Merge branch 'eIDAS_node_implementation' into development_preview

34 files changed, 354 insertions, 640 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
index 225f85462..ad99f5d22 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
@@ -63,9 +63,9 @@ public class OAAuthenticationData implements IOnlineApplicationData {
 	private String mandateProfiles = null;
 	private boolean useMandates = false;
 	
-	private List<String> misServicesList = null;
-	private List<String> elgaServicesList = null;
-	private List<String> szrgwServicesList = null;
+	private List<String> misServicesList = new ArrayList<String>();
+	private List<String> elgaServicesList = new ArrayList<String>();
+	private List<String> szrgwServicesList = new ArrayList<String>();
 	private String misServiceSelected = null;
 	private String elgaServiceSelected = null;	
 	private String szrgwServiceSelected = null;
diff --git a/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml b/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml
index 9fef4fa2e..46052053a 100644
--- a/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml
+++ b/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml
@@ -3,14 +3,32 @@
 
 <properties>
     <comment>SWModule encrypt with JKS.</comment>
-    <entry key="keystorePath">keys/eidasKeyStore.jks</entry>
+    
+    <entry key="check_certificate_validity_period">false</entry>
+    <entry key="disallow_self_signed_certificate">false</entry>
+    <entry key="response.encryption.mandatory">false</entry>
+    
+    <!-- Data Encryption algorithm -->
+    <entry key="data.encryption.algorithm">http://www.w3.org/2009/xmlenc11#aes256-gcm</entry>
+    
+    <!-- Decryption algorithm Whitelist-->
+    <entry key="encryption.algorithm.whitelist">
+        http://www.w3.org/2009/xmlenc11#aes128-gcm;
+        http://www.w3.org/2009/xmlenc11#aes256-gcm;
+        http://www.w3.org/2009/xmlenc11#aes192-gcm
+    </entry>
+    
+    <!-- Key Encryption algorithm -->
+    <entry key="key.encryption.algorithm">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</entry>
+    
+    <entry key="keyStorePath">keys/eidasKeyStore.jks</entry>
+    <entry key="keyStoreType">JKS</entry>
     <entry key="keyStorePassword">local-demo</entry>
     <entry key="keyPassword">local-demo</entry>
 
     <!-- Management of the encryption activation -->
     <entry key="encryptionActivation">eIDAS/encryptionConf.xml</entry>
 
-
     <entry key="responseToPointIssuer.BE">CN=local-demo-cert, OU=DIGIT, O=European Comission, L=Brussels, ST=Belgium,C=BE</entry>
     <entry key="responseToPointSerialNumber.BE">54C8F779</entry>
 
@@ -18,5 +36,5 @@
     <entry key="responseDecryptionIssuer">CN=local-demo-cert, OU=DIGIT, O=European Comission, L=Brussels, ST=Belgium, C=BE</entry>
     <entry key="serialNumber">54C8F779</entry>
 
-    <entry key="keystoreType">JKS</entry>
+    
 </properties>
\ No newline at end of file
diff --git a/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml b/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml
index 745580428..bf7215cb5 100644
--- a/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml
+++ b/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml
@@ -3,17 +3,46 @@
 
 <properties>
 	<comment>SWModule sign with JKS.</comment>
-	<entry key="keystorePath">keys/eidasKeyStore_Service_CB.jks</entry>
+  <entry key="check_certificate_validity_period">false</entry>
+	<entry key="disallow_self_signed_certificate">false</entry>
+
+	<!-- signing Algorithm SHA_512(default),SHA_384,SHA_256 -->
+	<!-- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 -->
+	<!-- http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 -->
+	<!-- http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 -->
+	<entry key="signature.algorithm">http://www.w3.org/2001/04/xmldsig-more#rsa-sha512</entry>
+
+	<!-- List of incoming Signature algorithms white list separated by ; (default all) -->
+	<entry key="signature.algorithm.whitelist">
+    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256;
+    http://www.w3.org/2001/04/xmldsig-more#rsa-sha384;
+    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512;
+    http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160;
+    http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256;
+    http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384;
+    http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512;
+    http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1;
+    http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-mgf1
+  </entry>
+  
+	<!-- signing response assertion true/false (default false) -->
+	<entry key="response.sign.assertions">true</entry>
+
+  <!--AuthnRequest / Assertion signing keyStore-->
+	<entry key="keyStorePath">keys/eidasKeyStore_Service_CB.jks</entry>
+  <entry key="keyStoreType">JKS</entry>
 	<entry key="keyStorePassword">local-demo</entry>
 	<entry key="keyPassword">local-demo</entry>
 	<entry key="issuer">CN=cpeps-cb-demo-certificate, OU=STORK, O=CPEPS, L=EU, ST=EU, C=CB</entry>
 	<entry key="serialNumber">54C8F839</entry>
-	<entry key="keystoreType">JKS</entry>
 
-	<entry key="metadata.keystorePath">keys/eidasKeyStore_METADATA.jks</entry>
+
+  <!--Metadata signing keystore-->
+	<entry key="metadata.keyStorePath">keys/eidasKeyStore_METADATA.jks</entry>
+  <entry key="metadata.keyStoreType">JKS</entry>
 	<entry key="metadata.keyStorePassword">local-demo</entry>
 	<entry key="metadata.keyPassword">local-demo</entry>
 	<entry key="metadata.issuer">CN=metadata, OU=DIGIT, O=EC, L=Brussels, ST=EU, C=BE</entry>
 	<entry key="metadata.serialNumber">561BC0C8</entry>
-	<entry key="metadata.keystoreType">JKS</entry>
+	
 </properties>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
index 8f6dff849..99e4b4cce 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
@@ -83,10 +83,19 @@ public class STORKConfig implements IStorkConfig {
         				

         				if (MiscUtil.isNotEmpty(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY))) {

         					try {

+        						

+        						//Assertion encryption is enabled by default

+        						boolean enableAssertionEncryption = true;

+        						String enableAssertionEncryptionString = storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG);

+        						if (MiscUtil.isNotEmpty(enableAssertionEncryptionString)) {

+        							enableAssertionEncryption = Boolean.parseBoolean(enableAssertionEncryptionString);

+        							

+        						}

+        						        						

         						CPEPS moacpep = 

         								new CPEPS(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY), 

         										new URL(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL)), 

-        											Boolean.valueOf(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG)));

+        										enableAssertionEncryption);

         						cpepsMap.put(moacpep.getCountryCode(), moacpep);

         					

         					} catch (MalformedURLException e) {

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
index b6fed5934..16b179d89 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.provider.FilterException;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
@@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter {
 	@Override
 	public void doFilter(XMLObject metadata) throws FilterException {
 		if (metadata instanceof EntityDescriptor) {
-			if (((EntityDescriptor) metadata).isSigned()) {				
-				EntityDescriptor entityDes = (EntityDescriptor) metadata;
-				//check signature;
-				try {
-					byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
-					
-//					Transformer transformer = TransformerFactory.newInstance()
-//							.newTransformer();	
-//					StringWriter sw = new StringWriter();
-//					StreamResult sr = new StreamResult(sw);
-//					DOMSource source = new DOMSource(metadata.getDOM());
-//					transformer.transform(source, sr);
-//					sw.close();
-//					String metadataXML = sw.toString();
-					
-					SignatureVerificationUtils sigVerify = 
-							new SignatureVerificationUtils();
-					IVerifiyXMLSignatureResponse result = sigVerify.verify(
-							serialized, trustProfileID);
-					
-					//check signature-verification result
-					if (result.getSignatureCheckCode() != 0) {
-						Logger.warn("Metadata signature-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getSignatureCheckCode());
-						throw new FilterException("Metadata signature-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getSignatureCheckCode());
+			checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID());
 						
-					}
-					
-					if (result.getCertificateCheckCode() != 0) {
-						Logger.warn("Metadata certificate-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getCertificateCheckCode());
-						throw new FilterException("Metadata certificate-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getCertificateCheckCode());
-						
-					}
-					
-					Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid");
+		} else if (metadata instanceof EntitiesDescriptor) {
+			EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+			if (entitiesDesc.getEntityDescriptors() != null && 
+					entitiesDesc.getEntityDescriptors().size() > 1) {
+				String nameForLogging = entitiesDesc.getName();
+				if (MiscUtil.isEmpty(nameForLogging))
+					nameForLogging = entitiesDesc.getID();
+				
+				checkSignature(metadata, nameForLogging);
+				
+			} else {
+				Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'");
+				throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor");
+				
+			}
+			
+		} else {
+			Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'");
+			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'");
+			
+		}
+		
+	}
+	
+	private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException {
+		if (((EntityDescriptor) metadata).isSigned()) {				
+			//check signature;
+			try {
+				byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
+				
+				SignatureVerificationUtils sigVerify = 
+						new SignatureVerificationUtils();
+				IVerifiyXMLSignatureResponse result = sigVerify.verify(
+						serialized, trustProfileID);
 				
-				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
-					Logger.error("Metadata verification for Entity:" + entityDes.getEntityID() 
-							+ " has an interal error.", e);
-					throw new FilterException("Metadata verification has an interal error."
-							+ " Message:" + e.getMessage());
+				//check signature-verification result
+				if (result.getSignatureCheckCode() != 0) {
+					Logger.warn("Metadata signature-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getSignatureCheckCode());
 					
 				}
 				
+				if (result.getCertificateCheckCode() != 0) {
+					Logger.warn("Metadata certificate-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getCertificateCheckCode());
+					throw new FilterException("Metadata certificate-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getCertificateCheckCode());
+					
+				}
 				
-			} else {
-				Logger.warn("Metadata root-element MUST be signed.");
-				throw new FilterException("Metadata root-element MUST be signed.'");
+				Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid");
+			
+			} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+				Logger.error("Metadata verification for Entity:" + nameForLogging 
+						+ " has an interal error.", e);
+				throw new FilterException("Metadata verification has an interal error."
+						+ " Message:" + e.getMessage());
 				
 			}
-						
+			
+			
 		} else {
-			Logger.warn("Metadata root-element is not of type 'EntityDescriptor'");
-			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'");
+			Logger.warn("Metadata root-element MUST be signed.");
+			throw new FilterException("Metadata root-element MUST be signed.'");
 			
 		}
 		
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html
index 2f93428b5..64e88a688 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html
@@ -1,9 +1,9 @@
 ## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity
-context may contain the following properties ## action - String - the
-action URL for the form ## RelayState - String - the relay state for the
-message ## SAMLRequest - String - the Base64 encoded SAML Request ##
-SAMLResponse - String - the Base64 encoded SAML Response
-
+##context may contain the following properties ## action - String - the
+##action URL for the form ## RelayState - String - the relay state for the
+##message ## SAMLRequest - String - the Base64 encoded SAML Request ##
+##SAMLResponse - String - the Base64 encoded SAML Response
+<!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 
 <body onload="document.forms[0].submit()">
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm b/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm
deleted file mode 100644
index 8beb601c6..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm
+++ /dev/null
@@ -1,38 +0,0 @@
-##
-## Velocity Template for SAML 2 HTTP-POST binding
-##
-## Velocity context may contain the following properties
-## action - String - the action URL for the form
-## RelayState - String - the relay state for the message
-## SAMLRequest - String - the Base64 encoded SAML Request
-## SAMLResponse - String - the Base64 encoded SAML Response
-## Contains target attribute to delegate PEPS authentication out of iFrame
-
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
-    <body onload="document.forms[0].submit()">
-        <noscript>
-            <p>
-                <strong>Note:</strong> Since your browser does not support JavaScript,
-                you must press the Continue button once to proceed.
-            </p>
-        </noscript>
-        
-        <form action="${action}" method="post" target="_top">
-            <div>
-                #if($RelayState)<input type="hidden" name="RelayState" value="${RelayState}"/>#end
-                
-                #if($SAMLRequest)<input type="hidden" name="SAMLRequest" value="${SAMLRequest}"/>#end
-                
-                #if($SAMLResponse)<input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>#end
-                
-            </div>
-            <noscript>
-                <div>
-                    <input type="submit" value="Continue"/>
-                </div>
-            </noscript>
-        </form>
-        
-    </body>
-</html>
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html b/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html
deleted file mode 100644
index 0ab41f146..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html
+++ /dev/null
@@ -1,438 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
-
-   <!-- MOA-ID 2.x BKUSelection Layout CSS -->               
-    <style type="text/css">
-			@media screen and (min-width: 650px) {
-			
-				body {
-					margin:0;
-					padding:0;
-					color : #000;
-					background-color : #fff;
-			  	text-align: center;
-			  	background-color: #6B7B8B;
-				}
-        
-        #bku_header h2 {
-          font-size: 0.8em;
-        } 
-        
-        
-			  #page {
-			    display: block;
-			    border: 2px solid rgb(0,0,0);
-			    width: 650px;
-			    height: 460px;
-			    margin: 0 auto;
-			    margin-top: 5%;
-			    position: relative;
-			    border-radius: 25px;
-			    background: rgb(255,255,255);
-			  }
-			  
-			  #page1 {
-			    text-align: center;
-			  }
-			  
-			  #main {
-			    /*	clear:both; */
-				  position:relative;
-			    margin: 0 auto;
-			    width: 250px;
-			    text-align: center;
-			  }
-			  
-			  .OA_header {
-			/*	  background-color: white;*/
-			    font-size: 20pt;
-			    margin-bottom: 25px;
-			    margin-top: 25px;
-			  }
-			
-			  #leftcontent {
-			    /*float:left; */
-				  width:250px;
-				  margin-bottom: 25px;
-			    text-align: left;
-			    border: 1px solid rgb(0,0,0);
-			  }
-			  			  
-			  #selectArea {
-				 font-size: 15px;
-				 padding-bottom: 65px;
-			  }
-			
-			  #leftcontent {
-				 width: 300px;
-				 margin-top: 30px;
-			  }
-			
-        #bku_header {
-          height: 5%;
-          padding-bottom: 3px;
-          padding-top: 3px;
-        }
-      
-        #bkulogin {
-				  overflow:auto;	
-          min-width: 190px;
-          height: 260px;
-          padding: 20px;
-			  }
-      
-        h2#tabheader{
-				  font-size: 1.1em; 
-          padding-left: 2%;
-          padding-right: 2%;
-          position: relative;
-			  }
-        		  
-			  .setAssertionButton_full {
-			  	background: #efefef;
-				  cursor: pointer;
-				  margin-top: 15px;
-			    width: 100px;
-			    height: 30px
-			  }
-			
-			  #leftbutton  {
-				 width: 30%; 
-				 float:left; 
-				 margin-left: 40px;
-			  }
-			
-			  #rightbutton {
-				 width: 30%; 
-				 float:right; 
-				 margin-right: 45px; 
-				 text-align: right;
-			  }
-        
-        button {
-          height: 25px;
-          width: 75px;
-          margin-bottom: 10px;
-        }
-        
-       #validation {
-        position: absolute;
-        bottom: 0px;
-        margin-left: 270px;
-        padding-bottom: 10px;
-      }
-			
-			}
-
-      @media screen and (max-width: 205px) {        
-        #bku_header h2 {
-          font-size: 0.8em;
-          margin-top: -0.4em;
-          padding-top: 0.4em;
-        }
-        
-        #bkulogin {
-        min-height: 150px;
-        padding: 20px;
-        } 
-      }
-
-      @media screen and (max-width: 249px) and (min-width: 206px) {        
-        #bku_header h2 {
-          font-size: 0.9em;
-          margin-top: -0.45em;
-          padding-top: 0.45em;
-        }
-        
-        #bkulogin {
-          height: 180px;
-          padding: 20px;
-        }  
-      }
-
-      @media screen and (max-width: 299px) and (min-width: 250px) {
-        #bku_header h2 {
-          font-size: 1.1em;
-          margin-top: -0.55em;
-          padding-top: 0.55em;
-        } 
-      }
-      
-      @media screen and (max-width: 649px) and (min-width: 400px) {
-        #bku_header h2 {
-          font-size: 1.3em;
-          margin-top: -0.65em;
-          padding-top: 0.65em;
-        } 
-      }
-
-
-			
-			@media screen and (max-width: 649px) {
-				
-        body {
-					margin:0;
-					padding:0;
-					color : #000;
-			  	text-align: center;
-          font-size: 100%;
-			  	background-color: ${MAIN_BACKGOUNDCOLOR};
-				}
-        				
-			  #page {
-			     visibility: hidden;
-			     margin-top: 0%;
-			  }
-			  
-			  #page1 {
-			    visibility: hidden;
-			  }
-			  
-			  #main {
-			    visibility: hidden;
-			  }
-        
-        #validation {
-          visibility: hidden;
-          display: none;
-        }
-			  
-			  .OA_header {
-			    margin-bottom: 0px;
-			    margin-top: 0px;
-			    font-size: 0pt;
-			    visibility: hidden;
-			  }
-			
-			  #leftcontent {
-			    visibility: visible;
-			    margin-bottom: 0px;
-			    text-align: left;
-			    border:none;
-          vertical-align: middle;
-          min-height: 173px;
-          min-width: 204px;
-          
-			  }
-			  
-        #bku_header {
-          height: 10%;
-          min-height: 1.2em;
-          margin-top: 1%;
-        }
-        
-        h2#tabheader{
-          padding-left: 2%;
-          padding-right: 2%;
-          position: relative;
-          top: 50%;
-			  }
-        
-       	#bkulogin {	
-          min-width: 190px;
-          height: 155px;	
-          padding: 20px;
-			 }
-        
-			 .setAssertionButton_full {
-			     	background: #efefef;
-				    cursor: pointer;
-				    margin-top: 15px;
-			      width: 70px;
-			      height: 25px;
-			 }
-       
-        input[type=button] {
-/*          height: 11%;  */
-          width: 70%;
-        }
-			}
-			      
-			* {
-				margin: 0;
-				padding: 0;
-        font-family: ${FONTTYPE};
-			}
-							      			
-			#selectArea {
-				padding-top: 10px;
-				padding-bottom: 55px;
-				padding-left: 10px;
-			}
-			
-			.setAssertionButton {
-				background: #efefef;
-				cursor: pointer;
-				margin-top: 15px;
-			  width: 70px;
-			  height: 25px;
-			}
-			
-			#leftbutton  {
-				width: 35%; 
-				float:left; 
-				margin-left: 15px;
-			}
-			
-			#rightbutton {
-				width: 35%; 
-				float:right; 
-				margin-right: 25px; 
-				text-align: right;
-			}
-      
-      .verticalcenter {
-        vertical-align: middle;
-      }
-      
-			input {
-				/*border:1px solid #000;*/
-				cursor: pointer;
-			}
-      
-
-			#installJava, #BrowserNOK {
-				clear:both;
-				font-size:0.8em;
-				padding:4px;
-			}
-						
-			.selectText{
-			
-			}
-			
-			.selectTextHeader{
-			
-			}
-			
-			.sendButton {
-        width: 30%;
-        margin-bottom: 1%;	
-			}
-			
-			#leftcontent a {
-				text-decoration:none; 
-				color: #000;
-			/*	display:block;*/
-				padding:4px;	
-			}
-			
-			#leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active {
-				text-decoration:underline;
-				color: #000;	
-			}
-						
-			.infobutton {
-				background-color: #005a00;
-				color: white;
-				font-family: serif;
-				text-decoration: none;
-				padding-top: 2px;
-				padding-right: 4px;
-				padding-bottom: 2px;
-				padding-left: 4px;
-				font-weight: bold;
-			}
-			
-			.hell {
-				background-color : ${MAIN_BACKGOUNDCOLOR};
-        color: ${MAIN_COLOR};	
-			}
-			
-			.dunkel {
-				background-color: ${HEADER_BACKGROUNDCOLOR};
-        color: ${HEADER_COLOR};
-			}
-			      
-			.main_header {
-			   color: black;
-			    font-size: 32pt;
-			    position: absolute;
-			    right: 10%;
-			    top: 40px;
-				
-			}
-			
-			#controls {
-				text-align: right;
-			}
-      			                        
-    </style>       
-<!-- MOA-ID 2.x BKUSelection JavaScript fucnctions-->
-<script type="text/javascript">
-		function isIE() {
-			return (/MSIE (\d+\.\d+);/.test(navigator.userAgent));
-		}
-		function isFullscreen() {
-			try {
-				return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height));
-			} catch (e) {
-				return false;
-			}
-		}
-		function isActivexEnabled() {
-			var supported = null;
-			try {
-				supported = !!new ActiveXObject("htmlfile");
-			} catch (e) {
-				supported = false;
-			}
-			return supported;
-		}
-		function generateIFrame(iFrameURL) {
-			var el = document.getElementById("bkulogin");
-      var width = el.clientWidth;
-      var heigth = el.clientHeight - 20;
-			var parent = el.parentNode;
-            
-      iFrameURL += "&heigth=" + heigth;
-      iFrameURL += "&width=" + width;
-      
-			var iframe = document.createElement("iframe");
-			iframe.setAttribute("src", iFrameURL);
-			iframe.setAttribute("width", el.clientWidth - 1);
-			iframe.setAttribute("height", el.clientHeight - 1);
-			iframe.setAttribute("frameborder", "0");
-			iframe.setAttribute("scrolling", "no");
-			iframe.setAttribute("title", "Login");
-			parent.replaceChild(iframe, el);
-		}
-		function onChangeChecks() {
-      if (top.innerWidth < 650) {
-         document.getElementById("moaidform").setAttribute("target","_parent");
-      } else {
-         document.getElementById("moaidform").removeAttribute("target");
-      }
-      
-    }
-	</script>
-<title>Informationsfreigabe</title>
-</head>
-<body onload="onChangeChecks();" onresize="onChangeChecks();">
-	<div id="page">
-		<div id="page1" class="case selected-case" role="main">
-			<h2 class="OA_header" role="heading">STORK Informationsfreigabe</h2>
-			<div id="main">
-				<div id="leftcontent" class="hell" role="application">
-					<form method="POST" action="${action}">
-						<div id="bku_header" class="dunkel">
-							<h2 id="tabheader" class="dunkel" role="heading">STORK Informationsfreigabe</h2>
-						</div>
-						<div id="bkulogin" class="hell" role="form">
-							W&auml;hlen Sie jene Daten, die, wenn verf&uuml;gbar, an ein Drittland weitergegeben werden sollen:</br>
-	  						<table>
-	  							${tablecontent}
-							</table>
-						</div>
-						<div id="controls" class="hell">
-							<input type="submit" value="weiter" />
-						</div>
-					</form>
-				</div>
-			</div>
-		</div>
-	</div>
-</body>
-</html>
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html
deleted file mode 100644
index f901351a2..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html
+++ /dev/null
@@ -1,42 +0,0 @@
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
-<body onload="document.forms[0].submit()">
-	<noscript>
-		<p>
-			<strong>Note:</strong> Since your browser does not support
-			JavaScript, you must press the Continue button once to proceed.
-		</p>
-	</noscript>
-
-
-	<div id="alert">Your login is being processed. Thank you for
-		waiting.</div>
-
-	<style type="text/css">
-<!--
-#alert {
-	margin: 100px 250px;
-	font-family: Verdana, Arial, Helvetica, sans-serif;
-	font-size: 14px;
-	font-weight: normal;
-}
--->
-</style>
-
-	<form action="${action}" method="post" target="_self">
-		<div>
-			#if($RelayState)<input type="hidden" name="RelayState"
-				value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden"
-				name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input
-				type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end
-
-		</div>
-		<noscript>
-			<div>
-				<input type="submit" value="Continue" />
-			</div>
-		</noscript>
-	</form>
-
-</body>
-</html>
diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml
index d8d2e0d3d..c4007fc80 100644
--- a/id/server/moa-id-commons/pom.xml
+++ b/id/server/moa-id-commons/pom.xml
@@ -317,15 +317,16 @@
              <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>2.0.2</version>
+                <version>3.6.1</version>
                 <configuration>
                     <source>1.7</source>
                     <target>1.7</target>
                 </configuration>
             </plugin>
-            <plugin>
+             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
+                <version>3.0.2</version>
                 <configuration>
                     <archive>
                         <addMavenDescriptor>false</addMavenDescriptor>
@@ -375,7 +376,7 @@
     </executions>
   </plugin>
 
-            <plugin>
+<!--             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
                 <configuration>
@@ -390,7 +391,7 @@
                         </goals>
                     </execution>
                 </executions>
-            </plugin>
+            </plugin> -->
             <plugin>
                 <artifactId>maven-enforcer-plugin</artifactId>
                 <version>1.1.1</version>
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
index 6d573efe8..e9f9a7e80 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
@@ -36,6 +36,8 @@ public class MOAIDConstants {
 
 	//general configuration constants
 	
+	public static final String DEFAULT_CONTENT_TYPE_HTML_UTF8 = "text/html; charset=UTF-8";
+	
 	public static final String FILE_URI_PREFIX = "file:/";
 	
 	public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 4ecda435d..109390132 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -61,6 +61,8 @@ import javax.net.ssl.TrustManager;
 
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.KeyStoreUtils;
+import at.gv.egovernment.moaspss.logging.LoggingContext;
+import at.gv.egovernment.moaspss.logging.LoggingContextManager;
 import iaik.pki.DefaultPKIConfiguration;
 import iaik.pki.PKIException;
 import iaik.pki.PKIFactory;
@@ -94,6 +96,21 @@ public class SSLUtils {
     
   }
 
+  /**
+   * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging
+   * check if current thread has set this variable and set loggingcontext otherwise
+   * 
+   * @param url transactionID for logging
+   */
+  private static void checkMoaSigLoggingContext(String url) {
+	  LoggingContextManager logMgr = LoggingContextManager.getInstance();  
+	  if (logMgr.getLoggingContext() == null) {
+		  LoggingContext ctx = new LoggingContext(url);
+	      logMgr.setLoggingContext(ctx);
+	        
+	  }	  
+  }
+  
   public static SSLSocketFactory getSSLSocketFactory(
 		  String url, 
 		  String certStoreRootDirParam, 
@@ -111,8 +128,11 @@ public class SSLUtils {
     Logger.debug("Get SSLSocketFactory for " + url);
     // retrieve SSLSocketFactory if already created
     SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url);
-    if (ssf != null) 
-      return ssf;
+    if (ssf != null) {
+    	checkMoaSigLoggingContext(url);    	
+    	return ssf;
+    	
+    }
         
     TrustManager[] tms = getTrustManagers(
     		 certStoreRootDirParam,
@@ -129,6 +149,9 @@ public class SSLUtils {
     ssf = ctx.getSocketFactory();
     // store SSLSocketFactory
     sslSocketFactories.put(url, ssf);
+    
+    checkMoaSigLoggingContext(url); 
+    
     return ssf;
   }
   
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
index e77933986..e8cd60afb 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
@@ -43,6 +43,7 @@ import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
 import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -54,7 +55,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Service("guiFormBuilder")
 public class GUIFormBuilderImpl implements IGUIFormBuilder {
 	
-	private static final String DEFAULT_CONTENT_TYPE = "text/html; charset=UTF-8";
+	private static final String DEFAULT_CONTENT_TYPE = MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8;
 	private static final String CONFIG_HTMLTEMPLATES_DIR = "htmlTemplates/";
 	private static final String CLASSPATH_HTMLTEMPLATES_DIR = "templates/";
 			
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java
index 21fe110ca..015d8e321 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java
@@ -62,19 +62,22 @@ import org.apache.velocity.runtime.RuntimeConstants;
  */

 public class VelocityProvider {

 

+	private static VelocityEngine velocityEngine = null;

+	

 	/**

 	 * Gets velocityEngine from Classpath

 	 * @return VelocityEngine

 	 * @throws Exception

 	 */

 	public static VelocityEngine getClassPathVelocityEngine() throws Exception {

-		VelocityEngine velocityEngine = getBaseVelocityEngine();

-        velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");

-        velocityEngine.setProperty("classpath.resource.loader.class",

-                "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");

-        

-        

-		velocityEngine.init();

+		if (velocityEngine == null) {

+			velocityEngine = getBaseVelocityEngine();

+			velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");

+			velocityEngine.setProperty("classpath.resource.loader.class",

+					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");                

+			velocityEngine.init();

+			

+		}

 		

 		return velocityEngine;

 	}

@@ -86,13 +89,16 @@ public class VelocityProvider {
 	 * @throws Exception

 	 */

 	public static VelocityEngine getFileVelocityEngine(String rootPath) throws Exception {

-		VelocityEngine velocityEngine = getBaseVelocityEngine();

-        velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");

-        velocityEngine.setProperty("file.resource.loader.class",

-                "org.apache.velocity.runtime.resource.loader.FileResourceLoader");

-        velocityEngine.setProperty("file.resource.loader.path", rootPath);

+		if (velocityEngine == null) {

+			velocityEngine = getBaseVelocityEngine();

+			velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");

+			velocityEngine.setProperty("file.resource.loader.class",

+					"org.apache.velocity.runtime.resource.loader.FileResourceLoader");

+			velocityEngine.setProperty("file.resource.loader.path", rootPath);

         

-		velocityEngine.init();

+			velocityEngine.init();

+			

+		}

 		

 		return velocityEngine;

 	}

diff --git a/id/server/moa-id-jaxb_classes/pom.xml b/id/server/moa-id-jaxb_classes/pom.xml
index 9dbb28dfe..3d205bb06 100644
--- a/id/server/moa-id-jaxb_classes/pom.xml
+++ b/id/server/moa-id-jaxb_classes/pom.xml
@@ -52,4 +52,18 @@
     </profiles>
   
    <version>${moa-id-version}</version>
+   
+   <build>
+   	<plugins>
+   		      <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>1.7</source>
+                    <target>1.7</target>
+                </configuration>
+            </plugin> 
+   	</plugins>
+   </build> 
+   
 </project>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java
index b0efb100a..7caf2f5a1 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java
@@ -26,8 +26,9 @@ public class DefaultCitizenCardAuthModuleImpl implements AuthModule {
 		if (performBKUSelectionObj != null && performBKUSelectionObj instanceof Boolean)
 			performBKUSelection = (boolean) performBKUSelectionObj;
 		
-		if (StringUtils.isBlank((String) context.get("ccc")) && 
-				StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) &&
+		if ( (StringUtils.isBlank((String) context.get("ccc")) && 
+				StringUtils.isBlank((String) context.get("CCC")) ) && 
+					StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) &&
 				 	!performBKUSelection)
 			return "DefaultAuthentication";
 		
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index 174ce40cb..55d02e82a 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -12,11 +12,11 @@
   <properties>
 		<repositoryPath>${basedir}/../../../../repository</repositoryPath>
 		
-		<eidas-commons.version>1.1.0</eidas-commons.version>
-		<eidas-light-commons.version>1.1.0</eidas-light-commons.version>
-		<eidas-saml-engine.version>1.1.0</eidas-saml-engine.version>
-		<eidas-encryption.version>1.1.0</eidas-encryption.version>
-		<eidas-configmodule.version>1.1.0</eidas-configmodule.version>
+		<eidas-commons.version>1.2.0</eidas-commons.version>
+		<eidas-light-commons.version>1.2.0</eidas-light-commons.version>
+		<eidas-saml-engine.version>1.2.0</eidas-saml-engine.version>
+		<eidas-encryption.version>1.2.0</eidas-encryption.version>
+		<eidas-configmodule.version>1.2.0</eidas-configmodule.version>
 				
 	</properties>
   
@@ -166,6 +166,12 @@
 			<!-- <scope>provided</scope> -->
 		</dependency>
   
+  	<dependency>
+    	<groupId>com.ibm.icu</groupId>
+    	<artifactId>icu4j</artifactId>
+    	<version>58.2</version>
+		</dependency>
+  
   
   </dependencies>
   
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
index 9ad5f0db3..de4f3fc9c 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
@@ -90,17 +90,21 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption {
 	 */
 	@Override
 	public boolean isEncryptionEnabled(String countryCode) {
-		// - encrypt if so configured
+		//encryption is enabled by default in MOA-ID configuration object 				
 		try {
 			AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance();
 			Boolean useEncryption = moaconfig.getStorkConfig().getCPEPS(countryCode).isXMLSignatureSupported();
-			Logger.info(useEncryption ? "using encryption" : "do not use encrpytion");
+			String logResult = useEncryption ? " using encryption" : " do not use encrpytion";
+			Logger.debug("eIDAS respone for country " + countryCode + logResult);
 			return useEncryption;
+			
 		} catch(NullPointerException | ConfigurationException e) {
 			Logger.warn("failed to gather information about encryption for countryCode " + countryCode + " - thus, enabling encryption");
 			if(Logger.isDebugEnabled())
 				e.printStackTrace();
 			return true;
+			
 		}
+		
 	}
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java
new file mode 100644
index 000000000..d8fcd1694
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java
@@ -0,0 +1,68 @@
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.security.cert.X509Certificate;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.saml2.core.Response;
+
+import at.gv.egovernment.moa.logging.Logger;
+import eu.eidas.auth.commons.EidasErrorKey;
+import eu.eidas.auth.commons.protocol.IAuthenticationRequest;
+import eu.eidas.auth.engine.ProtocolEngine;
+import eu.eidas.auth.engine.configuration.ProtocolConfigurationAccessor;
+import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
+
+public class MOAProtocolEngine extends ProtocolEngine {
+
+	public MOAProtocolEngine(ProtocolConfigurationAccessor configurationAccessor) {
+		super(configurationAccessor);
+
+	}
+
+//	@Override
+//	protected X509Certificate getEncryptionCertificate(String requestIssuer,
+//			String destinationCountryCode) throws EIDASSAMLEngineException {
+//		if ((StringUtils.isNotBlank(destinationCountryCode)) && (null != getProtocolEncrypter())
+//				&& (getProtocolEncrypter().isEncryptionEnabled(destinationCountryCode))) {
+//			X509Certificate encryptionCertificate = getProtocolProcessor().getEncryptionCertificate(requestIssuer);
+//			
+//			if (null == encryptionCertificate) {
+//				return getProtocolEncrypter().getEncryptionCertificate(destinationCountryCode);
+//				
+//			}
+//			return encryptionCertificate;
+//		}
+//		return null;
+//	}
+//	
+//	@Override
+//	protected Response signResponse(IAuthenticationRequest request, Response response)
+//			throws EIDASSAMLEngineException {
+//		Response responseToSign = response;
+//
+//		if ((null != getProtocolEncrypter()) && (!(SAMLEngineUtils.isErrorSamlResponse(responseToSign)))) {
+//			X509Certificate destinationCertificate = getEncryptionCertificate(request.getIssuer(),
+//					request.getOriginCountryCode());
+//
+//			if (null != destinationCertificate) {
+//				responseToSign = getProtocolEncrypter().encryptSamlResponse(responseToSign, destinationCertificate);
+//				
+//			} else if (getProtocolEncrypter().isEncryptionEnabled(request.getOriginCountryCode())) {
+////				Logger.error(SAML_EXCHANGE,
+////						"BUSINESS EXCEPTION : encryption cannot be performed, no matching certificate for issuer="
+////								+ request.getIssuer() + " and country=" + request.getOriginCountryCode());
+//
+//				throw new EIDASSAMLEngineException(EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorCode(),
+//						EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorMessage());
+//			}
+//
+//		} else if (!(SAMLEngineUtils.isErrorSamlResponse(responseToSign))) {
+//			checkSendingUnencryptedResponsesAllowed();
+//			
+//		}
+//
+//		Logger.debug("Signing SAML Response.");
+//		return ((Response) getSigner().sign(responseToSign));
+//	}
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index a9c4d5d3a..0eb067c5a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -211,8 +211,13 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 						
 			authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT);			
 			
-			//set minimum required eIDAS LoA from OA config			
-			authnRequestBuilder.levelOfAssurance(LevelOfAssurance.fromString(oaConfig.getQaaLevel()));			
+			//set minimum required eIDAS LoA from OA config
+			String LoA = oaConfig.getQaaLevel();
+			if (MiscUtil.isNotEmpty(LoA))			
+				authnRequestBuilder.levelOfAssurance(LevelOfAssurance.fromString(oaConfig.getQaaLevel()));
+			else
+				authnRequestBuilder.levelOfAssurance(LevelOfAssurance.HIGH);
+			
 			authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
 			
 			//set correct SPType for this online application
@@ -234,7 +239,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 			
 			
 			IRequestMessage authnRequest = engine.generateRequestMessage(authnRequestBuilder.build(), issur);					
-			
+						
 			//encode AuthnRequest
 			byte[] token = authnRequest.getMessageBytes();		
 			String SAMLRequest = EidasStringUtil.encodeToBase64(token);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java
index f29d2bb65..47cdb4ade 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java
@@ -95,5 +95,22 @@ public class MOAProtocolEngineFactory extends ProtocolEngineFactory {
 		
 	}
 
+//	public static ProtocolEngineI createProtocolEngine(String instanceName,
+//			ProtocolEngineConfigurationFactory protocolEngineConfigurationFactory,
+//			ProtocolProcessorI protocolProcessor, SamlEngineClock samlEngineClock)
+//					throws SamlEngineConfigurationException {
+//	
+//		ProtocolEngineConfiguration preConfiguration = protocolEngineConfigurationFactory
+//				.getConfiguration(instanceName);
+//
+//		protocolProcessor.configure();
+//
+//		ProtocolEngineConfiguration configuration = ProtocolEngineConfiguration.builder(preConfiguration)
+//				.protocolProcessor(protocolProcessor).clock(samlEngineClock).build();
+//
+//		ProtocolEngineI samlEngine = new MOAProtocolEngine(new FixedProtocolConfigurationAccessor(configuration));
+//
+//		return samlEngine;
+//	}
 
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
index dd14972e3..171d5c8e2 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
@@ -210,10 +210,15 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator {
             addAssertionConsumerService();
         }
         fillNameIDFormat(spSSODescriptor);
-        if (params.getSpEngine() != null) {
-            ProtocolEngineI spEngine = params.getSpEngine();
-            ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor);
-        }
+        
+        /**FIXME:
+         * 	Double signing of SPSSODescribtor is not required
+         */
+//        if (params.getSpEngine() != null) {
+//            ProtocolEngineI spEngine = params.getSpEngine();
+//            ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor);
+//        }
+        
         entityDescriptor.getRoleDescriptors().add(spSSODescriptor);
 
     }
@@ -266,6 +271,8 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator {
         }
         idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol());
         fillNameIDFormat(idpSSODescriptor);
+        
+        
         if (params.getIdpEngine() != null) {
             if (params.getIdpEngine().getProtocolProcessor() != null
                     && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) {
@@ -277,8 +284,13 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator {
                  */
             	generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes());
             }
-            ProtocolEngineI idpEngine = params.getIdpEngine();
-            ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor);
+            
+            
+            /**FIXME:
+             * 	Double signing of IDPSSODescribtor is not required
+             */
+//          ProtocolEngineI idpEngine = params.getIdpEngine();
+//          ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor);
         }
 
         idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations());
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 13e64cdd0..aefae939b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -36,7 +36,6 @@ import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -51,6 +50,7 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASAuthnRequestV
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
@@ -367,7 +367,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
         		String token = EidasStringUtil.encodeToBase64(eIDASRespMsg.getMessageBytes());
      		
                 VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
-                Template template = velocityEngine.getTemplate("/resources/templates/stork2_postbinding_template.html");
+                Template template = velocityEngine.getTemplate("/resources/templates/eidas_postbinding_template.vm");
                 VelocityContext context = new VelocityContext();
 
                 context.put("RelayState", eidasReq.getRemoteRelayState());
@@ -387,7 +387,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
                 Logger.trace("Sending html content  : " + new String(writer.getBuffer()));
 
                 byte[] content = writer.getBuffer().toString().getBytes("UTF-8");             
-                response.setContentType(MediaType.TEXT_HTML.getType());
+                response.setContentType(MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8);
                 response.setContentLength(content.length);
                 response.getOutputStream().write(content);
                 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
index 174fa2c17..df96bef12 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
@@ -72,13 +72,19 @@ public class EidasMetaDataRequest implements IAction {
             String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA;            
             String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST;
             
+            //generate eIDAS metadata            
             String metaData = generateMetadata(req, metadata_url, sp_return_url);
-
+            
+            //write content to response
+            byte[] content = metaData.getBytes("UTF-8");            
+            httpResp.setStatus(HttpServletResponse.SC_OK);
+            httpResp.setContentType(MediaType.APPLICATION_XML.toString());            
+            httpResp.setContentLength(content.length);            
+            httpResp.getOutputStream().write(content);
+            
+            //write log if required
             Logger.trace(metaData);
-
-            httpResp.setContentType(MediaType.APPLICATION_XML.getType());
-            httpResp.getWriter().print(metaData);
-            httpResp.flushBuffer();
+            
         } catch (Exception e) {        	
         	Logger.error("eIDAS Metadata generation FAILED.", e);
         	throw new MOAIDException("eIDAS.05", new Object[]{e.getMessage()}, e);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index 22ac37604..97241af6a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -34,7 +34,6 @@ import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.opensaml.saml2.core.StatusCode;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
 import org.springframework.stereotype.Service;
 
 import com.google.common.collect.ImmutableSet;
@@ -44,6 +43,7 @@ import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
 import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SimpleEidasAttributeGenerator;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.data.IAuthData;
@@ -233,7 +233,7 @@ public class eIDASAuthenticationRequest implements IAction {
 		// send the response
         try {
             VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
-            Template template = velocityEngine.getTemplate("/resources/templates/stork2_postbinding_template.html");
+            Template template = velocityEngine.getTemplate("/resources/templates/eidas_postbinding_template.vm");
             VelocityContext context = new VelocityContext();
 
             context.put("RelayState", eidasRequest.getRemoteRelayState());
@@ -253,7 +253,7 @@ public class eIDASAuthenticationRequest implements IAction {
             Logger.trace("Sending html content  : " + new String(writer.getBuffer()));
 
             byte[] content = writer.getBuffer().toString().getBytes("UTF-8");
-            httpResp.setContentType(MediaType.TEXT_HTML.getType());
+            httpResp.setContentType(MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8);
             httpResp.setContentLength(content.length);
             httpResp.getOutputStream().write(content);
             
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm b/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm
index 3bd225b00..0535d48b6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm
@@ -7,7 +7,7 @@
 ## SAMLRequest - String - the Base64 encoded SAML Request
 ## SAMLResponse - String - the Base64 encoded SAML Response
 ## Contains target attribute to delegate PEPS authentication out of iFrame
-
+<!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 		<head>
 			<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
diff --git a/pom.xml b/pom.xml
index e95e5d029..b3176bd2d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,14 +22,14 @@
 		-->
 		
 			<!-- Project Version -->			
-			<moa-id-version>3.2.1</moa-id-version>
+			<moa-id-version>3.2.2-Snapshot</moa-id-version>
 			
-			<moa-id-version-final>3.2.1</moa-id-version-final>			
-			<moa-id-version-edu>3.2.1</moa-id-version-edu>			
+			<moa-id-version-final>3.2.2-Snapshot</moa-id-version-final>			
+			<moa-id-version-edu>3.2.2-Snapshot</moa-id-version-edu>			
 			
 			<moa-id-proxy-version>2.0.1-Snapshot</moa-id-proxy-version>
 			
-			<configtool-version>2.3.1</configtool-version>
+			<configtool-version>2.3.2-Snapshot</configtool-version>
 			<demo-oa-version>2.0.6</demo-oa-version>
 			
 			<moa-id-module-elga_mandate_client>1.2</moa-id-module-elga_mandate_client>
diff --git a/repository/eu/eidas/eidas-commons/1.2.0/eidas-commons-1.2.0.jar b/repository/eu/eidas/eidas-commons/1.2.0/eidas-commons-1.2.0.jar
new file mode 100644
index 000000000..b4a614f7f
--- /dev/null
+++ b/repository/eu/eidas/eidas-commons/1.2.0/eidas-commons-1.2.0.jar
diff --git a/repository/eu/eidas/eidas-configmodule/1.2.0/eidas-configmodule-1.2.0.jar b/repository/eu/eidas/eidas-configmodule/1.2.0/eidas-configmodule-1.2.0.jar
new file mode 100644
index 000000000..201b7ddfd
--- /dev/null
+++ b/repository/eu/eidas/eidas-configmodule/1.2.0/eidas-configmodule-1.2.0.jar
diff --git a/repository/eu/eidas/eidas-encryption/1.2.0/eidas-encryption-1.2.0.jar b/repository/eu/eidas/eidas-encryption/1.2.0/eidas-encryption-1.2.0.jar
new file mode 100644
index 000000000..aa9ac228a
--- /dev/null
+++ b/repository/eu/eidas/eidas-encryption/1.2.0/eidas-encryption-1.2.0.jar
diff --git a/repository/eu/eidas/eidas-light-commons/1.2.0/eidas-light-commons-1.2.0.jar b/repository/eu/eidas/eidas-light-commons/1.2.0/eidas-light-commons-1.2.0.jar
new file mode 100644
index 000000000..c6d4ecdbb
--- /dev/null
+++ b/repository/eu/eidas/eidas-light-commons/1.2.0/eidas-light-commons-1.2.0.jar
diff --git a/repository/eu/eidas/eidas-saml-engine/1.2.0/eidas-saml-engine-1.2.0.jar b/repository/eu/eidas/eidas-saml-engine/1.2.0/eidas-saml-engine-1.2.0.jar
new file mode 100644
index 000000000..3a973e72b
--- /dev/null
+++ b/repository/eu/eidas/eidas-saml-engine/1.2.0/eidas-saml-engine-1.2.0.jar
diff --git a/repository/eu/eidas/eidas-specific-communication-definition/1.2.0/eidas-specific-communication-definition-1.2.0.jar b/repository/eu/eidas/eidas-specific-communication-definition/1.2.0/eidas-specific-communication-definition-1.2.0.jar
new file mode 100644
index 000000000..411e4cbe3
--- /dev/null
+++ b/repository/eu/eidas/eidas-specific-communication-definition/1.2.0/eidas-specific-communication-definition-1.2.0.jar
diff --git a/repository/eu/eidas/eidas-specific/1.2.0/eidas-specific-1.2.0.jar b/repository/eu/eidas/eidas-specific/1.2.0/eidas-specific-1.2.0.jar
new file mode 100644
index 000000000..a924833ac
--- /dev/null
+++ b/repository/eu/eidas/eidas-specific/1.2.0/eidas-specific-1.2.0.jar