From 58b3c1c2d7a27775af8c0b7c9d12dea08aa575fa Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Tue, 19 Jan 2021 10:37:45 +0100
Subject: build 'requesterId' for private-sector SP's based on hashed unique
 AppIds set 'requesterId' and 'providerName' to static value for any type of
 SP

---
 basicConfig/default_config.properties | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'basicConfig/default_config.properties')

diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties
index 8a1bc3a0..ad883284 100644
--- a/basicConfig/default_config.properties
+++ b/basicConfig/default_config.properties
@@ -31,6 +31,9 @@ eidas.ms.auth.eIDAS.szrclient.ssl.keyStore.password=
 eidas.ms.auth.eIDAS.szrclient.ssl.trustStore.path=
 eidas.ms.auth.eIDAS.szrclient.ssl.trustStore.password=
 
+## eIDAS Request configuration
+eidas.ms.auth.eIDAS.node_v2.staticProviderNameForPublicSPs=Austria
+
 
 ## E-AuthBlock configuration
 eidas.ms.auth.eIDAS.authblock.keystore.type=jks
-- 
cgit v1.2.3


From 2fabf6cfdc78fceac1302d45c88d08214fe4e9e3 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 20 Jan 2021 14:32:37 +0100
Subject: add README.md, release and update informations, and full handbook

---
 README.md                                          | 112 +++++++++++++++++++++
 basicConfig/default_config.properties              |   1 -
 connector/src/assembly/assembly_dir.xml            |   2 +
 connector/src/assembly/assembly_zip.xml            |   3 +
 .../src/main/resources/application.properties      |  20 ++--
 infos/handbook-work_in_progress.docx               | Bin 0 -> 44486 bytes
 infos/readme_1.2.0.md                              |  59 +++++++++++
 7 files changed, 183 insertions(+), 14 deletions(-)
 create mode 100644 README.md
 create mode 100644 infos/handbook-work_in_progress.docx
 create mode 100644 infos/readme_1.2.0.md

(limited to 'basicConfig/default_config.properties')

diff --git a/README.md b/README.md
new file mode 100644
index 00000000..e0914598
--- /dev/null
+++ b/README.md
@@ -0,0 +1,112 @@
+# Member-state specific eIDAS Application
+
+## Description
+
+The member-state specific eIDAS application (ms-specific eIDAS) implements the bridge between the eIDAS reference implementation provides by European commission and the national eID system. This application consists of two parts
+
+- **MS-specific Connector:** implements the bridge to connect a national service-provider to a foreign idenity-provider. 
+
+- **MS-specific Proxy-Service:** implements the bridge to connect a foreign service-provider to national eID system (ID Austria). This feature is not implemented yet.
+
+  
+
+### Building
+
+The application uses SpringBoot as core framework, but the default build-profile does not build an executable jar. There, the application has to be deployed into an application service, like Apache Tomcat
+
+The project can be build with :
+
+```
+mvn clean package
+```
+
+The resulting `war` file can be deployed into an application server
+
+Set Java System-Property _-Deidas.ms.configuration=/path/to/configuration..._ to set the configuration for this application
+
+
+
+If you like to build an executable SpringBoot application with embedded Tomcat then use:
+
+```
+mvn -P embbededTomcat clean package
+```
+
+The resulting `jar` file can be run with java:
+
+```
+java -jar ./connector/target/ms-connector.jar
+```
+
+But it is also directly executalbe
+
+```
+./connector/target/ms-connector.jar
+```
+
+In case of a executable application package, the configuration can be either set by Java System-Property _-Deidas.ms.configuration=/path/to/configuration..._  or by default SpringBoot configuration features.
+
+
+
+### Configuration
+
+A default configuration is located at _basicConfig/_
+
+
+
+## Generate a BM.I Release Package
+
+The full release packages for BM.I infrastructure will be automatically assembled by maven build-process.  Before release build, all release related information have to added into infos folder. To add release informations follow the steps outlined below.
+
+Add a file with release informations to:
+```
+./infos/readme_{version}.txt
+```
+
+Add additional eIDAS Node related information into:
+
+```
+./infos/eIDAS_Ref_Impl/
+```
+
+Add, remove, or update the application description in the handbook and store the handbook for the current release version as pdf. 
+
+```
+modify: ./infos/handbook-work_in_progress.docx
+store pdf to: ./infos/handbook/handbook-{version}.pdf
+```
+
+Generate a release package with:
+
+
+```
+mvn clean package
+```
+
+The full release package will be located add
+```
+./target/ms_specific_connector-{version}-dist.tar.gz
+```
+
+
+
+## Changelog
+
+**v1.2.0**
+
+- Anpassungen zur Anbindungen an das E-ID System
+- Update auf eIDAS Ref. Impl. 2.5.0 mit Apache Ignite Cache
+  https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+version+2.5
+- TODO:
+
+
+
+**v1.1.0**
+
+  - Update auf eIDAS Ref. Impl. 2.4.0 mit Apache Ignite Cache
+    https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+version+2.4
+  - Statischer Service-Provider Name für öffentliche Applikationen 
+  - Mindest LoA, welche für Requests an eIDAS Proxy-Services verwendet wird.
+  - Requested Attributes je Land konfigurierbar
+  - Neue Template-Engine mit i18n Unterstützung
+  - Neuer Algorithmus zur Generierung von Sessiontokens  
\ No newline at end of file
diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties
index ad883284..725fac7c 100644
--- a/basicConfig/default_config.properties
+++ b/basicConfig/default_config.properties
@@ -1,6 +1,5 @@
 ## Basic service configuration
 eidas.ms.context.url.prefix=
-eidas.ms.context.url.request.validation=false
 eidas.ms.core.configRootDir=file:./
 
 
diff --git a/connector/src/assembly/assembly_dir.xml b/connector/src/assembly/assembly_dir.xml
index 37e05390..59437be6 100644
--- a/connector/src/assembly/assembly_dir.xml
+++ b/connector/src/assembly/assembly_dir.xml
@@ -43,7 +43,9 @@
       <includes>
         <!-- include>README.md</include-->
         <include>readme_${project.version}.txt</include>
+        <include>readme_${project.version}.md</include>
         <include>eIDAS_Ref_Impl/*</include>
+        <include>handbook/*</include>
       </includes>
     </fileSet>
   </fileSets>
diff --git a/connector/src/assembly/assembly_zip.xml b/connector/src/assembly/assembly_zip.xml
index 579da2e1..43877283 100644
--- a/connector/src/assembly/assembly_zip.xml
+++ b/connector/src/assembly/assembly_zip.xml
@@ -43,6 +43,9 @@
       <includes>
         <!-- include>README.md</include -->
         <include>readme_${project.version}.txt</include>
+        <include>readme_${project.version}.md</include>
+        <include>eIDAS_Ref_Impl/*</include>
+        <include>handbook/*</include>
       </includes>
     </fileSet>
   </fileSets>
diff --git a/connector/src/main/resources/application.properties b/connector/src/main/resources/application.properties
index b92102ed..9a4ae54f 100644
--- a/connector/src/main/resources/application.properties
+++ b/connector/src/main/resources/application.properties
@@ -17,9 +17,9 @@ spring.boot.admin.client.enabled=false
 
 #############################################################################
 ## MS-speccific eIDAS-Connector configuration
-#proxy.context.url.prefix=
+#eidas.ms.context.url.prefix=
 eidas.ms.context.url.request.validation=false
-#proxy.configRootDir=file:/.../config/
+#eidas.ms.configRootDir=file:/.../config/
 eidas.ms.context.use.clustermode=true
 eidas.ms.core.logging.level.info.errorcodes=auth.21
 
@@ -51,8 +51,7 @@ eidas.ms.auth.eIDAS.node_v2.entityId=ownSpecificConnector
 #eidas.ms.auth.eIDAS.node_v2.forward.endpoint=
 eidas.ms.auth.eIDAS.node_v2.forward.method=POST
 eidas.ms.auth.eIDAS.node_v2.countrycode=AT
-#eidas.ms.auth.eIDAS.node_v2.publicSectorTargets=urn:publicid:gv.at:cdid\+.*
-eidas.ms.auth.eIDAS.node_v2.publicSectorTargets=.*
+eidas.ms.auth.eIDAS.node_v2.publicSectorTargets=urn:publicid:gv.at:cdid\+.*
 
 ## use SAML2 requestId as transactionIdentifier to mitigate problems with SAML2 relaystate
 eidas.ms.auth.eIDAS.node_v2.workarounds.useRequestIdAsTransactionIdentifier=true
@@ -106,9 +105,6 @@ eidas.ms.auth.eIDAS.szrclient.debug.logfullmessages=false
 eidas.ms.auth.eIDAS.szrclient.debug.useDummySolution=false
 
 
-
-
-
 ##without mandates
 eidas.ms.auth.eIDAS.node_v2.attributes.requested.onlynatural.0=PersonIdentifier,true
 eidas.ms.auth.eIDAS.node_v2.attributes.requested.onlynatural.1=FamilyName,true
@@ -137,7 +133,7 @@ eidas.ms.auth.eIDAS.node_v2.attributes.requested.representation.5=LegalName,true
 #eidas.ms.pvp2.key.metadata.password=password
 #eidas.ms.pvp2.key.signing.alias=sig
 #eidas.ms.pvp2.key.signing.password=password
-#eidas.ms.pvp2.metadata.validity=24
+eidas.ms.pvp2.metadata.validity=24
 
 #eidas.ms.pvp2.metadata.organisation.name=JUnit
 #eidas.ms.pvp2.metadata.organisation.friendyname=For testing with jUnit
@@ -158,8 +154,6 @@ eidas.ms.auth.eIDAS.node_v2.attributes.requested.representation.5=LegalName,true
 
 
 ##only for advanced config
-eidas.ms.configuration.sp.disableRegistrationRequirement=
-#eidas.ms.configuration.restrictions.baseID.spTransmission=
-eidas.ms.configuration.auth.default.countrycode=
-eidas.ms.configuration.pvp.scheme.validation=
-eidas.ms.configuration.pvp.enable.entitycategories=
\ No newline at end of file
+eidas.ms.configuration.sp.disableRegistrationRequirement=false
+eidas.ms.configuration.pvp.scheme.validation=true
+eidas.ms.configuration.pvp.enable.entitycategories=false
\ No newline at end of file
diff --git a/infos/handbook-work_in_progress.docx b/infos/handbook-work_in_progress.docx
new file mode 100644
index 00000000..d311fa80
Binary files /dev/null and b/infos/handbook-work_in_progress.docx differ
diff --git a/infos/readme_1.2.0.md b/infos/readme_1.2.0.md
new file mode 100644
index 00000000..98e18ccb
--- /dev/null
+++ b/infos/readme_1.2.0.md
@@ -0,0 +1,59 @@
+# MS-Connector v1.2.0 Release vom xx.xx.2021
+
+Der MS-Connector implementiert eine Bridge zwischen dem österreichischen E-ID System und dem eIDAS Framework um ausländischen Benutzern eine Anmeldung am österreichischen Service-Providern zu ermöglichen.
+
+### Änderungen in dieser Version
+
+  - Erforderliche Anpassungen zur Integration in den ID Austria
+
+  - Update auf eIDAS Ref. Impl. 2.5.0 (Implementiert eIDAS Spezifikation 1.2)
+    https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+version+2.5
+
+  - Codestabilisierung 
+
+  - Monitoring und HealthChecks Verbesserungen
+
+  - Akutalisierung von Drittherstellerbibliotheken
+
+
+
+
+### Durchführen eines Updates 
+
+Nachfolgend finden Sie die erforderlichen Schritte für das Update eines bestehenden MS-specific eIDAS Connectors auf die aktuelle Version 1.2.0. Das vollständige Handbuch mit allen Konfigurationsparametern finden Sie im Releasepackage im Verzeichnis: _infos/handbook/_
+
+### Ausgehend von einer bestehenden Version 1.1.0 
+
+1. Stoppen Sie die *MS-Connector* Applikation und fertigen Sie eine Sicherungskopie Ihrer Applikation inklusive Konfiguration an
+2. Entpacken Sie das Releasepacket *ms_specific_connector-1.2.0-dist.zip* in ein temporäres Verzeichnis welches in weiterer Folge __MsConnectorPackage__ bezeichnet wird.
+3. Kopieren sie die Applikation __MsConnectorPackage__/ms_connector.war nach in das Applikationsverzeichnis ihres Applikationsservers
+4. Mit der Version 1.2.0 wurde die Konfiguration eine eine Minimalkonfiguration [`default_config.properties`](./../config/default_config.properties)  und eine in den MS-Connectorintegrierte Defaultkonfiguration aufgteilt. Die nachfolgende Aufzählung umfasst die neuen oder geänderten Konfigurationsparameter, beschreibt jedoch keine Aufteilung einer bestehenden Konfiguration in Minimal- und Defaultteil. Eine vollständige Beschreibung aller Konfigurationswerte finden Sie **hier**.
+5. Update bestehender Dateien . Die nachfolgenden Dateien wurden geändert und erfordern eine Anpassung oder eine Übernahme dem Releasepacket, sofern die Anpassung nicht bereits durchgeführt wurde
+
+   * __MsConnectorPackage__/config/templates/error_message.html
+6. Erstellung neuer Dateien
+   - _KeyStore für ID Austria AuthBlock:_ Erstellen eines KeyStore mit mit öffentlichem und privaten Schlüssel welcher für die JWS Signature des technischen ID Austria AuthBlocks verwendet werden soll.
+7. Neue Konfigurationsparameter
+   - *Allgemeine Konfiguration*
+     - ```eidas.ms.core.configRootDir```
+   - *ID Austria Umsetzung*
+     - ```eidas.ms.auth.eIDAS.authblock.keystore.type```
+     - ```eidas.ms.auth.eIDAS.authblock.keystore.path```
+     - ```eidas.ms.auth.eIDAS.authblock.keystore.password```
+     - ```eidas.ms.auth.eIDAS.authblock.key.alias```
+     - ```eidas.ms.auth.eIDAS.authblock.key.password```
+   - *Service-Provider Konfiguration Konfiguration*
+     - ```eidas.ms.sp.x.newEidMode```
+8. Gelöschte Konfigurationsparameter
+
+   - ```authhandler.modules.bindingservice.bpk.target```
+9. Neue optionale Konfigurationsparameter
+   - *Allgemeine Konfiguration*
+     - ```eidas.ms.core.logging.level.info.errorcodes```
+   - *eIDAS Node Kommunikation*
+     * ```eidas.ms.auth.eIDAS.node_v2.requesterId.useHashedForm```
+     * ```eidas.ms.auth.eIDAS.node_v2.requesterId.lu.useStaticRequesterForAll```
+     * ```eidas.ms.auth.eIDAS.node_v2.requesterId.useHashedForm```
+     * ```eidas.ms.auth.eIDAS.node_v2.requesterId.useHashedForm```
+   - *ID Austria Umsetzung*
+     - ```eidas.ms.auth.eIDAS.szrclient.eidasbind.mds.inject```
-- 
cgit v1.2.3


From c5c6344931f67ccaba335ffa476b5e8117948020 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Wed, 10 Mar 2021 12:25:10 +0100
Subject: switch to EAAF-components 1.1.13-SNAPSHOT to add
 EID-IDENTITY-STATUS-LEVEL attribute into SAML2 response

---
 basicConfig/default_config.properties              |   2 ++
 .../builder/AuthenticationDataBuilder.java         |  26 +++++++++++-----
 .../src/main/resources/application.properties      |   2 ++
 .../resources/specific_eIDAS_connector.beans.xml   |   6 ++++
 .../connector/test/FullStartUpAndProcessTest.java  |   7 +++--
 .../ProcessEngineSignalControllerTest.java         |   2 +-
 .../test/utils/AuthenticationDataBuilderTest.java  |  16 +++++++++-
 .../data/metadata_valid_without_encryption.xml     |   1 +
 .../spring/SpringTest_connector.beans.xml          |   6 ++++
 .../specific/modules/auth/eidas/v2/Constants.java  |   2 ++
 .../eidas/v2/tasks/ReceiveAuthnResponseTask.java   |   9 ++++--
 .../test/tasks/ReceiveEidasResponseTaskTest.java   |  34 +++++++++++++++++++--
 infos/handbook-work_in_progress.docx               | Bin 44486 -> 44445 bytes
 pom.xml                                            |   2 +-
 14 files changed, 98 insertions(+), 17 deletions(-)

(limited to 'basicConfig/default_config.properties')

diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties
index 725fac7c..2ea12b17 100644
--- a/basicConfig/default_config.properties
+++ b/basicConfig/default_config.properties
@@ -18,6 +18,8 @@ eidas.ms.core.pendingrequestid.digist.secret=pendingReqIdSecret
 
 
 ## eIDAS Ref. Implementation connector ###
+eidas.ms.auth.eIDAS.eid.testidentity.default=false
+
 eidas.ms.auth.eIDAS.node_v2.entityId=ownSpecificConnector
 eidas.ms.auth.eIDAS.node_v2.forward.endpoint=
 
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
index c41660ce..3a93c1b8 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
@@ -30,6 +30,7 @@ import org.springframework.stereotype.Service;
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions.EidIdentityStatusLevelValues;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer;
@@ -37,8 +38,9 @@ import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
+import at.gv.egiz.eaaf.core.impl.idp.EidAuthenticationData;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.AbstractAuthenticationDataBuilder;
-import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.EidAuthProcessDataWrapper;
 import lombok.extern.slf4j.Slf4j;
 
 @Service("AuthenticationDataBuilder")
@@ -47,9 +49,9 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
   
   @Override
   protected IAuthData buildDeprecatedAuthData(IRequest pendingReq) throws EaafException {        
-    final IAuthProcessDataContainer authProcessData =
-        pendingReq.getSessionData(AuthProcessDataWrapper.class);    
-    AuthenticationData authData = new AuthenticationData();
+    final EidAuthProcessDataWrapper authProcessData =
+        pendingReq.getSessionData(EidAuthProcessDataWrapper.class);    
+    EidAuthenticationData authData = new EidAuthenticationData();
     
     //set basis infos
     super.generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData);
@@ -58,6 +60,9 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
     authData.setSsoSessionValidTo(
         new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
     
+    authData.setEidStatus(authProcessData.isTestIdentity() 
+        ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY);
+    
     return authData;
 
   }
@@ -65,16 +70,21 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
   @Override
   protected void buildServiceSpecificAuthenticationData(IAuthData authData, IRequest pendingReq) 
       throws EaafException {
-    if (authData instanceof AuthenticationData) {
-      ((AuthenticationData)authData).setGenericData(
+    if (authData instanceof EidAuthenticationData) {
+      ((EidAuthenticationData)authData).setGenericData(
           ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, 
           pendingReq.getUniquePiiTransactionIdentifier());
       log.trace("Inject piiTransactionId: {} into AuthData", pendingReq.getUniquePiiTransactionIdentifier());
     
       // set specific informations
-      ((AuthenticationData)authData).setSsoSessionValidTo(
+      ((EidAuthenticationData)authData).setSsoSessionValidTo(
           new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
 
+      //set E-ID status-level
+      final EidAuthProcessDataWrapper authProcessData =
+          pendingReq.getSessionData(EidAuthProcessDataWrapper.class);        
+      ((EidAuthenticationData)authData).setEidStatus(authProcessData.isTestIdentity() 
+          ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY);
       
     } else {
       throw new RuntimeException("Can not inject PiiTransactionId because AuthData is of unknown type: " 
@@ -86,7 +96,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
 
   @Override
   protected IAuthData getAuthDataInstance(IRequest arg0) throws EaafException {
-    return new AuthenticationData();
+    return new EidAuthenticationData();
 
   }
 
diff --git a/connector/src/main/resources/application.properties b/connector/src/main/resources/application.properties
index 9a4ae54f..2411fde3 100644
--- a/connector/src/main/resources/application.properties
+++ b/connector/src/main/resources/application.properties
@@ -48,6 +48,8 @@ eidas.ms.core.pendingrequestid.digist.algorithm=HmacSHA256
 
 ## eIDAS Ref. Implementation connector ###
 eidas.ms.auth.eIDAS.node_v2.entityId=ownSpecificConnector
+eidas.ms.auth.eIDAS.eid.testidentity.default=false
+
 #eidas.ms.auth.eIDAS.node_v2.forward.endpoint=
 eidas.ms.auth.eIDAS.node_v2.forward.method=POST
 eidas.ms.auth.eIDAS.node_v2.countrycode=AT
diff --git a/connector/src/main/resources/specific_eIDAS_connector.beans.xml b/connector/src/main/resources/specific_eIDAS_connector.beans.xml
index f6fdeefe..0f8511d5 100644
--- a/connector/src/main/resources/specific_eIDAS_connector.beans.xml
+++ b/connector/src/main/resources/specific_eIDAS_connector.beans.xml
@@ -49,6 +49,9 @@
     <property name="pvpIdpCredentials">
       <ref bean="PVPEndPointCredentialProvider" />
     </property>
+    <property name="metadataProvider">
+      <ref bean="PVPMetadataProvider" />
+    </property>   
   </bean>
 
   <bean id="AuthnRequestValidator"
@@ -69,6 +72,9 @@
     <property name="pvpIdpCredentials">
       <ref bean="PVPEndPointCredentialProvider" />
     </property>
+    <property name="metadataProvider">
+      <ref bean="PVPMetadataProvider" />
+    </property>     
   </bean>
 
   <bean id="eaafProtocolAuthenticationService"
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java
index fcb0e73a..f50829c7 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java
@@ -62,6 +62,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
 import at.gv.egiz.components.spring.api.SpringBootApplicationContextInitializer;
 import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
@@ -99,7 +100,7 @@ import szrservices.SignContentResponseType;
 @ActiveProfiles(profiles = {"JUNIT", "jUnitTestMode"})
 public class FullStartUpAndProcessTest {
 
-  private static final String FINAL_REDIRECT = "http://localhost/finalizeAuthProtocol?pendingid=";
+  private static final String FINAL_REDIRECT = "http://localhost/public/secure/finalizeAuthProtocol?pendingid=";
   
   @Autowired private WebApplicationContext wac;
   @Autowired private PvpEndPointCredentialProvider credentialProvider;
@@ -379,7 +380,7 @@ public class FullStartUpAndProcessTest {
     Assert.assertEquals("SAML2 status", Constants.SUCCESS_URI, saml2.getStatus().getStatusCode().getValue());
     
     final AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(saml2);
-    Assert.assertEquals("wrong resp attr. size", 6, extractor.getAllIncludeAttributeNames().size());
+    Assert.assertEquals("wrong resp attr. size", 7, extractor.getAllIncludeAttributeNames().size());
     Assert.assertEquals("Wrong attr: LoA ", "http://eidas.europa.eu/LoA/high", 
         extractor.getSingleAttributeValue("urn:oid:1.2.40.0.10.2.1.1.261.108"));
     Assert.assertEquals("Wrong attr: PVP_VERSION ", "2.2", 
@@ -392,6 +393,8 @@ public class FullStartUpAndProcessTest {
         extractor.getSingleAttributeValue("urn:eidgvat:attributes.authblock.signed"));
     Assert.assertNotNull("Wrong attr: piiTras.Id ", 
         extractor.getSingleAttributeValue("urn:eidgvat:attributes.piiTransactionId"));
+    Assert.assertEquals("Wrong attr:EID_STATUS_LEVEL ", "http://eid.gv.at/eID/status/identity",
+        extractor.getSingleAttributeValue(PvpAttributeDefinitions.EID_IDENTITY_STATUS_LEVEL_NAME));
     
   }
 
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/controller/ProcessEngineSignalControllerTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/controller/ProcessEngineSignalControllerTest.java
index d2c4aff2..5b612036 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/controller/ProcessEngineSignalControllerTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/controller/ProcessEngineSignalControllerTest.java
@@ -69,7 +69,7 @@ public class ProcessEngineSignalControllerTest {
     Assert.assertEquals("http StatusCode", 302, httpResp.getStatus());
     Assert.assertNotNull("redirect header", httpResp.getHeaderValue("Location"));
     Assert.assertTrue("wrong redirect header", 
-        httpResp.getHeader("Location").startsWith("http://localhost/errorHandling?errorid="));
+        httpResp.getHeader("Location").startsWith("http://localhost/public/secure/errorHandling?errorid="));
   
   }
   
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java
index 5f1c5dcf..0df8638c 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java
@@ -11,6 +11,7 @@ import java.util.Map;
 import javax.xml.transform.TransformerException;
 
 import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.RandomUtils;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -35,6 +36,7 @@ import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
 import at.gv.egiz.eaaf.core.api.data.EaafConstants;
 import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions.EidIdentityStatusLevelValues;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
@@ -42,8 +44,10 @@ import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.EaafParserException;
 import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
+import at.gv.egiz.eaaf.core.impl.idp.EidAuthenticationData;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.EidAuthProcessDataWrapper;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
@@ -118,8 +122,10 @@ public class AuthenticationDataBuilderTest {
   @Test
   public void eidMode() throws EaafAuthenticationException {
     // initialize state
+    boolean isTestIdentity = RandomUtils.nextBoolean();
     pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true);
-
+    pendingReq.getSessionData(EidAuthProcessDataWrapper.class).setTestIdentity(isTestIdentity);
+    
     // execute
     IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq);
 
@@ -128,6 +134,9 @@ public class AuthenticationDataBuilderTest {
     Assert.assertNotNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class));
     Assert.assertNotNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class));
     Assert.assertNotNull("LoA null", authData.getEidasQaaLevel());
+    Assert.assertEquals("testIdentity flag", 
+        isTestIdentity ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY, 
+        ((EidAuthenticationData)authData).getEidStatus());
 
     String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class);
     String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class);
@@ -159,6 +168,8 @@ public class AuthenticationDataBuilderTest {
   @Test
   public void moaIdMode() throws EaafAuthenticationException, EaafBuilderException {
     //initialize state
+    boolean isTestIdentity = RandomUtils.nextBoolean();
+    pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true);    
     pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(false);
     IIdentityLink idl = buildDummyIdl();
     pendingReq.getSessionData(AuthProcessDataWrapper.class).setIdentityLink(idl);
@@ -173,6 +184,9 @@ public class AuthenticationDataBuilderTest {
     Assert.assertNull("piiTransactionId", 
         authData.getGenericData(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, String.class));
     
+    Assert.assertEquals("testIdentity flag", 
+        isTestIdentity ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY, 
+        ((EidAuthenticationData)authData).getEidStatus());
     
     Assert.assertNotNull("assertion validTo", authData.getSsoSessionValidTo());
     Assert.assertNotNull("LoA null", authData.getEidasQaaLevel());
diff --git a/connector/src/test/resources/data/metadata_valid_without_encryption.xml b/connector/src/test/resources/data/metadata_valid_without_encryption.xml
index b224c336..32b24e91 100644
--- a/connector/src/test/resources/data/metadata_valid_without_encryption.xml
+++ b/connector/src/test/resources/data/metadata_valid_without_encryption.xml
@@ -71,6 +71,7 @@ ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L</ds:X509Certificate>
       <md:RequestedAttribute FriendlyName="userAuthBlock" Name="urn:eidgvat:attributes.authblock.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
       <md:RequestedAttribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
       <md:RequestedAttribute FriendlyName="piiTransactionId" Name="urn:eidgvat:attributes.piiTransactionId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="EID-IDENTITY-STATUS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.109" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
     </md:AttributeConsumingService>
   </md:SPSSODescriptor>
   <md:Organization>
diff --git a/connector/src/test/resources/spring/SpringTest_connector.beans.xml b/connector/src/test/resources/spring/SpringTest_connector.beans.xml
index ba385cb9..83acf445 100644
--- a/connector/src/test/resources/spring/SpringTest_connector.beans.xml
+++ b/connector/src/test/resources/spring/SpringTest_connector.beans.xml
@@ -41,6 +41,9 @@
     <property name="pvpIdpCredentials">
       <ref bean="PVPEndPointCredentialProvider" />
     </property>
+    <property name="metadataProvider">
+      <ref bean="PVPMetadataProvider" />
+    </property>       
   </bean>
 
   <bean id="AuthnRequestValidator"
@@ -61,6 +64,9 @@
     <property name="pvpIdpCredentials">
       <ref bean="PVPEndPointCredentialProvider" />
     </property>
+    <property name="metadataProvider">
+      <ref bean="PVPMetadataProvider" />
+    </property>     
   </bean>
 
   <bean id="eaafProtocolAuthenticationService"
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
index c175d999..d13dd00f 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
@@ -41,6 +41,8 @@ public class Constants {
 
   // configuration properties
   public static final String CONIG_PROPS_EIDAS_PREFIX = "auth.eIDAS";
+  public static final String CONIG_PROPS_EIDAS_IS_TEST_IDENTITY = CONIG_PROPS_EIDAS_PREFIX 
+      + ".eid.testidentity.default";
   public static final String CONIG_PROPS_EIDAS_NODE = CONIG_PROPS_EIDAS_PREFIX + ".node_v2";
   public static final String CONIG_PROPS_EIDAS_NODE_COUNTRYCODE = CONIG_PROPS_EIDAS_NODE + ".countrycode";
   public static final String CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS = CONIG_PROPS_EIDAS_NODE
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java
index 684546f7..6cab9214 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java
@@ -39,7 +39,7 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
-import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.EidAuthProcessDataWrapper;
 import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
 import eu.eidas.auth.commons.light.ILightResponse;
 import lombok.extern.slf4j.Slf4j;
@@ -99,10 +99,15 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 
       // update MOA-Session data with received information
       log.debug("Store eIDAS response information into pending-request.");
-      final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+      final EidAuthProcessDataWrapper authProcessData = pendingReq.getSessionData(EidAuthProcessDataWrapper.class);
       authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance());
       authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, eidasResponse);
 
+      
+      //inject set flag to inject 
+      authProcessData.setTestIdentity(
+          basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_IS_TEST_IDENTITY, false));
+            
       // store MOA-session to database
       requestStoreage.storePendingRequest(pendingReq);
 
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveEidasResponseTaskTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveEidasResponseTaskTest.java
index de9b2d3b..0e56e2b3 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveEidasResponseTaskTest.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveEidasResponseTaskTest.java
@@ -39,7 +39,7 @@ import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
 import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
-import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.EidAuthProcessDataWrapper;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
 import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl;
 import at.gv.egiz.eaaf.core.impl.utils.Random;
@@ -84,6 +84,7 @@ public class ReceiveEidasResponseTaskTest {
     RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp));
 
     basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.debug.useDummySolution", "false");
+    basicConfig.putConfigValue("eidas.ms.auth.eIDAS.eid.testidentity.default", "false");
     
     final Map<String, String> spConfig = new HashMap<>();
     spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp");
@@ -153,15 +154,44 @@ public class ReceiveEidasResponseTaskTest {
     IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId());
     Assert.assertNotNull("pendingReq not stored", storedReq);
     
-    final AuthProcessDataWrapper authProcessData = storedReq.getSessionData(AuthProcessDataWrapper.class);
+    final EidAuthProcessDataWrapper authProcessData = storedReq.getSessionData(EidAuthProcessDataWrapper.class);
     Assert.assertEquals("LoA", eidasResponse.getLevelOfAssurance(), authProcessData.getQaaLevel());
     Assert.assertNotNull("eIDAS response", 
         authProcessData.getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE));
     Assert.assertEquals("eIDAS response", eidasResponse, 
         authProcessData.getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE));
+    Assert.assertFalse("testIdentity flag", authProcessData.isTestIdentity());
         
   }
   
+  @Test
+  public void successWithTestIdentity() throws URISyntaxException, TaskExecutionException, PendingReqIdValidationException {    
+    basicConfig.putConfigValue("eidas.ms.auth.eIDAS.eid.testidentity.default", "true");
+    
+    @NotNull        
+    AuthenticationResponse eidasResponse = buildDummyAuthResponse(Constants.SUCCESS_URI);
+    httpReq.setAttribute(Constants.DATA_FULL_EIDAS_RESPONSE, eidasResponse);
+    executionContext.put(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY, "LU");    
+      
+    //execute test
+    task.execute(pendingReq, executionContext);
+    
+    //validate state
+    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId());
+    Assert.assertNotNull("pendingReq not stored", storedReq);
+    
+    final EidAuthProcessDataWrapper authProcessData = storedReq.getSessionData(EidAuthProcessDataWrapper.class);
+    Assert.assertEquals("LoA", eidasResponse.getLevelOfAssurance(), authProcessData.getQaaLevel());
+    Assert.assertNotNull("eIDAS response", 
+        authProcessData.getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE));
+    Assert.assertEquals("eIDAS response", eidasResponse, 
+        authProcessData.getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE));
+    Assert.assertTrue("testIdentity flag", authProcessData.isTestIdentity());
+        
+  }
+  
+  
+  
   @NotNull
   private AuthenticationResponse buildDummyAuthResponse(String statusCode) throws URISyntaxException {
     final AttributeDefinition attributeDef = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(
diff --git a/infos/handbook-work_in_progress.docx b/infos/handbook-work_in_progress.docx
index d311fa80..192db5d4 100644
Binary files a/infos/handbook-work_in_progress.docx and b/infos/handbook-work_in_progress.docx differ
diff --git a/pom.xml b/pom.xml
index 46d02706..808d71b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,7 +22,7 @@
     <!-- ===================================================================== -->
     <egiz-spring-api>0.3</egiz-spring-api>
     <egiz-eventlog-slf4jBackend>0.4</egiz-eventlog-slf4jBackend>
-    <eaaf-core.version>1.1.11</eaaf-core.version>
+    <eaaf-core.version>1.1.13-SNAPSHOT</eaaf-core.version>
 
     <spring-boot-starter-web.version>2.4.1</spring-boot-starter-web.version>
     <spring-boot-admin-starter-client.version>2.3.1</spring-boot-admin-starter-client.version>
-- 
cgit v1.2.3