diff --git a/patterns/1d38203c48e017b5b3812385_resources/recovery_ongoing.groovy b/patterns/1d38203c48e017b5b3812385_resources/recovery_ongoing.groovy
index fe86291..9cd8c3f 100644
--- a/patterns/1d38203c48e017b5b3812385_resources/recovery_ongoing.groovy
+++ b/patterns/1d38203c48e017b5b3812385_resources/recovery_ongoing.groovy
@@ -9,7 +9,7 @@ if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
def sessionKeySet = new HashSet(session.keySet())
sessionKeySet.each { key ->
if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
- LOG.info("Deleted session attribute '${key}'")
+ LOG.debug("Deleted session attribute '${key}'")
s.removeAttribute(key)
}
}
diff --git a/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml b/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
index c0a42d8..857581d 100644
--- a/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
+++ b/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
@@ -185,7 +185,7 @@
-
+
@@ -230,14 +230,14 @@
-
+
-
+
@@ -247,3 +247,11 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/patterns/584964c837512845d7940809_resources/recovery-prepareRedirect.groovy b/patterns/584964c837512845d7940809_resources/recovery-prepareRedirect.groovy
new file mode 100644
index 0000000..a7d2576
--- /dev/null
+++ b/patterns/584964c837512845d7940809_resources/recovery-prepareRedirect.groovy
@@ -0,0 +1,22 @@
+if (session['agov.recovery.redirectDone']) {
+ // user navigated back from AGOV.me, go again for the code
+
+ // clean up SAML state first,
+ // IdentityProviderState sets session attributes as follows
+ // -session-participants. =
+ // State name contains the name of the pattern 'Recovery_redirectAgovMe'
+ def s = request.getAuthSession(true)
+ def sessionKeySet = new HashSet(session.keySet())
+ sessionKeySet.each { key ->
+ if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+ LOG.debug("Deleted session attribute '${key}'")
+ s.removeAttribute(key)
+ }
+ }
+ s.removeAttribute('agov.recovery.redirectDone')
+ response.setResult('back')
+} else {
+ // redirect
+ response.setSessionAttribute('agov.recovery.redirectDone', 'true')
+ response.setResult('redirect')
+}
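Review bot: The `agov.recovery.redirectDone` flag is set in the `else` branch and cleared only in the 'back' branch, so nothing visible in this new script removes it when the user completes the step after the redirect. If no later state clears it (not visible from this file), a second recovery attempt in the same session would take the 'back' path on first entry and skip the redirect; confirm that the completion state removes the attribute. The guard also relies on Groovy truth, so any non-empty value passes; since the script stores the string 'true', an explicit `if (session['agov.recovery.redirectDone'] == 'true') {` states the intent. The comment line `// -session-participants. =` appears to have lost its placeholders and should be restored so the attribute naming scheme the regex depends on stays documented.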
diff --git a/patterns/584964c837512845d7940809_resources/recovery-processing.groovy b/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
index b2cf851..e96be6e 100644
--- a/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
+++ b/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
@@ -16,7 +16,7 @@ def maxLoiRoleToCtxClssConvertorMap = [
]
// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
-def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
def getUserIdVerificationForRecovery(currentLoaRole) {
// application is AGOV-AccountStatus
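Review bot: Dropping `LOCKED_TEMPORARY` from `blockingCredentialStates` means a credential in temporary lockout no longer counts as blocking for the recovery flow, and the hunk carries no comment saying why. Temporary lockout is normally the throttle against repeated guessing, so it is worth confirming that no recovery step accepts the temporarily locked credential as a factor; otherwise recovery becomes a way around the lockout window. How the list is consumed lies outside this hunk, so this is inferred from the variable name. I would add a comment above the list along the lines of `// LOCKED_TEMPORARY is deliberately non-blocking: <reason>; recovery does not authenticate with that credential`.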
diff --git a/patterns/f63c475c35b616b7c6c1901c_resources/mobile_nless_auth.groovy b/patterns/f63c475c35b616b7c6c1901c_resources/mobile_nless_auth.groovy
index e64b940..9eabed0 100644
--- a/patterns/f63c475c35b616b7c6c1901c_resources/mobile_nless_auth.groovy
+++ b/patterns/f63c475c35b616b7c6c1901c_resources/mobile_nless_auth.groovy
@@ -82,8 +82,9 @@ if (inargs['fidoUafDone'] == 'true' ||
if (inargs['fallback'] == 'fallback') {
response.setResult('fido2')
}
- // dispatch to recovery
- if (inargs['fallback'] == 'recovery') {
+
+// dispatch to recovery
+if (inargs['fallback'] == 'recovery') {
response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
response.setIsRedirectTransfer(true)