import ch.nevis.esauth.auth.engine.AuthResponse

if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
  // clean up SAML state, to make sure the redirect will really be processed 
  // IdentityProviderState sets session attributes as follows
  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
  def s = request.getAuthSession(true)
  def sessionKeySet = new HashSet(session.keySet()) 
  sessionKeySet.each { key -> 
    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
      LOG.debug("Deleted session attribute '${key}'")
      s.removeAttribute(key)
    }
  }
  response.setResult('ok')
  return
}

// if we reach this, display the GUI again
response.setStatus(AuthResponse.AUTH_CONTINUE)
return