Merge branch 'feature/EID_connection' into 'nightlybuild'

Feature/eid connection See merge request egiz/eidas_at_proxy!2
author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-12-15 18:21:07 +0100
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-12-15 18:21:07 +0100
commit: 47e2b6c838233aec6482ae81db91d8d48f0d3ea3 (patch)
tree: 495db98e50d49f8170896df6a4577a8e480866d0
parent: 230e6c3890c7e63b286e9a08001e5ffd63743d2c (diff)
parent: 76bba5972cfa6d6272a73cbdf56a8705419c55c8 (diff)
download: National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.tar.gz
National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.tar.bz2
National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.zip
29 files changed, 1519 insertions, 129 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 81a4a4dd..17655aa5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,5 @@
-image: maven:3.6-jdk-8
+#image: maven:3.6-jdk-8
+image: maven:latest
 
 variables:
   LC_ALL: "en_US.UTF-8"
@@ -9,6 +10,9 @@ variables:
   MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${CI_PROJECT_DIR}/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
   GIT_DEPTH: "2"
   SECURE_LOG_LEVEL: "debug"
+  JACOCO_CSV_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.csv'
+  JACOCO_XML_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml'
+  PROJECT_RELEASE_PACKAGE: '${CI_PROJECT_DIR}/target/*-dist.zip'
 
 include:
   - template: Dependency-Scanning.gitlab-ci.yml
@@ -31,7 +35,48 @@ assemble:
     - tags
   script: |
     mvn $MAVEN_CLI_OPTS generate-sources compile test
+  after_script:
+    - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print 100*covered/instructions, "% covered" }' $JACOCO_CSV_LOCATION    
   artifacts:
     when: always
     reports:
       junit: "**/target/surefire-reports/TEST-*.xml"
+    paths:
+      - $JACOCO_CSV_LOCATION
+      - $JACOCO_XML_LOCATION
+
+
+buildDistributionPackage:
+  stage: package
+  except:
+    - tags
+  script: |
+    export VERSION=$(mvn -B help:evaluate -Dexpression=project.version -B | grep -v "\[INFO\]" | grep -Po "\d+\.\d+\.\d+((-\w*)+)?")
+    echo "Build full package of version $VERSION"
+    mvn $MAVEN_CLI_OPTS verify -DskipTests
+    echo "VERSION=$VERSION" >> variables.env
+  artifacts:
+    when: always
+    reports:
+      dotenv: variables.env
+    name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
+    paths:
+      - $PROJECT_RELEASE_PACKAGE
+
+release:
+  stage: release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  needs:
+    - job: buildDistributionPackage
+      artifacts: true
+  when: manual
+  only:
+    - master
+  script: |
+    echo "Releasing version $VERSION of $LIB_NAME"
+    echo "Publishing version $VERSION to public EGIZ maven"
+    mvn $MAVEN_CLI_OPTS deploy
+  artifacts:
+    name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME-EGIZ"
+    paths:
+      - $PROJECT_RELEASE_PACKAGE         
diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties
index 483e9c97..fabfdfef 100644
--- a/basicConfig/default_config.properties
+++ b/basicConfig/default_config.properties
@@ -119,7 +119,7 @@ eidas.ms.sp.0.pvp2.metadata.truststore.password=
 
 ##only for advanced config
 eidas.ms.configuration.sp.disableRegistrationRequirement=
-eidas.ms.configuration.restrictions.baseID.spTransmission=
+#eidas.ms.configuration.restrictions.baseID.spTransmission=
 eidas.ms.configuration.auth.default.countrycode=
 eidas.ms.configuration.pvp.scheme.validation=
 eidas.ms.configuration.pvp.enable.entitycategories=
 \ No newline at end of file
diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml
new file mode 100644
index 00000000..eca57a03
--- /dev/null
+++ b/build_reporting/pom.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>at.asitplus.eidas</groupId>
+    <artifactId>ms_specific</artifactId>
+    <version>1.1.1-SNAPSHOT</version>
+  </parent>
+  <artifactId>build_reporting</artifactId>
+  <packaging>pom</packaging>
+  <name>Reporting Module</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>at.asitplus.eidas.ms_specific</groupId>
+      <artifactId>connector_lib</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.asitplus.eidas.ms_specific.modules</groupId>
+      <artifactId>authmodule-eIDAS-v2</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.asitplus.eidas.ms_specific</groupId>
+      <artifactId>ms_specific_connector</artifactId>
+      <type>war</type>
+    </dependency>      
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <executions>
+          <!-- aggregated unit test coverage report -->
+          <execution>
+            <id>aggregate-reports-ut</id>
+            <phase>test</phase>
+            <goals>
+              <goal>report-aggregate</goal>
+            </goals>
+            <configuration>
+              <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+              <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+              <dataFileExcludes>
+                <!-- exclude coverage data of integration tests -->
+                <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+              </dataFileExcludes>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <configuration>
+          <failBuildOnCVSS>11</failBuildOnCVSS>
+          <failOnError>false</failOnError>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      
+    </plugins>
+  </build>
+
+</project>
diff --git a/connector/checks/spotbugs-exclude.xml b/connector/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..5d4fd515
--- /dev/null
+++ b/connector/checks/spotbugs-exclude.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- Write only application status into response. Should be removed if we switch to Spring Actuator -->
+      <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" />
+      <Method name="startSingleTests" />
+      <Bug pattern="XSS_SERVLET" />               
+    </Match>
+    <Match>
+      <!-- CSFR protection is implemented by pendingRequestId that is an one-time token 
+           Endpoint for Metadata generation can be unrestrected by design -->
+      <OR>
+        <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" />
+        <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" />
+      </OR>
+      <OR>
+        <Method name="performGenericAuthenticationProcess" />
+        <Method name="pvpMetadataRequest" />
+      </OR>
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />               
+    </Match>
+</FindBugsFilter>
diff --git a/connector/pom.xml b/connector/pom.xml
index 6621fb0f..3c2ddf07 100644
--- a/connector/pom.xml
+++ b/connector/pom.xml
@@ -156,6 +156,15 @@
         </executions>
       </plugin>
 
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 </project>
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
index 13cceafb..c41660ce 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
@@ -25,70 +25,63 @@ package at.asitplus.eidas.specific.connector.builder;
 
 import java.util.Date;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
-import org.w3c.dom.DOMException;
 
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer;
-import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.exceptions.EaafParserException;
-import at.gv.egiz.eaaf.core.exceptions.XPathException;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.AbstractAuthenticationDataBuilder;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import lombok.extern.slf4j.Slf4j;
 
 @Service("AuthenticationDataBuilder")
+@Slf4j
 public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder {
-  private static final Logger log = LoggerFactory.getLogger(AuthenticationDataBuilder.class);
-
+  
   @Override
-  public IAuthData buildAuthenticationData(IRequest pendingReq) throws EaafAuthenticationException {
-
-    final IAuthProcessDataContainer authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+  protected IAuthData buildDeprecatedAuthData(IRequest pendingReq) throws EaafException {        
+    final IAuthProcessDataContainer authProcessData =
+        pendingReq.getSessionData(AuthProcessDataWrapper.class);    
     AuthenticationData authData = new AuthenticationData();
-
-    boolean isEidModeNew = pendingReq.getServiceProviderConfiguration()
-        .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false);
-
-    if (isEidModeNew) {
-      authData = (AuthenticationData) super.buildAuthenticationData(pendingReq);
-    } else {
-      try {
-        generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData);
-
-        // set specific informations
-        authData.setSsoSessionValidTo(
-            new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
-
-      } catch (EaafBuilderException | EaafParserException
-          | EaafConfigurationException | XPathException | DOMException e) {
-        log.warn("Can not build authentication data from auth. process information");
-        throw new EaafAuthenticationException("builder.11", new Object[]{e.getMessage()}, e);
-
-      }
-    }
+    
+    //set basis infos
+    super.generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData);
+    
+    // set specific informations
+    authData.setSsoSessionValidTo(
+        new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
+    
     return authData;
-  }
-
-  @Override
-  protected IAuthData buildDeprecatedAuthData(IRequest arg0) throws EaafException {
-    return new AuthenticationData();
 
   }
 
   @Override
-  protected void buildServiceSpecificAuthenticationData(IAuthData arg0, IRequest arg1) throws EaafException {
-    // TODO Auto-generated method stub
-
+  protected void buildServiceSpecificAuthenticationData(IAuthData authData, IRequest pendingReq) 
+      throws EaafException {
+    if (authData instanceof AuthenticationData) {
+      ((AuthenticationData)authData).setGenericData(
+          ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, 
+          pendingReq.getUniquePiiTransactionIdentifier());
+      log.trace("Inject piiTransactionId: {} into AuthData", pendingReq.getUniquePiiTransactionIdentifier());
+    
+      // set specific informations
+      ((AuthenticationData)authData).setSsoSessionValidTo(
+          new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
+
+      
+    } else {
+      throw new RuntimeException("Can not inject PiiTransactionId because AuthData is of unknown type: " 
+          + authData.getClass().getName());
+      
+    }
+        
   }
 
   @Override
@@ -100,8 +93,6 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
   @Override
   protected Pair<String, String> buildOAspecificbPK(IRequest pendingReq, AuthenticationData authData)
       throws EaafBuilderException {
-    // TODO: check if bPK already exists
-
     return super.buildOAspecificbPK(pendingReq, authData);
 
   }
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
index aa45c836..f2d9fc8c 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
@@ -34,6 +34,7 @@ import org.apache.commons.text.StringEscapeUtils;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -250,9 +251,9 @@ public class MonitoringController {
       }
 
       // create HTTP client
-      // TODO: update if we switch to openSAML3
-      CloseableHttpClient httpClient = httpClientFactory.getHttpClient();
-      HttpUriRequest request = new HttpGet(urlString);
+      CloseableHttpClient httpClient = httpClientFactory.getHttpClient();      
+      URIBuilder uriBuilder = new URIBuilder(urlString);      
+      HttpUriRequest request = new HttpGet(uriBuilder.build());
 
       final CloseableHttpResponse respCode = httpClient.execute(request);
       if (respCode.getStatusLine().getStatusCode() != 200) {
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java
index 1721fe61..316dcb5f 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java
@@ -1,18 +1,15 @@
 package at.asitplus.eidas.specific.connector.test;
 
+import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE;
+
+import java.io.IOException;
+import java.security.PublicKey;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.xml.transform.TransformerException;
 
-import at.asitplus.eidas.specific.connector.builder.AuthenticationDataBuilder;
-import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
-import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException;
-import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
-import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
-import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration;
-import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
-import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.junit.Assert;
 import org.junit.Before;
@@ -29,14 +26,32 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
+import org.w3c.dom.Element;
 
-import java.util.HashMap;
-import java.util.Map;
-
-import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE;
+import at.asitplus.eidas.specific.connector.builder.AuthenticationDataBuilder;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
+import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
+import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.EaafParserException;
+import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser;
+import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration;
+import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
 
 @RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration({"/applicationContext.xml", "/SpringTest_connector.beans.xml", "/eaaf_core.beans.xml", "/eaaf_pvp.beans.xml", "/eaaf_pvp_idp.beans.xml", "/spring/SpringTest-context_simple_storage.xml"})
+@ContextConfiguration({ "/applicationContext.xml", "/SpringTest_connector.beans.xml", "/eaaf_core.beans.xml",
+    "/eaaf_pvp.beans.xml", "/eaaf_pvp_idp.beans.xml", "/spring/SpringTest-context_simple_storage.xml" })
 @WebAppConfiguration
 public class AuthenticationDataBuilderTest {
 
@@ -55,11 +70,11 @@ public class AuthenticationDataBuilderTest {
   private String eidasBind;
   private String authBlock;
 
-
   @BeforeClass
   public static void classInitializer() throws InitializationException, ComponentInitializationException {
     final String current = new java.io.File(".").toURI().toString();
-    System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties");
+    System.setProperty("eidas.ms.configuration", current
+        + "src/test/resources/config/junit_config_3.properties");
 
     EaafOpenSaml3xInitializer.eaafInitialize();
   }
@@ -80,28 +95,258 @@ public class AuthenticationDataBuilderTest {
     pendingReq = new TestRequestImpl();
     pendingReq.setAuthUrl("https://localhost/ms_connector");
     pendingReq.setPendingReqId(RandomStringUtils.randomAlphanumeric(10));
+    pendingReq.setPiiTransactionId(RandomStringUtils.randomAlphanumeric(10));
     pendingReq.setSpConfig(oaParam);
-    pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true);
     authBlock = RandomStringUtils.randomAlphanumeric(20);
     eidasBind = RandomStringUtils.randomAlphanumeric(20);
-    pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.SZR_AUTHBLOCK, authBlock);
-    pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.EIDAS_BIND, eidasBind);
+    pendingReq.getSessionData(AuthProcessDataWrapper.class)
+        .setGenericDataToSession(Constants.SZR_AUTHBLOCK, authBlock);
+    pendingReq.getSessionData(AuthProcessDataWrapper.class)
+        .setGenericDataToSession(Constants.EIDAS_BIND, eidasBind);
+    pendingReq.getSessionData(AuthProcessDataWrapper.class)
+        .setQaaLevel(EaafConstants.EIDAS_LOA_PREFIX + RandomStringUtils.randomAlphabetic(5));
+    pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(
+        PvpAttributeDefinitions.EID_ISSUING_NATION_NAME,
+        RandomStringUtils.randomAlphabetic(2));
+
     LocaleContextHolder.resetLocaleContext();
+
   }
 
   @Test
-  public void first() throws EaafAuthenticationException {
+  public void eidMode() throws EaafAuthenticationException {
+    // initialize state
+    pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true);
+
+    // execute
     IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq);
 
+    // validate state
     Assert.assertNotNull("AuthData null", authData);
     Assert.assertNotNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class));
     Assert.assertNotNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class));
-    Assert.assertNotNull("eidasBind null", authData.getEidasQaaLevel());
+    Assert.assertNotNull("LoA null", authData.getEidasQaaLevel());
+
     String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class);
     String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class);
 
-    Assert.assertEquals("authBlock not equal", authBlock, this.authBlock);
-    Assert.assertEquals("eidasBind not equal", eidasBind, this.eidasBind);
+    Assert.assertEquals("authBlock not equal", this.authBlock, authBlock);
+    Assert.assertEquals("eidasBind not equal", this.eidasBind, eidasBind);
+    Assert.assertEquals("piiTransactionId",
+        authData.getGenericData(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, String.class),
+        this.pendingReq.getUniquePiiTransactionIdentifier());
+    Assert.assertNotNull("assertion validTo", authData.getSsoSessionValidTo());
+    Assert.assertEquals("LoA", pendingReq.getSessionData(AuthProcessDataWrapper.class).getQaaLevel(),
+        authData.getEidasQaaLevel());
+    Assert.assertEquals("EID-ISSUING-NATION",
+        pendingReq.getSessionData(AuthProcessDataWrapper.class).getGenericDataFromSession(
+            PvpAttributeDefinitions.EID_ISSUING_NATION_NAME),
+        authData.getCiticenCountryCode());
+
+    Assert.assertNull("bPK", authData.getBpk());
+    Assert.assertNull("bPKType", authData.getBpkType());
+    Assert.assertNull("FamilyName", authData.getFamilyName());
+    Assert.assertNull("GivenName", authData.getGivenName());
+    Assert.assertNull("DateOfBirth", authData.getDateOfBirth());
+    Assert.assertNull("baseId", authData.getIdentificationValue());
+    Assert.assertNull("baseIdType", authData.getIdentificationType());
+    Assert.assertNull("IDL", authData.getIdentityLink());
+
+  }
+
+  @Test
+  public void moaIdMode() throws EaafAuthenticationException, EaafBuilderException {
+    //initialize state
+    pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(false);
+    IIdentityLink idl = buildDummyIdl();
+    pendingReq.getSessionData(AuthProcessDataWrapper.class).setIdentityLink(idl);
+    
+    //execute
+    IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq);
+
+    //validate state
+    Assert.assertNotNull("AuthData null", authData);
+    Assert.assertNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class));
+    Assert.assertNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class));
+    Assert.assertNull("piiTransactionId", 
+        authData.getGenericData(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, String.class));
+    
+    
+    Assert.assertNotNull("assertion validTo", authData.getSsoSessionValidTo());
+    Assert.assertNotNull("LoA null", authData.getEidasQaaLevel());
+    Assert.assertEquals("LoA", pendingReq.getSessionData(AuthProcessDataWrapper.class).getQaaLevel(), 
+        authData.getEidasQaaLevel());
+    Assert.assertEquals("EID-ISSUING-NATION", 
+        pendingReq.getSessionData(AuthProcessDataWrapper.class).getGenericDataFromSession(
+            PvpAttributeDefinitions.EID_ISSUING_NATION_NAME), 
+        authData.getCiticenCountryCode());
+    
+    Assert.assertEquals("FamilyName", idl.getFamilyName(), authData.getFamilyName());
+    Assert.assertEquals("GivenName", idl.getGivenName(), authData.getGivenName());
+    Assert.assertEquals("DateOfBirth", idl.getDateOfBirth(), authData.getFormatedDateOfBirth());
+    Assert.assertEquals("bPK", 
+        BpkBuilder.generateAreaSpecificPersonIdentifier(
+            idl.getIdentificationValue(), EaafConstants.URN_PREFIX_CDID + "XX").getFirst(), 
+        authData.getBpk());
+    Assert.assertEquals("bPKType", EaafConstants.URN_PREFIX_CDID + "XX", authData.getBpkType());
+    Assert.assertNotNull("IDL", authData.getIdentityLink());
+    
+    
+  }
+
+  private IIdentityLink buildDummyIdl() {
+    return new IIdentityLink() {
+      
+      String familyName = RandomStringUtils.randomAlphabetic(10);
+      String givenName = RandomStringUtils.randomAlphabetic(10);
+      String dateOfBirth = "1955-02-03";
+      String baseId = RandomStringUtils.randomAlphanumeric(20);
+      String saml2Serialized = RandomStringUtils.randomAlphanumeric(150);
+
+     
+      
+      @Override
+      public void setSamlAssertion(Element arg0) throws TransformerException, IOException {
+     
+      }
+
+      @Override
+      public void setPublicKey(PublicKey[] arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setPrPerson(Element arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setIssueInstant(String arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setIdentificationValue(String arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setIdentificationType(String arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setGivenName(String arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setFamilyName(String arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setDsigReferenceTransforms(Element[] arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public void setDateOfBirth(String arg0) {
+        // TODO Auto-generated method stub
+
+      }
+
+      @Override
+      public String getSerializedSamlAssertion() {
+        return this.saml2Serialized;
+      }
+
+      @Override
+      public Element getSamlAssertion() {        
+        IIdentityLink fullIdl;
+        try {
+          fullIdl = new SimpleIdentityLinkAssertionParser(
+              AuthenticationDataBuilderTest.class.getResourceAsStream("/data/test_idl_1.xml")).parseIdentityLink();
+          return fullIdl.getSamlAssertion();
+        
+        } catch (EaafParserException e) {         
+          e.printStackTrace();
+        }
+        
+        return null;
+        
+      }
+
+      @Override
+      public PublicKey[] getPublicKey() {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public Element getPrPerson() {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public String getName() {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public Date getIssueInstantDate() {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public String getIssueInstant() {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public String getIdentificationValue() {
+        return this.baseId;
+      }
+
+      @Override
+      public String getIdentificationType() {
+        return EaafConstants.URN_PREFIX_BASEID;
+      }
+
+      @Override
+      public String getGivenName() {
+        return this.givenName;
+      }
+
+      @Override
+      public String getFamilyName() {
+        return this.familyName;
+      }
+
+      @Override
+      public Element[] getDsigReferenceTransforms() {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public String getDateOfBirth() {
+        return this.dateOfBirth;
+
+      }
+    };
   }
 
 }
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/BasicConfigurationTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/BasicConfigurationTest.java
new file mode 100644
index 00000000..6e52f113
--- /dev/null
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/BasicConfigurationTest.java
@@ -0,0 +1,135 @@
+package at.asitplus.eidas.specific.connector.test;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.cert.CertificateException;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.core.config.InitializationException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import at.asitplus.eidas.specific.connector.config.ServiceProviderConfiguration;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({
+    "/applicationContext.xml",
+    "/specific_eIDAS_connector.beans.xml",
+    "/eaaf_core.beans.xml",
+    "/eaaf_pvp.beans.xml",
+    "/eaaf_pvp_idp.beans.xml",
+    "/spring/SpringTest-context_simple_storage.xml" })
+@WebAppConfiguration
+@DirtiesContext(classMode = ClassMode.BEFORE_CLASS)
+public class BasicConfigurationTest {
+
+  @Autowired private IConfigurationWithSP basicConfig;
+  
+  /**
+   * jUnit class initializer.
+   * @throws ComponentInitializationException In case of an error
+   * @throws InitializationException In case of an error
+   * @throws CertificateException 
+   * 
+   */
+  @BeforeClass
+  public static void classInitializer() throws InitializationException, 
+      ComponentInitializationException, CertificateException  {
+    final String current = new java.io.File(".").toURI().toString();
+    System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties");
+    
+  }
+  
+  
+  @Test
+  public void basicConfig() throws MalformedURLException, EaafException {    
+    Assert.assertEquals("validate req. URL", "http://localhost", 
+        basicConfig.validateIdpUrl(new URL("http://junit/test")));
+    
+    Assert.assertEquals("validate req. URL", "http://localhost", 
+        basicConfig.validateIdpUrl(new URL("http://localhost/test1/test")));
+    
+  }
+  
+  @Test
+  public void loadSpNotExist() throws EaafConfigurationException {
+    //check
+    ISpConfiguration sp = basicConfig.getServiceProviderConfiguration(
+        "https://not/exist");
+        
+    //validate state
+    Assert.assertNull("spConfig", sp);
+    
+    
+  }
+  
+  @Test
+  public void loadSpDefault() throws EaafConfigurationException {
+    //check
+    ISpConfiguration sp = basicConfig.getServiceProviderConfiguration(
+        "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata");
+        
+    //validate state
+    Assert.assertNotNull("spConfig", sp);
+    Assert.assertEquals("BaseId transfare restrication", true, sp.hasBaseIdTransferRestriction());
+    Assert.assertEquals("BaseId process restrication", false, sp.hasBaseIdInternalProcessingRestriction());
+    
+    Assert.assertEquals("req. LoA size", 1, sp.getRequiredLoA().size());
+    Assert.assertEquals("req. LoA", EaafConstants.EIDAS_LOA_HIGH, sp.getRequiredLoA().get(0));
+    Assert.assertEquals("LoA matching mode", 
+        EaafConstants.EIDAS_LOA_MATCHING_MINIMUM, sp.getLoAMatchingMode());
+    
+  }
+  
+  @Test
+  public void loadSpNoBaseIdTransferRestriction() throws EaafException {
+    //check
+    ServiceProviderConfiguration sp = basicConfig.getServiceProviderConfiguration(
+        "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata", ServiceProviderConfiguration.class);
+        
+    //validate state
+    Assert.assertNotNull("spConfig", sp);
+    Assert.assertNull("bPKTarget already set", sp.getAreaSpecificTargetIdentifier());
+        
+    //validate baseId transfer restriction
+    sp.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_CDID + "ZP");   
+    Assert.assertEquals("BaseId restrication", false, sp.hasBaseIdTransferRestriction());    
+    Assert.assertEquals("bPKTarget", EaafConstants.URN_PREFIX_CDID + "ZP", sp.getAreaSpecificTargetIdentifier());
+    
+    sp.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_WBPK_TARGET_WITH_X + "FN+123456h");   
+    Assert.assertEquals("BaseId restrication", true, sp.hasBaseIdTransferRestriction());
+    
+  }
+  
+  @Test
+  public void loadSpWithMsSpecificConfig() throws EaafConfigurationException {
+    //check
+    ServiceProviderConfiguration sp = basicConfig.getServiceProviderConfiguration(
+        "https://demo.egiz.gv.at/junit_test", ServiceProviderConfiguration.class);
+        
+    //validate state
+    Assert.assertNotNull("spConfig", sp);
+    Assert.assertEquals("friendlyName", "jUnit test", sp.getFriendlyName());
+    Assert.assertEquals("UniqueId", "https://demo.egiz.gv.at/junit_test", sp.getUniqueIdentifier());
+    Assert.assertEquals("BaseId restrication", true, sp.hasBaseIdTransferRestriction());
+    Assert.assertEquals("generic config value", false, 
+        sp.isConfigurationValue("policy.allowed.requested.targets"));
+    Assert.assertEquals("generic config value", "test", 
+        sp.getConfigurationValue("policy.allowed.requested.targets"));
+    Assert.assertEquals("not_exist_value", "true", sp.getConfigurationValue("not.exist", "true"));
+    
+  }
+}
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java
index b7c6cd44..f6d22c98 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java
@@ -13,6 +13,7 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
 import at.asitplus.eidas.specific.connector.attributes.AuthBlockAttributeBuilder;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
@@ -42,6 +43,19 @@ public class AuthBlockAttributeBuilderTest extends AbstractAttributeBuilderTest
   }
 
   @Test
+  public void checkName() {
+    Assert.assertEquals("Wrong attr. name", 
+        ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, attrBuilde.getName());
+    
+  }
+  
+  @Test
+  public void checkEmptyAttribute() {
+    Assert.assertNull("empty attr.", attrBuilde.buildEmpty(gen));
+    
+  }
+  
+  @Test
   public void okTest() {
     log.info("starting: " + mTestName);
     try {
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java
index 254efb59..9a2c6cdc 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java
@@ -1,13 +1,7 @@
 package at.asitplus.eidas.specific.connector.test.attributes;
 
-import at.asitplus.eidas.specific.connector.attributes.EidasBindAttributeBuilder;
-import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
-import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
-import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
-import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest;
-import lombok.extern.slf4j.Slf4j;
+import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.EIDAS_BIND;
+
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Rule;
@@ -17,7 +11,14 @@ import org.junit.runner.RunWith;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
-import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.EIDAS_BIND;
+import at.asitplus.eidas.specific.connector.attributes.EidasBindAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
+import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest;
+import lombok.extern.slf4j.Slf4j;
 
 
 @Slf4j
@@ -36,6 +37,19 @@ public class EidasBindAttributeBuilderTest extends AbstractAttributeBuilderTest
   }
 
   @Test
+  public void checkName() {
+    Assert.assertEquals("Wrong attr. name", 
+        ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, attrBuilde.getName());
+    
+  }
+  
+  @Test
+  public void checkEmptyAttribute() {
+    Assert.assertNull("empty attr.", attrBuilde.buildEmpty(gen));
+    
+  }
+  
+  @Test
   public void okTest() {
     log.info("starting: " + mTestName);
     try {
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/saml2/Pvp2SProfileEndPointTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/saml2/Pvp2SProfileEndPointTest.java
new file mode 100644
index 00000000..81ee2625
--- /dev/null
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/saml2/Pvp2SProfileEndPointTest.java
@@ -0,0 +1,335 @@
+package at.asitplus.eidas.specific.connector.test.saml2;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Timer;
+
+import javax.xml.transform.TransformerException;
+
+import org.joda.time.DateTime;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.core.config.InitializationException;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.core.xml.util.XMLObjectSupport;
+import org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver;
+import org.opensaml.saml.saml2.core.RequestAbstractType;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.SignatureValidator;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.util.Base64Utils;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
+import at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint;
+import at.asitplus.eidas.specific.connector.provider.PvpEndPointCredentialProvider;
+import at.asitplus.eidas.specific.connector.provider.PvpMetadataProvider;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.IRequestStorage;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+import net.shibboleth.utilities.java.support.xml.XMLParserException;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({
+    "/applicationContext.xml",
+    "/specific_eIDAS_connector.beans.xml",
+    "/eaaf_core.beans.xml",
+    "/eaaf_pvp.beans.xml",
+    "/eaaf_pvp_idp.beans.xml",
+    "/spring/SpringTest-context_simple_storage.xml" })
+@WebAppConfiguration
+@DirtiesContext(classMode = ClassMode.BEFORE_CLASS)
+public class Pvp2SProfileEndPointTest {
+
+
+  @Autowired private Pvp2SProfileEndpoint controller;
+  @Autowired private PvpEndPointCredentialProvider credentialProvider;
+  @Autowired private PvpMetadataProvider metadataProvider;
+  @Autowired private ResourceLoader resourceLoader;
+  @Autowired private IRequestStorage storage;
+  
+  private static CertificateFactory fact;
+    
+  
+  private MockHttpServletRequest httpReq;
+  private MockHttpServletResponse httpResp;
+
+  
+  /**
+   * jUnit class initializer.
+   * @throws ComponentInitializationException In case of an error
+   * @throws InitializationException In case of an error
+   * @throws CertificateException 
+   * 
+   */
+  @BeforeClass
+  public static void classInitializer() throws InitializationException, 
+      ComponentInitializationException, CertificateException  {
+    final String current = new java.io.File(".").toURI().toString();
+    System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties");
+    
+    EaafOpenSaml3xInitializer.eaafInitialize();
+    
+    fact = CertificateFactory.getInstance("X.509");
+    
+  }
+  
+  /**
+   * jUnit test set-up.
+   * @throws EaafException 
+   * 
+   */
+  @Before
+  public void initialize() throws EaafException {
+    httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector");
+    httpResp = new MockHttpServletResponse();
+    RequestContextHolder.resetRequestAttributes();
+    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp));
+    
+  }
+  
+  @Test
+  public void authnReqWrongEndpoint() throws EaafException, XMLParserException, UnmarshallingException, 
+      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
+      ComponentInitializationException {
+    //initialize test
+    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_3.xml"));
+    authnReq.setIssueInstant(DateTime.now());    
+    RequestAbstractType signedAuthnReq = 
+        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true);           
+    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
+          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
+    httpReq.setParameter("SAMLRequest", b64);
+            
+    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
+        "classpath:/data/metadata_valid.xml");
+    Timer timer = new Timer("PVP metadata-resolver refresh");
+    ResourceBackedMetadataResolver fileSystemResolver = 
+        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
+    fileSystemResolver.setId("test");
+    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
+    fileSystemResolver.initialize();                    
+    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
+    
+    
+    //request SAML2 authentication
+    try {
+      controller.pvpIdpPostRequest(httpReq, httpResp);
+      Assert.fail("wrong AuthnRequest not detected");
+      
+    }catch (EaafException e) {
+      Assert.assertEquals("wrong errorId", "pvp2.22", e.getErrorId());      
+      
+    }   
+  }
+  
+  @Test
+  public void authnReqWrongSigned() throws EaafException, XMLParserException, UnmarshallingException, 
+      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
+      ComponentInitializationException {
+    //initialize test
+    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
+    authnReq.setIssueInstant(DateTime.now());    
+    RequestAbstractType signedAuthnReq = 
+        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true);           
+    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
+          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
+    httpReq.setParameter("SAMLRequest", b64);
+            
+    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
+        "classpath:/data/metadata_valid.xml");
+    Timer timer = new Timer("PVP metadata-resolver refresh");
+    ResourceBackedMetadataResolver fileSystemResolver = 
+        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
+    fileSystemResolver.setId("test");
+    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
+    fileSystemResolver.initialize();                    
+    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
+    
+    
+    //request SAML2 authentication
+    try {
+      controller.pvpIdpPostRequest(httpReq, httpResp);
+      Assert.fail("wrong AuthnRequest not detected");
+      
+    }catch (EaafException e) {
+      Assert.assertEquals("wrong errorId", "pvp2.21", e.getErrorId());      
+      
+    }   
+  }
+  
+  @Test
+  public void authnReqMetadataExpired() throws EaafException, XMLParserException, UnmarshallingException, 
+      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
+      ComponentInitializationException {
+    //initialize test
+    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
+    authnReq.setIssueInstant(DateTime.now());    
+    RequestAbstractType signedAuthnReq = 
+        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true);           
+    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
+          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
+    httpReq.setParameter("SAMLRequest", b64);
+            
+    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
+        "classpath:/data/metadata_expired.xml");
+    Timer timer = new Timer("PVP metadata-resolver refresh");
+    ResourceBackedMetadataResolver fileSystemResolver = 
+        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
+    fileSystemResolver.setId("test");
+    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
+    fileSystemResolver.initialize();                    
+    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
+    
+    
+    //request SAML2 authentication
+    try {
+      controller.pvpIdpPostRequest(httpReq, httpResp);
+      Assert.fail("wrong AuthnRequest not detected");
+      
+    }catch (EaafException e) {
+      Assert.assertEquals("wrong errorId", "pvp2.21", e.getErrorId());      
+      
+    }   
+  }
+  
+  @Test
+  public void authnReqValid() throws EaafException, XMLParserException, UnmarshallingException, 
+      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
+      ComponentInitializationException {
+    //initialize test
+    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
+    authnReq.setIssueInstant(DateTime.now());    
+    RequestAbstractType signedAuthnReq = 
+        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMessageSigningCredential(), true);           
+    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
+          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
+    httpReq.setParameter("SAMLRequest", b64);
+            
+    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
+        "classpath:/data/metadata_valid.xml");
+    Timer timer = new Timer("PVP metadata-resolver refresh");
+    ResourceBackedMetadataResolver fileSystemResolver = 
+        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
+    fileSystemResolver.setId("test");
+    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
+    fileSystemResolver.initialize();                    
+    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
+    
+    
+    //request SAML2 authentication
+    controller.pvpIdpPostRequest(httpReq, httpResp);
+    
+    
+    //validate state
+    Assert.assertEquals("http statuscode", 200, httpResp.getStatus());
+    Assert.assertEquals("Wrong http ContentType", "text/html;charset=UTF-8", httpResp.getContentType());
+    
+    String html = httpResp.getContentAsString();
+    Assert.assertNotNull("html result is null", html);
+    Assert.assertFalse("html result is empty", html.isEmpty());    
+    Assert.assertTrue("Wrong page", html.contains("action=\"/myHomeCountry\""));
+       
+    String pattern = "<input  type=\"hidden\" name=\"pendingid\"  value=\"";
+    int pendingIdStart = html.indexOf(pattern) + pattern.length();
+    int pendingIdEnd = html.indexOf("\"", pendingIdStart);    
+    String pendingReqId = html.substring(pendingIdStart, pendingIdEnd);    
+    Assert.assertFalse("pendingReqId is empty", pendingReqId.isEmpty());
+    
+    IRequest pendingReq = storage.getPendingRequest(pendingReqId);
+    Assert.assertNotNull("pendingReq", pendingReq);    
+    Assert.assertNotNull("piiTransId", pendingReq.getUniquePiiTransactionIdentifier());
+    Assert.assertNotNull("piiTransId", pendingReq.getUniqueTransactionIdentifier());
+    
+    Assert.assertEquals("wrong OA Id", "https://demo.egiz.gv.at/demoportal-openID_demo", 
+        pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class));
+    Assert.assertEquals("wrong bPK Target", "urn:publicid:gv.at:cdid+BF", 
+        pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+   
+        
+  }
+  
+  @Test
+  public void checkSaml2Metadata() throws EaafException, UnsupportedEncodingException, XMLParserException, 
+      UnmarshallingException, CertificateException, SignatureException {
+    
+    //request SAML2 Metadata
+    controller.pvpMetadataRequest(httpReq, httpResp);
+    
+    //validate state
+    Assert.assertEquals("http statuscode", 200, httpResp.getStatus());
+    Assert.assertEquals("Wrong http ContentType", "application/xml", httpResp.getContentType());
+    
+    String html = httpResp.getContentAsString();
+    Assert.assertNotNull("html result is null", html);
+    Assert.assertFalse("html result is empty", html.isEmpty());    
+    
+
+    final EntityDescriptor entity = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        new ByteArrayInputStream(html.getBytes("UTF-8")));
+
+    Assert.assertNotNull("Unmarshalling failed", entity);
+    Assert.assertNotNull("EntityId is null", entity.getEntityID());
+
+    Assert.assertNotNull("Signature is null", entity.getSignature());
+    final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+    sigValidator.validate(entity.getSignature());
+
+    final Credential cred = new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        Pvp2SProfileEndPointTest.class.getResourceAsStream("/config/keys/Metadata.pem")));
+    SignatureValidator.validate(entity.getSignature(), cred);
+    
+    Assert.assertEquals("wrong entityId", "http://localhost/pvp/metadata", entity.getEntityID());
+    Assert.assertNotNull("IDPSSODescr", entity.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
+    Assert.assertNotNull("SPSSODescr", entity.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
+    Assert.assertEquals("SPSSODescr. size", 0, 
+        entity.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).size());
+    
+    List<RoleDescriptor> idp = entity.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+    Assert.assertEquals("IDP descr. size", 1, idp.size());
+    Assert.assertEquals("IDP descr. endpoints", 2, idp.get(0).getEndpoints().size());
+    Assert.assertEquals("IDP descr. keyDescr", 1, idp.get(0).getKeyDescriptors().size());
+        
+  }
+  
+}
diff --git a/connector/src/test/resources/config/junit_config_1.properties b/connector/src/test/resources/config/junit_config_1.properties
index 3350f947..78981b6a 100644
--- a/connector/src/test/resources/config/junit_config_1.properties
+++ b/connector/src/test/resources/config/junit_config_1.properties
@@ -97,19 +97,27 @@ eidas.ms.pvp2.metadata.contact.surname=Mustermann
 eidas.ms.pvp2.metadata.contact.email=max@junit.test
 
 ## Service Provider configuration
-eidas.ms.sp.0.uniqueID=
+eidas.ms.sp.0.uniqueID=https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata
 eidas.ms.sp.0.pvp2.metadata.truststore=keys/junit.jks
 eidas.ms.sp.0.pvp2.metadata.truststore.password=password
-
-#eidas.ms.sp.0.friendlyName=
+eidas.ms.sp.0.friendlyName=jUnit test
 #eidas.ms.sp.0.pvp2.metadata.url=
 #eidas.ms.sp.0.policy.allowed.requested.targets=.*
 #eidas.ms.sp.0.policy.hasBaseIdTransferRestriction=false
 
+## Service Provider configuration
+eidas.ms.sp.1.uniqueID=https://demo.egiz.gv.at/junit_test
+eidas.ms.sp.1.pvp2.metadata.truststore=keys/junit.jks
+eidas.ms.sp.1.pvp2.metadata.truststore.password=password
+eidas.ms.sp.1.friendlyName=jUnit test
+eidas.ms.sp.1.pvp2.metadata.url=http://junit.test/metadata
+eidas.ms.sp.1.policy.allowed.requested.targets=test
+eidas.ms.sp.1.policy.hasBaseIdTransferRestriction=true
+
 
 ##only for advanced config
 eidas.ms.configuration.sp.disableRegistrationRequirement=
-eidas.ms.configuration.restrictions.baseID.spTransmission=
+#eidas.ms.configuration.restrictions.baseID.spTransmission=
 eidas.ms.configuration.auth.default.countrycode=
 eidas.ms.configuration.pvp.scheme.validation=
 eidas.ms.configuration.pvp.enable.entitycategories=
 \ No newline at end of file
diff --git a/connector/src/test/resources/config/keys/Metadata.pem b/connector/src/test/resources/config/keys/Metadata.pem
new file mode 100644
index 00000000..b544c194
--- /dev/null
+++ b/connector/src/test/resources/config/keys/Metadata.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIEXjF+fTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJB
+VDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxETAPBgNVBAMMCE1ldGFk
+YXRhMB4XDTIwMDEyOTEyNDU0OVoXDTI2MDEyODEyNDU0OVowPzELMAkGA1UEBhMC
+QVQxDTALBgNVBAcMBEVHSVoxDjAMBgNVBAoMBWpVbml0MREwDwYDVQQDDAhNZXRh
+ZGF0YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK230G3dxNbNlSYA
+O5Kx/Js0aBAgxMt7q9m+dA35fK/dOvF/GjrqjWsMCnax+no9gLnq6x0gXiJclz6H
+rp/YDOfLrJjMpNL/r0FWT947vbnEj7eT8TdY5d6Yi8AZulZmjiCI5nbZh2zwrP4+
+WqRroLoPhXQj8mDyp26M4xHBBUhLMRc2HV4S+XH4uNZ/vTmb8vBg31XGHCY33gl7
+/KA54JNGxJdN8Dxv6yHYsm91ZfVrX39W0iYLUNhUCkolwuQmjDVfrExM8BTLIONb
+f+erJoCm3A9ghZyDYRQ/e69/UEUqDa6XOzykr88INkQscEiAXCDS+EBPMpKo+t3l
+PIA9r7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh/2mg4S03bdZy1OVtEAudBT9
+YZb9OF34hxPtNbkB/V04wSIg1d4TBr5KDhV7CdiUOxPZzHpS8LUCgfGX306FB6NX
+zh/b67uTOPaE72AB4VIT/Np0fsM7k5WhG9k9NoprIGiqCz2lXcfpZiT+LtSO1vWS
+YI87wR9KOSWjcw/5i5qZIAJuwvLCQj5JtUsmrhHK75222J3TJf4dS/gfN4xfY2rW
+9vcXtH6//8WdWp/zx9V7Z1ZsDb8TDKtBCEGuFDgVeU5ScKtVq8qRoUKD3Ve76cZi
+purO3KrRrVAuZP2EfLkZdHEHqe8GPigNnZ5kTn8V2VJ3iRAQ73hpJRR98tFd0A==
+-----END CERTIFICATE-----
diff --git a/connector/src/test/resources/data/metadata_expired.xml b/connector/src/test/resources/data/metadata_expired.xml
new file mode 100644
index 00000000..16364c05
--- /dev/null
+++ b/connector/src/test/resources/data/metadata_expired.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b67c160c0ad7b4ebd430581df167ac23" entityID="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata" validUntil="2020-12-12T20:41:20.635Z">
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#_b67c160c0ad7b4ebd430581df167ac23">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>00SaL0XjeknOb/DttutP50lTyAux1jaRPJIVdSupWvU=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>PfEBmLMX/ZgL6ViXghyWtal5MaMoW8k3zjw+54+WK1OAtVsVgOsIDRJE0M/a/VXBbMSifgY6J1gN23xhr61jkrjRQEkbDzLpWZLzWAJ65YqqUQo8wsKI2Gz0j12yY5D8/GOamKOH9KDi5ba1veXR/fnxRINoy7nZo4tcUWZChdl8BWkMN5ugr6dORNIQg/Ym3GabQ/hR5z+9FmveAKphdH63MC6qW3EgM9EMvOVkrLBTP92sNMAAJeaawui9tlxi9anVQ0OqwZsgKLvI7fyV4CM/0sd/ELjeReIlWlHk07Nz4eltMq3eOx3q1YurYvhE8XapHiQMehOtCS+Fzh10sw==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH
+SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W
+ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w
+CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ
+RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq
+UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+
+M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F
+Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt
+1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq
+nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC
+VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq
+itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc
+2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O
+fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy
+4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDEN
+MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw
+HhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDEN
+MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwC
+LZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqG
+SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh
+ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH
+SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W
+ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w
+CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ
+RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq
+UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+
+M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F
+Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt
+1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq
+nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC
+VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq
+itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc
+2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O
+fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy
+4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/post" index="0" isDefault="true"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/redirect" index="1"/>
+    <md:AttributeConsumingService index="0" isDefault="true">
+      <md:ServiceName xml:lang="en">Default Service</md:ServiceName>
+      <md:RequestedAttribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="MANDATE-TYPE-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.106" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+    </md:AttributeConsumingService>
+  </md:SPSSODescriptor>
+  <md:Organization>
+    <md:OrganizationName xml:lang="de">EGIZ</md:OrganizationName>
+    <md:OrganizationDisplayName xml:lang="de">E-Government Innovationszentrum</md:OrganizationDisplayName>
+    <md:OrganizationURL xml:lang="de">http://www.egiz.gv.at</md:OrganizationURL>
+  </md:Organization>
+  <md:ContactPerson contactType="technical">
+    <md:Company>E-Government Innovationszentrum</md:Company>
+    <md:GivenName>Lenz</md:GivenName>
+    <md:SurName>Thomas</md:SurName>
+    <md:EmailAddress>thomas.lenz@egiz.gv.at</md:EmailAddress>
+    <md:TelephoneNumber>+43 316 873 5525</md:TelephoneNumber>
+  </md:ContactPerson>
+</md:EntityDescriptor>
diff --git a/connector/src/test/resources/data/metadata_valid.xml b/connector/src/test/resources/data/metadata_valid.xml
new file mode 100644
index 00000000..06e1e785
--- /dev/null
+++ b/connector/src/test/resources/data/metadata_valid.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b67c160c0ad7b4ebd430581df167ac23" entityID="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata">
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#_b67c160c0ad7b4ebd430581df167ac23">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>00SaL0XjeknOb/DttutP50lTyAux1jaRPJIVdSupWvU=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>PfEBmLMX/ZgL6ViXghyWtal5MaMoW8k3zjw+54+WK1OAtVsVgOsIDRJE0M/a/VXBbMSifgY6J1gN23xhr61jkrjRQEkbDzLpWZLzWAJ65YqqUQo8wsKI2Gz0j12yY5D8/GOamKOH9KDi5ba1veXR/fnxRINoy7nZo4tcUWZChdl8BWkMN5ugr6dORNIQg/Ym3GabQ/hR5z+9FmveAKphdH63MC6qW3EgM9EMvOVkrLBTP92sNMAAJeaawui9tlxi9anVQ0OqwZsgKLvI7fyV4CM/0sd/ELjeReIlWlHk07Nz4eltMq3eOx3q1YurYvhE8XapHiQMehOtCS+Fzh10sw==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH
+SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W
+ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w
+CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ
+RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq
+UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+
+M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F
+Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt
+1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq
+nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC
+VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq
+itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc
+2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O
+fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy
+4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDEN
+MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw
+HhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDEN
+MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwC
+LZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqG
+SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh
+ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH
+SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W
+ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w
+CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ
+RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq
+UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+
+M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F
+Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt
+1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq
+nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC
+VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq
+itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc
+2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O
+fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy
+4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/post" index="0" isDefault="true"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/redirect" index="1"/>
+    <md:AttributeConsumingService index="0" isDefault="true">
+      <md:ServiceName xml:lang="en">Default Service</md:ServiceName>
+      <md:RequestedAttribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="MANDATE-TYPE-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.106" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
+    </md:AttributeConsumingService>
+  </md:SPSSODescriptor>
+  <md:Organization>
+    <md:OrganizationName xml:lang="de">EGIZ</md:OrganizationName>
+    <md:OrganizationDisplayName xml:lang="de">E-Government Innovationszentrum</md:OrganizationDisplayName>
+    <md:OrganizationURL xml:lang="de">http://www.egiz.gv.at</md:OrganizationURL>
+  </md:Organization>
+  <md:ContactPerson contactType="technical">
+    <md:Company>E-Government Innovationszentrum</md:Company>
+    <md:GivenName>Lenz</md:GivenName>
+    <md:SurName>Thomas</md:SurName>
+    <md:EmailAddress>thomas.lenz@egiz.gv.at</md:EmailAddress>
+    <md:TelephoneNumber>+43 316 873 5525</md:TelephoneNumber>
+  </md:ContactPerson>
+</md:EntityDescriptor>
diff --git a/connector/src/test/resources/data/pvp2_authn_1.xml b/connector/src/test/resources/data/pvp2_authn_1.xml
index ff5f08a5..1275b200 100644
--- a/connector/src/test/resources/data/pvp2_authn_1.xml
+++ b/connector/src/test/resources/data/pvp2_authn_1.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_27f4ce57e524e483446654a34cf886e2" IsPassive="false" IssueInstant="2019-12-11T10:50:19.032Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="http://localhost/pvp/post" ID="_27f4ce57e524e483446654a34cf886e2" IsPassive="false" IssueInstant="2019-12-11T10:50:19.032Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
diff --git a/connector/src/test/resources/data/test_idl_1.xml b/connector/src/test/resources/data/test_idl_1.xml
new file mode 100644
index 00000000..8151468b
--- /dev/null
+++ b/connector/src/test/resources/data/test_idl_1.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID1467616845518699" IssueInstant="2016-07-04T09:20:45+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0">
+  <saml:AttributeStatement>
+    <saml:Subject>
+      <saml:SubjectConfirmation>
+        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
+        <saml:SubjectConfirmationData>
+          <pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>AT/CZ/xWE0vFWarzpzSL4LYlpst9b6vg0=</pr:Value><pr:Type>urn:publicid:gv.at:eidasid+AT+CZ</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXMaria-Theresia Kunigunda</pr:GivenName><pr:FamilyName primary="undefined">XXXHabsburg-Lothringen</pr:FamilyName></pr:Name><pr:DateOfBirth>1980-02-29</pr:DateOfBirth></pr:Person>
+        </saml:SubjectConfirmationData>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+  <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="49629022697474602497707473238246914610217535689798527313620157109614355242988" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="77111560713755914450736041751615112402310649832147731609221710465065501356492" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>1BFOitiQUc1lAHDGksneXWZGKGaFBcu03HEiIFsjHjNt/IfRZ4IzqHotUKItxnCdNtsFc1MkMJg+
+g0AXHsuU6MNgcbcXPaPfmHp+8+BJh+amDF3FnAN4ceG8oFAGVEZteOgfdWk1r5RQ2SK+0PuXPuLp
+Tee7IzXtksReZkVEadUCxn/hiRXZa0dABgkFe3kSXbDr5tKXOF0FCtLKhZBI9z+NbX+aTSKOmAOq
+4jyymoo5EP3L+iPecrUwHijD0Bm89h1JjxP521fkYe3Si+0J40okrmCCQHBr+IzB1uX98pKhvs7X
+6rPjOJ6lBwP7XjK7D128P/cg4eH6v58cCfbLcQ==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
+  
+<dsig:Signature Id="signature-1-1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference Id="reference-1-1" URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>E+BXH0C2F6EYHjdJrOUKr+DsKT8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>Hvj40m9ridp2HOz81MTAqzf0q+sZC5YeKpJP43eK5G1HNH1/DNGU/r/6IVPibU9Y
+YGYJoXpznxRFibEQ6dFCHAaNPyADmdGHyJSWryI5ypAap4Y8MJnaUGSWY49IZbht
+PjfKWB2jUNzj1T2u6ebIifAThAK8ZqIE+e5uaR+qrrLicxIhXcSZoyScbKxMuT1Q
+p6zNsNBOHujbVAfKFUE8WmGInyvuoDgerUrA0XstWWg2M9ghytcDJwZpTYwXvmmo
+GV47ue0ITrtM+QqWVbt+dHO8369JFnGQ9h/6h/4j9iyNuxfG7u/EyHQiSuy0+FP8
+1lkLsg1YX+2pN0HElyXVqw==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIEqzCCBBSgAwIBAgIHANux81oNezANBgkqhkiG9w0BAQUFADBAMSIwIAYDVQQD
+ExlJQUlLIFRlc3QgSW50ZXJtZWRpYXRlIENBMQ0wCwYDVQQKEwRJQUlLMQswCQYD
+VQQGEwJBVDAeFw0xMzA5MjcwNTMzMzdaFw0yMzA5MjcwNTMzMzdaMIHkMQswCQYD
+VQQGEwJBVDENMAsGA1UEBxMER3JhejEmMCQGA1UEChMdR3JheiBVbml2ZXJzaXR5
+IG9mIFRlY2hub2xvZ3kxSDBGBgNVBAsTP0luc3RpdHV0ZSBmb3IgQXBwbGllZCBJ
+bmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
+BBMLTU9BLVNTIFRlc3QxGDAWBgNVBCoTD0VHSVogVGVzdHBvcnRhbDEkMCIGA1UE
+AxMbRUdJWiBUZXN0cG9ydGFsIE1PQS1TUyBUZXN0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuDjOyf+mY+oQL2FQzzuaiC8C23vVKbq/n2Zi7BqSibZH
+mtqMJfmj4pT+hWSNHvVvWsaxFcx4KeNqdCMzwnw1r4P3Sf+2o5uFku5KHEMLMokR
+yYQG9VqY/KkB94ye7Pv6zT8gvKqxGFg96UamECep4swPaSZrA8AOER5WAtyGDzKI
+Tz+a5zfFaTXDoba7f98PCWR96yKiFjVOhzp38WVz4VJgz+b8ZSY7Xsv5Kn7DXjOL
+STX4MevFLki3rFPup3+4vGToaMBW3PEj67HXBdqR855Le6+E6rVxORqsXqlVwhsI
+6nuS0CO2LWYmBNR1IB0mXteeYH/HfxvuZc+7yDjdPQIDAQABo4IBhDCCAYAwDgYD
+VR0PAQH/BAQDAgbAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEmcH6VY4BG1EAGB
+TLoNR9vH/g6yMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jYS5pYWlrLnR1Z3Jh
+ei5hdC9jYXBzby9jcmxzL0lBSUtUZXN0X0ludGVybWVkaWF0ZUNBLmNybDCBqgYI
+KwYBBQUHAQEEgZ0wgZowSgYIKwYBBQUHMAGGPmh0dHA6Ly9jYS5pYWlrLnR1Z3Jh
+ei5hdC9jYXBzby9PQ1NQP2NhPUlBSUtUZXN0X0ludGVybWVkaWF0ZUNBMEwGCCsG
+AQUFBzAChkBodHRwOi8vY2EuaWFpay50dWdyYXouYXQvY2Fwc28vY2VydHMvSUFJ
+S1Rlc3RfSW50ZXJtZWRpYXRlQ0EuY2VyMCEGA1UdEQQaMBiBFnRob21hcy5sZW56
+QGVnaXouZ3YuYXQwHwYDVR0jBBgwFoAUaKJeEdreL4BrRES/jfplNoEkp28wDQYJ
+KoZIhvcNAQEFBQADgYEAlFGjUxXLs7SAT8NtXSrv2WrjlklaRnHTFHLQwyVo8JWb
+gvRkHHDUv2o8ofXUY2R2WJ38dxeDoccgbXrJb/Qhi8IY7YhCwv/TuIZDisyAqo8W
+ORKSip/6HWlGCSR/Vgoet1GtCmF0FoUxFUIGSAuQ2yyt4fIzt5GJrU1X5ujjI1w=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature></saml:Assertion>
+\ No newline at end of file
diff --git a/connector_lib/checks/spotbugs-exclude.xml b/connector_lib/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..90ca96f2
--- /dev/null
+++ b/connector_lib/checks/spotbugs-exclude.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- View parameters are hard-coded values -->
+      <Class name="at.asitplus.eidas.specific.connector.gui.SpringMvcGuiFormBuilderImpl" />
+      <Method name="build" />
+      <Bug pattern="SPRING_FILE_DISCLOSURE" />               
+    </Match>  
+</FindBugsFilter>
diff --git a/connector_lib/pom.xml b/connector_lib/pom.xml
index 795096f9..9a187f7f 100644
--- a/connector_lib/pom.xml
+++ b/connector_lib/pom.xml
@@ -68,6 +68,15 @@
           </dependency>
         </dependencies>
       </plugin>
+      
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
 
     </plugins>
   </build>
diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java
index 6f7eace3..362d0244 100644
--- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java
+++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java
@@ -57,12 +57,14 @@ public class ServiceProviderConfiguration extends SpConfigurationImpl {
 
   }
 
+  
   @Override
   public boolean hasBaseIdTransferRestriction() {
     final Boolean spConfigPolicy = isConfigurationValue(
         MsEidasNodeConstants.PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION);
-    if (spConfigPolicy != null) {
+    if (spConfigPolicy) {
       return spConfigPolicy;
+
     } else {
       log.trace("SP configuration defines no baseID transfer restriction. Enforce default policy ...");
       for (final String el : getTargetsWithNoBaseIdTransferRestriction()) {
diff --git a/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..375f73f4
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- Do not check code generated by Apache CXF framework -->
+      <Class name="~szrservices.SZRException"/>
+    </Match>
+    <Match>
+      <!-- Logging of SAML2 responses in case of errors or for debugging is allowed -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" />
+      <Method name="getPendingRequestId" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />               
+    </Match>
+    <Match>
+      <!-- CSFR protection is implemented by pendingRequestId that is an one-time token -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" />
+      <Method name="restoreEidasAuthProcess" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />               
+    </Match>
+    <Match>
+      <!-- File path is only loaded from configuration -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry" />
+      <Method name="initialize" />
+      <Bug pattern="PATH_TRAVERSAL_IN" />               
+    </Match>
+    <Match>
+      <!-- Redirect URL is only loaded from configuration -->
+      <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask" />
+      <Method name="execute" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />               
+    </Match>  
+</FindBugsFilter>
diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml
index b2e841fb..d8459f9e 100644
--- a/eidas_modules/authmodule-eIDAS-v2/pom.xml
+++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml
@@ -251,22 +251,33 @@
       <plugin>
         <groupId>com.github.spotbugs</groupId>
         <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
         <executions>
           <execution>
-            <id>spotbugs_validate</id>
+            <id>post-unit-check</id>
             <phase>test</phase>
             <goals>
               <goal>check</goal>
             </goals>
+            <configuration>
+              <excludes>
+                <exclude>**/at/gv/e_government/reference/namespace/persondata/_20020228/*</exclude>
+                <exclude>**/org/w3/_2000/_09/*</exclude>
+                <exclude>**/szrservices/*</exclude>
+              </excludes>
+            </configuration>
           </execution>
         </executions>
-        <configuration>
-          <failOnError>true</failOnError>
-          <excludeFilterFile>spotbugs_exclude.xml</excludeFilterFile>
-        </configuration>
       </plugin>
 
-
       <!-- enable co-existence of testng and junit -->
       <plugin>
         <artifactId>maven-surefire-plugin</artifactId>
diff --git a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml b/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml
deleted file mode 100644
index 90d418ff..00000000
--- a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FindBugsFilter>
-    <Match>
-        <Class name="~szrservices.SZRException"/>
-    </Match>
-</FindBugsFilter>
-\ No newline at end of file
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
index cfaecfbb..234d52dd 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -79,7 +79,8 @@ public class AuthBlockSigningService {
     EidasAuchBlock authBlock = new EidasAuchBlock();
     authBlock.setChallenge(UUID.randomUUID().toString());
     authBlock.setTimestamp(LocalDateTime.now().truncatedTo(ChronoUnit.SECONDS));
-    authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class));    
+    authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class)); 
+    authBlock.setPiiTransactionId(pendingReq.getUniquePiiTransactionIdentifier());
     String jwsPayload = mapper.writeValueAsString(authBlock);
     log.debug("Building and sign authBlock with data: {}", jwsPayload);
     
@@ -185,6 +186,9 @@ public class AuthBlockSigningService {
     @JsonProperty("appId")
     private String uniqueId;
     
+    @JsonProperty("piiTransactionId")
+    private String piiTransactionId;
+    
     
   }
 
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index 69b993a4..6de5dae9 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -45,6 +45,7 @@ import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Marshaller;
 import javax.xml.namespace.QName;
@@ -58,8 +59,6 @@ import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Dispatch;
 import javax.xml.ws.handler.Handler;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
@@ -75,6 +74,9 @@ import org.springframework.stereotype.Service;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler;
@@ -229,7 +231,7 @@ public class SzrClient {
 
     final String resp;
     try {
-      resp = this.szr.getStammzahlEncrypted(personInfo, false);
+      resp = this.szr.getStammzahlEncrypted(personInfo, true);
     } catch (SZRException_Exception e) {
       throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
     }
@@ -488,6 +490,7 @@ public class SzrClient {
 
   private byte[] sourceToByteArray(Source result) throws TransformerException {
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.setOutputProperty("omit-xml-declaration", "yes");
     transformer.setOutputProperty("method", "xml");
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index f9142f8e..11f8fc04 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -162,6 +162,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           //inject personal-data into session
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
           authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind);
+          authProcessData.setEidProcess(true);
                
         } else {
           //request SZR
@@ -182,6 +183,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
           //inject personal-data into session
           authProcessData.setIdentityLink(idlResult.getIdentityLink());  
+          authProcessData.setEidProcess(false);
           
           // set bPK and bPKType into auth session
           authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java
index dd485ee6..44fa01e8 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java
@@ -2,6 +2,8 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks;
 
 import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import static org.powermock.api.mockito.PowerMockito.when;
 
 import java.io.IOException;
@@ -13,6 +15,7 @@ import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
@@ -29,6 +32,7 @@ import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -39,18 +43,22 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.skjolberg.mockito.soap.SoapServiceRule;
 
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException;
-import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils.JwsResult;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.IRequestStorage;
 import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
 import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
@@ -64,11 +72,14 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
 import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
 import eu.eidas.auth.commons.attribute.AttributeDefinition;
 import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
 import eu.eidas.auth.commons.attribute.PersonType;
 import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse;
 import lombok.val;
+import szrservices.JwsHeaderParam;
+import szrservices.PersonInfoType;
 import szrservices.SZR;
 import szrservices.SignContentEntry;
 import szrservices.SignContentResponseType;
@@ -93,7 +104,7 @@ public class CreateIdentityLinkTaskEidNewTest {
   EaafKeyStoreFactory keyStoreFactory;
 
   @Autowired
-  private AuthBlockSigningService authBlockSigner;
+  private IRequestStorage requestStorage;
 
   final ExecutionContext executionContext = new ExecutionContextImpl();
   private MockHttpServletRequest httpReq;
@@ -110,6 +121,10 @@ public class CreateIdentityLinkTaskEidNewTest {
           AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512, AlgorithmIdentifiers.RSA_PSS_USING_SHA256,
           AlgorithmIdentifiers.RSA_PSS_USING_SHA512));
 
+  private static ObjectMapper mapper = new ObjectMapper();
+  
+  private AuthenticationResponse response;
+  
   @Rule
   public final SoapServiceRule soap = SoapServiceRule.newInstance();
 
@@ -143,7 +158,7 @@ public class CreateIdentityLinkTaskEidNewTest {
     oaParam = new DummySpConfiguration(spConfig, basicConfig);
     pendingReq = new TestRequestImpl();
 
-    final AuthenticationResponse response = buildDummyAuthResponse();
+    response = buildDummyAuthResponse();
 
     pendingReq.getSessionData(AuthProcessDataWrapper.class)
         .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response);
@@ -151,7 +166,8 @@ public class CreateIdentityLinkTaskEidNewTest {
     pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue());
     pendingReq.setAuthUrl("http://test.com/");
     pendingReq.setTransactionId("avaasbav");
-
+    pendingReq.setPiiTransactionId(RandomStringUtils.randomAlphanumeric(10));
+        
     executionContext.put(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY, "XX");
     executionContext.put(EaafConstants.PROCESS_ENGINE_REQUIRES_NO_POSTAUTH_REDIRECT, true);
 
@@ -161,32 +177,129 @@ public class CreateIdentityLinkTaskEidNewTest {
   @Test
   public void successfulProcess() throws Exception {
     //initialize test
-    when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10));
+    String vsz = RandomStringUtils.randomNumeric(10);
+    when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz);
     val signContentResp = new SignContentResponseType();
     final SignContentEntry signContentEntry = new SignContentEntry();
     signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10));
     signContentResp.getOut().add(signContentEntry);
     when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp);
 
+    String randomTestSp = RandomStringUtils.randomAlphabetic(10);
+    pendingReq.setRawDataToTransaction(MsEidasNodeConstants.DATA_REQUESTERID, randomTestSp);
+    
     //perform test
     task.execute(pendingReq, executionContext);
 
-    //validate state
-    final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    //validate state    
+    // check if pendingRequest was stored
+    IRequest storedPendingReq = requestStorage.getPendingRequest(pendingReq.getPendingRequestId());
+    Assert.assertNotNull("pendingReq not stored", storedPendingReq);
+    
+    //check data in session
+    final AuthProcessDataWrapper authProcessData = storedPendingReq.getSessionData(AuthProcessDataWrapper.class);
     Assert.assertNotNull("AuthProcessData", authProcessData);
     Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class));
 
     String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class);
     Assert.assertNotNull("AuthBlock", authBlock);
-
-    //check authblock signature
+    
+    Assert.assertTrue("EID process", authProcessData.isEidProcess());
+    Assert.assertTrue("foreigner process", authProcessData.isForeigner());
+    Assert.assertEquals("EID-ISSUING_NATION", "LU", 
+        authProcessData.getGenericDataFromSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, String.class));
+    Assert.assertNotNull("LoA is null", authProcessData.getQaaLevel());
+    Assert.assertEquals("LoA", response.getLevelOfAssurance(), 
+        authProcessData.getQaaLevel());
+        
+    
+    // check authblock signature
     final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT,
         BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()]));
     Pair<KeyStore, Provider> keyStore = getKeyStore();
     X509Certificate[] trustedCerts = EaafKeyStoreUtils
         .getPrivateKeyAndCertificates(keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond();
     JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts), constraints);
-    Assert.assertTrue("AuthBlock not valid", result.isValid());
+    Assert.assertTrue("AuthBlock not valid", result.isValid());        
+    JsonNode authBlockJson = mapper.readTree(result.getPayLoad());    
+    Assert.assertNotNull("deserialized AuthBlock", authBlockJson);
+    
+    Assert.assertNotNull("no piiTransactionId in pendingRequesdt", 
+        storedPendingReq.getUniquePiiTransactionIdentifier());
+    Assert.assertEquals("piiTransactionId", storedPendingReq.getUniquePiiTransactionIdentifier(), 
+        authBlockJson.get("piiTransactionId").asText());
+    Assert.assertEquals("appId", randomTestSp, authBlockJson.get("appId").asText());    
+    Assert.assertFalse("'challenge' is null", authBlockJson.get("challenge").asText().isEmpty());
+    Assert.assertFalse("'timestamp' is null", authBlockJson.get("timestamp").asText().isEmpty());
+    
+    
+    // check vsz request
+    ArgumentCaptor<PersonInfoType> argument4 = ArgumentCaptor.forClass(PersonInfoType.class);
+    ArgumentCaptor<Boolean> argument5 = ArgumentCaptor.forClass(Boolean.class);        
+    verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture());
+    
+    Boolean param5 = argument5.getValue();
+    Assert.assertTrue("insertERnP flag", param5);    
+    PersonInfoType person = argument4.getValue();
+    Assert.assertEquals("FamilyName", 
+        response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), 
+        person.getPerson().getName().getFamilyName());
+    Assert.assertEquals("GivenName", 
+        response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), 
+        person.getPerson().getName().getGivenName());
+    Assert.assertEquals("DateOfBirth", 
+        response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next())
+            .toString().split("T")[0], 
+        person.getPerson().getDateOfBirth());
+    
+    Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry());
+    Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType());
+    
+    Assert.assertEquals("Identifier", 
+        response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next())
+            .toString().split("/")[2], 
+        person.getTravelDocument().getDocumentNumber());
+           
+    // check bcBind singing request
+    ArgumentCaptor<Boolean> argument1 = ArgumentCaptor.forClass(Boolean.class);
+    ArgumentCaptor<List<JwsHeaderParam>> argument2 = ArgumentCaptor.forClass(List.class);
+    ArgumentCaptor<List<SignContentEntry>> argument3 = ArgumentCaptor.forClass(List.class);
+    verify(szrMock, times(1)).signContent(argument1.capture(), argument2.capture(), argument3.capture());
+    Boolean param1 = argument1.getValue();
+    Assert.assertFalse("addCert flag", param1);
+    
+    List<JwsHeaderParam> param2 = argument2.getValue();
+    Assert.assertNotNull("JWS Headers", param2); 
+    Assert.assertFalse("JWS Headers empty", param2.isEmpty());
+    Assert.assertEquals("Wrong JWS header size", 1, param2.size());
+    Assert.assertEquals("Missing JWS header key", "urn:at.gv.eid:bindtype", param2.get(0).getKey());
+    Assert.assertEquals("Missing JWS header value", "urn:at.gv.eid:eidasBind", param2.get(0).getValue());
+    
+    List<SignContentEntry> param3 = argument3.getValue();
+    Assert.assertNotNull("sign Payload", param3);
+    Assert.assertEquals("wrong sign-payload size", 1, param3.size());    
+    Assert.assertNotNull("payload", param3.get(0).getValue().getBytes());    
+    JsonNode bcBind = mapper.readTree(param3.get(0).getValue().getBytes());
+    Assert.assertNotNull("bcbind req", bcBind);
+    
+    Assert.assertEquals("vsz", vsz, bcBind.get("urn:eidgvat:attributes.vsz.value").asText());
+    Assert.assertEquals("eid status", "urn:eidgvat:eid.status.eidas", 
+        bcBind.get("urn:eidgvat:attributes.eid.status").asText());
+    Assert.assertTrue("pubKeys", bcBind.has("urn:eidgvat:attributes.user.pubkeys"));
+    Assert.assertTrue("pubKeys", bcBind.get("urn:eidgvat:attributes.user.pubkeys").isArray());    
+    Iterator<JsonNode> pubKeys = bcBind.get("urn:eidgvat:attributes.user.pubkeys").elements();
+    Assert.assertTrue("No PubKey", pubKeys.hasNext());
+    Assert.assertEquals("Wrong pubKey", 
+        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxcB5jnrAwGn7xjgVFv1UBUv1pluwDRFQx7x5O6rSn7pblYfwaWeKa8y"
+        + "jS5BDDaZ00mhhnSlm2XByNrkg5yBGetTgBGtQVAxV5apfuAWN8TS3uSXgdZol7Khd6kraUITtnulvLe8tNaboom5P0zN6UxbJN"
+        + "NVLishVp80HiRXiDbplCTUk8b5cYtmivdb0+5JBTa7L5N/anRVnHHoJCXgNPTouO8daUHZbG1mPk0HgqD8rhZ+OBzE+APKH9No"
+        + "agedSrGRDLdIgZxkrg0mxmfsZQIi2wdJSi3y0PAjEps/s4j0nmw9bPRgCMNLBqqjxtN5JKC8E1yyLm7YefXv/nPaMwIDAQAB", 
+        pubKeys.next().asText());
+    Assert.assertFalse("More than one PubKey", pubKeys.hasNext());
     
   }
 
@@ -261,12 +374,19 @@ public class CreateIdentityLinkTaskEidNewTest {
         .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller").build();
 
     final ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder()
-        .put(attributeDef, "de/st/" + RandomStringUtils.randomNumeric(64))
+        .put(attributeDef, "LU/ST/" + RandomStringUtils.randomNumeric(64))
         .put(attributeDef2, RandomStringUtils.randomAlphabetic(10))
         .put(attributeDef3, RandomStringUtils.randomAlphabetic(10)).put(attributeDef4, "2001-01-01").build();
 
     val b = new AuthenticationResponse.Builder();
-    return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf")
-        .attributes(attributeMap).build();
+    return b.id("_".concat(Random.nextHexRandom16()))
+        .issuer(RandomStringUtils.randomAlphabetic(10))
+        .subject(RandomStringUtils.randomAlphabetic(10))
+        .statusCode("200")
+        .inResponseTo("_".concat(Random.nextHexRandom16()))
+        .subjectNameIdFormat("afaf")
+        .levelOfAssurance(EaafConstants.EIDAS_LOA_PREFIX + RandomStringUtils.randomAlphabetic(5))
+        .attributes(attributeMap)
+        .build();
   }
 }
diff --git a/pom.xml b/pom.xml
index 2c8cb1e7..c360f910 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,29 +20,32 @@
     <egiz-spring-api>0.3</egiz-spring-api>
     <egiz-eventlog-slf4jBackend>0.4</egiz-eventlog-slf4jBackend>
     <eaaf-core.version>1.1.10</eaaf-core.version>
-    <org.springframework.version>5.2.9.RELEASE</org.springframework.version>
+    <org.springframework.version>5.2.12.RELEASE</org.springframework.version>
     <org.thymeleaf-spring5.version>3.0.11.RELEASE</org.thymeleaf-spring5.version>
-    <cxf.version>3.4.0</cxf.version>
+    <cxf.version>3.4.1</cxf.version>
 
     <org.apache.commons-lang3.version>3.11</org.apache.commons-lang3.version>
     <org.apache.commons-text.version>1.9</org.apache.commons-text.version>
     <commons-collections4.version>4.4</commons-collections4.version>
-    <com.google.guava.version>29.0-jre</com.google.guava.version>
-    <joda-time.version>2.10.6</joda-time.version>
+    <com.google.guava.version>30.0-jre</com.google.guava.version>
+    <joda-time.version>2.10.8</joda-time.version>
     <org.slf4j.version>1.7.30</org.slf4j.version>
-    <jackson-datatype-jsr310.version>2.11.3</jackson-datatype-jsr310.version>
-    
-        
+    <jackson-datatype-jsr310.version>2.12.0</jackson-datatype-jsr310.version>
+
+
     <!-- testing -->
-    <junit.version>4.13</junit.version>
+    <junit.version>4.13.1</junit.version>
     <surefire.version>2.22.2</surefire.version>
     <mockito-soap-cxf.version>1.0.5</mockito-soap-cxf.version>
 
     <!-- Code quality checks -->
     <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
     <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
-    <maven-pmd-plugin.version>3.13.0</maven-pmd-plugin.version>
-    <spotbugs-maven-plugin.version>4.0.4</spotbugs-maven-plugin.version>
+    <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version>
+    <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version>
+    <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version>
+
+    <dependency-check-maven.version>6.0.3</dependency-check-maven.version>
 
     <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory>
     <pmw_rules_location>https://apps.egiz.gv.at/checkstyle/egiz_pmd_checks.xml</pmw_rules_location>
@@ -95,6 +98,7 @@
     <module>connector_lib</module>
     <module>connector</module>
     <module>eidas_modules</module>
+    <module>build_reporting</module>
   </modules>
 
   <dependencyManagement>
@@ -121,6 +125,12 @@
         <version>${eaaf-core.version}</version>
       </dependency>
       <dependency>
+        <groupId>at.asitplus.eidas.ms_specific</groupId>
+        <artifactId>ms_specific_connector</artifactId>
+        <type>war</type>
+        <version>${egiz.eidas.version}</version>
+      </dependency>
+      <dependency>
         <groupId>at.asitplus.eidas.ms_specific.modules</groupId>
         <artifactId>authmodule-eIDAS-v2</artifactId>
         <version>${egiz.eidas.version}</version>
@@ -303,6 +313,24 @@
           <version>${maven-assembly-plugin.version}</version>
         </plugin>
 
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>${dependency-check-maven.version}</version>
+          <configuration>
+            <failBuildOnCVSS>11</failBuildOnCVSS>
+            <failOnError>false</failOnError>
+          </configuration>
+          <executions>
+            <execution>
+              <goals>
+                <goal>check</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
+
+
       </plugins>
     </pluginManagement>
     <plugins>
@@ -453,6 +481,13 @@
         </executions>
         <configuration>
           <failOnError>true</failOnError>
+          <plugins>
+            <plugin>
+              <groupId>com.h3xstream.findsecbugs</groupId>
+              <artifactId>findsecbugs-plugin</artifactId>
+              <version>${findsecbugs-plugin.version}</version>
+            </plugin>
+          </plugins>
         </configuration>
       </plugin>
     </plugins>
@@ -479,4 +514,4 @@
       </plugin>
     </plugins>
   </reporting>
-</project>
-\ No newline at end of file
+</project>
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-12-15 18:21:07 +0100
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-12-15 18:21:07 +0100
commit	47e2b6c838233aec6482ae81db91d8d48f0d3ea3 (patch)
tree	495db98e50d49f8170896df6a4577a8e480866d0
parent	230e6c3890c7e63b286e9a08001e5ffd63743d2c (diff)
parent	76bba5972cfa6d6272a73cbdf56a8705419c55c8 (diff)
download	National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.tar.gz National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.tar.bz2 National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.zip