MOA-ID Updates and Bugfixes

-- OW BPK calculation -- OA specific SL-Templates -- update MOA-ID configuration XML -- PVP2: QA Level and BPK calculation updated -- PVP2: add two attribute builder -- MOA-ID BKU selection: bugfix local BKU selection
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2013-09-04 07:25:09 +0200
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2013-09-04 07:25:09 +0200
commit: 61362f940ca679fe215de34b1683e1110fea8d3e (patch)
tree: 0857aa21842a33d6e6e52d27b058c1af9831cb6b /id/server/idserverlib/src/main/java/at
parent: 8854b5c2c1e342b891271a04face4f4479653d46 (diff)
download: moa-id-spss-61362f940ca679fe215de34b1683e1110fea8d3e.tar.gz
moa-id-spss-61362f940ca679fe215de34b1683e1110fea8d3e.tar.bz2
moa-id-spss-61362f940ca679fe215de34b1683e1110fea8d3e.zip
22 files changed, 704 insertions, 341 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index f1c15e83b..89adbce3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -23,9 +23,11 @@
 
 package at.gv.egovernment.moa.id.auth;
 
+import iaik.asn1.ObjectID;
 import iaik.pki.PKIException;
 import iaik.x509.CertificateFactory;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -652,21 +654,27 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		// check if person is a Organwalter
 		// if true - don't show bPK in AUTH Block
-		boolean isOW = false;
-//		String oid = null;
-//		if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER))
-//			isOW = true;
-//		
-//		AuthenticationSession session = getSession(sessionID);
-		
+		try {
+			for (ObjectID OWid : MOAIDAuthConstants.OW_LIST) {
+				if (certificate.getExtension(OWid) != null) {
+					session.setOW(true);
+				}
+			
+			}
+			
+		} catch (X509ExtensionInitException e) {
+			Logger.warn("Certificate extension is not readable.");
+			session.setOW(false);
+		}
+				
 		AuthConfigurationProvider authConf = AuthConfigurationProvider
 				.getInstance();
 
 		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
-		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session,
-				authConf, oaParam, isOW);
+		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
+				authConf, oaParam);
 			
 		return returnvalue;
 	}
@@ -784,75 +792,77 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		return createXMLSignatureRequest;
 	}
 
-	/**
-	 * 
-	 * @param session
-	 * @param authConf
-	 * @param oaParam
-	 * @return
-	 * @throws ConfigurationException
-	 * @throws BuildException
-	 * @throws ValidateException
-	 */
-	public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
-			AuthenticationSession session, AuthConfigurationProvider authConf,
-			OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
-			BuildException, ValidateException {
-
-		// check for intermediate processing of the infoboxes
-		if (session.isValidatorInputPending())
-			return "Redirect to Input Processor";
-
-		if (authConf == null)
-			authConf = AuthConfigurationProvider.getInstance();
-		if (oaParam == null)
-			oaParam = AuthConfigurationProvider.getInstance()
-					.getOnlineApplicationParameter(
-							session.getPublicOAURLPrefix());
-
-		// BZ.., calculate bPK for signing to be already present in AuthBlock
-		IdentityLink identityLink = session.getIdentityLink();
-		if (identityLink.getIdentificationType().equals(
-				Constants.URN_PREFIX_BASEID)) {
-			// only compute bPK if online application is a public service and we
-			// have the Stammzahl
-			if (isOW) {
-				// if person is OW, delete identification value (bPK is calculated via MIS)
-				identityLink.setIdentificationValue(null);
-				identityLink.setIdentificationType(null);
-			}
-			else {
-			
-			//TODO: check correctness!!! bpk calcultion is done during Assertion generation	
-//			String bpkBase64 = new BPKBuilder().buildBPK(identityLink
-//					.getIdentificationValue(), session.getTarget());
-//				identityLink.setIdentificationValue(bpkBase64);
-//				
-//				//TODO: insert correct Type!!!!
-//				identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
-			}
-		}
-		// ..BZ
-		// }
-
-		// builds the AUTH-block
-		String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
-
-		// session.setAuthBlock(authBlock);
-		// builds the <CreateXMLSignatureRequest>
-		List<String> transformsInfos = oaParam.getTransformsInfos();
-		if ((transformsInfos == null) || (transformsInfos.size() == 0)) {
-			// no OA specific transforms specified, use default ones
-			transformsInfos = authConf.getTransformsInfos();
-		}
-		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
-				.build(authBlock, oaParam.getKeyBoxIdentifier(),
-						transformsInfos, oaParam.isSlVersion12());
-		
-		System.out.println("XML: " + createXMLSignatureRequest);
-		
-		return createXMLSignatureRequest;
-	}
+//	/**
+//	 * 
+//	 * @param session
+//	 * @param authConf
+//	 * @param oaParam
+//	 * @return
+//	 * @throws ConfigurationException
+//	 * @throws BuildException
+//	 * @throws ValidateException
+//	 */
+//	public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
+//			AuthenticationSession session, AuthConfigurationProvider authConf,
+//			OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
+//			BuildException, ValidateException {
+//
+//		// check for intermediate processing of the infoboxes
+//		if (session.isValidatorInputPending())
+//			return "Redirect to Input Processor";
+//
+//		if (authConf == null)
+//			authConf = AuthConfigurationProvider.getInstance();
+//		if (oaParam == null)
+//			oaParam = AuthConfigurationProvider.getInstance()
+//					.getOnlineApplicationParameter(
+//							session.getPublicOAURLPrefix());
+//
+//		// BZ.., calculate bPK for signing to be already present in AuthBlock
+//		IdentityLink identityLink = session.getIdentityLink();
+//		if (identityLink.getIdentificationType().equals(
+//				Constants.URN_PREFIX_BASEID)) {
+//			
+//			// only compute bPK if online application is a public service and we
+//			// have the Stammzahl
+////			if (isOW) {
+////				// if person is OW, delete identification value (bPK is calculated via MIS)
+////				identityLink.setIdentificationValue(null);
+////				identityLink.setIdentificationType(null);
+////			}
+////			else {
+//			
+//			//TODO: check correctness!!! bpk calcultion is done during Assertion generation	
+////			String bpkBase64 = new BPKBuilder().buildBPK(identityLink
+////					.getIdentificationValue(), session.getTarget());
+////				identityLink.setIdentificationValue(bpkBase64);
+////				
+////				//TODO: insert correct Type!!!!
+////				identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
+////			}
+//			
+//		}
+//		// ..BZ
+//		// }
+//
+//		// builds the AUTH-block
+//		String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
+//
+//		// session.setAuthBlock(authBlock);
+//		// builds the <CreateXMLSignatureRequest>
+//		List<String> transformsInfos = oaParam.getTransformsInfos();
+//		if ((transformsInfos == null) || (transformsInfos.size() == 0)) {
+//			// no OA specific transforms specified, use default ones
+//			transformsInfos = authConf.getTransformsInfos();
+//		}
+//		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
+//				.build(authBlock, oaParam.getKeyBoxIdentifier(),
+//						transformsInfos, oaParam.isSlVersion12());
+//		
+//		System.out.println("XML: " + createXMLSignatureRequest);
+//		
+//		return createXMLSignatureRequest;
+//	}
 	/**
 	 * Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br>
 	 * <ul>
@@ -1067,14 +1077,22 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		} else {
 			identificationValue = identityLink.getIdentificationValue();
 			identificationType = identityLink.getIdentificationType();
-		}
 			
+		}
+
+		//set empty AuthBlock BPK in case of OW 
+		if (session.isOW()) {
+			identificationType = "";
+			identificationValue = "";
+		}
+		
 		String issueInstant = DateTimeUtils.buildDateTime(Calendar
 				.getInstance(), oaParam.getUseUTC());
 		session.setIssueInstant(issueInstant);
 		String authURL = session.getAuthURL();
 		String target = session.getTarget();
 		String targetFriendlyName = session.getTargetFriendlyName();
+		
 		// Bug #485
 		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
 		// String oaURL = session.getPublicOAURLPrefix();
@@ -1115,59 +1133,61 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		
 	}
 
-	/**
-	 * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
-	 * given session data.
-	 * 
-	 * @param session
-	 *            authentication session
-	 * 
-	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
-	 * 
-	 * @throws BuildException
-	 *             If an error occurs on serializing an extended SAML attribute
-	 *             to be appended to the AUTH-Block.
-	 */
-	private String buildAuthenticationBlockForOW(AuthenticationSession session,
-			OAAuthParameter oaParam, boolean isOW) throws BuildException {
-		IdentityLink identityLink = session.getIdentityLink();
-		String issuer = identityLink.getName();
-		String gebDat = identityLink.getDateOfBirth();
-		String identificationValue = identityLink.getIdentificationValue();
-		String identificationType = identityLink.getIdentificationType();
-
-		String issueInstant = DateTimeUtils.buildDateTime(Calendar
-				.getInstance(), oaParam.getUseUTC());
-		session.setIssueInstant(issueInstant);
-		String authURL = session.getAuthURL();
-		String target = session.getTarget();
-		String targetFriendlyName = session.getTargetFriendlyName();
-		// Bug #485
-		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
-		// String oaURL = session.getPublicOAURLPrefix();
-		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
-		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
-		Iterator it = extendedSAMLAttributes.iterator();
-		// delete bPK attribute from extended SAML attributes
-		if (isOW) {
-			ExtendedSAMLAttribute toDelete = null;
-			while (it.hasNext()) {
-				ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
-				if (attr.getName().equalsIgnoreCase("bPK"))
-					toDelete = attr;
-			}		
-			if (toDelete != null)
-				extendedSAMLAttributes.remove(toDelete);
-		}
-		
-		String authBlock = new AuthenticationBlockAssertionBuilder()
-				.buildAuthBlock(issuer, issueInstant, authURL, target,
-						targetFriendlyName, identificationValue,
-						identificationType, oaURL, gebDat,
-						extendedSAMLAttributes, session, oaParam);
-
-		return authBlock;
-	}
+//	/**
+//	 * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
+//	 * given session data.
+//	 * 
+//	 * @param session
+//	 *            authentication session
+//	 * 
+//	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
+//	 * 
+//	 * @throws BuildException
+//	 *             If an error occurs on serializing an extended SAML attribute
+//	 *             to be appended to the AUTH-Block.
+//	 */
+//	private String buildAuthenticationBlockForOW(AuthenticationSession session,
+//			OAAuthParameter oaParam, boolean isOW) throws BuildException {
+//		IdentityLink identityLink = session.getIdentityLink();
+//		String issuer = identityLink.getName();
+//		String gebDat = identityLink.getDateOfBirth();
+//		String identificationValue = identityLink.getIdentificationValue();
+//		String identificationType = identityLink.getIdentificationType();
+//
+//		String issueInstant = DateTimeUtils.buildDateTime(Calendar
+//				.getInstance(), oaParam.getUseUTC());
+//		session.setIssueInstant(issueInstant);
+//		String authURL = session.getAuthURL();
+//		String target = session.getTarget();
+//		String targetFriendlyName = session.getTargetFriendlyName();
+//		// Bug #485
+//		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
+//		// String oaURL = session.getPublicOAURLPrefix();
+//		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
+//		
+//		
+//		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+//		Iterator it = extendedSAMLAttributes.iterator();
+//		// delete bPK attribute from extended SAML attributes
+//		if (session.isOW()) {
+//			ExtendedSAMLAttribute toDelete = null;
+//			while (it.hasNext()) {
+//				ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
+//				if (attr.getName().equalsIgnoreCase("bPK"))
+//					toDelete = attr;
+//			}		
+//			if (toDelete != null)
+//				extendedSAMLAttributes.remove(toDelete);
+//		}
+//		
+//		String authBlock = new AuthenticationBlockAssertionBuilder()
+//				.buildAuthBlock(issuer, issueInstant, authURL, target,
+//						targetFriendlyName, identificationValue,
+//						identificationType, oaURL, gebDat,
+//						extendedSAMLAttributes, session, oaParam);
+//
+//		return authBlock;
+//	}
 	
 	/**
 	 * Verifies the infoboxes (except of the identity link infobox) returned by
@@ -2283,52 +2303,61 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			
 			//TODO: resign the IdentityLink!!!
 			
-			if (businessService) {
-				//since we have foreigner, wbPK is not calculated in BKU
-				if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
+			
+			if (session.getUseMandate() && session.isOW()) {
+				MISMandate mandate = session.getMISMandate();
+				authData.setBPK(mandate.getOWbPK());
+				authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
+				
+			} else {
+			
+				if (businessService) {
+					//since we have foreigner, wbPK is not calculated in BKU
+					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
+							
+					 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
+						 
+						if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
+							// If domainIdentifier starts with prefix
+							// "urn:publicid:gv.at:wbpk+"; remove this prefix
+							registerAndOrdNr = registerAndOrdNr
+									.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
+							Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
+									+ registerAndOrdNr);
+						} 
+							    
+						String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
+						authData.setBPK(wbpkBase64);
+						authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
 						
-				 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
-					 
-					if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
-						// If domainIdentifier starts with prefix
-						// "urn:publicid:gv.at:wbpk+"; remove this prefix
-						registerAndOrdNr = registerAndOrdNr
-								.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
-						Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
-								+ registerAndOrdNr);
-					} 
-						    
-					String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
-					authData.setBPK(wbpkBase64);
-					authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
+					} else {
+						authData.setBPK(identityLink.getIdentificationValue());
+						authData.setBPKType(identityLink.getIdentificationType());
+					}
+									
+					Element idlassertion = session.getIdentityLink().getSamlAssertion();
+					//set bpk/wpbk;
+					Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+					prIdentification.getFirstChild().setNodeValue(authData.getBPK());
+					//set bkp/wpbk type 
+					Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
+					prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
+					
+					IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
+					IdentityLink idl = idlparser.parseIdentityLink();
+					authData.setIdentityLink(idl);
 					
 				} else {
-					authData.setBPK(identityLink.getIdentificationValue());
-					authData.setBPKType(identityLink.getIdentificationType());
-				}
-								
-				Element idlassertion = session.getIdentityLink().getSamlAssertion();
-				//set bpk/wpbk;
-				Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
-				prIdentification.getFirstChild().setNodeValue(authData.getBPK());
-				//set bkp/wpbk type 
-				Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
-				prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
-				
-				IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
-				IdentityLink idl = idlparser.parseIdentityLink();
-				authData.setIdentityLink(idl);
-				
-			} else {
+									
+					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { 
+						// only compute bPK if online application is a public service and we have the Stammzahl
+						String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
+						authData.setBPK(bpkBase64);
+						authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+					}
 					
-				if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { 
-					// only compute bPK if online application is a public service and we have the Stammzahl
-					String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
-					authData.setBPK(bpkBase64);
-					authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+					authData.setIdentityLink(identityLink);
 				}
-				
-				authData.setIdentityLink(identityLink);
 			}
 				
 			return authData;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index e1552a5a6..edc43da0c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -118,10 +118,19 @@ public interface MOAIDAuthConstants {
    * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007
    */
   public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER);
+  
   /** the number of the certifcate extension for party representatives */
   public static final String PARTY_REPRESENTATION_OID_NUMBER = "1.2.40.0.10.3";
-  /** the number of the certifcate extension for party organ representatives */
-  public static final String PARTY_ORGAN_REPRESENTATION_OID_NUMBER = PARTY_REPRESENTATION_OID_NUMBER + ".10";
+  
+//  /** the number of the certifcate extension for party organ representatives */
+//  public static final String PARTY_ORGAN_REPRESENTATION_OID_NUMBER = PARTY_REPRESENTATION_OID_NUMBER + ".10";
+  
+  /** OW */
+  public static final String OW_ORGANWALTER = PARTY_REPRESENTATION_OID_NUMBER + ".4";
+  
+  /** List of OWs */
+  public static final List<ObjectID> OW_LIST = Arrays.asList( 
+		  new ObjectID(OW_ORGANWALTER));  
   
   /**BKU type identifiers to use bkuURI from configuration*/ 
   public static final String REQ_BKU_TYPE_LOCAL = "local";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index abb33203c..ee2313070 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -179,6 +179,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     String wbpkNSDeclaration = "";
            
     if (target == null) {
+    	
       // OA is a business application
       if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
         // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
@@ -195,6 +196,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
         // We do not have a wbPK, therefore no SAML-Attribute is provided
         session.setSAMLAttributeGebeORwbpk(false);
       }
+      
     } else {
       // OA is a govermental application
       String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 023b36d83..9bec06135 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -61,7 +61,12 @@ public class BPKBuilder {
       		                     new Object[] {"BPK", "Unvollständige Parameterangaben: identificationValue=" + 
                                              identificationValue + ",target=" + target});
     }
-    String basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+    String basisbegriff;
+	if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+		basisbegriff = identificationValue + "+" + target;
+	else
+		basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+	
     try {
       MessageDigest md = MessageDigest.getInstance("SHA-1");
       byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1"));
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index e6de2ce02..4560e69cf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -123,6 +123,9 @@ public class AuthenticationSession implements Serializable {
 	private boolean useMandate;
 
 	
+	private boolean isOW = false;
+	
+	
 	/**
 	 * STORK
 	 */
@@ -1114,5 +1117,20 @@ public class AuthenticationSession implements Serializable {
 	public void setSsoRequested(boolean ssoRequested) {
 		this.ssoRequested = ssoRequested;
 	}
+
+	/**
+	 * @return the isOW
+	 */
+	public boolean isOW() {
+		return isOW;
+	}
+
+	/**
+	 * @param isOW the isOW to set
+	 */
+	public void setOW(boolean isOW) {
+		this.isOW = isOW;
+	}
+	
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index 58cea2926..58194361c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -1,5 +1,7 @@
 package at.gv.egovernment.moa.id.auth.parser;
 
+import java.io.UnsupportedEncodingException;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@@ -19,7 +21,9 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.BoolUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moa.util.URLEncoder;
 
 public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
 
@@ -39,15 +43,14 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
 //	    String sso = req.getParameter(PARAM_SSO);
 		
 	    // escape parameter strings
-	    //TODO: use URLEncoder.encode!!
-	    target = StringEscapeUtils.escapeHtml(target);
-	    oaURL = StringEscapeUtils.escapeHtml(oaURL);
-	    bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
-	    templateURL = StringEscapeUtils.escapeHtml(templateURL);
-	    useMandate = StringEscapeUtils.escapeHtml(useMandate);
-	    ccc = StringEscapeUtils.escapeHtml(ccc);
-//	    sso = StringEscapeUtils.escapeHtml(sso);
-	    
+		target = StringEscapeUtils.escapeHtml(target);
+		oaURL = StringEscapeUtils.escapeHtml(oaURL);
+		bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
+		templateURL = StringEscapeUtils.escapeHtml(templateURL);
+		useMandate = StringEscapeUtils.escapeHtml(useMandate);
+		ccc = StringEscapeUtils.escapeHtml(ccc);
+			//	    sso = StringEscapeUtils.escapeHtml(sso);
+
 	      // check parameter
 	    
 	    //pvp2.x can use general identifier (equals oaURL in SAML1)
@@ -153,7 +156,6 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
 			
 			moasession.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
 			
-			//TODO: check for SSO
 			moasession.setTarget(target);
 			moasession.setBusinessService(oaParam.getBusinessService());
 			moasession.setTargetFriendlyName(targetFriendlyName);
@@ -193,9 +195,12 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
 		
 		moasession.setAuthURL(authURL);
 
-//		//check and set SourceID
-//		if (sourceID != null)
-//			moasession.setSourceID(sourceID);
+		//check and set SourceID
+		if (oaParam.getSAML1Parameter() != null) {
+			String sourceID = oaParam.getSAML1Parameter().getSourceID();
+			if (MiscUtil.isNotEmpty(sourceID))
+				moasession.setSourceID(sourceID);
+		}
 		
 		// BKU URL has not been set yet, even if session already exists
 		if (bkuURL == null) {
@@ -208,14 +213,10 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
 		moasession.setBkuURL(bkuURL);
 
 		
-	    if (!ParamValidatorUtils.isValidTemplate(req, templateURL))
+	    if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL()))
 		       throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
-
-		// override template url by url from configuration file
-		if (oaParam.getTemplateURL() != null) {
-			templateURL = oaParam.getTemplateURL();
-		}
 		moasession.setTemplateURL(templateURL);
+		
 		moasession.setCcc(ccc);
 		
 	}
@@ -223,10 +224,7 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
 	public static void parse(HttpServletRequest req, HttpServletResponse resp, 
 			AuthenticationSession moasession, IRequest request) throws WrongParametersException, MOAIDException {
 		
-//	    //check Module and Action
-//	    HttpSession httpSession = req.getSession();    
-//	    IRequest request = RequestStorage.getPendingRequest(httpSession);
-	    
+		
 	    String modul = request.requestedModule();//req.getParameter(PARAM_MODUL);
 	    String action = request.requestedAction();//req.getParameter(PARAM_ACTION);
 	    
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
index f68e0361a..d4484a97c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
@@ -94,10 +94,7 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
 	    	
 				//load Parameters from config
 		    	String target = oaParam.getTarget();
-//		    	String sourceID = ""; //TODO: load from Config
-//		    	String bkuURL = getBKUURIFromConfig(Integer.valueOf(bkuid), oaParam);
-//		    	String templateURL = getTemplateURIFromConfig(Integer.valueOf(bkuid), oaParam);
-		    	
+		    			    	
 		    	String bkuURL = oaParam.getBKUURL(bkuid);
 		    	String templateURL = AuthConfigurationProvider.getInstance().getSLRequestTemplates(bkuid);
 		    	
@@ -119,7 +116,8 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
 			
 			//store MOASession
 			try {
-				AuthenticationSessionStoreage.storeSession(moasession);				
+				AuthenticationSessionStoreage.storeSession(moasession);
+				
 			} catch (MOADatabaseException e) {
 				Logger.error("Database Error! MOASession is not stored!");
 				throw new MOAIDException("init.04", new Object[] {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
index 67932063a..e461197e2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -186,13 +186,7 @@ public class GetMISSessionIDServlet extends AuthServlet {
 				throw new AuthenticationException("auth.16",
 						new Object[] { GET_MIS_SESSIONID });
 			}
-			
-			// TODO OW bPK (Offen: was bei saml:NameIdentifier
-			// NameQualifier="urn:publicid:gv.at:cdid+bpk"> und <saml:Attribute
-			// AttributeName="bPK" )
-			System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK());
-			// TODO wenn OW bPK vorhanden - in SAML Assertion setzen!
-
+						
 			//check if it is a parsable XML
 			byte[] byteMandate = mandate.getMandate();
 			String stringMandate = new String(byteMandate);
@@ -220,38 +214,8 @@ public class GetMISSessionIDServlet extends AuthServlet {
 							session.getAction(), pendingRequestID), newMOASessionID);
 			redirectURL = resp.encodeRedirectURL(redirectURL);
 			
-			
-//			String samlArtifactBase64 = AuthenticationServer.getInstance()
-//					.verifyAuthenticationBlockMandate(session, mandateDoc);
-
-//			if (!samlArtifactBase64.equals("Redirect to Input Processor")) {
-//
-//				redirectURL = session.getOAURLRequested();
-//				if (!session.getBusinessService()) {
-//					// redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
-//					// URLEncoder.encode(session.getTarget(), "UTF-8"));
-//				}
-//				// redirectURL = addURLParameter(redirectURL,
-//				// PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64,
-//				// "UTF-8"));
-//				redirectURL = new DataURLBuilder().buildDataURL(
-//						session.getAuthURL(),
-//						ModulUtils.buildAuthURL(session.getModul(),
-//								session.getAction()), samlArtifactBase64);
-//				redirectURL = resp.encodeRedirectURL(redirectURL);
-//
-//			} else {
-//				redirectURL = new DataURLBuilder().buildDataURL(
-//						session.getAuthURL(),
-//						AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
-//						session.getSessionID());
-//
-//			}
-			
-			
 			resp.setContentType("text/html");
 			resp.setStatus(302);
-
 			resp.addHeader("Location", redirectURL);
 			Logger.debug("REDIRECT TO: " + redirectURL);
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index 9e7c8536d..477d99220 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -155,7 +155,7 @@ public class VerifyCertificateServlet extends AuthServlet {
 					throw new MOAIDException("session store error", null);
 				}
 	    		
-	    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+	    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
 	    	}
 	    	else {
 	    		// Foreign Identities Modus	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index ac7466c11..38f650a65 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -190,29 +190,30 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     		// AUTH Block aufscheinen darf. --> D.h. verifyIdentityLink umbauen - verify und AUTH Block bauen trennen)
     		
     		//TODO: Klaus fragen ob der Teil wirklich noch benötigt wird!!!!!
-//    		boolean useMandate = session.getUseMandate();
-//    		if (useMandate) { // Mandate modus
-//    			// read certificate and set dataurl to 
-//    			Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
-//    			
-//    
-//     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
-//
-//     		   // build dataurl (to the GetForeignIDSerlvet)
-//     		   String dataurl =
-//                 new DataURLBuilder().buildDataURL(
-//                   session.getAuthURL(),
-//                   REQ_VERIFY_CERTIFICATE,
-//                   session.getSessionID());
-//           
-//          
-//     		  //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
-//     		  //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-//     		  Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
-//     		  ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-//    			
-//    		}
-//    		else {
+    		boolean useMandate = session.getUseMandate();
+    		
+    		if (useMandate) { // Mandate modus
+    			// read certificate and set dataurl to 
+    			Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+    			
+    
+     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+     		   // build dataurl (to the GetForeignIDSerlvet)
+     		   String dataurl =
+                 new DataURLBuilder().buildDataURL(
+                   session.getAuthURL(),
+                   REQ_VERIFY_CERTIFICATE,
+                   session.getSessionID());
+           
+     		  //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
+     		  //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+     		   
+     		  Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
+     		  ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+    			
+    		}	
+    		else {
     			Logger.info("Normal");
     			
     			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
@@ -226,7 +227,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     			
     			ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
     		}
-//    	}
+    	}
     	
 		try {
 			AuthenticationSessionStoreage.storeSession(session);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 57f6ee4f1..c62594d6f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -35,6 +35,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OASSO;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
 import at.gv.egovernment.moa.id.config.ConfigurationUtils;
@@ -162,12 +163,13 @@ public List<String> getTransformsInfos() {
 	/**
 	 * @return the templateURL
 	 */
-	public String getTemplateURL() {
+	public List<TemplateType> getTemplateURL() {
 		TemplatesType templates = oa_auth.getTemplates();
 	
 		if (templates != null) {
-			if (templates.getTemplate() != null)
-				return templates.getTemplate().getURL();
+			if (templates.getTemplate() != null) {
+				return templates.getTemplate();
+			}
 		}
 		return null;
 	}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java
index cb35e708c..1460668e2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java
@@ -435,7 +435,10 @@ public class BuildFromLegacyConfig {
 	        	templates.setAditionalAuthBlockText("");
 	        	TemplateType template = new TemplateType();
 	        	template.setURL(oa.getTemplateURL());
-	        	templates.setTemplate(template);
+	        	ArrayList<TemplateType> template_list = new ArrayList<TemplateType>();
+	        	template_list.add(template);
+	        	templates.setTemplate(template_list);
+	        	
 	        	
 	        	//set TransformsInfo
 	        	String[] transforminfos = oa.getTransformsInfos();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index 5875a37c7..e8b661362 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -2,10 +2,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x;
 
 public interface PVPConstants {
 	
-	public static final String STORK_QAA_1_1 = "http://www.ref.gv.at/ns/names/agiz/stork/qaa/1";
-	public static final String STORK_QAA_1_2 = "http://www.ref.gv.at/ns/names/agiz/stork/qaa/1-2";
-	public static final String STORK_QAA_1_3 = "http://www.ref.gv.at/ns/names/agiz/stork/qaa/1-3";
-	public static final String STORK_QAA_1_4 = "http://www.ref.gv.at/ns/names/agiz/stork/qaa/1-4";
+	public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1";
+	public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2";
+	public static final String STORK_QAA_1_3 = "http://www.stork.gov.eu/1.0/citizenQAALevel/3";
+	public static final String STORK_QAA_1_4 = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";
 	
 	public static final String URN_OID_PREFIX = "urn:oid:";
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
index 11ec2fe25..60e510de2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
@@ -25,6 +25,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNatura
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonBirthDateAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonFamilyNameAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonGivenNameAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonSourcePinTypeAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateProfRepDescAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateProfRepOIDAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateReferenceValueAttributeBuilder;
@@ -62,6 +64,8 @@ public class PVPAttributeBuilder {
 		addBuilder(new MandateNaturalPersonBPKAttributeBuilder());
 		addBuilder(new MandateNaturalPersonFamilyNameAttributeBuilder());
 		addBuilder(new MandateNaturalPersonGivenNameAttributeBuilder());
+		addBuilder(new MandateNaturalPersonSourcePinAttributeBuilder());
+		addBuilder(new MandateNaturalPersonSourcePinTypeAttributeBuilder());
 		addBuilder(new MandateTypeAttributeBuilder());
 		addBuilder(new MandateProfRepOIDAttributeBuilder());
 		addBuilder(new MandateProfRepDescAttributeBuilder());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 2d29f7454..17fc52a8c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -1,6 +1,7 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion;
 
 import java.util.Iterator;
+import java.util.List;
 
 import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
@@ -25,9 +26,15 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.NameIDFormat;
 import org.opensaml.saml2.metadata.RequestedAttribute;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.w3c.dom.Element;
 
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
@@ -37,11 +44,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
 
 public class PVP2AssertionBuilder implements PVPConstants {
 	public static Assertion buildAssertion(AuthnRequest authnRequest,
@@ -58,48 +68,64 @@ public class PVP2AssertionBuilder implements PVPConstants {
 
 		boolean stork_qaa_1_4_found = false;
 
-		Iterator<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
-				.getAuthnContextClassRefs().iterator();
-
-		while (reqAuthnContextClassRefIt.hasNext()) {
-			AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt
-					.next();
-			String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split(
-					"\\s+");
-			for (int i = 0; i < qaa_uris.length; i++) {
-				if (qaa_uris[i].trim().equals(STORK_QAA_1_4)) {
-					stork_qaa_1_4_found = true;
-					break;
-				}
-			}
-		}
+		AuthnContextClassRef authnContextClassRef = SAML2Utils
+				.createSAMLObject(AuthnContextClassRef.class);
+
+		 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+				.getAuthnContextClassRefs();
+		
+		 if (reqAuthnContextClassRefIt.size() == 0) {
+			 stork_qaa_1_4_found = true;
+			 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+			 
+		 } else {
+			 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+				 String qaa_uri = authnClassRef.getAuthnContextClassRef();
+				 if (qaa_uri.trim().equals(STORK_QAA_1_4)
+						 || qaa_uri.trim().equals(STORK_QAA_1_3)
+						 || qaa_uri.trim().equals(STORK_QAA_1_2)
+						 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+					
+					 if (authSession.isForeigner()) {
+						 //TODO: insert QAA check
+					
+						 stork_qaa_1_4_found = false;
+					
+					 } else {
+						 stork_qaa_1_4_found = true;
+						 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+					 }
+					 break;
+				 }
+			 }
+		 }
 
 		if (!stork_qaa_1_4_found) {
 			throw new QAANotSupportedException(STORK_QAA_1_4);
 		}
 
-		reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
-				.iterator();
-		StringBuilder authContextsb = new StringBuilder();
-		while (reqAuthnContextClassRefIt.hasNext()) {
-			AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt
-					.next();
-			String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split(
-					"\\s+");
-			for (int i = 0; i < qaa_uris.length; i++) {
-				if (qaa_uris[i].trim().equals(STORK_QAA_1_4)
-						|| qaa_uris[i].trim().equals(STORK_QAA_1_3)
-						|| qaa_uris[i].trim().equals(STORK_QAA_1_2)
-						|| qaa_uris[i].trim().equals(STORK_QAA_1_1)) {
-					authContextsb.append(qaa_uris[i].trim());
-					authContextsb.append(" ");
-				}
-			}
-
-		}
-		AuthnContextClassRef authnContextClassRef = SAML2Utils
-				.createSAMLObject(AuthnContextClassRef.class);
-		authnContextClassRef.setAuthnContextClassRef(authContextsb.toString());
+//		reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
+//				.iterator();
+//		
+//		StringBuilder authContextsb = new StringBuilder();
+//		
+//		while (reqAuthnContextClassRefIt.hasNext()) {
+//			AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt
+//					.next();
+//			String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split(
+//					"\\s+");
+//			for (int i = 0; i < qaa_uris.length; i++) {
+//				if (qaa_uris[i].trim().equals(STORK_QAA_1_4)
+//						|| qaa_uris[i].trim().equals(STORK_QAA_1_3)
+//						|| qaa_uris[i].trim().equals(STORK_QAA_1_2)
+//						|| qaa_uris[i].trim().equals(STORK_QAA_1_1)) {
+//					authContextsb.append(qaa_uris[i].trim());
+//					authContextsb.append(" ");
+//				}
+//			}
+//
+//		}
+		
 		AuthnContext authnContext = SAML2Utils
 				.createSAMLObject(AuthnContext.class);
 		authnContext.setAuthnContextClassRef(authnContextClassRef);
@@ -199,14 +225,63 @@ public class PVP2AssertionBuilder implements PVPConstants {
 			assertion.getAttributeStatements().add(attributeStatement);
 		}
 
-		// TL: getIdentificationValue holds the baseID --> change to pBK
-		// subjectNameID.setValue(authData.getIdentificationValue());
-
 		subjectNameID.setFormat(NameID.PERSISTENT);
 		
 		//TLenz: set correct bPK Type and Value from AuthData
-		subjectNameID.setNameQualifier(authData.getBPKType());
-		subjectNameID.setValue(authData.getBPK());
+		if (authSession.getUseMandate()) {
+			Element mandate = authSession.getMandate();
+			if(mandate == null) {
+				throw new NoMandateDataAvailableException();
+			}
+			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+			if(mandateObject == null) {
+				throw new NoMandateDataAvailableException();
+			}
+			CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+			PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson();
+			
+			IdentificationType id;
+			if(corporation != null && corporation.getIdentification().size() > 0)
+				id = corporation.getIdentification().get(0);
+
+				
+			else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0)
+				id = pysicalperson.getIdentification().get(0);
+				
+			else {
+				Logger.error("Failed to generate IdentificationType");
+				throw new NoMandateDataAvailableException();		
+			}
+		
+			String bpktype = id.getType();
+			String bpk = id.getValue().getValue();
+			
+			if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
+				if (authSession.getBusinessService()) {						    
+					subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
+					if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
+						subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
+					else
+						subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
+					
+				} else {
+					subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
+					if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
+						subjectNameID.setNameQualifier(oaParam.getTarget());
+					else
+						subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+				}
+				
+				
+			} else {
+				subjectNameID.setNameQualifier(bpktype);
+				subjectNameID.setValue(bpk);
+			}
+			
+		} else {
+			subjectNameID.setNameQualifier(authData.getBPKType());
+			subjectNameID.setValue(authData.getBPK());
+		}
 		
 
 		subject.setNameID(subjectNameID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index bbb610d62..49e013fe0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -6,6 +6,8 @@ import org.w3c.dom.Element;
 import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
@@ -13,6 +15,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailabl
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
 
 public class MandateNaturalPersonBPKAttributeBuilder extends BaseAttributeBuilder {
 
@@ -39,17 +42,40 @@ public class MandateNaturalPersonBPKAttributeBuilder extends BaseAttributeBuilde
 			}
 			IdentificationType id = null;
 			id = physicalPerson.getIdentification().get(0);
-			/*if(authSession.getBusinessService()) {
-				id = MandateBuilder.getWBPKIdentification(physicalPerson);
-			} else {
-				id = MandateBuilder.getBPKIdentification(physicalPerson);
-			}*/
+//			if(authSession.getBusinessService()) {
+//				id = MandateBuilder.getWBPKIdentification(physicalPerson);
+//			} else {
+//				id = MandateBuilder.getBPKIdentification(physicalPerson);
+//			}
 			if(id == null) {
 				Logger.error("Failed to generate IdentificationType");
 				throw new NoMandateDataAvailableException();
 			}
+			
+			String bpk;
+			try {
+			
+				if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
+					if (authSession.getBusinessService()) {						    
+						bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
+						
+					}
+					
+					else {
+						bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
+						
+					}
+								
+				} else 
+					bpk = id.getValue().getValue();
+				
+			} catch (BuildException e ){
+				Logger.error("Failed to generate IdentificationType");
+				throw new NoMandateDataAvailableException();
+			}
+		
 			return buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, 
-					MANDATE_NAT_PER_BPK_NAME, id.getValue().getValue());
+					MANDATE_NAT_PER_BPK_NAME, bpk);
 		}
 		return null;
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
new file mode 100644
index 000000000..eaa7e88af
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -0,0 +1,65 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+import org.w3c.dom.Element;
+
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.AuthenticationData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class MandateNaturalPersonSourcePinAttributeBuilder extends
+		BaseAttributeBuilder {
+
+	public String getName() {
+		return MANDATE_NAT_PER_SOURCE_PIN_OID;
+	}
+
+	public Attribute build(AuthenticationSession authSession,
+			OAAuthParameter oaParam, AuthenticationData authData)
+			throws PVP2Exception {
+		if(authSession.getUseMandate()) {
+			Element mandate = authSession.getMandate();
+			if(mandate == null) {
+				throw new NoMandateDataAvailableException();
+			}
+			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+			if(mandateObject == null) {
+				throw new NoMandateDataAvailableException();
+			}
+			PhysicalPersonType physicalPerson = mandateObject.getMandator()
+					.getPhysicalPerson();
+			if (physicalPerson == null) {
+				Logger.error("No physicalPerson mandate");
+				throw new NoMandateDataAvailableException();
+			}
+			IdentificationType id = null;
+			id = physicalPerson.getIdentification().get(0);
+			/*if(authSession.getBusinessService()) {
+				id = MandateBuilder.getWBPKIdentification(physicalPerson);
+			} else {
+				id = MandateBuilder.getBPKIdentification(physicalPerson);
+			}*/
+			if(id == null) {
+				Logger.error("Failed to generate IdentificationType");
+				throw new NoMandateDataAvailableException();
+			}
+			
+			return buildStringAttribute(MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME,
+					MANDATE_NAT_PER_SOURCE_PIN_NAME, id.getValue().getValue());
+		}
+		return null;
+	}
+
+	public Attribute buildEmpty() {
+		return buildemptyAttribute(MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME, 
+				MANDATE_NAT_PER_SOURCE_PIN_NAME);
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
new file mode 100644
index 000000000..7b8f59dd2
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
@@ -0,0 +1,65 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+import org.w3c.dom.Element;
+
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.AuthenticationData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class MandateNaturalPersonSourcePinTypeAttributeBuilder extends
+		BaseAttributeBuilder {
+
+	public String getName() {
+		return MANDATE_NAT_PER_SOURCE_PIN_TYPE_OID;
+	}
+
+	public Attribute build(AuthenticationSession authSession,
+			OAAuthParameter oaParam, AuthenticationData authData)
+			throws PVP2Exception {
+		if(authSession.getUseMandate()) {
+			Element mandate = authSession.getMandate();
+			if(mandate == null) {
+				throw new NoMandateDataAvailableException();
+			}
+			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+			if(mandateObject == null) {
+				throw new NoMandateDataAvailableException();
+			}
+			PhysicalPersonType physicalPerson = mandateObject.getMandator()
+					.getPhysicalPerson();
+			if (physicalPerson == null) {
+				Logger.error("No physicalPerson mandate");
+				throw new NoMandateDataAvailableException();
+			}
+			IdentificationType id = null;
+			id = physicalPerson.getIdentification().get(0);
+			/*if(authSession.getBusinessService()) {
+				id = MandateBuilder.getWBPKIdentification(physicalPerson);
+			} else {
+				id = MandateBuilder.getBPKIdentification(physicalPerson);
+			}*/
+			if(id == null) {
+				Logger.error("Failed to generate IdentificationType");
+				throw new NoMandateDataAvailableException();
+			}
+			
+			return buildStringAttribute(MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME,
+					MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, id.getType());
+		}
+		return null;
+	}
+
+	public Attribute buildEmpty() {
+		return buildemptyAttribute(MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, 
+				MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME);
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
index c8a9a24ad..1fbcb9a46 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
@@ -27,6 +27,7 @@ package at.gv.egovernment.moa.id.protocols.saml1;
 import java.util.Calendar;
 
 import org.apache.axis.AxisFault;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
@@ -78,12 +79,12 @@ public class GetAuthenticationDataService implements Constants {
   	throws AxisFault {
   		
 		Element request = requests[0];
-    Element[] responses = new Element[1];
+		Element[] responses = new Element[1];
 		String requestID = "";
 		String statusCode = "";
 		String subStatusCode = null;
 		String statusMessageCode = null;
-    String statusMessage = null;
+		String statusMessage = null;
 		String samlAssertion = "";
 		boolean useUTC = false;
 		if (requests.length > 1) {
@@ -107,14 +108,15 @@ public class GetAuthenticationDataService implements Constants {
 					subStatusCode = "samlp:TooManyResponses";
 					statusMessageCode = "1203";
 				}
+				
 				else {
 					Element samlArtifactElem = (Element)samlArtifactList.item(0);
                     requestID = request.getAttribute("RequestID");
 					String samlArtifact = DOMUtils.getText(samlArtifactElem);
+					SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace();
+					
 					try {
-						
-						SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace();
-						
+							
 						AuthenticationData authData = saml1server.getSaml1AuthenticationData(samlArtifact);
                         
 						useUTC = authData.getUseUTC();
@@ -123,9 +125,36 @@ public class GetAuthenticationDataService implements Constants {
 						samlAssertion = authData.getSamlAssertion();
 						statusCode = "samlp:Success";
 						statusMessageCode = "1200";
-          }
-          catch (AuthenticationException ex) {
-						// no authentication data for given SAML artifact
+					}
+					
+					catch (ClassCastException ex) {
+					
+						try {
+							Throwable error = saml1server.getErrorResponse(samlArtifact);
+							statusCode = "samlp:Responder";
+							subStatusCode = "samlp:RequestDenied";
+							
+							if (error instanceof MOAIDException) {
+								statusMessageCode = ((MOAIDException)error).getMessageId();	
+								statusMessage = StringEscapeUtils.escapeXml(((MOAIDException)error).getMessage());
+								
+							} else {
+								statusMessage = StringEscapeUtils.escapeXml(error.getMessage());	
+							}
+							
+							
+									
+						} catch (Exception e) {
+							//no authentication data for given SAML artifact
+							statusCode = "samlp:Requester";
+							subStatusCode = "samlp:ResourceNotRecognized";
+							statusMessage = ex.toString();
+						}
+						
+					}
+					
+					catch (AuthenticationException ex) {
+						//no authentication data for given SAML artifact
 						statusCode = "samlp:Requester";
 						subStatusCode = "samlp:ResourceNotRecognized";
 						statusMessage = ex.toString();
@@ -137,10 +166,12 @@ public class GetAuthenticationDataService implements Constants {
 				statusCode = "samlp:Requester";
 				statusMessageCode = "1204";
 	    }
-		}
+	}
+		
     try {
 			String responseID = Random.nextRandom();			
 			String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), useUTC);
+			
       if (statusMessage == null)
 			  statusMessage = MOAIDMessageProvider.getInstance().getMessage(statusMessageCode, null);
 	    responses[0] = new SAMLResponseBuilder().build(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 2a7147bcb..fec2d2b35 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -1,13 +1,8 @@
 package at.gv.egovernment.moa.id.protocols.saml1;
 
-import iaik.x509.X509Certificate;
-
-import java.io.File;
 import java.io.IOException;
-import java.security.cert.CertificateEncodingException;
 import java.util.Date;
 import java.util.List;
-import java.util.Vector;
 
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
@@ -27,16 +22,15 @@ import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
-import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
 import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser;
 import at.gv.egovernment.moa.id.auth.validator.ValidateException;
 import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
+import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
@@ -66,6 +60,33 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 	 */
 	private static final long authDataTimeOut = 2 * 60 * 1000; // default 2 minutes
 		
+	
+	public Throwable getErrorResponse(String samlArtifact) throws AuthenticationException {
+		try {
+			new SAMLArtifactParser(samlArtifact).parseAssertionHandle();
+			
+		} catch (ParseException ex) {
+			throw new AuthenticationException("1205", new Object[] {
+					samlArtifact, ex.toString() });
+		}
+		Throwable error = null;
+		synchronized (authenticationDataStore) {
+			try {
+				error = authenticationDataStore
+						.get(samlArtifact, Throwable.class);
+			
+				authenticationDataStore.remove(samlArtifact);
+				
+			} catch (MOADatabaseException e) {
+				Logger.error("Assertion not found for SAML Artifact: " + samlArtifact);
+				throw new AuthenticationException("1206", new Object[] { samlArtifact });
+			}
+			
+		}
+		
+		return error;
+	}
+	
 	/**
 	 * Retrieves <code>AuthenticationData</code> indexed by the SAML artifact.
 	 * The <code>AuthenticationData</code> is deleted from the store upon end of
@@ -77,6 +98,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 			throws AuthenticationException {
 		try {
 			new SAMLArtifactParser(samlArtifact).parseAssertionHandle();
+			
 		} catch (ParseException ex) {
 			throw new AuthenticationException("1205", new Object[] {
 					samlArtifact, ex.toString() });
@@ -123,6 +145,18 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 		return authData;
 	}
 	
+	public String BuildErrorAssertion(Throwable error, IRequest protocolRequest) 
+			throws BuildException, MOADatabaseException {
+		
+		String samlArtifact = new SAMLArtifactBuilder().build(
+				protocolRequest.getOAURL(), protocolRequest.getRequestID(),
+				null);
+		
+		authenticationDataStore.put(samlArtifact, error);
+		
+		return samlArtifact;
+	}
+	
 	public String BuildSAMLArtifact(AuthenticationSession session, 
 			OAAuthParameter oaParam, 
 			AuthenticationData authData) 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index fad25bc20..a310b16ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -13,6 +13,7 @@ import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.IAction;
@@ -22,6 +23,8 @@ import at.gv.egovernment.moa.id.moduls.ServletInfo;
 import at.gv.egovernment.moa.id.moduls.ServletType;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.URLEncoder;
 
 public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
 
@@ -107,8 +110,22 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
 			HttpServletRequest request, HttpServletResponse response,
 			IRequest protocolRequest) 
 					throws Throwable{
-		// TODO Auto-generated method stub
-		return false;
+		
+		SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace();
+		
+		String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest);
+		
+		String url = "RedirectServlet";
+		url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8"));
+		url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
+		url = response.encodeRedirectURL(url);
+		
+		response.setContentType("text/html");
+		response.setStatus(302);
+		response.addHeader("Location", url);
+		Logger.debug("REDIRECT TO: " + url);
+		
+		return true;
 	}
 
 	public IAction getAction(String action) {
@@ -145,5 +162,14 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
 		
 		return true;
 	}
+	
+	protected static String addURLParameter(String url, String paramname,
+			String paramvalue) {
+		String param = paramname + "=" + paramvalue;
+		if (url.indexOf("?") < 0)
+			return url + "?" + param;
+		else
+			return url + "&" + param;
+	}
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index d6bef8d53..ea823889f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -43,6 +43,7 @@ import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
+import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.logging.Logger;
@@ -237,7 +238,7 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{
     * @param template
     * @return
     */
-   public static boolean isValidTemplate(HttpServletRequest req, String template) {
+   public static boolean isValidTemplate(HttpServletRequest req, String template, List<TemplateType> oaSlTemplates) {
    
 	   Logger.debug("Ueberpruefe Parameter Template bzw. bkuSelectionTemplateURL");
 	   
@@ -267,6 +268,13 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{
     			  //check against configured trustet template urls
     			  AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
     			  List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
+    			  
+    			  //get OA specific template URLs
+    			  if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
+    			    for (TemplateType el : oaSlTemplates)
+    			    	trustedTemplateURLs.add(el.getURL());    				  
+    			  }
+    			  
 	    		  boolean b = trustedTemplateURLs.contains(template);
 	    		  if (b) {
 	    			  Logger.debug("Parameter Template erfolgreich ueberprueft");
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2013-09-04 07:25:09 +0200
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2013-09-04 07:25:09 +0200
commit	61362f940ca679fe215de34b1683e1110fea8d3e (patch)
tree	0857aa21842a33d6e6e52d27b058c1af9831cb6b /id/server/idserverlib/src/main/java/at
parent	8854b5c2c1e342b891271a04face4f4479653d46 (diff)
download	moa-id-spss-61362f940ca679fe215de34b1683e1110fea8d3e.tar.gz moa-id-spss-61362f940ca679fe215de34b1683e1110fea8d3e.tar.bz2 moa-id-spss-61362f940ca679fe215de34b1683e1110fea8d3e.zip