Before Migration

patterns/1d81bd987455a8e1ee044ccf_authStatesFile/epd_idp.xml

@@ -60,9 +60,15 @@
     <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
     <property name="out.audienceRestriction" value="${var.idp_agov_epd-audience}"/>
            
-    <!-- SAML Attributes -->
+    <!-- Epd standart Attributes -->
     <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
     <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
     <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
     <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+
+    <!-- extra Attributes -->
+    <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
+
+    <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
 </AuthState>

patterns/2cdd910036aa06b102863a4f_scriptFile/checkLoa.groovy

@@ -140,7 +140,7 @@ try {
     s.setAttribute('ch.nevis.idm.User.gender', '2')
   }
   if(s.get('ch.nevis.idm.User.gender') == 'OTHER'){
-    session.setAttribute('ch.nevis.idm.User.gender', '3')
+    s.setAttribute('ch.nevis.idm.User.gender', '3')
   }
 
 
@@ -223,7 +223,7 @@ try {
 
     if (recoveryRoleList.contains('mustRecover')) {
       s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
-      s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
+      s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown' )
 
       def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
       def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
@@ -247,8 +247,8 @@ try {
       } else {
         s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
       }
-      s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
+      s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown')
-      s.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+      s.setAttribute('agov.recovery.currentAgovAq', session.get('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
       LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
       def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
       s.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))

patterns/328e529ed345d17cacb4ec66_authStatesFile/eid_start_agov_account_linking.xml

@@ -0,0 +1,16 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+    <ResultCond name="link" next="${state.exit.1}"/>
+    <ResultCond name="register" next="${state.exit.2}"/>
+    <ResultCond name="cancel" next="${state.failed}"/>
+
+    <Response value="AUTH_CONTINUE">
+	    <Gui name="eid_linking_account">
+			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
+            <GuiElem name="app_name" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
+            <GuiElem name="firstname" type="hidden" value="${sess:agov.eid.User.firstName}" optional="true"/>
+            <GuiElem name="lastname" type="hidden" value="${sess:agov.eid.User.lastName}" optional="true"/>
+	    </Gui>
+    </Response>
+
+    <property name="script" value="file:///var/opt/nevisauth/default/conf/eid_start_account_linking.groovy"/>
+ </AuthState>

patterns/328e529ed345d17cacb4ec66_resources/eid_start_account_linking.groovy

@@ -0,0 +1,27 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+def sess = request.getAuthSession(true)
+
+if(inargs['cancelEid']){
+    LOG.debug("Account registration canceled: Send response with error")
+    response.setResult('cancel')
+    return
+}
+
+if(inargs['continue'] == 'link_account'){
+    LOG.debug("AGOV account linking")
+    //sess.setAttribute("eid.placeholder.text", "EId: Implicit account linking not implemented yet")
+    response.setResult('link')
+    return
+}
+
+if(inargs['continue'] == 'register_account'){
+    LOG.debug("AGOV account registration was selected")
+    sess.setAttribute("eid.placeholder.text", "EId: Account registration with implicit linking not implemented yet")
+    response.setResult('register')
+    return
+}
+
+LOG.debug("Show GUI")
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return

patterns/359792ce61c28c723ab7d354_authStatesFile/eid_account_linking_redirect_to_agovme.xml

@@ -0,0 +1,61 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.entry}_Handle_Redirect"/>
+    <!-- Change to AUTH_CONTINUE when we redirect back from agov me -->
+	<Response value="AUTH_ERROR">
+		<Gui name="internal_error">
+			<GuiElem name="transferId" type="hidden" value="${request:traceId}" optional="true"/>
+		</Gui>
+	</Response>
+	<property name="in.binding" value="none"/>
+	<property name="out.binding" value="internal"/>
+	<property name="out.sign" value="Response Assertion"/>
+	<property name="out.signatureKeyInfo" value="Certificate"/>
+	<!-- assertion validity time -->
+	<property name="out.ttl" value="${param.assertionValidityTime}"/>
+	<!-- subject confirmation: Bearer -->
+	<property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+	<property name="Bearer.ttl" value="${param.assertionValidityTime}"/>
+	<property name="out.keystoreref" value="Store_IDP_AGOV"/>
+	<property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+	<property name="spURL" value="${param.agovmedirecturl}"/>
+	<property name="acsUrlWhitelist.uris" value="not used"/>
+
+
+	<!-- attributes -->
+
+	<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:agov.authenticatedWith}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/requestedRoleLevel" value="${sess:agov.requestedRoleLevel}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/09/identity/claim/rpEntityId" value="${sess:agov.rpEntityId}"/>
+    
+    <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:agov.eid.User.firstName}"/>
+    <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:agov.eid.User.lastName}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="${sess:agov.eid.User.svnr}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="${sess:agov.eid.User.placeOfBirth}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin" value="${sess:agov.eid.User.placeOfOrigin}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:agov.eid.User.birthDate}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="${sess:agov.eid.User.nationality}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:agov.eid.User.eIdNumber}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:agov.eid.User.gender}"/>
+
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
+
+    <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
+    <property name="out.authnContextClassRef" value="${sess:agov.authnContextClassRef}"/>
+	<property name="out.subject" value="${sess:ch.adnovum.nevisidm.user.extId}"/> <!-- extId of the account to be linked -->
+	<property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+	<property name="out.issuer" value="${param.issuer}"/>
+    <property name="out.attributeDelimiter" value=",\s*" />
+	<property name="out.audienceRestriction" value="${param.directAudience}"/>
+
+</AuthState>
+
+<AuthState name="${state.entry}_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="ok" next="${state.done}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="not_used"/>
+	</Response>
+    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+	<property name="parameter.agovmedirecturl" value="${param.agovmedirecturl}"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/eid_account_linking_redirect_to_agovme.groovy"/>
+</AuthState>

patterns/359792ce61c28c723ab7d354_resources/eid_account_linking_redirect_to_agovme.groovy

@@ -0,0 +1,23 @@
+if(outargs.containsKey('saml.SAMLResponse')) {
+     // Accounting
+     def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+     def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+     def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
+     def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+     def credentialType = session['agov.authenticatedWith'] ?: 'unknown'
+     def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+     def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+     LOG.info("Event='GOTOEIDLINKING', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")     
+     
+     // Redirect
+     response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
+     response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
+     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+     response.setIsRedirectTransfer(false)
+
+     response.removeOutArg('saml.SAMLResponse')
+}
+else {
+    response.setResult('ok')
+}

patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua

@@ -6,7 +6,7 @@ validLanguages["DE"]=true
 validLanguages["FR"]=true
 validLanguages["IT"]=true
 validLanguages["EN"]=true
-validLanguages["RS"]=true
+validLanguages["RM"]=true
 
 function inputHeader(req, resp)
   local trace = req:getTracer()

patterns/4f15bae09cbda04a7a515158_resources/eid_fetch_linked_accounts.groovy

@@ -6,8 +6,6 @@ import ch.nevis.idm.client.HTTPRequestWrapper
 import groovy.json.JsonSlurper
 import groovy.json.JsonBuilder
 
-
-
 def getHeader(String name) {
 	def inctx = request.getLoginContext()
 	// case-insensitive lookup of HTTP headers
@@ -34,6 +32,7 @@ def clearEidSession(){
 }
 
 def getAccounts(json, String svnr) {
+    String svnrWithPrefix = "urn:ch-agov-eid:$svnr"
     def idm_users_dto = json["Resources"]
     def accounts = [:]
     def frontend_dto = []
@@ -50,8 +49,8 @@ def getAccounts(json, String svnr) {
             def extId = user["externalId"]
             //TODO/aca/2025/06/11: Can we have multiple email adresses? -> if yes search for primary
             String email = user["emails"][0]["value"]
-			if(cred["type"] == "SAMLFEDERATION" && cred["issuerNameId"] == svnr){
+			if(cred["type"] == "SAMLFEDERATION" && ( cred["issuerNameId"] == svnr || cred["issuerNameId"] == svnrWithPrefix )){
-                // we found a second federation credential in one AGOV account -> Throw data error
+                // we found more than one federation credential in one AGOV account -> Throw data error
                 if(foundCredential){
                     LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${extId}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Multiple EId linking credentials found in one AGOV account'")
                     return [null,null]
@@ -140,7 +139,7 @@ LOG.debug("search for accounts with SVNR: $svnr")
 
 // Pepare GET request
 String attributes = "externalId,emails,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.subjectNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.extId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.credentialLoginInfo.lastLogin"
-String filter = "urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type=='SAMLFEDERATION'%20AND%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId=='$svnr'"
+String filter = "urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type=='SAMLFEDERATION'%20AND%20%28%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'$svnr'%20OR%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'urn:ch-agov-eid:$svnr'%29"
 
 String requestUrl = "$endPoint?count=20&attributes=$attributes&filter=$filter"
 
@@ -157,7 +156,7 @@ try {
     def (accounts, frontend_dto) = getAccounts(json, svnr)
 
     // unrecoverable DATA ERROR happend
-    if(!accounts){
+    if(accounts == null){
         response.setResult('error')
         return
     }
@@ -167,9 +166,7 @@ try {
     LOG.debug("Linked accounts found: " + frontend_dto.toString())
 
     if(numAccounts == 0){
-        //TODO/aca/2025-06-10: Implement next step
+        // No account found => show account linking dialog options
-        // Redirect to an error page or linking page when that's ready and decided
-        sess.setAttribute("eid.placeholder.text", "EId: No AGOV Account found case not implemented yet")
         response.setResult('noAccount')
         return
     }else if(numAccounts == 1){

patterns/4f6692a69e4f33c8ed4c145f_script/responseHeaderPostProcessing.lua

@@ -2,11 +2,20 @@ function outputHeader(request, response)
     trace = request:getTracer()
 
     -- rename Set-Cookie2 header
-    local setCookieHeader = response:getHeader("Set-Cookie2")
+    local setCookieHeader2 = response:getHeader("Set-Cookie2")
-    if (setCookieHeader ~= nil) then 
+    if (setCookieHeader2 ~= nil) then 
-        trace:debug("Set a new cookie: " .. setCookieHeader)
+        trace:debug("Set a new cookie: " .. setCookieHeader2)
-        response:addHeader("Set-Cookie", setCookieHeader)
+        response:addHeader("Set-Cookie", setCookieHeader2)
         response:removeHeader("Set-Cookie2")
     end
 
+    -- BUNDBITBK-5688: We need to somtimes set 3 cookies with the new LOGINMETHOD cookie
+    -- rename Set-Cookie3 header
+    local setCookieHeader3 = response:getHeader("Set-Cookie3")
+    if (setCookieHeader3 ~= nil) then 
+        trace:debug("Set a new cookie: " .. setCookieHeader3)
+        response:addHeader("Set-Cookie", setCookieHeader3)
+        response:removeHeader("Set-Cookie3")
+    end
+
 end

patterns/5a75ffc73b91b88cfab6168e_authStatesFile/epd_artifact_idp.xml

@@ -64,11 +64,16 @@
     <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
     <property name="out.audienceRestriction" value="${var.idp_agov_epd-audience}"/>
            
-    <!-- SAML Attributes -->
+    <!-- EPD standard Attributes -->
     <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
     <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
     <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
-    <!--<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/> -->
     <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
 
+    <!-- extra Attributes -->
+    <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
+    <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
+
+    <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
+
 </AuthState>

patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy

@@ -105,7 +105,8 @@ try {
         session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
         session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
         session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
-        session.setAttribute('agov.appDisplayNameRM', '' + ((json.appDisplayNameRM) ? json.appDisplayNameRM : json.appDisplayNameDE))
+        session.setAttribute('agov.appDisplayNameRM', '' + json.displayNameRm)
+        //session.setAttribute('agov.appDisplayNameRM', '' + ( (json.displayNameRm) ? json.displayNameDe : json.displayNameRm))
 
         // if aq500 or 600 is requested -> the only available login method is eid -> continue directly there
         // if eid is disabled -> show an error page

patterns/7702342f21437f3de530e10c_authStatesFile/eid_account_linking_check_account_state.xml

@@ -0,0 +1,55 @@
+<AuthState name="${state.entry}" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
+	<ResultCond name="prospect" next="${state.entry}_getProperties"/>
+	<ResultCond name="default" next="${state.failed}"/>
+    <ResultCond name="failed" next="${state.failed}"/>
+	<ResultCond name="clientNotFound" next="${state.failed}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="internal_error">
+			<GuiElem name="transferId" type="hidden" value="${request:traceId}" optional="true"/>
+		</Gui>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	<property name="userExtId" value="${sess:ch.nevis.session.userid}"/>
+	<property name="clientExtId" value="${var.eid.idm.rest.clientExtId}"/>
+	<property name="presetNoteValues" value="false"/>
+    <property name="detaillevel.user" value="HIGH"/>
+	<property name="detaillevel.profile" value="HIGH"/>
+	<property name="detaillevel.role" value="MEDIUM"/>
+	<property name="detaillevel.authorization" value="HIGH"/>
+	<property name="detaillevel.dataroom" value="LOW"/>
+	<property name="detaillevel.credential" value="HIGH"/>
+	<property name="detaillevel.property" value="HIGH"/>
+	<property name="detaillevel.unit" value="LOW"/>
+	<property name="detaillevel.default" value="EXCLUDE"/>
+</AuthState>
+
+<!-- TODO/aca/2025/07/22 Adjust Detail Levels -->
+
+
+<AuthState name="${state.entry}_getProperties" final="false" class="ch.nevis.idm.authstate.IdmGetPropertiesState" resumeState="false">
+	<ResultCond name="ok" next="${state.done}"/>
+	<ResultCond name="default" next="${state.failed}"/>
+	<ResultCond name="clientNotFound" next="${state.failed}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="internal_error">
+			<GuiElem name="transferId" type="hidden" value="${request:traceId}" optional="true"/>
+		</Gui>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	
+	<property name="clientExtId" value="${var.eid.idm.rest.clientExtId}"/>
+	<property name="user.attributes" value="loginId,extId,firstName,name,email,mobile,birthDate, gender, language, street, houseNumber, postalCode, city, country"/>
+	<property name="user.properties" value="eIdNumber,nationality,placeOfBirth,svnr"/>
+	<property name="chooseDefaultProfile" value="true"/>
+	<property name="forceDataReload" value="false"/>
+	<property name="userExtId" value="${sess:ch.nevis.session.userid}"/>
+	<property name="detaillevel.user" value="HIGH"/>
+	<property name="detaillevel.profile" value="HIGH"/>
+	<property name="detaillevel.role" value="HIGH"/>
+	<property name="detaillevel.authorization" value="HIGH"/>
+	<property name="detaillevel.dataroom" value="HIGH"/>
+	<property name="detaillevel.credential" value="HIGH"/>
+	<property name="detaillevel.property" value="HIGH"/>
+	<property name="detaillevel.unit" value="LOW"/>
+	<property name="detaillevel.default" value="EXCLUDE"/>
+</AuthState>

patterns/7702342f21437f3de530e10c_resources/eid_account_linking_check_account_state.groovy

@@ -0,0 +1,40 @@
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+
+
+// TODO/aca/2025/08/15
+
+String user_notification_dto = '''
+{
+    "clientExtId": "{{clientExtId}}",
+    "userExtId": "{{userExtId}}",
+    "notificationType": "userNotification3",
+    "sendingMethod": [
+        "Email"
+    ],
+    "async": false
+}
+'''
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+def sess = request.getAuthSession(true)
+
+String baseUrl = parameters.get("baseUrl")
+String clientExtId = parameters.get("clientExtId")
+String endPoint = "$baseUrl/api/notification/v1/"
+
+String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
+
+String restRequest = user_notification_dto.replaceAll("\\{\\{clientExtId}}", clientExtId).replaceAll("\\{\\{userExtId}}", userExtId)
+
+try {
+    idmRestClient.post(endPoint, restRequest)
+    
+}catch(Exception e) {
+    LOG.error("Failed to send User Notification: Idm Update with EId data: ${e}")
+    response.setResult('error')
+    return
+}
+
+response.setResult('ok')
+return

patterns/92cb6d5256008a32f12ceb93_authStatesFile/agov_idp.xml

@@ -71,6 +71,7 @@
             <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
+            <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['agov.eid.User.placeOfOrigin'] : ''}"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
@@ -85,5 +86,5 @@
             <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
             <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
-            
+            <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
         </AuthState>

patterns/DefaultErrorPages_ecf4381f4653b0aa9a69b417.yml

@@ -5,34 +5,66 @@ pattern:
   name: "DefaultErrorPages"
   label: "UTILS"
   properties:
-    filters: "<filter>\n     <filter-name>DefaultErrorFilter</filter-name>\n     <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>\n\
+    filters: |-
-      \     <init-param>\n         <param-name>StatusCode</param-name>\n         <param-value>\n\
+      <filter>
-      \       400:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/404.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
+           <filter-name>DefaultErrorFilter</filter-name>
-      \       403:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/403.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
+           <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>
-      \       404:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/404.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
+           <init-param>
-      \       408:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/timeout.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
+               <param-name>StatusCode</param-name>
-      \       500:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/500.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
+               <param-value>
-      \       502:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/502.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
+             400:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/404.vm?logrendresourcepath=/nevislogrend:keep-status-code
-      \         </param-value>\n     </init-param>\n     <init-param>\n         <param-name>CheckAcceptHeader</param-name>\n\
+             403:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/403.vm?logrendresourcepath=/nevislogrend:keep-status-code
-      \         <param-value>true</param-value>\n     </init-param>\n     <init-param>\n\
+             404:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/404.vm?logrendresourcepath=/nevislogrend:keep-status-code
-      \         <param-name>PlaceHolders</param-name>\n         <param-value>\n  \
+             408:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/timeout.vm?logrendresourcepath=/nevislogrend:keep-status-code
-      \           TransferIdHolder:TRANSFER_ID\n             TimestampHolder:TIMESTAMP\n\
+             500:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/500.vm?logrendresourcepath=/nevislogrend:keep-status-code
-      \         </param-value>\n     </init-param>\n</filter>\n<filter>\n     <filter-name>FallbackErrorFilter</filter-name>\n\
+             502:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/502.vm?logrendresourcepath=/nevislogrend:keep-status-code
-      \     <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>\n\
+               </param-value>
-      \     <init-param>\n         <param-name>StatusCode</param-name>\n         <param-value>\n\
+           </init-param>
-      \            500:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
+           <init-param>
-      \            502:file:/resources/errorPages/502.html:reset-header:reset-status-code\n\
+               <param-name>CheckAcceptHeader</param-name>
-      \            503:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
+               <param-value>true</param-value>
-      \            504:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
+           </init-param>
-      \         </param-value>\n     </init-param>\n     <init-param>\n         <param-name>CheckAcceptHeader</param-name>\n\
+           <init-param>
-      \         <param-value>true</param-value>\n     </init-param>\n     <init-param>\n\
+               <param-name>PlaceHolders</param-name>
-      \         <param-name>PlaceHolders</param-name>\n         <param-value>\n  \
+               <param-value>
-      \           TransferIdHolder:TRANSFER_ID\n             TimestampHolder:TIMESTAMP\n\
+                   TransferIdHolder:TRANSFER_ID
-      \         </param-value>\n     </init-param>\n</filter>\n<filter-mapping>\n\
+                   TimestampHolder:TIMESTAMP
-      \   <filter-name>DefaultErrorFilter</filter-name>\n   <url-pattern>/*</url-pattern>\n\
+               </param-value>
-      </filter-mapping>\n<filter-mapping>\n   <filter-name>FallbackErrorFilter</filter-name>\n\
+           </init-param>
-      \   <servlet-name>NevisLogrendConnector_${param.logrendInstancePatternName}</servlet-name>\n\
+      </filter>
-      </filter-mapping>"
+      <filter>
+           <filter-name>FallbackErrorFilter</filter-name>
+           <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>
+           <init-param>
+               <param-name>StatusCode</param-name>
+               <param-value>
+                  500:file:/resources/errorPages/500.html:reset-header:reset-status-code
+                  502:file:/resources/errorPages/502.html:reset-header:reset-status-code
+                  503:file:/resources/errorPages/500.html:reset-header:reset-status-code
+                  504:file:/resources/errorPages/500.html:reset-header:reset-status-code
+               </param-value>
+           </init-param>
+           <init-param>
+               <param-name>CheckAcceptHeader</param-name>
+               <param-value>true</param-value>
+           </init-param>
+           <init-param>
+               <param-name>PlaceHolders</param-name>
+               <param-value>
+                   TransferIdHolder:TRANSFER_ID
+                   TimestampHolder:TIMESTAMP
+               </param-value>
+           </init-param>
+      </filter>
+      <filter-mapping>
+         <filter-name>DefaultErrorFilter</filter-name>
+         <url-pattern>/*</url-pattern>
+         <exclude-url-regex>^/oidc4vp/.*$|^/resource/utility/.*$</exclude-url-regex>
+      </filter-mapping>
+      <filter-mapping>
+         <filter-name>FallbackErrorFilter</filter-name>
+         <servlet-name>NevisLogrendConnector_${param.logrendInstancePatternName}</servlet-name>
+      </filter-mapping>
     filterMappings: "manual"
     phase: "START"
     parameters: "logrendInstancePatternName: nevisLogrend"

patterns/EId_Account_Linking_Mobile_NLess_Auth_da38e049a1ff97663fb30a45.yml

@@ -0,0 +1,16 @@
+schemaVersion: "1.0"
+pattern:
+  id: "da38e049a1ff97663fb30a45"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "EId_Account_Linking_Mobile_NLess_Auth"
+  label: "EID LINKING"
+  properties:
+    authStatesFile: "res://da38e049a1ff97663fb30a45#authStatesFile"
+    onSuccess:
+    - "pattern://359792ce61c28c723ab7d354"
+    nextSteps:
+    - "pattern://47f8f6ef24f62431fbe1b530"
+    - "pattern://4c65de021d362462324a3a5f"
+    resources: "res://da38e049a1ff97663fb30a45#resources"
+    keyObjects:
+    - "pattern://95220b3005deb118adeb01aa"

patterns/EId_Select_AGOV_Account_4f15bae09cbda04a7a515158.yml

@@ -11,7 +11,7 @@ pattern:
     onFailure:
     - "pattern://4c65de021d362462324a3a5f"
     nextSteps:
-    - "pattern://47f8f6ef24f62431fbe1b530"
+    - "pattern://328e529ed345d17cacb4ec66"
     - "pattern://e335f57d4c64dfc97223697a"
     resources: "res://4f15bae09cbda04a7a515158#resources"
     keyObjects:

patterns/IDP_OID4VP_Service_450d8070d6c0b395c98a013f.yml

@@ -2,9 +2,12 @@ schemaVersion: "1.0"
 pattern:
   id: "450d8070d6c0b395c98a013f"
   className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.RESTServiceAccess"
-  name: "IDP_OIDC4VP_Service"
+  name: "IDP_OID4VP_Service"
   properties:
     host:
     - "pattern://1f0702aaabef60a615abf41f"
-    path: "/oidc4vp/"
+    path: "/oid4vp/"
-    backends: "var://eid-oidc4vp-service-url"
+    backends: "var://eid-oid4vp-service-url"
+    hostHeader: "backend"
+    responseRewrite: "header"
+    jsonValidation: "disabled"

patterns/IDP_SP_Connector_27cefc3861bce987f6766342.yml

@@ -4,11 +4,11 @@ pattern:
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.SamlSpConnector"
   name: "IDP_SP_Connector"
   label: "IDP"
-  notes: "- Subject NameID Format -> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\n\
+  notes: |-
-    - dateOfBirth: to have a date suitable for SAML and OIDC, we remove the TimeZone\
+    - Subject NameID Format -> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
-    \ charachter ('1993-03-03Z' --> '1993-03-03')\n- verificationMethod: BUNDBITBK-2892\
+    - dateOfBirth: to have a date suitable for SAML and OIDC, we remove the TimeZone charachter ('1993-03-03Z' --> '1993-03-03')
-    \ SelfPaid is only for internal use, we remove this from the public assertion\n\
+    - verificationMethod: BUNDBITBK-2892 SelfPaid is only for internal use, we remove this from the public assertion
-    - address.verificationMethod: BUNDBITBK-2921 avoid interface change for hotfix"
+    - address.verificationMethod: BUNDBITBK-2921 avoid interface change for hotfix
   link:
     sourceProjectKey: "DEFAULT-IAM-JAKOB"
     sourcePatternId: "27cefc3861bce987f6766342"
@@ -58,6 +58,9 @@ pattern:
         \ 'Domicile') : '' }"
     - http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName: "#{ (sess['agov.appAddressRequired']\
         \ == 'true') ? sess['agov.countryName'] : ''}"
+    - http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin: "#{ (sess['agov.appSvnrAllowed']\\\
+        \         \\ == 'true') ? sess['agov.eid.User.placeOfOrigin'] : ''}"
+    - http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId: "${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"
     context: "PasswordProtectedTransport"
     assertionLifetime: "30s"
     sign:

patterns/_EId_Account_Linking_Check_Account_State_7702342f21437f3de530e10c.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "7702342f21437f3de530e10c"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: " EId_Account_Linking_Check_Account_State"
+  label: "EID LINKING"
+  properties:
+    authStatesFile: "res://7702342f21437f3de530e10c#authStatesFile"
+    resources: "res://7702342f21437f3de530e10c#resources"

patterns/_EId_Account_Linking_Redirect_To_Agovme_359792ce61c28c723ab7d354.yml

@@ -0,0 +1,10 @@
+schemaVersion: "1.0"
+pattern:
+  id: "359792ce61c28c723ab7d354"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: " EId_Account_Linking_Redirect_To_Agovme"
+  label: "EID LINKING"
+  properties:
+    authStatesFile: "res://359792ce61c28c723ab7d354#authStatesFile"
+    parameters: "var://service_provider_state-template-parameters"
+    resources: "res://359792ce61c28c723ab7d354#resources"

patterns/_EId_Start_AGOV_Account_Linking_328e529ed345d17cacb4ec66.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "328e529ed345d17cacb4ec66"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: " EId_Start_AGOV_Account_Linking"
+  label: "EID"
+  properties:
+    authStatesFile: "res://328e529ed345d17cacb4ec66#authStatesFile"
+    onFailure:
+    - "pattern://4c65de021d362462324a3a5f"
+    nextSteps:
+    - "pattern://da38e049a1ff97663fb30a45"
+    - "pattern://47f8f6ef24f62431fbe1b530"
+    resources: "res://328e529ed345d17cacb4ec66#resources"

patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy

@@ -40,7 +40,7 @@ if(loa_str){
 
 // BUNDBITBK-5005: Set cookie to remember the last authentication method
 def agovAuthMethodCookie = "LOGINMETHOD=${AUTHENTICATON_URN_TO_COOKIE_MAPPER[session.getAttribute('authenticatedWith')]}; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=1800; SameSite=Strict; Secure; HttpOnly"
-response.setHeader('Set-Cookie2', agovAuthMethodCookie)
+response.setHeader('Set-Cookie3', agovAuthMethodCookie)
 
 // delete the login cookie
 def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"

patterns/da38e049a1ff97663fb30a45_authStatesFile/eid_account_linking_mobile_nless_auth.xml

@@ -0,0 +1,37 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="registration" next="${state.exit.1}"/>
+    <ResultCond name="fido2" next="${state.exit.1}"/>
+    <ResultCond name="ok" next="${state.entry}_Processing"/>
+    <ResultCond name="back" next="${state.exit.2}"/>
+	<ResultCond name="default" next="${state.entry}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="eid_linking_mauth_usernameless">
+			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
+			<GuiElem name="fallback" type="button" label="mobile_auth.cancel.button.label" value="true" optional="true"/>
+                         <GuiElem name="accessApp" type="hidden" value="${sess:agov.recovery.accessapp}" optional="true"/>
+		</Gui>
+	</Response>
+    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/eid_account_linking_mobile_nless_auth.groovy"/>
+	<property name="parameter.agovmeregistrationurl" value="${var.agovmeregistrationurl}"/>
+    <property name="parameter.recoveryurl" value="${var.recoveryurl}"/>
+</AuthState>
+
+<AuthState name="${state.entry}_Processing" class="ch.nevis.auth.fido.uaf.authstate.OutOfBandFidoUafAuthState" final="false" resumeState="false">
+	<ResultCond name="error" next="${state.entry}_Processing"/>
+	<ResultCond name="failed" next="${state.entry}"/>
+    <ResultCond name="dispatchFailed" next="${state.entry}_Processing"/>
+	<ResultCond name="ok" next="${state.entry}_PostProcessing" authLevel="2"/>
+	<Response value="AUTH_ERROR">
+		<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+	</Response>
+	<property name="fidoUafServerUrl" value="https://fido-uaf:9443/nevisfido"/>
+	<property name="dispatcher" value="link"/>
+	<property name="httpclient.tls.trustStoreRef" value="${keystore}"/>
+</AuthState>
+
+<AuthState name="${state.entry}_PostProcessing" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
+	<ResultCond name="default" next="${state.done}"/>
+	<Response value="AUTH_CONTINUE"/>
+	<property name="sess:eid.placeholder.text" value="EId: Redirection to AGOV me not implemented yet"/>
+</AuthState>

patterns/da38e049a1ff97663fb30a45_resources/eid_account_linking_mobile_nless_auth.groovy

@@ -0,0 +1,100 @@
+import groovy.json.JsonBuilder
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+def clearFidoUAFSession() {
+    LOG.debug("start new FIDO UAF session (skipping ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']}")
+    def s = request.getAuthSession(true)
+    s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
+    inargs.remove('fallback')
+}
+
+
+def clearIdmSessionAttributes() {
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
+      s.removeAttribute(key)
+    }
+  }
+}
+
+
+def sess = request.getAuthSession(true)
+
+// dispatch AJAX calls and form POST when operation is done
+if (inargs['fidoUafDone'] == 'true' ||
+    inargs.containsKey('o.fidoUafSessionId.v') ||
+    getHeader('Content-Type') == 'application/json') {
+
+    if (inargs.containsKey('o.fidoUafSessionId.v') && (inargs['o.fidoUafSessionId.v'] != session['ch.nevis.auth.fido.uaf.fidouafsessionid'])) {
+        // received polling for wrong fido session; make sure, that stops
+        LOG.debug("received polling for wrong fido session ${inargs['o.fidoUafSessionId.v']} (correct: ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']})")
+        def json = new JsonBuilder()
+        json {
+            "status" "unknown"
+            "timestamp" org.joda.time.DateTime.now().toString()
+        }
+        String body = json.toString()
+
+        response.setContent(body)
+        response.setContentType('application/json')
+        response.setHttpStatusCode(200)
+        response.setIsDirectResponse(true)
+        response.setStatus(AuthResponse.AUTH_CONTINUE)
+        return
+    }
+
+  if (inargs['fidoUafDone'] == 'true') {
+    // get clean state, before validating user in IDM
+    LOG.debug("clear IDM session attributes")
+    clearIdmSessionAttributes()
+  }
+
+    // continue with OutOfBandFidoUafAuthState
+    response.setResult('ok')
+}
+
+// dispatch form post with fallback input field : transition to FIDO Token authentication
+if (inargs['fallback'] == 'fallback') {
+    sess.setAttribute("eid.placeholder.text", "Fido2 login not implemented yet")
+    response.setResult('fido2')
+}
+
+// dispatch to recovery
+if (inargs['fallback'] == 'recovery') {
+    response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
+    response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
+    response.setIsRedirectTransfer(true)
+    // Remove existing cookies before redirecting to RECOVERY
+    def agovRecoveryCookie = "agovRecovery=deleted; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict; Secure; HttpOnly"
+    response.setHeader('Set-Cookie', agovRecoveryCookie)
+    return
+}
+
+// dispatch form post with fallback input field : go to registration with right loa
+if (inargs['fallback'] == 'register') {
+    sess.setAttribute("eid.placeholder.text", "Registration should not be called here?")
+    response.setResult('registration')
+}
+
+// cancel and go back to login
+if (inargs['fallback'] == 'back') {
+    response.setResult('back')
+}
+
+
+// dispatch form post with onReload input field : refresh QR-code FIDO UAF
+if (inargs.containsKey('onReload')) {
+    clearFidoUAFSession()
+    response.setResult('default')
+}

patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy

@@ -355,6 +355,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 				sess.setAttribute('agov.eid.User.gender', claims.sex)
 				sess.setAttribute('agov.eid.User.svnr', claims.personal_administrative_number.replace('.',''))
 				sess.setAttribute('agov.eid.User.placeOfBirth', claims.birth_place)
+				sess.setAttribute('agov.eid.User.placeOfOrigin', claims.place_of_origin)
 				sess.setAttribute('agov.eid.User.eIdNumber', claims.document_number)
                 // Simpler for later comparison -> Is converted again to upper case in the saml assertion
 				sess.setAttribute('agov.eid.User.nationality', claims.nationality.toString().toLowerCase())

patterns/f63c475c35b616b7c6c1901c_authStatesFile/Mobile_NLess_Auth.xml

@@ -10,6 +10,7 @@
                         <GuiElem name="agov.appDisplayNameFR" type="hidden" value="${sess:agov.appDisplayNameFR}" optional="true"/>
                         <GuiElem name="agov.appDisplayNameIT" type="hidden" value="${sess:agov.appDisplayNameIT}" optional="true"/>
                         <GuiElem name="agov.appDisplayNameEN" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
+                        <GuiElem name="agov.appDisplayNameRM" type="hidden" value="${sess:agov.appDisplayNameRM}" optional="true"/>
                         <GuiElem name="agov.appSamlRpEntityId" type="hidden" value="${var.appIconUrl}${sess:ch.nevis.auth.saml.request.scoping.requesterId}" optional="true"/>
 			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
             <GuiElem name="lastLoginMethod" type="hidden" value="${sess:agov.lastLoginMethod}" optional="true"/>

variables.yml

@@ -90,11 +90,14 @@ variables:
     parameters:
       required: false
       syntax: "YAML"
-    value: "cert.source: \"#{request:actorCertAsString}\"\ntechuser.client.name: Default\n\
+    value: |-
-      accounts.client.name: agov\nshadow-accounts.client.name: AGOV-S\nsaml.assertion.audience:\
+      cert.source: "#{request:actorCertAsString}"
-      \ \"https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect\"\
+      techuser.client.name: Default
-      \nsaml.assertion.acsurl: \"https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp\"\
+      accounts.client.name: agov
-      \nsaml.assertion.max_age: 30"
+      shadow-accounts.client.name: AGOV-S
+      saml.assertion.audience: "https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect"
+      saml.assertion.acsurl: "https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp"
+      saml.assertion.max_age: 30
     requireOverloading: true
   auth_soap-backend-addresses:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
@@ -112,7 +115,9 @@ variables:
     parameters:
       required: false
       syntax: "YAML"
-    value: "fido2.serviceAndPort: fido2:9443\nrpId: auth.agov.admin.ch"
+    value: |-
+      fido2.serviceAndPort: fido2:9443
+      rpId: auth.agov.admin.ch
     requireOverloading: true
   backendAppIconUrl:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
@@ -159,7 +164,7 @@ variables:
         \ font-src 'self';"
     - param_report_only_csp: "none"
     requireOverloading: true
-  eid-oidc4vp-service-url:
+  eid-oid4vp-service-url:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
     parameters:
       minRequired: 1
@@ -168,16 +173,19 @@ variables:
       hostNameInputMode: "REQUIRED"
       portInputMode: "OPTIONAL"
       pathInputMode: "OPTIONAL"
-    value: "http://eid-verifier-oid4vp.adn-agov-eid-01-dev:8081/api"
+    value: "http://eid-verifier-oid4vp.adn-agov-eid-01-dev:8081/oid4vp/"
     requireOverloading: true
   ensure_recovery_code-parameters:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
     parameters:
       required: false
       syntax: "YAML"
-    value: "utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility\n\
+    value: |-
-      token.algorithm: RS512\ntoken.time_to_live: 600\ntoken.keystoreref: DefaultKeyStore\n\
+      utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility
-      token.keyobjectref: DefaultSigner"
+      token.algorithm: RS512
+      token.time_to_live: 600
+      token.keystoreref: DefaultKeyStore
+      token.keyobjectref: DefaultSigner
     requireOverloading: true
   env_ca-trusted-certificates:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
@@ -224,9 +232,12 @@ variables:
     parameters:
       required: false
       syntax: "YAML"
-    value: "client.name: agov\nattributes: loginId,extId,firstName,name,email,gender,birthDate,language,sex,addressLine1,postalCode,city,country,street,houseNumber,locality,mobile\n\
+    value: |
-      properties: eIdNumber,placeOfBirth,svnr,nationality\nagov.unitExtId: 1000\n\
+      client.name: agov
-      agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7\n"
+      attributes: loginId,extId,firstName,name,email,gender,birthDate,language,sex,addressLine1,postalCode,city,country,street,houseNumber,locality,mobile
+      properties: eIdNumber,placeOfBirth,svnr,nationality
+      agov.unitExtId: 1000
+      agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7
     requireOverloading: false
   fido-session-store-database-host:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
@@ -811,11 +822,12 @@ variables:
     parameters:
       required: false
       syntax: "YAML"
-    value: "issuer: https://me.agov-d.azure.adnovum.net/saml2/service-provider-metadata/agovidp\n\
+    value: |-
-      agovmedirecturl: https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect\n\
+      issuer: https://me.agov-d.azure.adnovum.net/saml2/service-provider-metadata/agovidp
-      directAudience: https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect\n\
+      agovmedirecturl: https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect
-      consumerURL: https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp\nassertionValidityTime:\
+      directAudience: https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect
-      \ 20"
+      consumerURL: https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp
+      assertionValidityTime: 20
     requireOverloading: true
   sts_saml-template-parameters:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
@@ -853,7 +865,9 @@ variables:
     parameters:
       required: false
       syntax: "YAML"
-    value: "client.name: AGOV-S\nattributes: loginId,extId\n"
+    value: |
+      client.name: AGOV-S
+      attributes: loginId,extId
     requireOverloading: true
   virtual_host-frontend-addresses:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"