.User.lastName', claims.family_name)
+				sess.setAttribute('agov.eid.User.birthDate', claims.birth_date)
+				sess.setAttribute('agov.eid.User.gender', claims.sex)
+				sess.setAttribute('agov.eid.User.svnr', claims.personal_administrative_number.replace('.',''))
+				sess.setAttribute('agov.eid.User.placeOfBirth', claims.birth_place)
+				sess.setAttribute('agov.eid.User.placeOfOrigin', claims.place_of_origin)
+				sess.setAttribute('agov.eid.User.eIdNumber', claims.document_number)
+                // Simpler for later comparison -> Is converted again to upper case in the saml assertion
+				sess.setAttribute('agov.eid.User.nationality', claims.nationality.toString().toLowerCase())
+
+				sess.setAttribute('ValidFrom', validFrom)
+				sess.setAttribute('ValidTo', validTo)
+				sess.setAttribute('authenticatedWith', "urn:qa.agov.ch:names:tc:authfactor:eid")
+				sess.setAttribute('idVerification', "Eid")
+
+                // BUNDBITBK-5203 Dynamic aq levels
+                def requestedRoleLevel = session['agov.requestedRoleLevel']
+                if(requestedRoleLevel == "600"){
+                    sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
+                }else{
+                    sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:500")
+                }
+
+                // subjectUUID v5
+                def namespace = UUID.fromString(parameters.get('eidUUIDNamespace'))
+                def uuid = Generators.nameBasedGenerator(namespace).generate(claims.personal_administrative_number)
+                 LOG.debug("UUID derived from svnr: ${uuid}")
+                String uuidString = uuid.toString()
+                sess.setAttribute('agov.subjectUUID', '' + uuidString)
+
+				response.setUserId(uuidString)
+                sess.setAttribute('ch.adnovum.nevisidm.user.extId', uuidString)
+				response.setLoginId(claims.document_number)
+				response.setAuthLevel("EID")
+
+				result = """{
+				"oid4vp": {
+					"status": "SUCCEEDED",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "NONE"
+				}}"""
+			}
+			else if (json.state == 'FAILED') {
+				LOG
+						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+                       
+                def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'
+
+                // Send new request & return variables with new id and url
+                if(status == 'FAILED' || status == 'CANCELED'){
+                    // Delete session variable to start a new verification
+                    sess.removeAttribute('agov.eid.verification')
+
+                    // Clear variables for for a cleaner result
+                    sess.removeAttribute('agov.eid.verification.link')
+                }
+
+				result = """{
+				"oid4vp": {
+					"status": "${status}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "${json.wallet_response.error_code}",
+					"error_message": "${json.wallet_response.error_description}"
+				}}"""
+			}
+			else {
+				result = """{
+				"oid4vp": {
+					"status": "${inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET' ? 'INITIATED' : 'PENDING'}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "NONE"
+				}}"""
+			}
+		}
+
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: ${e}")
+		result = """{
+				"oid4vp": {
+					"status": "ERROR",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "HTTP-ERROR",
+					"error_message": "failed to verify status of verification ${idvalue}, http exception"
+				}}"""
+	}
+
+	response.setContent(result.toString())
+	response.setContentType('application/json')
+	response.setHttpStatusCode(200)
+	response.setIsDirectResponse(true)
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+// if we reach this place, display GUI
+LOG.debug("Show GUI")
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy

@@ -122,4 +122,4 @@ if (inargs['submit']) {
 }
 
 // show the GUI
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+response.setStatus(AuthResponse.AUTH_CONTINUE)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/env.conf

@@ -13,8 +13,9 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2505.5,service.instance.id=$HOSTNAME"
     "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-idp-extended-truststore/truststore.p12"
     "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-idp-extended-truststore/keypass}"
 )
 
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml

@@ -5,6 +5,8 @@
     <SessionCoordinator sessionInitialInactivityTimeout="600" sessionInactivityTimeout="28800" sessionMaxLifetime="28800" sessionIdPreGenerate="true">
         <!-- source: pattern://7022472ae407577ae604bbb8 -->
         <LocalSessionStore maxSessions="100000"/>
+        <!-- source: pattern://b7b59e97b3fd18bb60178573 -->
+        <RemoteSessionStore connectionUser="pipe:///var/opt/nevisauth/default/conf/credentials/dbUser" connectionPassword="pipe:///var/opt/nevisauth/default/conf/credentials/dbPassword" connectionUrl="jdbc:mariadb://mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/nevisauth?serverTimezone=UTC&amp;sslMode=disable&amp;autocommit=true" connectionMaxLifeTime="1800000" connectionMaxIdleTime="600000" connectionMinPoolSize="10" connectionMaxPoolSize="10" connectionAutomaticDbSchemaSetup="false" storeUnauthenticatedSessions="true"/>
         <!-- source: pattern://7022472ae407577ae604bbb8 -->
         <TokenAssembler name="DefaultTokenAssembler">
             <Selector default="true"/>
@@ -45,6 +47,8 @@
                 <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
                 <field src="session" key="ch.adnovum.nevisidm.clientId" as="clientId"/>
                 <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
+                <field src="session" key="ch.nevis.session.domain" as="domain"/>
+                <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
                 <field src="request" key="ActualRoles" as="roles"/>
             </TokenSpec>
             <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
@@ -65,6 +69,8 @@
                 <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
                 <field src="session" key="ch.adnovum.nevisidm.clientId" as="clientId"/>
                 <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
+                <field src="session" key="ch.nevis.session.domain" as="domain"/>
+                <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
                 <field src="request" key="ActualRoles" as="roles"/>
             </TokenSpec>
             <!-- source: pattern://94e0b7b92ff2593f958c1eec -->
@@ -128,6 +134,11 @@
             <!-- source: pattern://8dbec5bb024707d73fca93ef -->
             <KeyObject name="https://trustbroker-idp.agov-w.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
         </KeyStore>
+        <!-- source: pattern://b09a3092a59797b317c06ae4 -->
+        <KeyStore name="EncryptionKeys">
+            <!-- source: pattern://b09a3092a59797b317c06ae4 -->
+            <KeyObject name="DefaultEncryptionKey" certificate="/var/opt/keys/trust/idp-pem-atb-enc/truststore.jks"/>
+        </KeyStore>
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
         <KeyStore name="Auth_Realm_Mobile_FIDO_UAFKeyStore">
             <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
@@ -146,8 +157,8 @@
             <KeyObject name="internal_tls_Truststore" certificate="/var/opt/keys/trust/env-ca/truststore.jks"/>
         </KeyStore>
     </SessionCoordinator>
-    <!-- source: pattern://7022472ae407577ae604bbb8 -->
-    <LocalOutOfContextDataStore reaperPeriod="60"/>
+    <!-- source: pattern://b7b59e97b3fd18bb60178573 -->
+    <RemoteOutOfContextDataStore connectionUser="pipe:///var/opt/nevisauth/default/conf/credentials/dbUser" connectionPassword="pipe:///var/opt/nevisauth/default/conf/credentials/dbPassword" connectionUrl="jdbc:mariadb://mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/nevisauth?serverTimezone=UTC&amp;sslMode=disable&amp;autocommit=true" connectionMaxLifeTime="1800000" connectionMaxIdleTime="600000" connectionMinPoolSize="10" connectionMaxPoolSize="10" connectionAutomaticDbSchemaSetup="false"/>
     <!-- source: pattern://204c22beaccdfd22727af378, pattern://06aeae2d799e492f5580d03b, pattern://7022472ae407577ae604bbb8, pattern://7022472ae407577ae604bbb8, pattern://9a8294b080ea769d22924af0, pattern://f393012a278e525956a362d3, pattern://c686c1bdd5355351f7f98cc8, pattern://7fb39bfd6c34685866a22180, pattern://b8bdab6e4634a1d81f20e5bb, pattern://cb8c63274fe346280de0ffd5, pattern://9a1d3c6052019748d3510261, pattern://ae023be7e097522c74e31d17, pattern://81ae3547acc02160f787a546, pattern://0327ca909dfcaf2d332da104, pattern://584964c837512845d7940809, pattern://e0fda9336be9c69dafc9b69e, pattern://7022472ae407577ae604bbb8, pattern://cb8c63274fe346280de0ffd5, pattern://204c22beaccdfd22727af378, pattern://06aeae2d799e492f5580d03b, pattern://7022472ae407577ae604bbb8 -->
     <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/var/opt/nevisauth/default/plugin:/opt/nevisidmcl/nevisauth/lib:/opt/nevisfidocl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
         <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
@@ -420,6 +431,8 @@
             <!-- source: pattern://73efd00d67082ff1eb927922 -->
             <ResultCond name="main" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
             <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="main_secure" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
             <Response value="AUTH_CONTINUE">
                 <!-- source: pattern://73efd00d67082ff1eb927922 -->
                 <Gui name="saml_dispatcher" label="title.saml.failed">
@@ -847,6 +860,10 @@
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.verify" value="Assertion, AuthnRequest, ArtifactResolve, ArtifactResponse"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.prospectVerification" value="ArtifactResolve"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.binding" value="http-post"/>
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.post.relayStateEncoding" value="HTML"/>
@@ -933,6 +950,19 @@
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="useArtifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="AuthErrorDialog"/>
+            </Response>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="condition:useArtifact" value="${sess:agov.idp.use.artifact:^true$}"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://826166d230a6a4849f2837ae -->
             <Response value="AUTH_CONTINUE">
@@ -1188,6 +1218,100 @@
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="none"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-artifact"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="none"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
             <!-- source: pattern://7fb39bfd6c34685866a22180 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
@@ -3282,8 +3406,6 @@
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
             <ResultCond name="SOAP:showGui" next="NotUsed_Auth_Realm_Prepare_Done"/>
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
-            <ResultCond name="default" next="NotUsed_Auth_Realm_Prepare_Done"/>
-            <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
             <ResultCond name="ok" next="NotUsed_Auth_Realm_Prepare_Done" startOver="true"/>
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
             <ResultCond name="showGui" next="NotUsed_Auth_Realm_NotUsed_Pwd_Login-IdmPostProcessing"/>
@@ -3302,6 +3424,12 @@
             <property name="detaillevel.default" value="EXCLUDE"/>
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
             <property name="detaillevel.user" value="MEDIUM"/>
+            <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
+            <property name="detaillevel.profile" value="MEDIUM"/>
+            <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
+            <property name="detaillevel.role" value="LOW"/>
+            <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
+            <property name="forceDataReload" value="true"/>
         </AuthState>
         <AuthState name="NotUsed_Auth_Realm_NotUsed_Pwd_Login-IdmPasswordChange" class="ch.nevis.idm.authstate.IdmChangePasswordState" final="false">
             <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
@@ -3379,7 +3507,7 @@
                     <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
                     <GuiElem name="isiwebnewpw2" type="pw-text" label="prompt.newpassword.confirm"/>
                     <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
-                    <GuiElem name="submit" type="submit" label="button.submit"/>
+                    <GuiElem name="submit" type="submit" label="submit.button.label"/>
                 </Gui>
             </Response>
             <propertyRef name="nevisIDM_Connector"/>
@@ -3442,4 +3570,21 @@
         <!-- source: pattern://ab5a82719993921822e95751 -->
         <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
     </WebService>
+    <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+    <WebService name="IDP_AGOV_SEC_ARS" class="ch.nevis.esauth.auth.adapter.saml.ArtifactResolutionService" uri="/nevisauth/services/ars/sec" SSODomain="Auth_Realm_Main_IDP">
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="in.verify" value="ArtifactResolve"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="in.prospectVerification" value=""/>
+    </WebService>
+    <!-- source: pattern://7022472ae407577ae604bbb8 -->
+    <RESTService name="ManagementService" class="ch.nevis.esauth.rest.service.session.ManagementService"/>
 </esauth-server>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fetch_country_name.groovy

@@ -1,39 +1,39 @@
-import groovy.json.JsonSlurper
-import io.opentelemetry.api.trace.Span
-
-def sess = request.getAuthSession(true)
-
-def spanCtxt = Span.current().getSpanContext()
-def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
-def jsonSlurper = new JsonSlurper()
-
-
-def lang = (session['ch.nevis.idm.User.language']?:'DE').trim()
-def endppoint = "${parameters.get('baseurl')}/api/v1/countries?lang=${lang.toUpperCase()}"
-def countryCode = (session['ch.nevis.idm.User.country']?:'CH').trim().toLowerCase()
-
-try {
-  LOG.debug("UTILITY: Countries: Request url: ${endppoint}")
-
-  def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.get().url(endppoint).header('traceparent', traceparent).build().send(httpClient)
-
-  LOG.debug('UTILITY: Countries: Response Message: ' + httpResponse.reasonPhrase())
-  LOG.debug('UTILITY: Countries: Response Status Code: ' + httpResponse.code())
-  LOG.debug('UTILITY: Countries: Response: ' + httpResponse.bodyAsString())
-
-  if (httpResponse.code() == 200) {
-    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
-    // {"country.af":"Afghanistan","country.al":"Albanie"... }
-    def countryName = json["country.${countryCode}"]
-    LOG.debug("UTILITY: Countries: countryName for ${countryCode}: ${countryName}")
-    if (countryName) {
-      sess.setAttribute('agov.countryName', countryName)
-    }
-  } else {
-    LOG.warn("UTILITY: Countries: Failed to fetch country translations. (httpResponse.code: ${httpResponse.code()})")
-  }
-} catch (Exception e) {
-  LOG.warn("UTILITY: Countries: Failed to fetch country translations. (${e})")
-}
+import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
+
+def sess = request.getAuthSession(true)
+
+def spanCtxt = Span.current().getSpanContext()
+def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+def jsonSlurper = new JsonSlurper()
+
+
+def lang = (session['ch.nevis.idm.User.language']?:'DE').trim()
+def endppoint = "${parameters.get('baseurl')}/api/v1/countries?lang=${lang.toUpperCase()}"
+def countryCode = (session['ch.nevis.idm.User.country']?:'CH').trim().toLowerCase()
+
+try {
+  LOG.debug("UTILITY: Countries: Request url: ${endppoint}")
+
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.get().url(endppoint).header('traceparent', traceparent).build().send(httpClient)
+
+  LOG.debug('UTILITY: Countries: Response Message: ' + httpResponse.reasonPhrase())
+  LOG.debug('UTILITY: Countries: Response Status Code: ' + httpResponse.code())
+  LOG.debug('UTILITY: Countries: Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+    // {"country.af":"Afghanistan","country.al":"Albanie"... }
+    def countryName = json["country.${countryCode}"]
+    LOG.debug("UTILITY: Countries: countryName for ${countryCode}: ${countryName}")
+    if (countryName) {
+      sess.setAttribute('agov.countryName', countryName)
+    }
+  } else {
+    LOG.warn("UTILITY: Countries: Failed to fetch country translations. (httpResponse.code: ${httpResponse.code()})")
+  }
+} catch (Exception e) {
+  LOG.warn("UTILITY: Countries: Failed to fetch country translations. (${e})")
+}
 response.setResult('ok')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptchainfos.groovy

@@ -1,38 +1,38 @@
-import groovy.json.JsonSlurper
-import io.opentelemetry.api.trace.Span
-
-def url = parameters.get('url')
-def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
-def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-
-try {
-  def spanCtxt = Span.current().getSpanContext()
-  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
-
-  def jsonSlurper = new JsonSlurper()
-  def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.get().url(url).header('traceparent', traceparent)
-                         .header(realIpHttpHeaderName, ip).build().send(httpClient)
-
-  LOG.debug('Response Status Code: ' + httpResponse.code())
-  LOG.debug('Response: ' + httpResponse.bodyAsString())
-
-  if (httpResponse.code() == 200) {
-    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
-
-    response.setSessionAttribute('agov.fido2.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
-    response.setSessionAttribute('agov.fido2.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
-    response.setSessionAttribute('agov.fido2.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
-
-    response.setResult('ok')
-  } else {
-    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
-    response.setResult('error')
-    response.setError(1, 'Unexpected HTTP reponse')
-  }
-} catch (all) {
-  // Handle exception and set the transition
-  LOG.error('error: ' + all, all)
-  response.setResult('error')
-  response.setError(1, 'Exception during HTTP call')
+import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
+
+def url = parameters.get('url')
+def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+
+try {
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+  def jsonSlurper = new JsonSlurper()
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.get().url(url).header('traceparent', traceparent)
+                         .header(realIpHttpHeaderName, ip).build().send(httpClient)
+
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+
+    response.setSessionAttribute('agov.fido2.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
+    response.setSessionAttribute('agov.fido2.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
+    response.setSessionAttribute('agov.fido2.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
+
+    response.setResult('ok')
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptcharesult.groovy

@@ -1,63 +1,63 @@
-import io.opentelemetry.api.trace.Span
-
-def url = parameters.get('url')
-
-def email = inargs['userInputValue_prompt.email']
-def token = inargs['captcha_response']?: 'MISSING'
-def enabled = (session['agov.fido2.captchaSettings.enabled']?:'true').toBoolean()
-
-def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-def payload = "{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }"
-
-LOG.debug('Token: ' + token)
-LOG.debug('Payload: ' + payload)
-
-try {
-
-  if (!enabled) {
-    LOG.info("FriendlyCAPTCHA is disabled, allowing operation for ${payload}")
-    response.setResult('ok')
-    return
-  }
-
-  def spanCtxt = Span.current().getSpanContext()
-  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
-
-  def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.post()
-          .url(url)
-          .header("Accept", "application/json")
-          .header("X-FriendlyCAPTCHA-Token", token)
-          .header("traceparent", traceparent)
-          .entity(Http.entity()
-                  .content(payload)
-                  .contentType("application/json")
-                  .build())
-          .build()
-          .send(httpClient)
-
-  LOG.debug('Response Status Code: ' + httpResponse.code())
-  LOG.debug('Response: ' + httpResponse.bodyAsString())
-
-  if (httpResponse.code() == 200) {
-      if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
-          response.setResult('ok')
-          return
-       } else {
-       LOG.warn("Friendly captcha not successful for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
-       response.setResult('exit.1')
-       return      
-     }
-  } else {
-    LOG.error("Friendly captcha failed with statuscode ${httpResponse.code()} for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
-    response.setResult('error')
-    response.setError(1, 'Unexpected HTTP reponse')
-  }
-} catch (all) {
-  // Handle exception and set the transition
-  LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}")
-  response.setResult('error')
-  response.setError(1, 'Exception during HTTP call')
-}
+import io.opentelemetry.api.trace.Span
+
+def url = parameters.get('url')
+
+def email = inargs['userInputValue_prompt.email']
+def token = inargs['captcha_response']?: 'MISSING'
+def enabled = (session['agov.fido2.captchaSettings.enabled']?:'true').toBoolean()
+
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+def payload = "{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }"
+
+LOG.debug('Token: ' + token)
+LOG.debug('Payload: ' + payload)
+
+try {
+
+  if (!enabled) {
+    LOG.info("FriendlyCAPTCHA is disabled, allowing operation for ${payload}")
+    response.setResult('ok')
+    return
+  }
+
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.post()
+          .url(url)
+          .header("Accept", "application/json")
+          .header("X-FriendlyCAPTCHA-Token", token)
+          .header("traceparent", traceparent)
+          .entity(Http.entity()
+                  .content(payload)
+                  .contentType("application/json")
+                  .build())
+          .build()
+          .send(httpClient)
+
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+      if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
+          response.setResult('ok')
+          return
+       } else {
+       LOG.warn("Friendly captcha not successful for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
+       response.setResult('exit.1')
+       return      
+     }
+  } else {
+    LOG.error("Friendly captcha failed with statuscode ${httpResponse.code()} for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}")
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirect.groovy

@@ -24,3 +24,4 @@ else {
 
 
 
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy

@@ -20,4 +20,4 @@ if(outargs.containsKey('saml.SAMLResponse')) {
 }
 else {
     response.setResult('ok')
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRegistration.groovy

@@ -32,3 +32,4 @@ else {
 
 
 
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy

@@ -1,168 +1,197 @@
-import groovy.xml.XmlSlurper
-import groovy.xml.slurpersupport.GPathResult
-import groovy.xml.slurpersupport.NodeChild
-
-import java.util.zip.Inflater
-import java.util.zip.InflaterInputStream
-
-/**
- * Gets the value of the Referer header.
- * If the header is missing the fallback is returned
- *
- * This method is used when SAML IDP / Dispatch Error Redirect is not set
- *
- * @param fallback - value to return if the Referer header is missing
- * @return value of header or fallback
- */
-def getReferer(String fallback) {
-    return request.getHttpHeader('Referer') ?: fallback
-}
-
-def redirect(String url) {
-    outargs.put('nevis.transfer.type', 'redirect')
-    outargs.put('nevis.transfer.destination', url)
-}
-
-/**
- * Extracts the content of the Issuer element from a parsed SAML message.
- * The Issuer is optional according to SAML specification but we need it for dispatching.
- *
- * @param xml - as parsed by Groovy XmlSlurper
- * @return text content of Issuer element converted or null
- */
-String getIssuer(GPathResult xml) {
-    return xml.depthFirst().find { GPathResult node -> {
-        node.name().endsWith(":Issuer") || node.name().equalsIgnoreCase("Issuer")
-      }
-    }?.text()
-}
-
-String getIssuer(String value) {
-    if (value == null) {
-        return
-    }
-    String text
-    byte[] decoded
-    def parser = new XmlSlurper()
-    // if value is raw xml then continue otherwise try to parse the base64 encoding
-    if (value.startsWith("<")) {
-        text = new String(value)
-    }
-    else {
-        decoded = value.decodeBase64()
-        text = new String(decoded)
-        LOG.info("received SAML request $value")
-    }
-
-    // after decoded, if redirect binding, we need to parse string to xml
-    if (text.startsWith("<")) {
-        LOG.debug("assuming POST/SOAP binding")
-        // plain String (POST/SOAP parameter)
-        def xml = parser.parseText(text)
-        return getIssuer(xml)
-    }
-    else {
-        LOG.debug("assuming redirect binding")
-        // should be deflate encoded (query parameter)
-        def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
-        def xml = parser.parse(is)
-        return getIssuer(xml)
-    }
-}
-
-def dispatchIssuer(i2s, String issuer) {
-    def result = i2s.get(issuer)
-    if (result == null) {
-        LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
-    }
-    
-    // dispatch different idp if artifact binding is enabled
-    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
-        LOG.debug("EPD: Artifact mode")
-        result = result + "_artifact"
-    }else{
-        LOG.debug("EPD: POST mode")
-    }
-    response.setResult(result)
-    session.put("saml.inbound.issuer", issuer)
-    session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
-    
-}
-
-def dispatchMessage(i2s, String message) {
-    def issuer = getIssuer(message)
-    if (issuer == null) {
-        LOG.info("No issuer found in incoming SAML message. Giving up.")
-    }
-    session.put("saml.inbound.issuer", issuer)
-    dispatchIssuer(i2s, issuer)
-}
-
-if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {
-    String url = request.currentResource
-    def path = new URL(url).getPath()
-    if (path.endsWith("/logout")) {
-        // next AuthState will show a logout confirmation GUI
-        response.setResult('confirm')
-        return
-    }
-}
-
-// ensure session exists
-if (request.getSession(false) == null) {
-    session = request.getSession(true).getData()
-}
-
-// issuer (any case) -> ResultCond name
-def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
-
-
-i2s.put(parameters.get('atb'), 'main')
-i2s.put(parameters.get('epd_atb'), 'epd')
-
-if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
-    LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
-    String message = inargs.get('SAMLRequest')
-    dispatchMessage(i2s, message)
-    return
-}
-
-if (inargs.containsKey('SAMLResponse')) { // response to IDP-initiated SAML Logout
-    LOG.debug("found SAMLResponse parameter")
-    String message = inargs.get('SAMLResponse')
-    dispatchMessage(i2s, message)
-    return
-}
-
-if (parameters.get('spInitiated') == 'true' && inargs.containsKey('soapheader')) { // SP-initiated SOAP with soapheader
-    LOG.debug("found soapheader parameter for SP-initiated")
-    String message = inargs.get('soapheader')
-    dispatchMessage(i2s, message)
-    return
-}
-
-if (parameters.get('spInitiated') == 'true' && inargs.containsKey('')) { // SP-initiated SOAP with empty
-    LOG.debug("found empty parameter for SP-initiated SOAP message")
-    String message = inargs.get('')
-    dispatchMessage(i2s, message)
-    return
-}
-
-String issuer = inargs['Issuer'] ?: inargs['issuer']
-if (parameters.get('idpInitiated') == 'true' && issuer != null) { // IDP-initiated authentication
-    LOG.debug("found Issuer parameter for IDP-initiated authentication")
-    dispatchIssuer(i2s, issuer)
-    return
-}
-
-// used as fallback in case of ?logout (we need an IdentityProviderState)
-if (inargs.containsKey("logout") && session.containsKey('saml.idp.result')) {
-    def result = session.get('saml.idp.result')
-    LOG.debug("dispatching to last used ResultCond: $result")
-    response.setResult(result)
-    return
-}
-
-def location = getReferer('/')
-LOG.info("Unable to dispatch request. Giving up and redirecting (back) to $location")
+import groovy.xml.XmlSlurper
+import groovy.xml.slurpersupport.GPathResult
+import groovy.xml.slurpersupport.NodeChild
+
+import java.util.zip.Inflater
+import java.util.zip.InflaterInputStream
+
+/**
+ * Gets the value of the Referer header.
+ * If the header is missing the fallback is returned
+ *
+ * This method is used when SAML IDP / Dispatch Error Redirect is not set
+ *
+ * @param fallback - value to return if the Referer header is missing
+ * @return value of header or fallback
+ */
+def getReferer(String fallback) {
+    return request.getHttpHeader('Referer') ?: fallback
+}
+
+def redirect(String url) {
+    outargs.put('nevis.transfer.type', 'redirect')
+    outargs.put('nevis.transfer.destination', url)
+}
+
+String getNormalisedSamlMessage(String parameter) {
+    if (parameter == null) {
+        return
+    }
+    String text
+    byte[] decoded
+
+    // if parameter is raw xml then continue otherwise try to parse the base64 encoding
+    if (parameter.startsWith("<")) {
+        text = new String(parameter)
+    }
+    else {
+        decoded = parameter.decodeBase64()
+        text = new String(decoded)
+    }
+    return text
+}
+
+
+String getNodeText(GPathResult xml, String nodeName) {
+    return xml.depthFirst().find { GPathResult node -> {
+        node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
+      }
+    }?.text()?.trim()
+}
+
+String getAttribute(GPathResult xml, String attributeName) {
+    return xml.depthFirst().find { GPathResult node -> {
+        node.attributes().containsKey(attributeName)
+      }
+    }?.attributes()?.get(attributeName)
+}
+
+String getNodeText(String parameter, String nodeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
+    if (samlMessage == null) {
+        return
+    }
+    def parser = new XmlSlurper()
+    def xml = parser.parseText(samlMessage)
+    return getNodeText(xml, nodeName)
+}
+
+String getAttribute(String parameter, String attributeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
+    if (samlMessage == null) {
+        return
+    }
+    def parser = new XmlSlurper()
+    def xml = parser.parseText(samlMessage)
+    return getAttribute(xml, attributeName)
+}
+
+String getIssuer(String value) {
+  return getNodeText(value, 'Issuer')
+}
+
+String getAttributeConsumingServiceIndex(String value) {
+  return getAttribute(value, 'AttributeConsumingServiceIndex')
+}
+
+String getProtocolBinding(String value) {
+  return getAttribute(value, 'ProtocolBinding')
+}
+
+def dispatchIssuer(i2s, String issuer, boolean secureMode) {
+    def result = i2s.get(issuer)
+    if (result == null) {
+        LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
+    }
+    
+    // dispatch different idp if artifact binding is enabled
+    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
+        LOG.debug("EPD: Artifact mode")
+        result = result + "_artifact"
+    } else if (result == 'main' && secureMode) {
+        LOG.debug("AGOV: Secure mode requested")
+        result =  result + "_secure"
+    } 
+    response.setResult(result)
+    session.put('saml.inbound.issuer', issuer)
+    session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
+    
+}
+
+def dispatchIssuer(i2s, String issuer) {
+  dispatchIssuer(i2s, issuer, false)
+}
+
+def dispatchMessage(i2s, String message) {
+    def issuer = getIssuer(message)
+    def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
+    def useArtifact = ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' == getProtocolBinding(message))
+
+    LOG.info("secureMode requested: ${secureMode}")
+
+    if (issuer == null) {
+        LOG.info("No issuer found in incoming SAML message. Giving up.")
+    }
+    session.put('saml.inbound.issuer', issuer)
+    session.put('agov.idp.use.artifact', '' + useArtifact)
+    dispatchIssuer(i2s, issuer, secureMode)
+}
+
+if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {
+    String url = request.currentResource
+    def path = new URL(url).getPath()
+    if (path.endsWith("/logout")) {
+        // next AuthState will show a logout confirmation GUI
+        response.setResult('confirm')
+        return
+    }
+}
+
+// ensure session exists
+if (request.getSession(false) == null) {
+    session = request.getSession(true).getData()
+}
+
+// issuer (any case) -> ResultCond name
+def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
+
+
+i2s.put(parameters.get('atb'), 'main')
+i2s.put(parameters.get('epd_atb'), 'epd')
+
+if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
+    LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
+    String message = inargs.get('SAMLRequest')
+    dispatchMessage(i2s, message)
+    return
+}
+
+if (inargs.containsKey('SAMLResponse')) { // response to IDP-initiated SAML Logout
+    LOG.debug("found SAMLResponse parameter")
+    String message = inargs.get('SAMLResponse')
+    dispatchMessage(i2s, message)
+    return
+}
+
+if (parameters.get('spInitiated') == 'true' && inargs.containsKey('soapheader')) { // SP-initiated SOAP with soapheader
+    LOG.debug("found soapheader parameter for SP-initiated")
+    String message = inargs.get('soapheader')
+    dispatchMessage(i2s, message)
+    return
+}
+
+if (parameters.get('spInitiated') == 'true' && inargs.containsKey('')) { // SP-initiated SOAP with empty
+    LOG.debug("found empty parameter for SP-initiated SOAP message")
+    String message = inargs.get('')
+    dispatchMessage(i2s, message)
+    return
+}
+
+String issuer = inargs['Issuer'] ?: inargs['issuer']
+if (parameters.get('idpInitiated') == 'true' && issuer != null) { // IDP-initiated authentication
+    LOG.debug("found Issuer parameter for IDP-initiated authentication")
+    dispatchIssuer(i2s, issuer)
+    return
+}
+
+// used as fallback in case of ?logout (we need an IdentityProviderState)
+if (inargs.containsKey("logout") && session.containsKey('saml.idp.result')) {
+    def result = session.get('saml.idp.result')
+    LOG.debug("dispatching to last used ResultCond: $result")
+    response.setResult(result)
+    return
+}
+
+def location = getReferer('/')
+LOG.info("Unable to dispatch request. Giving up and redirecting (back) to $location")
 redirect(location)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/initializeRecovery.groovy

@@ -1,33 +1,33 @@
-if (inargs['authRequestId'] && (!session['ch.nevis.auth.saml.request.id'] || inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
-    // make sure we start from scratch
-    def mInargs = request.getInArgs()
-    mInargs.remove('email')
-    mInargs.remove('recaptcha_sitekey')
-    mInargs.remove('recaptcha_response')
-    mInargs.remove('continue')
-    mInargs.remove('authRequestId')
-    mInargs.remove('cancel')
-}
-
-if (inargs['cd'] && session['agov.recovery.code']) {
-  // we are called with a new URL --> make sure we start from scratch
-  def s = request.getAuthSession(true)
-  def sessionKeySet = new HashSet(session.keySet()) 
-  sessionKeySet.each { key -> 
-    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ || key ==~ /agov.recovery.*/ ) {
-      s.removeAttribute(key)
-    }
-  }
-}
-
-if (!session['ch.nevis.auth.saml.request.id']) {
-    response.setSessionAttribute('ch.nevis.auth.saml.request.id', java.util.UUID.randomUUID().toString())
-}
-
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-
-response.setSessionAttribute('agov.recovery.ip', '' + sourceIp)
-response.setSessionAttribute('agov.recovery.userAgent', '' + userAgent)
-
+if (inargs['authRequestId'] && (!session['ch.nevis.auth.saml.request.id'] || inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+    // make sure we start from scratch
+    def mInargs = request.getInArgs()
+    mInargs.remove('email')
+    mInargs.remove('recaptcha_sitekey')
+    mInargs.remove('recaptcha_response')
+    mInargs.remove('continue')
+    mInargs.remove('authRequestId')
+    mInargs.remove('cancel')
+}
+
+if (inargs['cd'] && session['agov.recovery.code']) {
+  // we are called with a new URL --> make sure we start from scratch
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ || key ==~ /agov.recovery.*/ ) {
+      s.removeAttribute(key)
+    }
+  }
+}
+
+if (!session['ch.nevis.auth.saml.request.id']) {
+    response.setSessionAttribute('ch.nevis.auth.saml.request.id', java.util.UUID.randomUUID().toString())
+}
+
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+response.setSessionAttribute('agov.recovery.ip', '' + sourceIp)
+response.setSessionAttribute('agov.recovery.userAgent', '' + userAgent)
+
 response.setResult('default')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logRecoveryReason.groovy

@@ -1,10 +1,10 @@
-def requester = 'unknown'
-def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
-def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-def reason = session['agov.recovery.reason'] ?: 'unknown'
-
-LOG.info("Event='RECOVERY-REASON', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', Reason='${reason}'")
-
+def requester = 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def reason = session['agov.recovery.reason'] ?: 'unknown'
+
+LOG.info("Event='RECOVERY-REASON', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', Reason='${reason}'")
+
 response.setResult('ok')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logging.yml

@@ -16,16 +16,12 @@ Configuration:
       level: "INFO"
     - name: "EsAuthStart"
       level: "INFO"
-    - name: "org.apache.catalina.loader.WebappClassLoader"
-      level: "FATAL"
-    - name: "org.apache.catalina.startup.HostConfig"
-      level: "ERROR"
-    - name: "ch.nevis.esauth.events"
-      level: "FATAL"
     - name: "AGOV-ACCT"
       level: "DEBUG"
     - name: "AgovCaptcha"
       level: "DEBUG"
+    - name: "ArtifactResolutionService"
+      level: "DEBUG"
     - name: "AuthEngine"
       level: "INFO"
     - name: "AuthPerf"
@@ -33,9 +29,11 @@ Configuration:
     - name: "IdmAuth"
       level: "DEBUG"
     - name: "OpTrace"
-      level: "DEBUG"
+      level: "INFO"
     - name: "Recovery"
       level: "DEBUG"
+    - name: "Saml"
+      level: "DEBUG"
     - name: "Script"
       level: "DEBUG"
     - name: "SessCoord"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logout_confirm.groovy

@@ -1,64 +1,64 @@
-def redirect(location) {
-    outargs.put('nevis.transfer.type', 'redirect')
-    outargs.put('nevis.transfer.destination', location)
-}
-
-def getReturnURL() {
-    if (inargs.containsKey('return')) {
-        return inargs.get('return')
-    }
-    // determine returnURL based on Referer header (if present and not pointing to this page)
-    def referer = request.getHttpHeader('Referer')
-    if (referer == null) {
-        LOG.debug('no Referer header found')
-        return null
-    }
-    // strip query String for comparison
-    String previous = referer.contains('?') ? referer.substring(0, referer.indexOf("?")) : referer
-    def current = request.getCurrentResource()
-    if (current.startsWith(previous)) {
-        LOG.debug("Referer header $referer cannot be used as return URL - cyclic redirect")
-        return null
-    }
-    return referer
-}
-
-if (inargs.containsKey('logout-confirm')) {
-    def current = request.getCurrentResource()
-    // user has confirmed logout -> replace /logout with /?logout
-    String location
-    if (current.contains('?')) {
-        location = current.replace("/logout?", "/?logout&")
-    }
-    else {
-        location = current.replace("/logout", "/?logout")
-    }
-    redirect(location)
-    return
-}
-
-if (inargs.containsKey('logout-abort')) {
-    // user has aborted logout -> redirect to stored return URL
-    def location = session.get('logout-abort-url')
-    redirect(location)
-    return
-}
-
-// user has not clicked any button -> render GUI
-response.setGuiName('saml_logout_confirm')
-response.setGuiLabel('title.logout.confirmation')
-// not setting a target as the API has been removed
-response.addInfoGuiField('info', 'info.logout.confirmation', null)
-response.addButtonGuiField('logout-confirm', 'continue.button.label', 'true')
-
-def returnURL = getReturnURL()
-
-if (returnURL != null) {
-    // store return URL in session
-    session.put('logout-abort-url', returnURL)
-}
-
-if (session.containsKey('logout-abort-url')) {
-    // add cancel button to go back
-    response.addButtonGuiField('logout-abort', 'cancel.button.label', 'true')
+def redirect(location) {
+    outargs.put('nevis.transfer.type', 'redirect')
+    outargs.put('nevis.transfer.destination', location)
+}
+
+def getReturnURL() {
+    if (inargs.containsKey('return')) {
+        return inargs.get('return')
+    }
+    // determine returnURL based on Referer header (if present and not pointing to this page)
+    def referer = request.getHttpHeader('Referer')
+    if (referer == null) {
+        LOG.debug('no Referer header found')
+        return null
+    }
+    // strip query String for comparison
+    String previous = referer.contains('?') ? referer.substring(0, referer.indexOf("?")) : referer
+    def current = request.getCurrentResource()
+    if (current.startsWith(previous)) {
+        LOG.debug("Referer header $referer cannot be used as return URL - cyclic redirect")
+        return null
+    }
+    return referer
+}
+
+if (inargs.containsKey('logout-confirm')) {
+    def current = request.getCurrentResource()
+    // user has confirmed logout -> replace /logout with /?logout
+    String location
+    if (current.contains('?')) {
+        location = current.replace("/logout?", "/?logout&")
+    }
+    else {
+        location = current.replace("/logout", "/?logout")
+    }
+    redirect(location)
+    return
+}
+
+if (inargs.containsKey('logout-abort')) {
+    // user has aborted logout -> redirect to stored return URL
+    def location = session.get('logout-abort-url')
+    redirect(location)
+    return
+}
+
+// user has not clicked any button -> render GUI
+response.setGuiName('saml_logout_confirm')
+response.setGuiLabel('title.logout.confirmation')
+// not setting a target as the API has been removed
+response.addInfoGuiField('info', 'info.logout.confirmation', null)
+response.addButtonGuiField('logout-confirm', 'continue.button.label', 'true')
+
+def returnURL = getReturnURL()
+
+if (returnURL != null) {
+    // store return URL in session
+    session.put('logout-abort-url', returnURL)
+}
+
+if (session.containsKey('logout-abort-url')) {
+    // add cancel button to go back
+    response.addButtonGuiField('logout-abort', 'cancel.button.label', 'true')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/otel.properties

@@ -1,4 +1,5 @@
 otel.service.name = auth
+otel.traces.sampler = always_on
 otel.traces.exporter = none
 otel.metrics.exporter = none
 otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy

@@ -1,25 +1,25 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-
-if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
-  def s = request.getAuthSession(true)
-  s.removeAttribute('agov.recovery.moreThanOneLf')
-
-  response.setResult('doCancel')
-  return
-}
-
-if (inargs['continue'] && inargs['continue'] == 'yes') {
-  response.setSessionAttribute('agov.recovery.moreThanOneLf', 'yes')
-  response.setResult('loginFactorYes')
-  return
-}
-
-if (inargs['continue'] && inargs['continue'] == 'no') {
-  response.setSessionAttribute('agov.recovery.moreThanOneLf', 'no')
-  response.setResult('loginFactorNo')
-  return
-}
-
-// if we reach this, display the GUI again
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
+  def s = request.getAuthSession(true)
+  s.removeAttribute('agov.recovery.moreThanOneLf')
+
+  response.setResult('doCancel')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'yes') {
+  response.setSessionAttribute('agov.recovery.moreThanOneLf', 'yes')
+  response.setResult('loginFactorYes')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'no') {
+  response.setSessionAttribute('agov.recovery.moreThanOneLf', 'no')
+  response.setResult('loginFactorNo')
+  return
+}
+
+// if we reach this, display the GUI again
+response.setStatus(AuthResponse.AUTH_CONTINUE)
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy

@@ -1,28 +1,28 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-
-if (inargs['reason']) {
-  response.setSessionAttribute('agov.recovery.reason', '' + inargs['reason'])
-}
-
-if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
-  def s = request.getAuthSession(true)
-  s.removeAttribute('agov.recovery.moreThanOneLf')
-  s.removeAttribute('agov.recovery.reason')
-
-  response.setResult('doCancel')
-  return
-}
-
-if (inargs['continue'] && inargs['continue'] == 'yes') {
-  response.setResult('validReasons')
-  return
-}
-
-if (inargs['continue'] && inargs['continue'] == 'no') {
-  response.setResult('invalidReasons')
-  return
-}
-
-// if we reach this, display the GUI again
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+if (inargs['reason']) {
+  response.setSessionAttribute('agov.recovery.reason', '' + inargs['reason'])
+}
+
+if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
+  def s = request.getAuthSession(true)
+  s.removeAttribute('agov.recovery.moreThanOneLf')
+  s.removeAttribute('agov.recovery.reason')
+
+  response.setResult('doCancel')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'yes') {
+  response.setResult('validReasons')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'no') {
+  response.setResult('invalidReasons')
+  return
+}
+
+// if we reach this, display the GUI again
+response.setStatus(AuthResponse.AUTH_CONTINUE)
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-checkAccount.groovy

@@ -76,4 +76,4 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
               response.setResult('error')
               return
 
-// new
+// new

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy

@@ -1,22 +1,22 @@
-if (session['agov.recovery.redirectDone']) {
-  // user navigated back from AGOV.me, go again for the code
-
-  // clean up SAML state first, 
-  // IdentityProviderState sets session attributes as follows
-  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
-  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
-  def s = request.getAuthSession(true)
-  def sessionKeySet = new HashSet(session.keySet()) 
-  sessionKeySet.each { key -> 
-    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
-      LOG.debug("Deleted session attribute '${key}'")
-      s.removeAttribute(key)
-    }
-  }
-  s.removeAttribute('agov.recovery.redirectDone')
-  response.setResult('back')
-} else {
-  // redirect
-  response.setSessionAttribute('agov.recovery.redirectDone', 'true')
-  response.setResult('redirect')
-}
+if (session['agov.recovery.redirectDone']) {
+  // user navigated back from AGOV.me, go again for the code
+
+  // clean up SAML state first, 
+  // IdentityProviderState sets session attributes as follows
+  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
+  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+      LOG.debug("Deleted session attribute '${key}'")
+      s.removeAttribute(key)
+    }
+  }
+  s.removeAttribute('agov.recovery.redirectDone')
+  response.setResult('back')
+} else {
+  // redirect
+  response.setSessionAttribute('agov.recovery.redirectDone', 'true')
+  response.setResult('redirect')
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy

@@ -1,267 +1,267 @@
-import groovy.json.JsonSlurper
-import groovy.xml.XmlSlurper
-import org.codehaus.groovy.runtime.StackTraceUtils
-
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-
-
-// AGOVaq conversion
-def maxLoiRoleToCtxClssConvertorMap = [
-    "level100": "urn:qa.agov.ch:names:tc:ac:classes:100",
-    "level200": "urn:qa.agov.ch:names:tc:ac:classes:200",
-    "level300": "urn:qa.agov.ch:names:tc:ac:classes:300",
-    "level400": "urn:qa.agov.ch:names:tc:ac:classes:400",
-    "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
-]
-
-// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
-def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
-
-def getUserIdVerificationForRecovery(currentLoaRole) {
-  // application is AGOV-AccountStatus
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  def result = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover'}?.value?.text()
-
-  if (!result) {
-    // fallback if not explicitly set
-    def chDomicile = list.country.text() == 'ch'
-    def lastIdVerification = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + currentLoaRole}?.value?.text() ?: 'missing'
-    switch (currentLoaRole) {
-      case 'level100':
-        result = chDomicile ? 'SimpleLetter' : 'Video'
-        break
-      case 'level200':
-        result = chDomicile ? 'Bmid' : 'Video'
-        break
-      case 'level300':
-      case 'level400':
-        result = chDomicile ? lastIdVerification : 'Video'
-        break
-      default:
-        LOG.warn("unexpected loa on account: ${currentLoaRole}")
-        // safest default, should work in any case
-        result = 'Video'
-    }
-    LOG.warn("Recovery method not set, choosing ${result} (based on currentLoad: ${currentLoaRole}, CH-domicile: ${chDomicile}, last verification method: ${lastIdVerification})")
-  }
-  return result
-}
-
-def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevel) {
-  def result = 'level'
-
-  switch (idVerification) {
-    case 'None':
-      result = result.concat('100')
-      break
-    case 'SimpleLetter':
-      result = result.concat('200')
-      break
-    case 'Video':
-    case 'VideoSelfPaid':
-    case 'Bmid':
-    case 'BmidSelfPaid':
-    case 'Counter':
-      result = result.concat((highestRoleLevel == 'level400') ? '400' : '300')
-      break
-    default:
-      LOG.warn("unexpected idVerification for recovery on account: ${idVerification}")
-      // safest default, should work in any case
-      result = highestRoleLevel
-  }
-
-  return result
-}
-
-def getUserMustRecoverValidFrom() {
-  // set attibutes from DTO: -> validFrom
-  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  def authzNode = payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == 'mustRecover'}
-  return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
-}
-
-def userHasNewLoginFactor() {
-  IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-
-  String baseUrl = parameters.get('baseUrl')
-  String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
-  String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
-  String baseEndPoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId"
-
-  response.setSessionAttribute('agov.recovery.newLoginFactor', 'NONE')
-
-  try {
-     def credInfoArray = new JsonSlurper().parseText(idmRestClient.get("$baseEndPoint/generic-credentials"))
-
-     def accessApp = credInfoArray['items'].find( it -> it.stateName == "active")
-     if (accessApp) {
-       response.setSessionAttribute('agov.recovery.accessapp', accessApp.properties.fidouaf_name)
-       response.setSessionAttribute('agov.recovery.accessapp.dispatchTargetId', accessApp.identification.replaceAll('dispatch_target_', ''))
-       response.setSessionAttribute('agov.recovery.newLoginFactor', 'ACCESS_APP')
-       return true
-     }
-
-     credInfoArray = new JsonSlurper().parseText(idmRestClient.get("$baseEndPoint/fido2"))
-
-     def fido2Key = credInfoArray['items'].find( it -> it.stateName == "active")
-     if (fido2Key) {
-       response.setSessionAttribute('agov.recovery.securityKey', fido2Key.userFriendlyName)
-       response.setSessionAttribute('agov.recovery.newLoginFactor', 'FIDO2')
-       return true
-     }
-
-  } catch(Exception e) {
-    LOG.error(e.toString())
-  }
-  return false
-}
-
-
-// for autditing
-def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-def maxLoi = null
-
-
-// new
-if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null) {
-  try {
-    def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
-    def userState = userDto.state
-    def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
-
-    LOG.debug("Recovery: Dto is '${userDto}")
-    LOG.debug("Recovery: state is '${userState}")
-    LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'") 
-
-    if (userState == 'ACTIVE') {
-
-      response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
-      response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
-      response.setSessionAttribute('agov.recovery.codeStatus', 'notNeeded')
-      response.setSessionAttribute('agov.recovery.codeDetailStatus', 'n/a')
-      response.setSessionAttribute('agov.recovery.newLoginFactor', 'NONE')
-
-      def maxLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
-      maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
-
-      def idVerification = null
-      def agovAqValidFrom = null
-      if (maxLoi) {
-        if (maxLoi != 'level100') {
-          response.setSessionAttribute('agov.recovery.codeDetailStatus', '' + maxLoi)
-        }
-
-        idVerification = userDto.'**'.find { node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + maxLoi}?.value?.text()
-        idVerification = idVerification ?: 'None'
-        agovAqValidFrom = userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.validFrom?.text()
-        agovAqValidFrom = agovAqValidFrom?: userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.ctlCreDat?.text()
-      }
-
-      def mustRecover =   userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'mustRecover' }
-
-      def hasRecoveryRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recovery' }
-
-      def hasRecoveryCascadeRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recoveryCascade' }
-
-      def hasNewLoginFactor = hasRecoveryRole && userHasNewLoginFactor()
-
-      if (mustRecover) {
-        // attributes are defined over the mustRecover authorization
-        response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
-        response.setSessionAttribute('agov.recovery.codeDetailStatus', 'mustRecover')
-
-        idVerification = getUserIdVerificationForRecovery(maxLoi ?: 'level100') ?: idVerification
-
-        agovAqValidFrom = getUserMustRecoverValidFrom()
-
-        maxLoi = getAqLevelBasedOnIdVerificationForRecovery(idVerification, maxLoi)
-      } else if (hasRecoveryCascadeRole && hasNewLoginFactor) {
-        response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
-      }
-
-      LOG.debug("Recovery: MaxLoi is '${maxLoi}'")
-      LOG.debug("Recovery: IdVerification is  ${idVerification}")
-      LOG.debug("Recovery: agovAqValidFrom is ${agovAqValidFrom}")
-      LOG.debug("Recovery: mustRecover is '${mustRecover}'")
-      LOG.debug("Recovery: hasRecoveryRole is '${hasRecoveryRole}'")
-      LOG.debug("Recovery: hasNewLoginFactor is '${hasNewLoginFactor}'")
-
-      if (maxLoi != null) {       
-        if (maxLoiRoleToCtxClssConvertorMap.containsKey(maxLoi)) {
-          LOG.debug("Recovery: MaxLoiMapping is " + maxLoiRoleToCtxClssConvertorMap[maxLoi])
-          response.setSessionAttribute('agov.recovery.currentAgovAq', '' + maxLoiRoleToCtxClssConvertorMap[maxLoi])
-          response.setSessionAttribute('agov.recovery.currentIdVerification', '' + idVerification)
-          response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
-
-          if ((maxLoi == 'level100') && (mustRecover == null) && !hasNewLoginFactor) {
-            // AQ100 accounts need to use the recovery code, if they can
-            // check the status of recoveryCode credential
-            if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
-              LOG.debug("Recovery: emailAndCode")
-              response.setResult('needCode')
-              return
-            } else {
-              LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
-              response.setSessionAttribute('agov.recovery.codeStatus', 'skipped')
-              response.setSessionAttribute('agov.recovery.codeDetailStatus', "unusable (state: ${recoveryCode ? recoveryCode.state.text() : 'MISSING'})")
-              response.setResult('ok')
-              return
-            }
-
-          } else if ((maxLoi == 'level100') && hasNewLoginFactor) {
-            LOG.debug("Recovery: new Login Factor")
-            response.setSessionAttribute('agov.recovery.codeStatus', 'skipped')
-            response.setSessionAttribute('agov.recovery.codeDetailStatus', "new login factor already registered (${session['agov.recovery.newLoginFactor']})")
-            response.setResult('ok')
-            return
-
-          } else {
-            LOG.debug("Recovery: email")
-            response.setResult('ok')
-            return
-          }
-
-        } else {
-          LOG.error("Recovery: Failed to convert '${maxLoi}' to AGOVaq")
-          response.setResult('error')
-          return
-        }
-      } else {
-        // maxLoi is null
-        LOG.debug("Recovery: no 'AGOV-Loi'-role assigned to user ${user}")
-        if ((hasRecoveryRole != null) && (mustRecover == null)) {
-          response.setResult('notFullyRegistered')
-          return
-        } else {
-          LOG.error("Recovery: no 'AGOV-Loi'-role assigned to user ${user} and no recovery role ")
-          response.setResult('error')
-          return
-        }
-      }
-    } else {
-      // state != ACTIVE and no lasterror should not happen
-      LOG.error("Recovery: state='${userState}' but not lasterror set")
-      response.setNote('lasterror', '9909')
-      response.setNote('lasterrorinfo', 'internal error')
-      response.setResult('error')
-      return
-    }
-  } catch (Exception e) {
-    e = StackTraceUtils.sanitize(e)
-    def affectedLines = e.stackTrace.findAll { it.className.startsWith('Script') }.collect { "${it.methodName}:${it.lineNumber}" }
-    LOG.error("FATAL: Recovery processing failed (at lines: ${affectedLines})", e)
-    response.setNote('lasterror', '9909')
-    response.setNote('lasterrorinfo', 'internal error')
-    response.setResult('error')
-    return
-  }
-}
-
-LOG.error("Recovery: userDto missing or failure before (lasterror='${notes.getProperty('lasterror', '-')}')")
-response.setNote('lasterror', '9909')
-response.setNote('lasterrorinfo', 'internal error')
-response.setResult('error')
-return
+import groovy.json.JsonSlurper
+import groovy.xml.XmlSlurper
+import org.codehaus.groovy.runtime.StackTraceUtils
+
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+
+
+// AGOVaq conversion
+def maxLoiRoleToCtxClssConvertorMap = [
+    "level100": "urn:qa.agov.ch:names:tc:ac:classes:100",
+    "level200": "urn:qa.agov.ch:names:tc:ac:classes:200",
+    "level300": "urn:qa.agov.ch:names:tc:ac:classes:300",
+    "level400": "urn:qa.agov.ch:names:tc:ac:classes:400",
+    "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
+]
+
+// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+
+def getUserIdVerificationForRecovery(currentLoaRole) {
+  // application is AGOV-AccountStatus
+  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def result = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover'}?.value?.text()
+
+  if (!result) {
+    // fallback if not explicitly set
+    def chDomicile = list.country.text() == 'ch'
+    def lastIdVerification = list.'**'.find {node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + currentLoaRole}?.value?.text() ?: 'missing'
+    switch (currentLoaRole) {
+      case 'level100':
+        result = chDomicile ? 'SimpleLetter' : 'Video'
+        break
+      case 'level200':
+        result = chDomicile ? 'Bmid' : 'Video'
+        break
+      case 'level300':
+      case 'level400':
+        result = chDomicile ? lastIdVerification : 'Video'
+        break
+      default:
+        LOG.warn("unexpected loa on account: ${currentLoaRole}")
+        // safest default, should work in any case
+        result = 'Video'
+    }
+    LOG.warn("Recovery method not set, choosing ${result} (based on currentLoad: ${currentLoaRole}, CH-domicile: ${chDomicile}, last verification method: ${lastIdVerification})")
+  }
+  return result
+}
+
+def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevel) {
+  def result = 'level'
+
+  switch (idVerification) {
+    case 'None':
+      result = result.concat('100')
+      break
+    case 'SimpleLetter':
+      result = result.concat('200')
+      break
+    case 'Video':
+    case 'VideoSelfPaid':
+    case 'Bmid':
+    case 'BmidSelfPaid':
+    case 'Counter':
+      result = result.concat((highestRoleLevel == 'level400') ? '400' : '300')
+      break
+    default:
+      LOG.warn("unexpected idVerification for recovery on account: ${idVerification}")
+      // safest default, should work in any case
+      result = highestRoleLevel
+  }
+
+  return result
+}
+
+def getUserMustRecoverValidFrom() {
+  // set attibutes from DTO: -> validFrom
+  def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
+  def authzNode = payload.'**'.find {node -> node.name() == 'authorizations' && node.role.name.text() == 'mustRecover'}
+  return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
+}
+
+def userHasNewLoginFactor() {
+  IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+  String baseUrl = parameters.get('baseUrl')
+  String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+  String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+  String baseEndPoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId"
+
+  response.setSessionAttribute('agov.recovery.newLoginFactor', 'NONE')
+
+  try {
+     def credInfoArray = new JsonSlurper().parseText(idmRestClient.get("$baseEndPoint/generic-credentials"))
+
+     def accessApp = credInfoArray['items'].find( it -> it.stateName == "active")
+     if (accessApp) {
+       response.setSessionAttribute('agov.recovery.accessapp', accessApp.properties.fidouaf_name)
+       response.setSessionAttribute('agov.recovery.accessapp.dispatchTargetId', accessApp.identification.replaceAll('dispatch_target_', ''))
+       response.setSessionAttribute('agov.recovery.newLoginFactor', 'ACCESS_APP')
+       return true
+     }
+
+     credInfoArray = new JsonSlurper().parseText(idmRestClient.get("$baseEndPoint/fido2"))
+
+     def fido2Key = credInfoArray['items'].find( it -> it.stateName == "active")
+     if (fido2Key) {
+       response.setSessionAttribute('agov.recovery.securityKey', fido2Key.userFriendlyName)
+       response.setSessionAttribute('agov.recovery.newLoginFactor', 'FIDO2')
+       return true
+     }
+
+  } catch(Exception e) {
+    LOG.error(e.toString())
+  }
+  return false
+}
+
+
+// for autditing
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def maxLoi = null
+
+
+// new
+if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null) {
+  try {
+    def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
+    def userState = userDto.state
+    def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
+
+    LOG.debug("Recovery: Dto is '${userDto}")
+    LOG.debug("Recovery: state is '${userState}")
+    LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'") 
+
+    if (userState == 'ACTIVE') {
+
+      response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+      response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
+      response.setSessionAttribute('agov.recovery.codeStatus', 'notNeeded')
+      response.setSessionAttribute('agov.recovery.codeDetailStatus', 'n/a')
+      response.setSessionAttribute('agov.recovery.newLoginFactor', 'NONE')
+
+      def maxLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+      maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
+
+      def idVerification = null
+      def agovAqValidFrom = null
+      if (maxLoi) {
+        if (maxLoi != 'level100') {
+          response.setSessionAttribute('agov.recovery.codeDetailStatus', '' + maxLoi)
+        }
+
+        idVerification = userDto.'**'.find { node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + maxLoi}?.value?.text()
+        idVerification = idVerification ?: 'None'
+        agovAqValidFrom = userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.validFrom?.text()
+        agovAqValidFrom = agovAqValidFrom?: userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.ctlCreDat?.text()
+      }
+
+      def mustRecover =   userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'mustRecover' }
+
+      def hasRecoveryRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recovery' }
+
+      def hasRecoveryCascadeRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recoveryCascade' }
+
+      def hasNewLoginFactor = hasRecoveryRole && userHasNewLoginFactor()
+
+      if (mustRecover) {
+        // attributes are defined over the mustRecover authorization
+        response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+        response.setSessionAttribute('agov.recovery.codeDetailStatus', 'mustRecover')
+
+        idVerification = getUserIdVerificationForRecovery(maxLoi ?: 'level100') ?: idVerification
+
+        agovAqValidFrom = getUserMustRecoverValidFrom()
+
+        maxLoi = getAqLevelBasedOnIdVerificationForRecovery(idVerification, maxLoi)
+      } else if (hasRecoveryCascadeRole && hasNewLoginFactor) {
+        response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
+      }
+
+      LOG.debug("Recovery: MaxLoi is '${maxLoi}'")
+      LOG.debug("Recovery: IdVerification is  ${idVerification}")
+      LOG.debug("Recovery: agovAqValidFrom is ${agovAqValidFrom}")
+      LOG.debug("Recovery: mustRecover is '${mustRecover}'")
+      LOG.debug("Recovery: hasRecoveryRole is '${hasRecoveryRole}'")
+      LOG.debug("Recovery: hasNewLoginFactor is '${hasNewLoginFactor}'")
+
+      if (maxLoi != null) {       
+        if (maxLoiRoleToCtxClssConvertorMap.containsKey(maxLoi)) {
+          LOG.debug("Recovery: MaxLoiMapping is " + maxLoiRoleToCtxClssConvertorMap[maxLoi])
+          response.setSessionAttribute('agov.recovery.currentAgovAq', '' + maxLoiRoleToCtxClssConvertorMap[maxLoi])
+          response.setSessionAttribute('agov.recovery.currentIdVerification', '' + idVerification)
+          response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
+
+          if ((maxLoi == 'level100') && (mustRecover == null) && !hasNewLoginFactor) {
+            // AQ100 accounts need to use the recovery code, if they can
+            // check the status of recoveryCode credential
+            if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
+              LOG.debug("Recovery: emailAndCode")
+              response.setResult('needCode')
+              return
+            } else {
+              LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
+              response.setSessionAttribute('agov.recovery.codeStatus', 'skipped')
+              response.setSessionAttribute('agov.recovery.codeDetailStatus', "unusable (state: ${recoveryCode ? recoveryCode.state.text() : 'MISSING'})")
+              response.setResult('ok')
+              return
+            }
+
+          } else if ((maxLoi == 'level100') && hasNewLoginFactor) {
+            LOG.debug("Recovery: new Login Factor")
+            response.setSessionAttribute('agov.recovery.codeStatus', 'skipped')
+            response.setSessionAttribute('agov.recovery.codeDetailStatus', "new login factor already registered (${session['agov.recovery.newLoginFactor']})")
+            response.setResult('ok')
+            return
+
+          } else {
+            LOG.debug("Recovery: email")
+            response.setResult('ok')
+            return
+          }
+
+        } else {
+          LOG.error("Recovery: Failed to convert '${maxLoi}' to AGOVaq")
+          response.setResult('error')
+          return
+        }
+      } else {
+        // maxLoi is null
+        LOG.debug("Recovery: no 'AGOV-Loi'-role assigned to user ${user}")
+        if ((hasRecoveryRole != null) && (mustRecover == null)) {
+          response.setResult('notFullyRegistered')
+          return
+        } else {
+          LOG.error("Recovery: no 'AGOV-Loi'-role assigned to user ${user} and no recovery role ")
+          response.setResult('error')
+          return
+        }
+      }
+    } else {
+      // state != ACTIVE and no lasterror should not happen
+      LOG.error("Recovery: state='${userState}' but not lasterror set")
+      response.setNote('lasterror', '9909')
+      response.setNote('lasterrorinfo', 'internal error')
+      response.setResult('error')
+      return
+    }
+  } catch (Exception e) {
+    e = StackTraceUtils.sanitize(e)
+    def affectedLines = e.stackTrace.findAll { it.className.startsWith('Script') }.collect { "${it.methodName}:${it.lineNumber}" }
+    LOG.error("FATAL: Recovery processing failed (at lines: ${affectedLines})", e)
+    response.setNote('lasterror', '9909')
+    response.setNote('lasterrorinfo', 'internal error')
+    response.setResult('error')
+    return
+  }
+}
+
+LOG.error("Recovery: userDto missing or failure before (lasterror='${notes.getProperty('lasterror', '-')}')")
+response.setNote('lasterror', '9909')
+response.setNote('lasterrorinfo', 'internal error')
+response.setResult('error')
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptchainfos.groovy

@@ -1,39 +1,39 @@
-import groovy.json.JsonSlurper
-import io.opentelemetry.api.trace.Span
-
-def url = parameters.get('url')
-def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
-def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
-
-try {
-  def spanCtxt = Span.current().getSpanContext()
-  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
-
-  def jsonSlurper = new JsonSlurper()
-  def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.get().url(url).header('traceparent', traceparent)
-                         .header(realIpHttpHeaderName, ip).build().send(httpClient)
-
-  LOG.debug('Response Status Code: ' + httpResponse.code())
-  LOG.debug('Response: ' + httpResponse.bodyAsString())
-
-  if (httpResponse.code() == 200) {
-    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
-
-    response.setSessionAttribute('agov.recovery.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
-    response.setSessionAttribute('agov.recovery.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
-    response.setSessionAttribute('agov.recovery.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
-
-
-    response.setResult('ok')
-  } else {
-    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
-    response.setResult('error')
-    response.setError(1, 'Unexpected HTTP reponse')
-  }
-} catch (all) {
-  // Handle exception and set the transition
-  LOG.error('error: ' + all, all)
-  response.setResult('error')
-  response.setError(1, 'Exception during HTTP call')
+import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
+
+def url = parameters.get('url')
+def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+
+try {
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+  def jsonSlurper = new JsonSlurper()
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.get().url(url).header('traceparent', traceparent)
+                         .header(realIpHttpHeaderName, ip).build().send(httpClient)
+
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+
+    response.setSessionAttribute('agov.recovery.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
+    response.setSessionAttribute('agov.recovery.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
+    response.setSessionAttribute('agov.recovery.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
+
+
+    response.setResult('ok')
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptcharesult.groovy

@@ -60,4 +60,4 @@ try {
   LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}")
   response.setResult('error')
   response.setError(1, 'Exception during HTTP call')
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_handlecode.groovy

@@ -21,4 +21,4 @@ if (inargs['cd'] != null) {
 if (inargs['cd'] == null && session['agov.recovery.code'] != null) {
      response.setResult('exit.1')
      return
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy

@@ -1,22 +1,22 @@
-import ch.nevis.esauth.auth.engine.AuthResponse
-
-if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
-  // clean up SAML state, to make sure the redirect will really be processed 
-  // IdentityProviderState sets session attributes as follows
-  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
-  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
-  def s = request.getAuthSession(true)
-  def sessionKeySet = new HashSet(session.keySet()) 
-  sessionKeySet.each { key -> 
-    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
-      LOG.debug("Deleted session attribute '${key}'")
-      s.removeAttribute(key)
-    }
-  }
-  response.setResult('ok')
-  return
-}
-
-// if we reach this, display the GUI again
-response.setStatus(AuthResponse.AUTH_CONTINUE)
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
+  // clean up SAML state, to make sure the redirect will really be processed 
+  // IdentityProviderState sets session attributes as follows
+  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
+  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+      LOG.debug("Deleted session attribute '${key}'")
+      s.removeAttribute(key)
+    }
+  }
+  response.setResult('ok')
+  return
+}
+
+// if we reach this, display the GUI again
+response.setStatus(AuthResponse.AUTH_CONTINUE)
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_sendemail031.groovy

@@ -1,41 +1,41 @@
-import io.opentelemetry.api.trace.Span
-
-def url = parameters.get('url')
-def email = inargs['email']
-def language = session['ch.nevis.session.user.language'] ?: 'en'
-def payload = '{ "email": "' + email + '", "language": "' + language + '"}'
-
-try {
-  def spanCtxt = Span.current().getSpanContext()
-  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
-
-  def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.post()
-          .url(url)
-          .header("Accept", "application/json")
-          .header("traceparent", traceparent)
-          .entity(Http.entity()
-                  .content(payload)
-                  .contentType("application/json")
-               //   .charSet("utf-8")
-                  .build())
-          .build()
-          .send(httpClient)
-
-  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
-  LOG.info('Response Status Code: ' + httpResponse.code())
-  LOG.info('Response: ' + httpResponse.bodyAsString())
-
-  if (httpResponse.code() == 200) {
-    response.setResult('ok')
-  } else {
-    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
-    response.setResult('error')
-    response.setError(1, 'Unexpected HTTP reponse')
-  }
-} catch (all) {
-  // Handle exception and set the transition
-  LOG.error('error: ' + all, all)
-  response.setResult('error')
-  response.setError(1, 'Exception during HTTP call')
+import io.opentelemetry.api.trace.Span
+
+def url = parameters.get('url')
+def email = inargs['email']
+def language = session['ch.nevis.session.user.language'] ?: 'en'
+def payload = '{ "email": "' + email + '", "language": "' + language + '"}'
+
+try {
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+  def httpClient = HttpClients.create(parameters)
+  def httpResponse = Http.post()
+          .url(url)
+          .header("Accept", "application/json")
+          .header("traceparent", traceparent)
+          .entity(Http.entity()
+                  .content(payload)
+                  .contentType("application/json")
+               //   .charSet("utf-8")
+                  .build())
+          .build()
+          .send(httpClient)
+
+  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
+  LOG.info('Response Status Code: ' + httpResponse.code())
+  LOG.info('Response: ' + httpResponse.bodyAsString())
+
+  if (httpResponse.code() == 200) {
+    response.setResult('ok')
+  } else {
+    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    response.setResult('error')
+    response.setError(1, 'Unexpected HTTP reponse')
+  }
+} catch (all) {
+  // Handle exception and set the transition
+  LOG.error('error: ' + all, all)
+  response.setResult('error')
+  response.setError(1, 'Exception during HTTP call')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy

@@ -8,4 +8,4 @@ response.setHeader('IDP-AUTH', 'Timeout')
 
 // CONTINUE to keep the other request beeing processed
 response.setStatus(AuthResponse.AUTH_CONTINUE)
-return
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/sanitizeAndDispatchEmailInput.groovy

@@ -29,3 +29,4 @@ if ( inargs['submit'] && inargs['submit'] == 'submit' ) {
 
 response.setResult('stay')
 return
+

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/sanitizeAndDispatchRecoveryEmailInput.groovy

@@ -22,4 +22,4 @@ if ( inargs['continue'] && inargs['continue'] == 'continue' ) {
 }
 
 response.setResult('stay')
-return
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-fido-uaf-instance-ca92034f995b39fde562293c.yaml

@@ -11,8 +11,8 @@ metadata:
 spec:
   type: "NevisFIDO"
   replicas: 1
-  version: "8.2411.2"
-  gitInitVersion: "1.3.0"
+  version: "8.2505.5"
+  gitInitVersion: "1.4.0"
   runAsNonRoot: true
   ports:
     rest: 9443
@@ -40,18 +40,19 @@ spec:
     management:
       httpGet:
         path: "/nevisfido/health"
+      initialDelaySeconds: 30
       periodSeconds: 5
       timeoutSeconds: 6
-      failureThreshold: 50
+      failureThreshold: 30
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-0a95034444af9c2e5b4a8c12cc3a0f444f6b0447"
+    tag: "r-484395a405f9f7123da379fa8df82e197d2dbd71"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf"
     credentials: "git-credentials"
   database:
     name: "fido-uaf"
-    requiredVersion: "8.2411.1"
+    requiredVersion: "8.2505.5"
   keystores:
   - "fido-uaf-default-server-identity"
   - "fido-uaf-default-client-identity"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-fido-uaf-internal-idp-auth-signer-trust-ca92034f995b39fde562293c.yaml

@@ -10,7 +10,7 @@ metadata:
     patternId: "ca92034f995b39fde562293c"
 spec:
   keystores:
-  - name: "auth-sh4r3d-internal-idp-auth-signer"
-    namespace: "adn-agov-nevisidm-01-uat"
   - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
     namespace: "adn-agov-nevisidm-01-uat"
+  - name: "auth-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-nevisfido-uaf-database-9385d1b33aefe975fb1c5914.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisFIDO"
   databaseType: "MariaDB"
-  version: "8.2411.2"
+  version: "8.2505.5"
   url: "mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat"
   port: 3306
   database: "nevisfido_uaf"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/agov-test-f666836d3cb4.json

@@ -9,4 +9,4 @@
   "token_uri": "https://oauth2.googleapis.com/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/agov-dev%40agov-test.iam.gserviceaccount.com"
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/env.conf

@@ -7,5 +7,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
-)
+    "-Dotel.resource.attributes=service.version=8.2505.5,service.instance.id=$HOSTNAME"
+)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/metadata/metadata.json

@@ -3,14 +3,13 @@
     "aaid" : "F1D0#0001",
     "description" : "Android NEVIS Mobile Authentication PIN Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [
-      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
-      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
-      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
-      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    "attestationRootCertificates" : [],
+    "supportedExtensions" : [
+      {
+        "id" : "ch.nevis.auth.fido.uaf.google-attestation-root-keys",
+        "fail_if_unknown" : false,
+        "data" : "[ \"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAQ==\" ]"
+      }
     ],
     "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
@@ -34,14 +33,13 @@
     "aaid" : "F1D0#0002",
     "description" : "Android NEVIS Mobile Authentication Fingerprint Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [
-      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
-      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
-      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
-      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    "attestationRootCertificates" : [],
+    "supportedExtensions" : [
+      {
+        "id" : "ch.nevis.auth.fido.uaf.google-attestation-root-keys",
+        "fail_if_unknown" : false,
+        "data" : "[ \"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAQ==\" ]"
+      }
     ],
     "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
@@ -65,14 +63,13 @@
     "aaid" : "F1D0#0003",
     "description" : "Android NEVIS Mobile Authentication Biometric Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [
-      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
-      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
-      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
-      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    "attestationRootCertificates" : [],
+    "supportedExtensions" : [
+      {
+        "id" : "ch.nevis.auth.fido.uaf.google-attestation-root-keys",
+        "fail_if_unknown" : false,
+        "data" : "[ \"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAQ==\" ]"
+      }
     ],
     "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
@@ -96,14 +93,13 @@
     "aaid" : "F1D0#0004",
     "description" : "Android NEVIS Mobile Authentication Device Passcode Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [
-      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
-      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
-      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
-      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    "attestationRootCertificates" : [],
+    "supportedExtensions" : [
+      {
+        "id" : "ch.nevis.auth.fido.uaf.google-attestation-root-keys",
+        "fail_if_unknown" : false,
+        "data" : "[ \"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAQ==\" ]"
+      }
     ],
     "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
@@ -127,14 +123,13 @@
     "aaid" : "F1D0#0005",
     "description" : "Android NEVIS Mobile Authentication Password Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [
-      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
-      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
-      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
-      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
-      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    "attestationRootCertificates" : [],
+    "supportedExtensions" : [
+      {
+        "id" : "ch.nevis.auth.fido.uaf.google-attestation-root-keys",
+        "fail_if_unknown" : false,
+        "data" : "[ \"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAQ==\" ]"
+      }
     ],
     "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
@@ -268,4 +263,5 @@
     "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
-  }]
+  }
+]

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/nevisfido.yml

@@ -37,7 +37,7 @@ fido-uaf:
     max-text-length: 2000
   metadata:
     path: "conf/metadata/metadata.json"
-  idm-connection-type: "soap"
+  idm-connection-type: "rest"
   dispatchers:
   - type: "firebase-cloud-messaging"
     dry-run: false
@@ -45,6 +45,7 @@ fido-uaf:
     registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
     authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
     deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+    message-ttl: "180s"
   - type: "png-qr-code"
     registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
     authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
@@ -54,8 +55,11 @@ fido-uaf:
     authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
     deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
     base-url: "ch.agov.access-t://x-callback-url/authenticate"
-  basic-full-attestation:
-    android-verification-level: "strict"
+  full-basic-attestation:
+    android-verification-level: "default"
+    android-permissive-mode-enabled: true
+    android-attestation-key-revocation:
+      reload-interval: "21600s"
   authorization:
     registration:
       type: "sectoken"
@@ -95,18 +99,18 @@ fido-uaf:
 session-repository:
   type: "sql"
   jdbc-url: "jdbc:mariadb://mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/nevisfido_uaf?sslMode=disable&autocommit=true"
-  max-connection-lifetime: "10m"
   user: "${exec:/var/opt/nevisfido/default/conf/credentials/dbUser}"
   password: "${exec:/var/opt/nevisfido/default/conf/credentials/dbPassword}"
-  schema-user: ""
-  schema-user-password: ""
   automatic-db-schema-setup: false
+  max-connection-lifetime: "1800s"
+  connection-timeout: "30s"
+  min-connection-pool-size: 10
+  max-connection-pool-size: 10
+  max-connection-idle-time: "600s"
 credential-repository:
   type: "nevisidm"
   client-id: "cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720"
   user-attribute: "extId"
-  administration-url: "https://idm.adn-agov-nevisidm-admin-01-uat:8989/nevisidm/services/v1_46/AdminService"
-  admin-service-version: "v1_46"
   rest-url: "https://idm.adn-agov-nevisidm-admin-01-uat:8989/nevisidm"
   keystore: "/var/opt/keys/own/fido-uaf-default-client-identity/keystore.p12"
   keystore-type: "pkcs12"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/otel.properties

@@ -1,4 +1,5 @@
 otel.service.name = fido-uaf
+otel.traces.sampler = always_on
 otel.traces.exporter = none
 otel.metrics.exporter = none
 otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/policy/biometrics_only.json

@@ -21,4 +21,4 @@
       }
     ]
   ]
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/policy/default.json

@@ -41,4 +41,4 @@
       }
     ]
   ]
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/policy/pin_only.json

@@ -11,4 +11,4 @@
       }
     ]
   ]
-}
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/status.py

@@ -44,4 +44,4 @@ if is_nevisfido_healthy():
     sys.exit(0)
 else:
     raise_last_error_in_log()
-    sys.exit(1)
+    sys.exit(1)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml

@@ -11,8 +11,8 @@ metadata:
 spec:
   type: "NevisFIDO"
   replicas: 1
-  version: "8.2411.2"
-  gitInitVersion: "1.3.0"
+  version: "8.2505.5"
+  gitInitVersion: "1.4.0"
   runAsNonRoot: true
   ports:
     management: 9089
@@ -40,13 +40,14 @@ spec:
     management:
       httpGet:
         path: "/nevisfido/health"
+      initialDelaySeconds: 30
       periodSeconds: 5
       timeoutSeconds: 6
-      failureThreshold: 50
+      failureThreshold: 30
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-317ed268556b37656f27fb58fcffd4797cea27e4"
+    tag: "r-484395a405f9f7123da379fa8df82e197d2dbd71"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/env.conf

@@ -6,5 +6,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
-)
+    "-Dotel.resource.attributes=service.version=8.2505.5,service.instance.id=$HOSTNAME"
+)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml

@@ -1,3 +1,21 @@
+fido2:
+  enabled: true
+  user-presence-requirement: "always"
+  rp-name: "AGOV-RelPartName"
+  rp-id: "adnovum.net"
+  origins:
+  - "https://ob.agov-w.azure.adnovum.net"
+  - "https://auth.agov-w.azure.adnovum.net"
+  - "https://nevisidm.agov-w.azure.adnovum.net"
+  signature-algorithms:
+  - "ES256"
+  - "EdDSA"
+  display-name-source: "email"
+  metadata:
+    allow-listing-enabled: false
+  timeout:
+    user-verification: "300s"
+    no-user-verification: "120s"
 server:
   port: 9443
   protocol: "https"
@@ -24,27 +42,5 @@ credential-repository:
   truststore-passphrase: "${exec:/var/opt/keys/trust/fido2-idp-extended-truststore/keypass}"
   truststore-type: "pkcs12"
   user-attribute: "extId"
-fido2:
-  enabled: true
-  rp-name: "AGOV-RelPartName"
-  rp-id: "adnovum.net"
-  origins:
-  - "https://ob.agov-w.azure.adnovum.net"
-  - "https://auth.agov-w.azure.adnovum.net"
-  - "https://nevisidm.agov-w.azure.adnovum.net"
-  signature-algorithms:
-  - "RS1"
-  - "RS256"
-  - "RS384"
-  - "RS512"
-  - "ES256"
-  - "ES384"
-  - "ES512"
-  display-name-source: "email"
-  metadata:
-    allow-listing-enabled: false
-  timeout:
-    user-verification: "300s"
-    no-user-verification: "120s"
 session-repository:
   type: "in-memory"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/otel.properties

@@ -1,4 +1,5 @@
 otel.service.name = fido2
+otel.traces.sampler = always_on
 otel.traces.exporter = none
 otel.metrics.exporter = none
 otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/status.py

@@ -44,4 +44,4 @@ if is_nevisfido_healthy():
     sys.exit(0)
 else:
     raise_last_error_in_log()
-    sys.exit(1)
+    sys.exit(1)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml

@@ -11,8 +11,8 @@ metadata:
 spec:
   type: "NevisLogrend"
   replicas: 1
-  version: "8.2411.2"
-  gitInitVersion: "1.3.0"
+  version: "8.2505.5"
+  gitInitVersion: "1.4.0"
   runAsNonRoot: true
   ports:
     server: 8988
@@ -38,13 +38,14 @@ spec:
   startupProbe:
     server:
       tcpSocket: true
+      initialDelaySeconds: 30
       periodSeconds: 5
       timeoutSeconds: 4
-      failureThreshold: 50
+      failureThreshold: 30
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-e157935e7f17a778cb613627a645fe400a85af4d"
+    tag: "r-5e17b7ae74eadb8800587a4f4db74406a7e21e95"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend"
     credentials: "git-credentials"
   podSecurity:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/env.conf

@@ -10,5 +10,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevislogrend/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
-)
+    "-Dotel.resource.attributes=service.version=8.2505.5,service.instance.id=$HOSTNAME"
+)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/mimetype.properties

@@ -1,3 +1,5 @@
+
 ico=image/x-icon
+json=application/json
 woff=font/woff
-woff2=font/woff2
+woff2=font/woff2

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/otel.properties

@@ -1,4 +1,5 @@
 otel.service.name = logrend
+otel.traces.sampler = always_on
 otel.traces.exporter = none
 otel.metrics.exporter = none
 otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text.properties

@@ -9,7 +9,6 @@ agov-ident.invalid-url.message=Link kann nicht verarbeitet werden
 agov-ident.invalid-url.title=Ungültiger Link
 agov-ident.onboarding=Registrierung & Verifikation
 agov-ident.retry=Versuchen Sie es erneut
-button.submit=Senden
 darkModeSwitch.aria.label=Dark-Mode-Schalter
 error.policy.failed=Das neue Passwort stimmt nicht mit der Richtlinie überein.
 error_1=Bitte überprüfen Sie Ihre Eingaben.
@@ -246,6 +245,7 @@ recovery_questionnaire_reason_selection.instruction=Bitte wählen Sie einen
 recovery_start_info.banner.warning=Sie können Ihr Konto nicht nutzen, bis der Wiederherstellungsprozess abgeschlossen ist.
 recovery_start_info.instruction=Während des Wiederherstellungsprozesses werden Sie einen neuen Login-Faktor registrieren. Wenn Ihr Konto verifizierte Informationen enthält, müssen Sie zum Abschluss des Wiederherstellungsprozesses möglicherweise auch einen Verifikationsprozess durchlaufen.
 recovery_start_info.title=Sie sind dabei, den Wiederherstellungsprozess zu starten
+submit.button.label=Senden
 title=NEVIS SSO Portal
 title.login=Login
 title.pwchange.label=Passwort ändern

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_de.properties

@@ -9,7 +9,6 @@ agov-ident.invalid-url.message=Link kann nicht verarbeitet werden
 agov-ident.invalid-url.title=Ungültiger Link
 agov-ident.onboarding=Registrierung & Verifikation
 agov-ident.retry=Versuchen Sie es erneut
-button.submit=Senden
 darkModeSwitch.aria.label=Dark-Mode-Schalter
 error.policy.failed=Das neue Passwort stimmt nicht mit der Richtlinie überein.
 error_1=Bitte überprüfen Sie Ihre Eingaben.
@@ -246,6 +245,7 @@ recovery_questionnaire_reason_selection.instruction=Bitte wählen Sie einen
 recovery_start_info.banner.warning=Sie können Ihr Konto nicht nutzen, bis der Wiederherstellungsprozess abgeschlossen ist.
 recovery_start_info.instruction=Während des Wiederherstellungsprozesses werden Sie einen neuen Login-Faktor registrieren. Wenn Ihr Konto verifizierte Informationen enthält, müssen Sie zum Abschluss des Wiederherstellungsprozesses möglicherweise auch einen Verifikationsprozess durchlaufen.
 recovery_start_info.title=Sie sind dabei, den Wiederherstellungsprozess zu starten
+submit.button.label=Senden
 title=NEVIS SSO Portal
 title.login=Login
 title.pwchange.label=Passwort ändern

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_en.properties

@@ -9,7 +9,6 @@ agov-ident.invalid-url.message=Link can't be processed
 agov-ident.invalid-url.title=Invalid Link
 agov-ident.onboarding=Registration & Verification
 agov-ident.retry=Try again
-button.submit=Submit
 darkModeSwitch.aria.label=Dark mode toggle
 error.policy.failed=The new password does not comply with the policy.
 error_1=Please check your input.
@@ -246,6 +245,7 @@ recovery_questionnaire_reason_selection.instruction=Please select the reason you
 recovery_start_info.banner.warning=You will not be able to use your account until the recovery process has been concluded.
 recovery_start_info.instruction=During the recovery process you will register a new login factor. If  your account contains any verified information you might also have to go through a verification process to finish the recovery.
 recovery_start_info.title=You are about to start the recovery process
+submit.button.label=Submit
 title=NEVIS SSO Portal
 title.login=Login
 title.pwchange.label=Password Change

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_fr.properties

@@ -9,7 +9,6 @@ agov-ident.invalid-url.message=Le lien ne peut pas être traité
 agov-ident.invalid-url.title=Lien non valide
 agov-ident.onboarding=Enregistrement et vérification
 agov-ident.retry=Essayez à nouveau
-button.submit=Envoyer
 darkModeSwitch.aria.label=Activer l'apparence sombre
 error.policy.failed=Votre nouveau mot de passe ne conforme pas aux mesures de sécurité
 error_1=Veuillez vérifier votre saisie.
@@ -246,6 +245,7 @@ recovery_questionnaire_reason_selection.instruction=Veuillez sélectionner
 recovery_start_info.banner.warning=Vous ne pourrez pas utiliser votre compte tant que le processus de récupération n'aura pas été terminé.
 recovery_start_info.instruction=Le processus de récupération nécessitera l’enregistrement d’un nouveau facteur d’authentification. Si votre compte contient des informations ayant déjà été vérifiées, il se peut que vous deviez les faire vérifier à nouveau pour terminer la récupération.
 recovery_start_info.title=Vous êtes sur le point de démarrer le processus de récupération.
+submit.button.label=Envoyer
 title=NEVIS SSO Portal
 title.login=Login
 title.pwchange.label=Changer mot de passe

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_it.properties

@@ -9,7 +9,6 @@ agov-ident.invalid-url.message=Il link non può essere elaborato
 agov-ident.invalid-url.title=Link non valido
 agov-ident.onboarding=Registrazione e verifica
 agov-ident.retry=Riprova
-button.submit=Continua
 darkModeSwitch.aria.label=Attivare la modalità scura
 error.policy.failed=La nuova password non è stata accettata. Scegliere una password che sia conforme ai criteri di password.
 error_1=Verificare i dati inseriti.
@@ -246,6 +245,7 @@ recovery_questionnaire_reason_selection.instruction=Selezioni il motivo per cui
 recovery_start_info.banner.warning=Non è possibile utilizzare l’account finché il processo di ripristino non sarà concluso.
 recovery_start_info.instruction=Durante il processo di ripristino registrerà un nuovo fattore di login. Se il suo account contiene informazioni verificate, potrebbe dover effettuare anche un processo di verificazione per completare il ripristino.
 recovery_start_info.title=Sta per iniziare il processo di ripristino
+submit.button.label=Continua
 title=NEVIS SSO Portal
 title.login=Login
 title.pwchange.label=Cambiare Password

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/apple.svg

@@ -0,0 +1,10 @@
+<svg width="19" height="18" viewBox="0 0 19 18" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0)">
+<path d="M13.9697 17.2808C12.9941 18.2276 11.9177 18.08 10.8917 17.6336C9.80091 17.1782 8.80371 17.1494 7.65171 17.6336C6.21711 18.2528 5.45571 18.0728 4.59171 17.2808C-0.28628 12.2588 0.433719 4.60879 5.97771 4.32079C7.32231 4.39279 8.26371 5.06419 9.05571 5.11999C10.2329 4.88059 11.3597 4.19479 12.6197 4.28479C14.1335 4.40719 15.2657 5.00479 16.0217 6.07938C12.9077 7.95138 13.6457 12.0554 16.5059 13.2074C15.9335 14.7104 15.1991 16.1954 13.9679 17.2934L13.9697 17.2808ZM8.94771 4.26679C8.80191 2.03479 10.6109 0.198798 12.6917 0.0187988C12.9779 2.59279 10.3517 4.51879 8.94771 4.26679Z" fill="#1F2F33"/>
+</g>
+<defs>
+<clipPath id="clip0">
+<rect width="15.156" height="18" fill="white" transform="translate(1.3335)"/>
+</clipPath>
+</defs>
+</svg>