diff --git a/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/etc/nevis/k8s-ob-auth-d00b0dcbe241793d30daf91c.yaml b/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/etc/nevis/k8s-ob-auth-d00b0dcbe241793d30daf91c.yaml
index 7c2d55f..acd044f 100644
--- a/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/etc/nevis/k8s-ob-auth-d00b0dcbe241793d30daf91c.yaml
+++ b/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/etc/nevis/k8s-ob-auth-d00b0dcbe241793d30daf91c.yaml
@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-606e2a54642c04bc9fe072c99a5140a462f628a6"
+    tag: "r-48ecba4dc24b65ae9719794f822a8e18ae620ca2"
     dir: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth"
     credentials: "git-credentials"
   keystores:
diff --git a/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/esauth4.xml
index 2144afe..0687899 100644
--- a/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -107,6 +107,8 @@
             <property name="script" value="file:///var/opt/nevisauth/default/conf/mock-me-processing.groovy"/>
             <!-- source: pattern://be8f8436b2ec70e9d601fdd3 -->
             <property name="parameter.idp-sso-url" value="https://auth.agov-w.azure.adnovum.net/SAML2/SSO/"/>
+            <!-- source: pattern://be8f8436b2ec70e9d601fdd3 -->
+            <property name="parameter.idp-recovery-url" value="https://auth.agov-w.azure.adnovum.net/AUTH/RECOVERY/"/>
         </AuthState>
         <AuthState name="ob-mock-me-realm_ob-mock-me-auth-processor_serviceProvider" class="ch.nevis.esauth.auth.states.saml.ServiceProviderState" final="false" resumeState="false">
             <!-- source: pattern://be8f8436b2ec70e9d601fdd3 -->
diff --git a/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/mock-me-processing.groovy b/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/mock-me-processing.groovy
index 0b35f8b..c99a499 100644
--- a/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/mock-me-processing.groovy
+++ b/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth/var/opt/nevisauth/default/conf/mock-me-processing.groovy
@@ -10,7 +10,11 @@ if (inargs['SAMLResponse']) {
 
 if (inargs['back'] && inargs['back'] == 'go') {
   response.setStatus(AuthResponse.AUTH_ERROR)
-  response.setTransferDestination(parameters['idp-sso-url'])
+  if (session['saml.assertion.authnContextClassRef'] && session['saml.assertion.authnContextClassRef'] == 'urn:qa.agov.ch:names:tc:ac:classes:recovery') {
+    response.setTransferDestination(parameters['idp-recovery-url'])
+  } else {
+    response.setTransferDestination(parameters['idp-sso-url'])
+  }
   response.setIsRedirectTransfer(true)
   return
 }