aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-AT_eIDAS_connector/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2020-04-06 10:23:53 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-04-06 10:23:53 +0200
commita056118bbfabb53dc2856ff07d068cd57ddc8be3 (patch)
treee8972ade3b0137e8a61e10d9717a512787c16ba5 /id/server/modules/moa-id-module-AT_eIDAS_connector/src
parent7fa91731a8b852e9a8a4ea1a152a5aa74523d47e (diff)
parentaebaed0e889413491b5769babf39a200bd312992 (diff)
downloadmoa-id-spss-a056118bbfabb53dc2856ff07d068cd57ddc8be3.tar.gz
moa-id-spss-a056118bbfabb53dc2856ff07d068cd57ddc8be3.tar.bz2
moa-id-spss-a056118bbfabb53dc2856ff07d068cd57ddc8be3.zip
Merge branch 'development_preview'
Diffstat (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src')
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java19
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java3
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java2
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java27
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java3
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java151
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java22
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java27
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java6
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule1
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml4
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java348
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java136
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/SemperMandateProfilesAttributeBuilderTest.java30
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml20
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml43
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml33
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml43
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml40
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml43
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml44
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml40
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml44
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml42
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml35
25 files changed, 1188 insertions, 18 deletions
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
index 19950a078..96c78abb4 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
@@ -27,6 +27,7 @@ import java.util.Collections;
import java.util.List;
import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.data.Trible;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
@@ -60,6 +61,8 @@ public class EidasCentralAuthConstants {
public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl";
public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID";
+ public static final String CONFIG_PROPS_SEMPER_MANDATES_ACTIVE = CONFIG_PROPS_PREFIX + "semper.mandates.active";
+ public static final String CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST = CONFIG_PROPS_PREFIX + "semper.msproxy.list";
public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH;
public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES =
@@ -81,6 +84,22 @@ public class EidasCentralAuthConstants {
}
});
+ public static final List<Pair<String, Boolean>> DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Pair<String, Boolean>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //request entity information
+ add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, false));
+ add(Pair.newInstance(PVPConstants.MANDATE_TYPE_OID_NAME, false));
+
+ add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, false));
+ add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, false));
+ add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, false));
+
+
+ }
+ });
+
public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES =
Collections.unmodifiableList(new ArrayList<String>() {
private static final long serialVersionUID = 1L;
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
index 821a200c7..53b3f3e1a 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
@@ -29,6 +29,7 @@ import javax.annotation.PostConstruct;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
+import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
@@ -64,7 +65,7 @@ public class EidasCentralAuthModuleImpl implements AuthModule {
* @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
*/
@Override
- public String selectProcess(ExecutionContext context) {
+ public String selectProcess(ExecutionContext context, IRequest pendingReq) {
Serializable paramObj = context.get(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION);
if (paramObj != null ) {
if (paramObj instanceof String) {
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
index aad1244f1..2bb384c74 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
@@ -334,7 +334,7 @@ public class EidasCentralAuthMetadataConfiguration implements IPVPMetadataBuilde
* @param additionalAttr List of PVP attribute name and isRequired flag
*/
public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) {
- if (additionalAttr != null) {
+ if (additionalAttr != null && !additionalAttr.isEmpty()) {
additionalAttributes = new ArrayList<RequestedAttribute>();
for (Pair<String, Boolean> el : additionalAttr) {
Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst());
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
index 4898c8f1e..a0c1fa30b 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
@@ -37,6 +37,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
import com.google.common.net.MediaType;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
@@ -72,7 +73,7 @@ public class EidasCentralAuthMetadataController extends AbstractController {
@RequestMapping(value = EidasCentralAuthConstants.ENDPOINT_METADATA,
method = {RequestMethod.GET})
- public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException {
//check PublicURL prefix
try {
String authURL = HTTPUtils.extractAuthURLFromRequest(req);
@@ -101,16 +102,24 @@ public class EidasCentralAuthMetadataController extends AbstractController {
} catch (Exception e) {
Logger.warn("Build federated-authentication PVP metadata FAILED.", e);
- handleErrorNoRedirect(e, req, resp, false);
+ protAuthService.handleErrorNoRedirect(e, req, resp, false);
}
}
private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() {
- Map<String, String> addReqAttributes = authConfig.getBasicMOAIDConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);
- if (addReqAttributes != null) {
- List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+ List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+
+ //load SEMPER attributes if required
+ if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) {
+ result.addAll(EidasCentralAuthConstants.DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES);
+
+ }
+
+ //load attributes from configuration
+ Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);
+ if (addReqAttributes != null) {
for (String el : addReqAttributes.values()) {
if (MiscUtil.isNotEmpty(el)) {
Logger.trace("Parse additional attr. definition: " + el);
@@ -122,12 +131,12 @@ public class EidasCentralAuthMetadataController extends AbstractController {
Logger.info("IGNORE additional attr. definition: " + el
+ " Reason: Format not valid");
}
- }
-
- return result;
+ }
}
- return null;
+ return result;
+
+
}
}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
index 1486ef841..60a98213e 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
@@ -32,6 +32,7 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
import at.gv.egovernment.moa.logging.Logger;
@@ -55,7 +56,7 @@ public class EidasCentralAuthSignalController extends AbstractProcessEngineSigna
EidasCentralAuthConstants.ENDPOINT_REDIRECT
},
method = {RequestMethod.POST, RequestMethod.GET})
- public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException {
signalProcessManagement(req, resp);
}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java
new file mode 100644
index 000000000..222ba812c
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java
@@ -0,0 +1,151 @@
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.xml.XMLObject;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class AuthnRequestSemperProcessor implements IAuthnRequestPostProcessor {
+
+ @Autowired IConfiguration authConfig;
+
+ @Override
+ public void process(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq,
+ SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException {
+ if (authConfig.getBasicConfigurationBoolean(
+ EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)
+ && isSpAllowed(authReq)) {
+
+ Logger.debug("SEMPER mode detected. Starting SP-Info extraction from requested attributes ...");
+ extractRequestedAttributeInformation(authReq, pendingReq);
+
+ } else {
+ Logger.trace("Skip: " + AuthnRequestSemperProcessor.class.getSimpleName() + " because is's not active or not allowed");
+
+ }
+
+ }
+
+ private boolean isSpAllowed(AuthnRequest authReq) {
+ String csvOfAllowedProxies = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST);
+ List<String> allowedProxies = KeyValueUtils.getListOfCSVValues(csvOfAllowedProxies);
+ Logger.trace("Validate SP-EntityId: " + authReq.getIssuer().getValue()
+ + " with allowed MS-Proxies: [" + StringUtils.join(allowedProxies, ", ") + "]");
+ return allowedProxies.contains(authReq.getIssuer().getValue());
+
+ }
+
+
+ private void extractRequestedAttributeInformation(AuthnRequest authnReq, IRequest pendingReq) throws AuthnRequestValidatorException {
+ // validate and process requested attributes
+ boolean hasValidBpkTarget = false;
+ if (authnReq.getExtensions() != null) {
+ final List<XMLObject> requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects();
+ for (final XMLObject reqAttrObj : requestedAttributes) {
+ if (reqAttrObj instanceof EAAFRequestedAttributes) {
+ final EAAFRequestedAttributes reqAttr = (EAAFRequestedAttributes) reqAttrObj;
+ if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) {
+ for (final EAAFRequestedAttribute el : reqAttr.getAttributes()) {
+ Logger.trace("Processing req. attribute '" + el.getName() + "' ... ");
+ if (el.getName().equals(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
+ hasValidBpkTarget = extractBpkTarget(el, pendingReq);
+
+ } else if (el.getName().equals(ExtendedPVPAttributeDefinitions.SP_USESMANDATES_NAME )) {
+ extractMandateProfiles(el, pendingReq);
+
+ } else {
+ Logger.debug("Ignore req. attribute: " + el.getName());
+ }
+
+ }
+
+ } else {
+ Logger.debug("No requested Attributes in Authn. Request");
+ }
+
+ } else {
+ Logger.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString());
+ }
+
+ }
+ }
+
+ if (!hasValidBpkTarget) {
+ Logger.info("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information.");
+ throw new AuthnRequestValidatorException("pvp2.22", new Object[] {
+ "NO or NO VALID target-sector information" });
+
+ }
+
+ }
+
+ private void extractMandateProfiles(EAAFRequestedAttribute el, IRequest pendingReq) {
+ if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+ final String profiles = el.getAttributeValues().get(0).getDOM().getTextContent();
+ Map<String, String> configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration();
+ Logger.debug("Set MandateProfiles to: " + profiles);
+ configProps.put(
+ MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_USE,
+ String.valueOf(true));
+ configProps.put(
+ MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES,
+ profiles);
+
+ } else {
+ Logger.info("Req. attribute '" + el.getName()
+ + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
+ }
+
+ }
+
+
+ private boolean extractBpkTarget(final EAAFRequestedAttribute el, IRequest pendingReq) {
+ if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+ final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent();
+ Map<String, String> configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration();
+ if (sectorId.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) {
+ Logger.debug("Set eIDAS target to: " + sectorId);
+ configProps.put(
+ MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE,
+ MOAIDConstants.IDENIFICATIONTYPE_EIDAS);
+ configProps.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE,
+ sectorId.substring(EAAFConstants.URN_PREFIX_EIDAS.length()));
+ return true;
+
+ } else {
+ Logger.info("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: "
+ + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+
+ }
+
+ } else {
+ Logger.info("Req. attribute '" + el.getName()
+ + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
+ }
+
+ return false;
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
index c1229e3ff..d3a2d2840 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
@@ -29,6 +29,7 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.metadata.EntityDescriptor;
@@ -38,6 +39,7 @@ import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPVPAttributeDefinitions;
import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
@@ -55,6 +57,7 @@ import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentral
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -168,15 +171,30 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
private List<EAAFRequestedAttribute> buildRequestedAttributes() {
List<EAAFRequestedAttribute> attributs = new ArrayList<EAAFRequestedAttribute>();
+ OAAuthParameterDecorator spConfig =
+ pendingReq.getServiceProviderConfiguration(OAAuthParameterDecorator.class);
+
//build EID sector for identification attribute
Attribute attr = PVPAttributeBuilder.buildEmptyAttribute(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME);
EAAFRequestedAttribute reqAttr = SAML2Utils.generateReqAuthnAttributeSimple(
attr ,
true,
- pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+ spConfig.getAreaSpecificTargetIdentifier());
attributs.add(reqAttr );
- //TODO: add mandate information if mandates are used!!!!
+ //build MandateProfileAttribute if SEMPER is enabled and mandates are requested
+ if (spConfig.isShowMandateCheckBox()
+ && authConfig.getBasicConfigurationBoolean(
+ EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) {
+ Logger.debug("SEMPER mode is active. Inject MandateProfiles into eIDAS MS-Connector request");
+ final Attribute attrMandateProfiles = PVPAttributeBuilder.buildEmptyAttribute(
+ ExtendedPVPAttributeDefinitions.SP_USESMANDATES_NAME);
+ final EAAFRequestedAttribute mandateProfilesReqAttr = SAML2Utils.generateReqAuthnAttributeSimple(
+ attrMandateProfiles, true,
+ StringUtils.join(spConfig.getMandateProfiles(), ","));
+ attributs.add(mandateProfilesReqAttr);
+
+ }
return attributs;
}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
index f3eaff11a..eeef68c3e 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks;
import java.io.IOException;
+import java.util.Arrays;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
@@ -64,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentral
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -148,6 +150,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class));
+ //set NeedConsent to false, because user gives consont during authentication
+ pendingReq.setNeedUserConsent(false);
+
//store pending-request
requestStoreage.storePendingRequest(pendingReq);
@@ -194,7 +199,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
}
-
+
//copy attributes into MOASession
AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class);
Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
@@ -207,12 +212,32 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//set foreigner flag
session.setForeigner(true);
+
+ //set CCE URL
if (extractor.getFullAssertion().getIssuer() != null &&
StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue()))
session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue());
else
session.setBkuURL("eIDAS_Authentication");
+ if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) {
+ if (extractor.containsAttribute(PVPConstants.MANDATE_TYPE_NAME)) {
+ Logger.trace("Check attributes in SEMPER eIDAS mode.");
+ if (!extractor.containsAllRequiredAttributes(Arrays.asList(
+ PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME,
+ PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME,
+ PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME))) {
+ Logger.warn("PVP Response from 'ms-specific eIDAS node' contains not all required attributes for eIDAS SEMPER process.");
+ throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ Logger.info("SEMPER mode is active and mandates are found. Activing mandates for eIDAS login ... ");
+ session.setUseMandates(true);
+
+ }
+ }
+
} catch (AssertionValidationExeption e) {
throw new BuildException("builder.06", null, e);
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
index cd3f1f788..5c3bf0d27 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
@@ -44,7 +44,7 @@ import org.opensaml.xml.parse.BasicParserPool;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
-import at.gv.egiz.eaaf.core.api.IDestroyableObject;
+import at.gv.egiz.components.spring.api.IDestroyableObject;
import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain;
import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
@@ -323,14 +323,14 @@ public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
PVPConstants.SSLSOCKETFACTORYNAME,
- moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+ moaAuthConfig.getBasicConfigurationBoolean(
AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
moaAuthConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
moaAuthConfig.isTrustmanagerrevoationchecking(),
moaAuthConfig.getRevocationMethodOrder(),
- moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+ moaAuthConfig.getBasicConfigurationBoolean(
AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule
new file mode 100644
index 000000000..b0bb67f32
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthModuleImpl \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
index f57d4a94b..baf7e84b5 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
@@ -31,6 +31,10 @@
<bean id="pvpAuthnRequestBuilder"
class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder" />
+ <bean id="semperAuthnRequestPostProcessor"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper.AuthnRequestSemperProcessor" />
+
+
<!-- Federated Authentication Process Tasks -->
<bean id="CreateEidasCentrialAuthnRequestTask"
class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks.CreateAuthnRequestTask"
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java
new file mode 100644
index 000000000..9b0ebf88c
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java
@@ -0,0 +1,348 @@
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper;
+
+import static org.hamcrest.collection.IsIterableContainingInOrder.contains;
+import static org.junit.Assert.assertThat;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.io.Unmarshaller;
+import org.opensaml.xml.io.UnmarshallerFactory;
+import org.opensaml.xml.io.UnmarshallingException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConfigConstants;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.core.impl.idp.conf.SPConfigurationImpl;
+import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EAAFDefaultSAML2Bootstrap;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({
+ "/SpringTest-context_basic_test.xml" })
+@DirtiesContext(classMode = ClassMode.BEFORE_CLASS)
+public class AuthnRequestSemperProcessorTest {
+
+ @Autowired DummyAuthConfigMap configMap;
+ @Autowired AuthnRequestSemperProcessor processor;
+
+ private MockHttpServletRequest httpReq;
+ private MockHttpServletResponse httpResp;
+ private TestRequestImpl pendingReq;
+
+ /**
+ * jUnit class initializer.
+ * @throws ConfigurationException In case of an OpenSAML error
+ *
+ */
+ @BeforeClass
+ public static void classInitializer() throws ConfigurationException {
+ EAAFDefaultSAML2Bootstrap.bootstrap();
+
+ }
+
+ /**
+ * jUnit test set-up.
+ *
+ */
+ @Before
+ public void initialize() {
+ configMap.putConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, "true");
+ configMap.putConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST,
+ RandomStringUtils.randomAlphabetic(15) + ",https://demo.egiz.gv.at/ms_connector/sp/metadata");
+
+ httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector");
+ httpResp = new MockHttpServletResponse();
+ RequestContextHolder.resetRequestAttributes();
+ RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp));
+
+ Map<String, String> spConfig = new HashMap<>();
+ spConfig.put(EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER,
+ "https://demo.egiz.gv.at/ms_connector/sp/metadata");
+
+ pendingReq = new TestRequestImpl();
+ pendingReq.setAuthURL("https://localhost/ms_connector");
+ pendingReq.setPendingReqId(RandomStringUtils.randomAlphanumeric(10));
+ pendingReq.setSpConfig(new OAAuthParameterDecorator(new SPConfigurationImpl(spConfig, configMap)));
+
+ }
+
+ @Test
+ public void semperModeNotSet() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+ configMap.removeConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE);
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void semperModeInactive() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+ configMap.putConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, "false");
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void allowedSPsNotSet() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+ configMap.removeConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST);
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void nonValidSpEntityId() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+
+
+ pendingReq.getServiceProviderConfiguration().getFullConfiguration().put(
+ EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER,
+ "https://apps.egiz.gv.at/ms_connector/sp/metadata");
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_2.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void bPKTargetIsMissing_1() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_3.xml");
+
+ try {
+ processor.process(httpReq, pendingReq, authReq , null);
+ Assert.fail("No bPK target not detected");
+
+ } catch (AuthnRequestValidatorException e) {
+ Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId());
+
+ }
+ }
+
+ @Test
+ public void bPKTargetIsMissing_2() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_4.xml");
+
+ try {
+ processor.process(httpReq, pendingReq, authReq , null);
+ Assert.fail("No bPK target not detected");
+
+ } catch (AuthnRequestValidatorException e) {
+ Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId());
+
+ }
+ }
+
+ @Test
+ public void bPKTargetIsMissing_3() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_5.xml");
+
+ try {
+ processor.process(httpReq, pendingReq, authReq , null);
+ Assert.fail("No bPK target not detected");
+
+ } catch (AuthnRequestValidatorException e) {
+ Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId());
+
+ }
+ }
+
+ @Test
+ public void noRequestedAttributes() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_9.xml");
+
+ try {
+ processor.process(httpReq, pendingReq, authReq , null);
+ Assert.fail("No bPK target not detected");
+
+ } catch (AuthnRequestValidatorException e) {
+ Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId());
+
+ }
+ }
+
+ @Test
+ public void noSAML2ExtentsionElement() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_10.xml");
+
+ try {
+ processor.process(httpReq, pendingReq, authReq , null);
+ Assert.fail("No bPK target not detected");
+
+ } catch (AuthnRequestValidatorException e) {
+ Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId());
+
+ }
+ }
+
+ @Test
+ public void validSpEntityIdNoMandateProfiles() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_6.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier());
+
+
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void validSpEntityIdNotValidMandateProfiles_1() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_7.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier());
+
+
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void validSpEntityIdNotValidMandateProfiles_2() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_8.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier());
+
+
+ Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+ Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+
+ }
+
+ @Test
+ public void validSpEntityIdWithMandateProfiles() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException {
+
+ AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml");
+
+ processor.process(httpReq, pendingReq, authReq , null);
+
+ ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();
+ Assert.assertNotNull("SP config is null", spConfig);
+ org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class,
+ spConfig, "SP config is NOT of type MOA-ID SP Config");
+
+ Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier());
+ Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier());
+
+
+ Assert.assertTrue("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox());
+
+ Assert.assertNotNull("Mandate profiles are null", ((OAAuthParameterDecorator)spConfig).getMandateProfiles());
+ Assert.assertEquals("Number of mandate profiles not match", 3, ((OAAuthParameterDecorator)spConfig).getMandateProfiles().size());
+ assertThat("Mandate profiles not match", ((OAAuthParameterDecorator)spConfig).getMandateProfiles(),
+ contains("Einzelvertretungsbefugnis", "1.2.40.0.10.1.7.3.1.1", "ERsB"));
+
+ }
+
+ private AuthnRequest getAuthRequest(String resource) throws
+ ParserConfigurationException, SAXException, IOException, UnmarshallingException {
+ final Element authBlockDom =
+ DOMUtils.parseXmlValidating(AuthnRequestSemperProcessor.class.getResourceAsStream(resource));
+
+ final UnmarshallerFactory unmarshallerFactory =
+ org.opensaml.xml.Configuration.getUnmarshallerFactory();
+ final Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDom);
+ return (AuthnRequest) unmarshaller.unmarshall(authBlockDom);
+
+}
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java
new file mode 100644
index 000000000..1cc51f2e0
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java
@@ -0,0 +1,136 @@
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+
+/**
+ * Dummy Application-configuration implementation for jUnit tests.
+ *
+ * @author tlenz
+ *
+ */
+public class DummyAuthConfigMap implements IConfigurationWithSP {
+
+ private Map<String, String> config = new HashMap<>();
+
+ public DummyAuthConfigMap() {
+
+ }
+
+ /**
+ * Dummy Application-configuration.
+ *
+ * @param configIs Property based configuration
+ * @throws IOException In case of an configuration read error
+ */
+ public DummyAuthConfigMap(final InputStream configIs) throws IOException {
+
+ final Properties props = new Properties();
+ props.load(configIs);
+
+ config = KeyValueUtils.convertPropertiesToMap(props);
+
+ }
+
+ /**
+ * Dummy Application-configuration.
+ *
+ * @param path Path to property based configuration
+ * @throws IOException In case of an configuration read error
+ */
+ public DummyAuthConfigMap(final String path) throws IOException {
+
+ final Properties props = new Properties();
+ props.load(this.getClass().getResourceAsStream(path));
+
+ config = KeyValueUtils.convertPropertiesToMap(props);
+
+ }
+
+
+ @Override
+ public String getBasicConfiguration(final String key) {
+ return config.get(key);
+
+ }
+
+ @Override
+ public String getBasicConfiguration(final String key, final String defaultValue) {
+ final String value = getBasicConfiguration(key);
+ if (StringUtils.isEmpty(value)) {
+ return defaultValue;
+ } else {
+ return value;
+ }
+
+ }
+
+ @Override
+ public Boolean getBasicConfigurationBoolean(final String key) {
+ final String value = getBasicConfiguration(key);
+ if (StringUtils.isEmpty(value)) {
+ return false;
+ } else {
+ return Boolean.valueOf(value);
+ }
+ }
+
+ @Override
+ public boolean getBasicConfigurationBoolean(final String key, final boolean defaultValue) {
+ return Boolean.parseBoolean(getBasicConfiguration(key, String.valueOf(defaultValue)));
+
+ }
+
+ @Override
+ public Map<String, String> getBasicConfigurationWithPrefix(final String prefix) {
+ return KeyValueUtils.getSubSetWithPrefix(config, prefix);
+
+ }
+
+ @Override
+ public ISPConfiguration getServiceProviderConfiguration(final String uniqueID)
+ throws EAAFConfigurationException {
+ return null;
+ }
+
+ @Override
+ public <T> T getServiceProviderConfiguration(final String spIdentifier, final Class<T> decorator)
+ throws EAAFConfigurationException {
+ return null;
+ }
+
+ @Override
+ public URI getConfigurationRootDirectory() {
+ return new java.io.File(".").toURI();
+
+ }
+
+ @Override
+ public String validateIDPURL(final URL authReqUrl) throws EAAFException {
+ return null;
+ }
+
+ public void putConfigValue(final String key, final String value) {
+ config.put(key, value);
+ }
+
+ public void removeConfigValue(final String key) {
+ config.remove(key);
+
+ }
+
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/SemperMandateProfilesAttributeBuilderTest.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/SemperMandateProfilesAttributeBuilderTest.java
new file mode 100644
index 000000000..c359c2da3
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/SemperMandateProfilesAttributeBuilderTest.java
@@ -0,0 +1,30 @@
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.xml.ConfigurationException;
+
+import at.gv.egiz.eaaf.core.api.data.ExtendedPVPAttributeDefinitions;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EAAFDefaultSAML2Bootstrap;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class SemperMandateProfilesAttributeBuilderTest {
+
+ @BeforeClass
+ public static void classInitializer() throws ConfigurationException {
+ EAAFDefaultSAML2Bootstrap.bootstrap();
+
+ }
+
+ @Test
+ public void buildEmptyAttribute() {
+ final Attribute attrMandateProfiles = PVPAttributeBuilder.buildEmptyAttribute(
+ ExtendedPVPAttributeDefinitions.SP_USESMANDATES_NAME);
+ Assert.assertNotNull("Attr.", attrMandateProfiles);
+ }
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml
new file mode 100644
index 000000000..18900c27d
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+ <context:annotation-config />
+
+ <bean id="semperAuthnRequestPostProcessor"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper.AuthnRequestSemperProcessor" />
+
+ <bean id="dummyConfig"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper.DummyAuthConfigMap" />
+
+</beans> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml
new file mode 100644
index 000000000..f6c6b26ee
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml
new file mode 100644
index 000000000..1d52986fc
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml
new file mode 100644
index 000000000..c5b634539
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://apps.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml
new file mode 100644
index 000000000..d79caa0fe
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml
new file mode 100644
index 000000000..c04a97a7f
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"></eid:AttributeValue>
+ </eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml
new file mode 100644
index 000000000..339514323
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue>
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+XX</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml
new file mode 100644
index 000000000..8a046363c
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml
new file mode 100644
index 000000000..502619e94
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml
new file mode 100644
index 000000000..ff667168a
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions">
+ <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue>
+ </eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ </eid:RequestedAttribute>
+ </eid:RequestedAttributes>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml
new file mode 100644
index 000000000..5506b2f31
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer>
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <saml2p:Extensions>
+ </saml2p:Extensions>
+ <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+ <saml2p:RequestedAuthnContext Comparison="minimum">
+ <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
+ </saml2p:RequestedAuthnContext>
+ <saml2p:Scoping>
+ <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID>
+ </saml2p:Scoping>
+</saml2p:AuthnRequest> \ No newline at end of file