finish first beta-version of ELGA mandate-service client-module

7 files changed, 216 insertions, 28 deletions

diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
index b521116d3..320c4fdc6 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
@@ -42,6 +42,8 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
 	private EntityDescriptor idpEntity;
 	private Credential signCred;
 	private String subjectNameID;
+	private String subjectNameIDQualifier;
+	private String requestID;
 	
 	
 	/* (non-Javadoc)
@@ -73,7 +75,7 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
 	 */
 	@Override
 	public String getNameIDPolicyFormat() {
-		return NameID.TRANSIENT;
+		return NameID.PERSISTENT;
 	}
 
 	/* (non-Javadoc)
@@ -81,7 +83,7 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
 	 */
 	@Override
 	public boolean getNameIDPolicyAllowCreation() {
-		return true;
+		return false;
 	}
 	
 	/* (non-Javadoc)
@@ -143,6 +145,15 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
 		this.subjectNameID = subjectNameID;
 	}
 
+	
+	
+	/**
+	 * @param requestID the requestID to set
+	 */
+	public void setRequestID(String requestID) {
+		this.requestID = requestID;
+	}
+
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
 	 */
@@ -183,5 +194,30 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
 		return NameID.PERSISTENT;
 	}
 
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+	 */
+	@Override
+	public String getRequestID() {
+		return this.requestID;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+	 */
+	@Override
+	public String getSubjectNameIDQualifier() {
+		return this.subjectNameIDQualifier;
+	}
+
+	/**
+	 * @param subjectNameIDQualifier the subjectNameIDQualifier to set
+	 */
+	public void setSubjectNameIDQualifier(String subjectNameIDQualifier) {
+		this.subjectNameIDQualifier = subjectNameIDQualifier;
+	}
+	
+	
+
 	
 }
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java
new file mode 100644
index 000000000..50bac3eab
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.internal.tasks.InitializeBKUAuthenticationTask;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ELGAInitializeBKUAuthenticationTask")
+public class ELGAInitializeBKUAuthenticationTask extends InitializeBKUAuthenticationTask {
+
+	@Override
+	public void execute(ExecutionContext executionContext,
+			HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+				
+		try {
+			//perform Default-BKU authentication initialization
+			internalInitializeWithoutPersist(executionContext, request, response);
+			
+			//perform ELGA Mandate-Service specific parts
+			Logger.debug("Perfom ELGA-Mandate specific parts of initialisation.");
+			Boolean misMandateUsed = (Boolean) executionContext.get(MOAIDAuthConstants.PARAM_USEMISMANDATE);
+			
+			boolean elgaMandateUsed = false;
+			Object elgaMandateUsedObj = executionContext.get(MOAIDAuthConstants.PARAM_USEELGAMANDATE);
+			if (elgaMandateUsedObj == null || 
+					!(elgaMandateUsedObj instanceof String || elgaMandateUsedObj instanceof Boolean)) {
+				Logger.error("Use ELGA-MandateService flag has a wrong type.");
+				throw new MOAIDException("auth.12", new Object[]{"Start-BKU Authentication","useELGAMandate"});
+				
+			} else {
+				if (elgaMandateUsedObj instanceof String)
+					elgaMandateUsed = Boolean.parseBoolean((String) elgaMandateUsedObj);
+				else
+					elgaMandateUsed = (boolean) elgaMandateUsedObj;
+								
+			}
+			
+			
+			//check if both mandate Services are requested
+			if ( (misMandateUsed != null && misMandateUsed) &&
+					elgaMandateUsed ) {
+				Logger.error("Can not use MIS-MandateService and ELGA-MandateService twince");
+				throw new MOAIDException("validator.73", null);
+				
+			}
+			
+			//remove MIS-Mandate flag and set useMandate flag to MOASession
+			if (elgaMandateUsed) {
+				Logger.debug("Authentication process select ELGA-MandateService.");
+				executionContext.remove(MOAIDAuthConstants.PARAM_USEMISMANDATE);
+				moasession.setUseMandates(elgaMandateUsed);
+			}
+			
+			//disable SSO if it is requested
+			if (pendingReq.needSingleSignOnFunctionality() && moasession.isMandateUsed()) {
+				Logger.info("ELGA-MandateService does not allow Single Sign-On. SSO get disabled for this request.");
+				pendingReq.setNeedSingleSignOnFunctionality(false);
+				
+				
+			}
+			
+			//store MOASession and pendingRequest
+			requestStoreage.storePendingRequest(pendingReq);
+			authenticatedSessionStorage.storeSession(moasession);
+			
+		} catch (MOADatabaseException | MOAIDException e) {
+			Logger.info("Initialize BKUAuthentication with ELGA Mandates FAILED. Reason:" + e.getMessage());
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}
+	}
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
index 13e17e03e..a5e316f10 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
@@ -37,6 +37,7 @@ import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -46,6 +47,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCred
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
@@ -55,7 +57,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -67,7 +69,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Component("ReceiveElgaMandateResponseTask")
 public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 
-	@Autowired SAMLVerificationEngine samlVerificationEngine;
+	@Autowired SAMLVerificationEngineSP samlVerificationEngine;
 	@Autowired ELGAMandatesCredentialProvider credentialProvider;
 	@Autowired ELGAMandateServiceMetadataProvider metadataProvider;
 	
@@ -81,13 +83,18 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 		
 		try {						
 			IDecoder decoder = null;
+			MOAURICompare comperator = null;
 			//select Response Binding
 			if (request.getMethod().equalsIgnoreCase("POST")) {
 				decoder = new PostBinding();
+				comperator = new MOAURICompare(pendingReq.getAuthURL() 
+						+ ELGAMandatesAuthConstants.ENDPOINT_POST);
 				Logger.debug("Receive PVP Response from ELGA mandate-service, by using POST-Binding.");
 				
 			}  else if (request.getMethod().equalsIgnoreCase("GET")) {
 				decoder = new RedirectBinding();
+				comperator = new MOAURICompare(pendingReq.getAuthURL()
+						+ ELGAMandatesAuthConstants.ENDPOINT_REDIRECT);
 				Logger.debug("Receive PVP Response from ELGA mandate-service, by using Redirect-Binding.");
 				
 			} else {
@@ -99,7 +106,8 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 			}
 			
 			//decode PVP response object
-			msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true);
+			msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true,
+					comperator);
 			 
 			if (MiscUtil.isEmpty(msg.getEntityID())) {
 				throw new InvalidProtocolRequestException("sp.pvp2.04", 
@@ -138,7 +146,7 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 			//validate receive mandate reference-value
 			String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); 
 			if (!moasession.getMandateReferenceValue().equals(responseRefValue)) {
-				Logger.warn("PVP Response from ELGA mandate-service contains not all requested attributes.");
+				Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue.");
 				throw new AssertionValidationExeption("sp.pvp2.07", 
 						new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
 								PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME});
@@ -157,30 +165,35 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 			//store MOASession
 			authenticatedSessionStorage.storeSession(moasession);
 						
-			//TODO write log entries
-			//revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);
+			//write revisions log entry
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_RECEIVED);
 			
 			Logger.info("Receive a valid assertion from ELGA mandate-service " + msg.getEntityID()); 
 											
 		} catch (MessageDecodingException | SecurityException e) {
 			String samlRequest = request.getParameter("SAMLRequest");			
 			Logger.warn("Receive INVALID PVP Response from ELGA mandate-service: " + samlRequest, e);
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
 			throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from ELGA mandate-service", e);
 
 		} catch (IOException | MarshallingException | TransformerException e) {
 			Logger.warn("Processing PVP response from ELGA mandate-service FAILED.", e);
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
 			throw new TaskExecutionException(pendingReq, "Processing PVP response from ELGA mandate-service FAILED.", e);
 			
 		} catch (CredentialsNotAvailableException e) {
 			Logger.error("ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
 			throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
 
 		} catch (AssertionValidationExeption | AuthnResponseValidationException e) {
-			Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage());			
+			Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage());
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED, e.getMessageId());
 			throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response validation FAILED.", e);
 									
 		} catch (Exception e) {
-			Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage());			
+			Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage());
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
 			throw new TaskExecutionException(pendingReq, "ELGA mandate-service: General Exception.", e);
 			
 		}
@@ -210,12 +223,36 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 			return msg;
 				
 		} else {
-			Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() 
-				+ " from federated IDP.");
-			throw new AuthnResponseValidationException("sp.pvp2.04", 
-					new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, 
-							samlResp.getIssuer().getValue(), 
-							samlResp.getStatus().getStatusCode().getValue()});
+			String errorMsg = "No error message";
+			StatusCode firstCode = samlResp.getStatus().getStatusCode();
+			
+			//get errormessage from response
+			if (samlResp.getStatus().getStatusMessage() != null && 
+					MiscUtil.isNotEmpty(samlResp.getStatus().getStatusMessage().getMessage()))
+				errorMsg = samlResp.getStatus().getStatusMessage().getMessage();
+			
+			//extract response status-codes
+			if (firstCode.getStatusCode() == null) {			
+				Logger.info("Receive StatusCode:" + firstCode.getValue() + " | Msg:" +  errorMsg 
+						+ " from federated IDP.");			
+				throw new AuthnResponseValidationException("sp.pvp2.05", 
+						new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, 
+								samlResp.getIssuer().getValue(), 
+								firstCode.getValue(),
+								samlResp.getStatus().getStatusMessage().getMessage()});
+				
+			} else {
+				StatusCode secondCode = firstCode.getStatusCode();
+				Logger.info("Receive StatusCode:" + firstCode.getValue() + " -> StatusCode:" + secondCode.getValue() 
+					+ " | Msg:" +  errorMsg + " from federated IDP.");			
+				throw new AuthnResponseValidationException("sp.pvp2.09", 
+						new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, 
+								samlResp.getIssuer().getValue(), 
+								firstCode.getValue(),
+								secondCode.getValue(),
+								samlResp.getStatus().getStatusMessage().getMessage()});
+				
+			}
 					
 		}
 								
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index bcd8076bc..2a3e72640 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -34,6 +34,7 @@ import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -92,7 +93,7 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
 			authnReqConfig.setPassive(false);
 			authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
 			authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA);			
-			
+						
 			//set bPK of representative
 			String representativeBPK = null;
 			
@@ -129,15 +130,19 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
 					
 				}								
 			}
-											
-			//TODO: check subjectNameID: as per PVP S-Profile specification, 
-			// subjectNameID starts with target postfix (like. GH:xxxxxxxxxxxxx)
+			
+			//set bPK of representative as SAML2 subjectNameID
 			authnReqConfig.setSubjectNameID(representativeBPK );
+			authnReqConfig.setSubjectNameIDQualifier(configTarget);
+			
+			//set MandateReferenceValue as RequestID
+			authnReqConfig.setRequestID(moasession.getMandateReferenceValue());
 						
 			//build and transmit AuthnRequest
 			authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
 		
-			//TODO: TODO: add revisionslog entries
+			//write revisions log entry
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_SERVICE_REQUESTED, moasession.getMandateReferenceValue());
 			
 		} catch (MetadataProviderException e) {			
 			throw new TaskExecutionException(pendingReq, "ELGA Mandate-Service metadata problem", new ELGAMetadataException("service.10", 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
index 6deb8eb2b..49f131983 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -197,13 +197,12 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvide
 				filter, 
 				ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING);
 		
-		metadataProvider.setRequireValidMetadata(true);
-
-		
 		if (metadataProvider == null) {
 			Logger.error("Create ELGA Mandate-Service Client FAILED.");
 			throw new MetadataProviderException("Can not initialize ELGA Mandate-Service metadaa provider.");
 			
 		}
+		
+		metadataProvider.setRequireValidMetadata(true);
 	}
 }
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
index b648e4d27..8cd08d226 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
@@ -5,7 +5,7 @@
 	- National authentication with Austrian Citizen Card and mobile signature with our without mandate.
 	- Legacy authentication for foreign citizens using MOCCA supported signature cards.
 -->
-	<pd:Task id="initializeBKUAuthentication" class="InitializeBKUAuthenticationTask" />
+	<pd:Task id="elgaInitializeBKUAuthentication" class="ELGAInitializeBKUAuthenticationTask" />
 	<pd:Task id="createIdentityLinkForm"    class="CreateIdentityLinkFormTask" />
 	<pd:Task id="verifyIdentityLink"        class="VerifyIdentityLinkTask"        async="true" />
 	<pd:Task id="verifyAuthBlock"           class="VerifyAuthenticationBlockTask" async="true" />
@@ -25,9 +25,9 @@
 	<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
 	<pd:StartEvent id="start" />
 	
-	<pd:Transition from="start"                     to="initializeBKUAuthentication" />
+	<pd:Transition from="start"                     			to="elgaInitializeBKUAuthentication" />
 	
-	<pd:Transition from="initializeBKUAuthentication" to="createIdentityLinkForm" />
+	<pd:Transition from="elgaInitializeBKUAuthentication" to="createIdentityLinkForm" />
 	
 	<pd:Transition from="createIdentityLinkForm"    to="verifyIdentityLink" />
 	
@@ -43,7 +43,7 @@
 	<pd:Transition from="verifyCertificate"         to="verifyAuthBlock" conditionExpression="ctx['useMandate']" />
 	<pd:Transition from="verifyCertificate"         to="getForeignID" />
 	
-	<pd:Transition from="verifyAuthBlock"           to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" />
+	<pd:Transition from="verifyAuthBlock"           to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />
 	<pd:Transition from="verifyAuthBlock"           to="requestELGAMandateTask" conditionExpression="ctx['useELGAMandate']" />
 	<pd:Transition from="verifyAuthBlock"           to="finalizeAuthentication" />
 		
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
index 6e567a42c..c1abe78df 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
@@ -27,6 +27,10 @@
 				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/>
 	
 <!-- Federated Authentication Process Tasks -->
+	<bean id="ELGAInitializeBKUAuthenticationTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.ELGAInitializeBKUAuthenticationTask"
+				scope="prototype"/>
+				
 	<bean id="RequestELGAMandateTask" 
 				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.RequestELGAMandateTask"
 				scope="prototype"/>