From 8197ebd132d48cb1ec44feb7c2f1cc3b24ce713e Mon Sep 17 00:00:00 2001
From: aca
Date: Mon, 31 Mar 2025 09:25:22 +0000
Subject: [PATCH] BUNDBITBK-4824: Fix
---
 .../SendSamlResponseWithAssertion.groovy | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy b/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy
index ac87eef..956a024 100644
--- a/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy
+++ b/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy
@@ -10,6 +10,20 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi
 LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+// BUNDBITBK-4824: Address was missing after bmid verification
+def session = request.getAuthSession(true)
+int loa = session.get('agov.actualRoleLevel') as int
+
+// Best Token Available only if account's AQlevel is high enough
+if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
+ LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
+ session.setAttribute('agov.appAddressRequired', 'false')
+}
+if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
+ LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
+ session.setAttribute('agov.appSvnrAllowed', 'false')
+}
+// BUNDBITBK-4824 END
 // delete the login cookie
 def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
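Review bot: The assurance level that gates release of the address and the SVNr is read unguarded with `session.get('agov.actualRoleLevel') as int`, through a different accessor than the `session.getAttribute(...)` calls used for the two flags just below it. If the attribute is absent or not numeric, the `as int` cast throws right after the AUTHENTICATION event has been logged. If `get` and `getAttribute` are not equivalent on the object returned by `getAuthSession(true)`, the level may never be found; this hunk does not show which holds, so it is worth confirming. Reading the level the same way as the flags and treating a missing value as the lowest level keeps the check fail-closed, e.g. `int loa = (session.getAttribute('agov.actualRoleLevel') ?: 0) as int`. The thresholds `200` and `400` would be clearer as named constants with a comment saying which AQ level each stands for, and the script continues outside the hunk on both sides.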