Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation

75 files changed, 1967 insertions, 836 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java
index 80800543b..5ee2ee6a7 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java
@@ -97,6 +97,9 @@ public class FormularCustomization implements IOnlineApplicationData {
 	private String aditionalAuthBlockText = null;
 	private boolean isHideBPKAuthBlock = false;
 
+	private String saml2PostBindingTemplate = null;
+	private String mandateServiceSelectionTemplate = null;
+	
 	public FormularCustomization() {
 		new FormularCustomization(null);
 	}
@@ -128,6 +131,9 @@ public class FormularCustomization implements IOnlineApplicationData {
 	public List<String> parse(OnlineApplication dbOA, AuthenticatedUser authUser, HttpServletRequest request) {
 		AuthComponentOA auth = dbOA.getAuthComponentOA();
 
+		mandateServiceSelectionTemplate = dbOA.getMandateServiceSelectionTemplateURL();
+		saml2PostBindingTemplate = dbOA.getSaml2PostBindingTemplateURL();
+		
 		if (dbOA.getAuthComponentOA() != null)
 			isHideBPKAuthBlock = dbOA.isRemoveBPKFromAuthBlock();
 		
@@ -243,6 +249,9 @@ public class FormularCustomization implements IOnlineApplicationData {
         
         dbOA.setRemoveBPKFromAuthBlock(isHideBPKAuthBlock());
         
+        dbOA.setMandateServiceSelectionTemplateURL(mandateServiceSelectionTemplate);
+        dbOA.setSaml2PostBindingTemplateURL(saml2PostBindingTemplate);
+        
         TemplatesType templates = authoa.getTemplates();
         if (templates == null) {
             templates = new TemplatesType();
@@ -382,6 +391,21 @@ public class FormularCustomization implements IOnlineApplicationData {
 
         }
 		
+        check = getSaml2PostBindingTemplate();
+        if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check)	) {
+        	log.info("URL to SAML2 POST-Binding template is not valid");
+			errors.add(LanguageHelper.getErrorString("validation.general.templates.saml2.postbinding.valid", request));
+			
+		}
+        
+        check = getMandateServiceSelectionTemplate();
+        if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check)	) {
+        	log.info("URL to mandate-service selection-template is not valid");
+			errors.add(LanguageHelper.getErrorString("validation.general.templates.mandateserviceselection.valid", request));
+			
+		}
+        
+        
         //validate BKUFormCustomization
 		errors.addAll(new FormularCustomizationValitator().validate(this, request));
        		
@@ -813,7 +837,36 @@ public class FormularCustomization implements IOnlineApplicationData {
 	 */
 	public Map<String, String> getFormMap() {
 		return map;
+	}
+
+	/**
+	 * @return the saml2PostBindingTemplate
+	 */
+	public String getSaml2PostBindingTemplate() {
+		return saml2PostBindingTemplate;
+	}
+
+	/**
+	 * @param saml2PostBindingTemplate the saml2PostBindingTemplate to set
+	 */
+	public void setSaml2PostBindingTemplate(String saml2PostBindingTemplate) {
+		this.saml2PostBindingTemplate = saml2PostBindingTemplate;
+	}
+
+	/**
+	 * @return the mandateServiceSelectionTemplate
+	 */
+	public String getMandateServiceSelectionTemplate() {
+		return mandateServiceSelectionTemplate;
+	}
+
+	/**
+	 * @param mandateServiceSelectionTemplate the mandateServiceSelectionTemplate to set
+	 */
+	public void setMandateServiceSelectionTemplate(String mandateServiceSelectionTemplate) {
+		this.mandateServiceSelectionTemplate = mandateServiceSelectionTemplate;
 	}	
 	
 	
+	
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
index 67fef3b1d..c69998fa2 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
@@ -28,9 +28,6 @@ import java.util.Date;
 import java.util.StringTokenizer;
 import java.util.regex.Pattern;
 
-import org.apache.commons.lang.StringUtils;
-import org.apache.log4j.Logger;
-
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -42,6 +39,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+
 import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
@@ -205,7 +205,9 @@ public class AuthenticationFilter implements Filter{
 				filterchain.doFilter(req, resp);
 			
 			} catch (Exception e) {
-						
+
+				log.error("Servlet filter catchs an unhandled exception! Msg: " + e.getMessage(), e);
+				
 				//String redirectURL = "./index.action";
 				//HttpServletResponse httpResp = (HttpServletResponse) resp;
 				//redirectURL = httpResp.encodeRedirectURL(redirectURL);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
index 5022be915..539deac9e 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
@@ -44,7 +44,7 @@ import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 
 import at.gv.egiz.components.configuration.meta.api.ConfigurationStorageException;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration;
 import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils;
 import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
 import at.gv.egovernment.moa.id.commons.config.ConfigurationMigrationUtils;
@@ -610,7 +610,7 @@ public class BasicOAAction extends BasicAction {
                 //set parameters
                 Map<String, Object> params =  (Map<String, Object>) mapobj;
                 params.put(
-                		ServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT, 
+                		AbstractServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT, 
                 		contextpath);
                 
                 request.setCharacterEncoding("UTF-8");
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java
index 8e8020d75..fbd2f3bb3 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java
@@ -43,7 +43,7 @@ public class StorkConfigValidator {
 						errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc",
 								new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request ));
 					}
-					if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)")) {
+					if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) {
 							log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + check);
 							errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc",
 									new Object[] {check}, request ));
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index d75403575..728ce989a 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -218,6 +218,11 @@ webpages.oaconfig.general.bku.bkuselection.upload=Neues Template hochladen
 webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template
 webpages.oaconfig.general.bku.sendassertion.filename=Dateiname
 webpages.oaconfig.general.bku.sendassertion.upload=Neues Template hochladen
+webpages.oaconfig.general.templates.elgamandates.header=Template zur Vollmachtenserviceauswahl
+webpages.oaconfig.general.templates.elgamandates.url=Template URL
+webpages.oaconfig.general.templates.saml2.postbinding.header=SAML2 POST Binding Formular
+webpages.oaconfig.general.templates.saml2.postbinding.url=Template URL
+
 
 webpages.oaconfig.bPKEncDec.header=Fremd-bPK Konfiguration
 webpages.oaconfig.bPKEncDec.keystore.header=KeyStore Konfiguration
@@ -493,6 +498,8 @@ validation.general.sendassertion.filename.valid=Der Dateiname des Send-Assertion
 validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte nicht geladen werden.
 validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden.
 validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig.
+validation.general.templates.saml2.postbinding.valid=URL zum Template f\u00FCr das SAML2 POST-Binding Formular ist nicht g\u00FCltig.
+validation.general.templates.mandateserviceselection.valid=URL zum Template z\u00FCr Auswahl des Vollmachtenservices ist nicht g\u00FCltig.
 
 validation.bPKDec.keyStorePassword.empty=Das Password f\u00FCr den KeyStore ist leer.
 validation.bPKDec.keyStorePassword.valid=Das Password f\u00FCr den KeyStore enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index 708cc605e..a8f4be796 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -224,6 +224,12 @@ webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template
 webpages.oaconfig.general.bku.sendassertion.filename=Filename
 webpages.oaconfig.general.bku.sendassertion.upload=Upload new template
 
+webpages.oaconfig.general.templates.elgamandates.header=Template to select a specific mandate service
+webpages.oaconfig.general.templates.elgamandates.url=Template URL
+webpages.oaconfig.general.templates.saml2.postbinding.header=SAML2 POST-Binding Formular
+webpages.oaconfig.general.templates.saml2.postbinding.url=Template URL
+
+
 webpages.oaconfig.bPKEncDec.header=Foreign-bPK Configuration
 webpages.oaconfig.bPKEncDec.keystore.header=Keystore configuration
 webpages.oaconfig.bPKEncDec.filename=Filename
@@ -491,6 +497,8 @@ validation.general.sendassertion.filename.valid=The file name of Send-Assertion
 validation.general.sendassertion.file.valid=Send-Assertion Templates could not be loaded.
 validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided.
 validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid.
+validation.general.templates.saml2.postbinding.valid=URL to SAML2 POST-Binding template is not valid
+validation.general.templates.mandateserviceselection.valid=URL to mandate-service selection-template is not valid
 
 validation.bPKDec.keyStorePassword.empty=KeyStore password is blank.
 validation.bPKDec.keyStorePassword.valid=The keyStore password contains forbidden characters. The following characters are not allowed\: {0}
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp
index 008a8b521..6dbed0047 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp
@@ -160,7 +160,7 @@
 																
 							</div>
 							
-														<div class="oa_protocol_area">
+							<div class="oa_protocol_area">
 								<h4><%=LanguageHelper.getGUIString("webpages.oaconfig.general.bku.bkuselection.header", request) %></h4>
 								<s:iterator value="%{formOA.bkuSelectionFileUploadFileName}" var="fileNameBKU">
 									<div class="floatClass">
@@ -202,6 +202,16 @@
 								</s:if>
 							</div>
 							
+							<div class="oa_protocol_area">
+								<h4><%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.elgamandates.header", request) %></h4>
+								<s:textfield name="formOA.mandateServiceSelectionTemplate" 
+		 												 value="%{formOA.mandateServiceSelectionTemplate}" 
+								 						 labelposition="left"
+								 						 key="webpages.oaconfig.general.templates.elgamandates.url"
+								 						 cssClass="textfield_long">
+								</s:textfield>
+							</div>
+							
 						</s:if>
 							
 					</div>
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp
index 7e40fc60b..693ef8073 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp
@@ -23,6 +23,17 @@
 							<div id="pvp2_certificate_upload">
 								<s:file name="pvp2OA.fileUpload" key="webpages.oaconfig.pvp2.certifcate" cssClass="textfield_long"></s:file>
 							</div>
+							
+							<div class="oa_protocol_area">
+								<h4><%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.saml2.postbinding.header", request) %></h4>
+								<s:textfield name="formOA.saml2PostBindingTemplate" 
+		 												 value="%{formOA.saml2PostBindingTemplate}" 
+								 						 labelposition="left"
+								 						 key="webpages.oaconfig.general.templates.saml2.postbinding.url"
+								 						 cssClass="textfield_long">
+								</s:textfield>
+							</div>
+							
 						</div>
 				
 </html>
\ No newline at end of file
diff --git a/id/history.txt b/id/history.txt
index befe0ffbc..1734d69e9 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -1,5 +1,12 @@
 Dieses Dokument zeigt die Veränderungen und Erweiterungen von MOA-ID auf.

 

+Version MOA-ID Release 3.2.3: Änderungen seit Version MOA-ID 3.2.2

+- Änderungen

+  - Bug-Fix - Possible problem in combination with IAIK_JCE and JAVA JDK >= 8u141

+  - Bug-Fix - Possible thread looking during certificate validation 

+  - Bug-Fix - Wrong logging entries  

+  - Stability improvements  

+

 Version MOA-ID Release 3.2.2: Änderungen seit Version MOA-ID 3.2.1

 - Änderungen

   - Security-Fix - Struts2 (CVE-2017-5638)

diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java
index fb675ad43..df67ca2f1 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java
@@ -125,7 +125,7 @@ public static final List<String> KEYWHITELIST;
 										LanguageHelper.getErrorString("validation.stork.cpeps.cc",
 												new Object[] {ValidationHelper.getPotentialCSSCharacter(false)})));
 							}
-							if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)")) {
+							if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) {
 								log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + cc);
 								errors.add(new ValidationObjectIdentifier(
 										MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST
diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java
index ca1109aa1..f8ce21c99 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java
@@ -41,7 +41,6 @@ import at.gv.egovernment.moa.id.config.webgui.helper.GUIDataParser;
 import at.gv.egovernment.moa.id.config.webgui.helper.LanguageHelper;
 import at.gv.egovernment.moa.id.config.webgui.validation.task.AbstractTaskValidator;
 import at.gv.egovernment.moa.id.config.webgui.validation.task.ITaskValidator;
-import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
@@ -82,18 +81,27 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I
 		
 		Map<String, String> newConfigValues = new HashMap<String, String>();
 		
+		//delete configuration key if the configuration value is empty or null
+		if (MiscUtil.isEmpty(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL)))
+			keysToDelete.add(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL);
+
+		//delete configuration key if the configuration value is empty or null
+		if (MiscUtil.isEmpty(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL)))
+			keysToDelete.add(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL);
+		
+		
 		String bkuSelectTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_FILENAME);
 		if (MiscUtil.isNotEmpty(bkuSelectTemplateUploadedFileName)) {
 			newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_PREVIEW, bkuSelectTemplateUploadedFileName);
 			
 		}
-		
+				
 		String sendAssertionTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SENDASSERTION_FILENAME);
 		if (MiscUtil.isNotEmpty(sendAssertionTemplateUploadedFileName)) {
 			newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_PREVIEW, sendAssertionTemplateUploadedFileName);
 			
 		}
-		
+				
 		String bkuSelectionFileUpload = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_DATA);
 		String bkuSelectionFile = GUIDataParser.getBase64ContentFromGUIUpload(bkuSelectionFileUpload);
 		if (bkuSelectionFile != null)
@@ -253,6 +261,29 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I
 			
 		}
 		
+		
+		//validate template URLs
+		check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL);
+		if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check)	) {
+			log.info("URL to SAML2 POST-Binding template is not valid");
+			errors.add(new ValidationObjectIdentifier(
+					MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, 
+					"Templates - SAML2 Post-Binding",
+					LanguageHelper.getErrorString("validation.general.templates.saml2.postbinding.valid")));
+							
+		}
+		check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL);
+        if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check)	) {
+        	log.info("URL to mandate-service selection-template is not valid");
+        	errors.add(new ValidationObjectIdentifier(
+					MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, 
+					"Templates - Mandate-Service selection",
+					LanguageHelper.getErrorString("validation.general.templates.mandateserviceselection.valid")));
+			
+		}
+		
+				
+		//check Template customization parameters
 		check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR);
 		if (MiscUtil.isNotEmpty(check)) {
 			if (!check.startsWith("#"))
diff --git a/id/moa-spss-container/pom.xml b/id/moa-spss-container/pom.xml
index fe6ea0c47..085c731fd 100644
--- a/id/moa-spss-container/pom.xml
+++ b/id/moa-spss-container/pom.xml
@@ -47,7 +47,7 @@
 		<dependency>
 			<groupId>MOA.spss.server</groupId>
 			<artifactId>moa-sig-lib</artifactId>
-			<version>3.1.0</version>
+			<version>3.1.1</version>
 			<exclusions>
 				<exclusion> 
 					<groupId>commons-logging</groupId>
@@ -65,7 +65,7 @@
 		<dependency>
 			<groupId>MOA.spss</groupId>
 			<artifactId>common</artifactId>
-			<version>3.1.0</version>
+			<version>3.1.1</version>
 		</dependency>
 		<dependency>
 			<groupId>MOA.spss</groupId>
@@ -90,17 +90,19 @@
 		<dependency>
 			<groupId>iaik.prod</groupId>
 			<artifactId>iaik_eccelerate</artifactId>
-			<version>3.1_eval</version>
+			<version>4.02_eval</version>
 		</dependency>		
-		<dependency>
+
+	  <dependency>
 			<groupId>iaik.prod</groupId>
 			<artifactId>iaik_eccelerate_addon</artifactId>
-			<version>3.01_eval</version>
-		</dependency>							
+			<version>4.02</version>
+		</dependency>
+								
 		<dependency>
 			<groupId>iaik.prod</groupId>
 			<artifactId>iaik_eccelerate_cms</artifactId>
-			<version>3.01</version>
+			<version>4.02</version>
 		</dependency>		
 		<dependency>
     	<groupId>iaik.prod</groupId>
@@ -115,12 +117,12 @@
 		<dependency>
     	<groupId>iaik.prod</groupId>
       <artifactId>iaik_moa</artifactId>
-      <version>2.04</version>
+      <version>2.05</version>
     </dependency>		
-		<dependency>
+		<dependency> 
 			<groupId>iaik.prod</groupId>
 			<artifactId>iaik_pki_module</artifactId>
-			<version>1.02_moa</version>
+			<version>1.04_moa</version>
 		</dependency>		
 		<dependency>
 			<groupId>iaik.prod</groupId>
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
index 95347c265..09069ac7f 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
@@ -174,6 +174,14 @@ public class Configuration {
 	}
 	
 	
+	public boolean useRedirectBindingRequest() {
+		return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.req.redirect", "true"));
+	}
+	
+	public boolean useRedirectBindingResponse() {
+		return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.resp.redirect", "false"));
+	}
+	
 	public void initializePVP2Login() throws ConfigurationException {
 		if (!pvp2logininitialzied)
 			initalPVP2Login();
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
index d6d2b32da..00e7c3619 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
@@ -34,4 +34,5 @@ public class Constants {
 	public static final String SESSION_NAMEID = "pvp2nameID";
 
 	public static final String SESSION_NAMEIDFORMAT = "pvp2nameIDFormat";
+		
 }
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
index 2641797ed..4c909ff80 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
@@ -34,11 +34,15 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
 import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
 import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
@@ -107,8 +111,13 @@ public class Authenticate extends HttpServlet {
 			SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
 			authReq.setID(gen.generateIdentifier());
 			
+			String relayState = String.valueOf(RandomUtils.nextLong());
 			
-			authReq.setAssertionConsumerServiceIndex(0);
+			if (config.useRedirectBindingResponse())
+				authReq.setAssertionConsumerServiceIndex(1);
+			else
+				authReq.setAssertionConsumerServiceIndex(0);
+				
 			authReq.setAttributeConsumingServiceIndex(0);
 			
 			authReq.setIssueInstant(new DateTime());
@@ -152,17 +161,24 @@ public class Authenticate extends HttpServlet {
 			for (SingleSignOnService sss : 
 					idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
 				
-//				//Get the service address for the binding you wish to use
-//				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { 
-//					redirectEndpoint = sss;  
-//				}
+				//Get the service address for the binding you wish to use
+				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && !config.useRedirectBindingRequest()) { 
+					redirectEndpoint = sss;  
+				}
 				
 				//Get the service address for the binding you wish to use
-				if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { 
+				if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && config.useRedirectBindingRequest()) { 
 					redirectEndpoint = sss;  
 				}  
 				
 			}
+			
+			if (redirectEndpoint == null) {
+				log.warn("Can not find valid EndPoint for SAML2 response");
+				throw new ConfigurationException("Can not find valid EndPoint for SAML2 response");
+				
+			}
+			
 			authReq.setDestination(redirectEndpoint.getLocation());
 			
 			//authReq.setDestination("http://test.test.test");
@@ -195,49 +211,54 @@ public class Authenticate extends HttpServlet {
 			signer.setSigningCredential(authcredential);
 			authReq.setSignature(signer);
 
-			//generate Http-POST Binding message
-//			VelocityEngine engine = new VelocityEngine();
-//			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-//			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
-//			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-//			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
-//			engine.setProperty("classpath.resource.loader.class",
-//					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
-//			engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
-//					"org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
-//			engine.init();
-//
-//			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
-//					"templates/pvp_postbinding_template.html");
-//			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
-//					response, true);
-//			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
-//			SingleSignOnService service = new SingleSignOnServiceBuilder()
-//					.buildObject();
-//			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
-//			service.setLocation(redirectEndpoint.getLocation());;
-//			
-//			context.setOutboundSAMLMessageSigningCredential(authcredential);
-//			context.setPeerEntityEndpoint(service);
-//			context.setOutboundSAMLMessage(authReq);
-//			context.setOutboundMessageTransport(responseAdapter);
-
-			//generate Redirect Binding message
-			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
-			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
-					response, true);
-			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
-			SingleSignOnService service = new SingleSignOnServiceBuilder()
-					.buildObject();
-			service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-			service.setLocation(redirectEndpoint.getLocation());
-			context.setOutboundSAMLMessageSigningCredential(authcredential);
-			context.setPeerEntityEndpoint(service);
-			context.setOutboundSAMLMessage(authReq);
-			context.setOutboundMessageTransport(responseAdapter);
-			//context.setRelayState(relayState);
-			
-			encoder.encode(context);
+		
+			if (!config.useRedirectBindingRequest()) {			
+				//generate Http-POST Binding message
+				VelocityEngine engine = new VelocityEngine();
+				engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+				engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+				engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+				engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+				engine.setProperty("classpath.resource.loader.class",
+						"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+				engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
+						"org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
+				engine.init();
+	
+				HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+						"templates/pvp_postbinding_template.html");
+				HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+						response, true);
+				BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+				SingleSignOnService service = new SingleSignOnServiceBuilder()
+						.buildObject();
+				service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+				service.setLocation(redirectEndpoint.getLocation());;				
+				context.setOutboundSAMLMessageSigningCredential(authcredential);
+				context.setPeerEntityEndpoint(service);
+				context.setOutboundSAMLMessage(authReq);
+				context.setOutboundMessageTransport(responseAdapter);
+				context.setRelayState(relayState);
+				encoder.encode(context);
+				
+			} else {
+				//generate Redirect Binding message
+				HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
+				HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+						response, true);
+				BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+				SingleSignOnService service = new SingleSignOnServiceBuilder()
+						.buildObject();
+				service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+				service.setLocation(redirectEndpoint.getLocation());
+				context.setOutboundSAMLMessageSigningCredential(authcredential);
+				context.setPeerEntityEndpoint(service);
+				context.setOutboundSAMLMessage(authReq);
+				context.setOutboundMessageTransport(responseAdapter);			
+				context.setRelayState(relayState);				
+				encoder.encode(context);
+				
+			}
 
 		} catch (Exception e) {
 			log.warn("Authentication Request can not be generated", e);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
index 75b54cfc4..d28f94fd6 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -234,13 +234,20 @@ public class BuildMetadata extends HttpServlet {
 
 			//set HTTP-POST Binding assertion consumer service
 			AssertionConsumerService postassertionConsumerService = 
-					SAML2Utils.createSAMLObject(AssertionConsumerService.class);
-			
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);			
 			postassertionConsumerService.setIndex(0);
 			postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 			postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);		
 			spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
 			
+			//set HTTP-Redirect Binding assertion consumer service
+			AssertionConsumerService redirectassertionConsumerService = 
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);			
+			redirectassertionConsumerService.setIndex(1);
+			redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+			redirectassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);		
+			spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
+			
 			//set Single Log-Out service
 			SingleLogoutService sloService =  SAML2Utils.createSAMLObject(SingleLogoutService.class);
 			sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
index cfc170011..93622f828 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -38,6 +38,9 @@ import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeStatement;
 import org.opensaml.saml2.core.EncryptedAssertion;
@@ -46,10 +49,14 @@ import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.encryption.Decrypter;
 import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.security.MetadataCredentialResolver;
 import org.opensaml.security.MetadataCredentialResolverFactory;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.security.SecurityPolicyResolver;
+import org.opensaml.ws.security.provider.BasicSecurityPolicy;
+import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
 import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
 import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
@@ -91,6 +98,7 @@ public class DemoApplication extends HttpServlet {
 		
 		ApplicationBean bean = new ApplicationBean();
 		
+		log.debug("Receive request on secure-area endpoint ...");
 		
 		String method = request.getMethod();
 		HttpSession session = request.getSession();
@@ -101,11 +109,44 @@ public class DemoApplication extends HttpServlet {
 			return;
 		}
 		
-		if (method.equals("POST")) {
-		
-			try {
-				Configuration config = Configuration.getInstance();
+		try {
+			Configuration config = Configuration.getInstance();
+			Response samlResponse = null;
+			
+			if (method.equals("GET")) {
+				log.debug("Find possible SAML2 Redirect-Binding response ...");
+				HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
+				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+				
+				messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+				messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+				
+				messageContext.setMetadataProvider(config.getMetaDataProvier());
+				
+				MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier());
+				List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+				keyInfoProvider.add(new DSAKeyValueProvider());
+				keyInfoProvider.add(new RSAKeyValueProvider());
+				keyInfoProvider.add(new InlineX509DataProvider());
+				KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+						keyInfoProvider);
+				ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+						resolver, keyInfoResolver);
+				
+				SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine);
+				SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+				BasicSecurityPolicy policy = new BasicSecurityPolicy();
+				policy.getPolicyRules().add(signatureRule);
+				policy.getPolicyRules().add(signedRole);		
+				SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);		
+				messageContext.setSecurityPolicyResolver(resolver1);
 				
+				decode.decode(messageContext);
+				
+				log.info("PVP2 Assertion  with Redirect-Binding is valid");
+			
+			} else if (method.equals("POST")) {
+				log.debug("Find possible SAML2 Post-Binding response ...");
 				//Decode with HttpPost Binding
 				HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
 				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
@@ -114,7 +155,7 @@ public class DemoApplication extends HttpServlet {
 							request));
 				decode.decode(messageContext);
 				
-				Response samlResponse = (Response) messageContext.getInboundMessage();
+				samlResponse = (Response) messageContext.getInboundMessage();
 			
 				Signature sign = samlResponse.getSignature();
 				if (sign == null) {
@@ -148,116 +189,117 @@ public class DemoApplication extends HttpServlet {
 				ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
 				trustEngine.validate(sign, criteriaSet);
 				
-				log.info("PVP2 Assertion is valid");
+				log.info("PVP2 Assertion  with POST-Binding is valid");
 				
-				//set assertion
-				org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
-				String assertion = DOMUtils.serializeNode(doc);				
-				bean.setAssertion(assertion);
+			} else {
+				bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+				setAnser(request, response, bean);
+				return;
 				
-				if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+			}
 			
-					List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-					
-					//check encrypted Assertion
-					List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
-					if (encryAssertionList != null && encryAssertionList.size() > 0) {
-						//decrypt assertions
-						
-						log.debug("Found encryped assertion. Start decryption ...");
-						
-						KeyStore keyStore = config.getPVP2KeyStore();
-						
-						X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
-								keyStore, 
-								config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
-								config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
-						
-						
-						StaticKeyInfoCredentialResolver skicr =
-								  new StaticKeyInfoCredentialResolver(authDecCredential);
-						
-						ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
-						encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
-						encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
-						encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-						
-						Decrypter samlDecrypter =
-								new Decrypter(null, skicr, encryptedKeyResolver);
-						
-						for (EncryptedAssertion encAssertion : encryAssertionList) {							
-							saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
-						}
-						
-						log.debug("Assertion decryption finished. ");
-						
-					} else {
-						saml2assertions = samlResponse.getAssertions();
+			//set assertion
+			org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+			String assertion = DOMUtils.serializeNode(doc);				
+			bean.setAssertion(assertion);
+			
+			if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+		
+				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
 				
-					}
+				//check encrypted Assertion
+				List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+				if (encryAssertionList != null && encryAssertionList.size() > 0) {
+					//decrypt assertions
 					
-					String givenName = null;
-					String familyName = null;
-					String birthday = null;
+					log.debug("Found encryped assertion. Start decryption ...");
 					
-					for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-						
-						//loop through the nodes to get what we want
-						List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
-						for (int i = 0; i < attributeStatements.size(); i++)
-						{
-							List<Attribute> attributes = attributeStatements.get(i).getAttributes();
-							for (int x = 0; x < attributes.size(); x++)
-							{
-								String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+					KeyStore keyStore = config.getPVP2KeyStore();
+					
+					X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+							keyStore, 
+							config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+							config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+					
+					
+					StaticKeyInfoCredentialResolver skicr =
+							  new StaticKeyInfoCredentialResolver(authDecCredential);
+					
+					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+					
+					Decrypter samlDecrypter =
+							new Decrypter(null, skicr, encryptedKeyResolver);
+					
+					for (EncryptedAssertion encAssertion : encryAssertionList) {							
+						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
 
-								if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
-									familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-								if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
-									givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-								
-								if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
-									birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-								}								
-							}
-						}						
-						request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
-								saml2assertion.getSubject().getNameID().getFormat());
-						request.getSession().setAttribute(Constants.SESSION_NAMEID, 
-								saml2assertion.getSubject().getNameID().getValue());
-						
 					}
-										
-					bean.setDateOfBirth(birthday);
-					bean.setFamilyName(familyName);
-					bean.setGivenName(givenName);
-					bean.setLogin(true);
-										
-					setAnser(request, response, bean);
-					return;
 					
+					log.debug("Assertion decryption finished. ");
 					
 				} else {
-					bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
-					setAnser(request, response, bean);
-					return;
+					saml2assertions = samlResponse.getAssertions();
+			
+				}
+				
+				String givenName = null;
+				String familyName = null;
+				String birthday = null;
+				
+				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+					
+					//loop through the nodes to get what we want
+					List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+					for (int i = 0; i < attributeStatements.size(); i++)
+					{
+						List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+						for (int x = 0; x < attributes.size(); x++)
+						{
+							String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+
+							if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
+								familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+							if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
+								givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+							
+							if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+								birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+							}								
+						}
+					}						
+					request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
+							saml2assertion.getSubject().getNameID().getFormat());
+					request.getSession().setAttribute(Constants.SESSION_NAMEID, 
+							saml2assertion.getSubject().getNameID().getValue());
 					
 				}
+									
+				bean.setDateOfBirth(birthday);
+				bean.setFamilyName(familyName);
+				bean.setGivenName(givenName);
+				bean.setLogin(true);
+									
+				setAnser(request, response, bean);
+				return;
+				
 				
-			} catch (Exception e) {
-				log.warn(e);
-				bean.setErrorMessage("Internal Error: " + e.getMessage());
+			} else {
+				bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
 				setAnser(request, response, bean);
 				return;
+				
 			}
 			
-		} else {
-			bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+		} catch (Exception e) {
+			log.warn(e);
+			bean.setErrorMessage("Internal Error: " + e.getMessage());
 			setAnser(request, response, bean);
 			return;
-			
 		}
+					
 	}	
 	
 	private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
diff --git a/id/readme_3.2.3.txt b/id/readme_3.2.3.txt
new file mode 100644
index 000000000..edb75f6de
--- /dev/null
+++ b/id/readme_3.2.3.txt
@@ -0,0 +1,732 @@
+===============================================================================
+MOA ID Version Release 3.2.3 - Wichtige Informationen zur Installation
+===============================================================================
+
+-------------------------------------------------------------------------------
+A. Neuerungen/Änderungen
+-------------------------------------------------------------------------------
+
+Mit MOA ID Version 3.2.3 wurden folgende Neuerungen und Änderungen eingeführt, 
+die jetzt erstmals in der Veröffentlichung enthalten sind (siehe auch 
+history.txt im gleichen Verzeichnis).
+   
+- Änderungen
+  - Behebung eines möglichen Problems mit JAVA JDK 8u141 
+  - Behebung eines möglichen Thread Look Problems während Zertifikatsprüfung
+  - Bug-Fixes
+  - Stabilitätsverbesserungen
+
+-------------------------------------------------------------------------------
+B. Durchführung eines Updates
+-------------------------------------------------------------------------------
+
+Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch
+eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher
+MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend 
+angebebenen Updateschritte.
+
+Hinweis: Wenn Sie die bestehende Konfiguration von MOA-ID 2.x.x in MOA-ID 3.2.x
+reimportieren möchten, so muss diese vor dem Update mit Hilfe der import/export
+Funktion der grafischen Konfigurationsoberfläche in eine Datei exportiert werden.
+Diese Datei dient dann als Basis für den Import in MOA-ID 3.2.x. 
+
+...............................................................................
+A.1 Durchführung eines Updates von Version 3.2.x auf Version 3.2.3
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.3.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war 
+   als auch das komplette Verzeichnis moa-id-auth. 
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.   
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+8.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 3.1.x auf Version 3.2.3
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.3.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war 
+   als auch das komplette Verzeichnis moa-id-auth. 
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.   
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+8. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+   Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties     
+     a.)  moasession.jpaVendorAdapter.generateDdl=true
+          moasession.dbcp.connectionProperties=
+          moasession.dbcp.initialSize=5
+          moasession.dbcp.maxActive=100
+          moasession.dbcp.maxIdle=8
+          moasession.dbcp.minIdle=5
+          moasession.dbcp.maxWaitMillis=-1
+          moasession.dbcp.testOnBorrow=true
+          moasession.dbcp.testOnReturn=false
+          moasession.dbcp.testWhileIdle=false
+          moasession.dbcp.validationQuery=select 1
+     b.)  advancedlogging.jpaVendorAdapter.generateDdl=true
+          advancedlogging.dbcp.initialSize=0
+          advancedlogging.dbcp.maxActive=50
+          advancedlogging.dbcp.maxIdle=8
+          advancedlogging.dbcp.minIdle=0
+          advancedlogging.dbcp.maxWaitMillis=-1
+          advancedlogging.dbcp.testOnBorrow=true
+          advancedlogging.dbcp.testOnReturn=false
+          advancedlogging.dbcp.testWhileIdle=false
+          advancedlogging.dbcp.validationQuery=SELECT 1
+     c.)  *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern
+     d.)  configuration.ssl.validation.revocation.method.order=crl,ocsp
+     e.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfiguration 
+
+9.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 3.0.x auf Version 3.2.3
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.2.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war 
+   als auch das komplette Verzeichnis moa-id-auth. 
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.   
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+8. Update der TrustStores für WebService Zugriffe.
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\ca-certs
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\ca-certs.         
+     b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\certstore\toBeAdded
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\certstore\toBeAdded.
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der 
+   MOA-ID-Configuration Konfigurationsdatei
+   CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties     
+     a.) dbcp.validationQuery=.....         (SQL Query zum Validieren der
+         Datenbankverbindung 
+           z.B: "SELECT 1" für mySQL
+                "select 1 from dual" für OracleDB)
+
+10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+   Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties     
+     a.) configuration.dbcp.validationQuery=.....         (SQL Query zum 
+         Validieren der Datenbankverbindung 
+           z.B: "SELECT 1" für mySQL
+                "select 1 from dual" für OracleDB)
+     b.)  moasession.jpaVendorAdapter.generateDdl=true
+          moasession.dbcp.connectionProperties=
+          moasession.dbcp.initialSize=5
+          moasession.dbcp.maxActive=100
+          moasession.dbcp.maxIdle=8
+          moasession.dbcp.minIdle=5
+          moasession.dbcp.maxWaitMillis=-1
+          moasession.dbcp.testOnBorrow=true
+          moasession.dbcp.testOnReturn=false
+          moasession.dbcp.testWhileIdle=false
+          moasession.dbcp.validationQuery=select 1
+     c.)  advancedlogging.jpaVendorAdapter.generateDdl=true
+          advancedlogging.dbcp.initialSize=0
+          advancedlogging.dbcp.maxActive=50
+          advancedlogging.dbcp.maxIdle=8
+          advancedlogging.dbcp.minIdle=0
+          advancedlogging.dbcp.maxWaitMillis=-1
+          advancedlogging.dbcp.testOnBorrow=true
+          advancedlogging.dbcp.testOnReturn=false
+          advancedlogging.dbcp.testWhileIdle=false
+          advancedlogging.dbcp.validationQuery=SELECT 1
+     d.)  *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern
+     e.)  configuration.ssl.validation.revocation.method.order=crl,ocsp
+     f.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfigration 
+
+11. Update der Default html-Templates für die Bürgerkartenauswahl.
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.         
+     b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+         in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. 
+
+12.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+         
+...............................................................................
+B.3 Durchführung eines Updates von Version 2.2.1 auf Version 3.2.3 
+...............................................................................
+
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.2.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+   moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth 
+   und das komplette Verzeichnis moa-id-configuration.
+
+4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+	 CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+   	
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+   
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+7. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+8. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+                                 
+9. Update des Cert-Stores.
+   Kopieren Sie den Inhalt des Verzeichnisses
+   MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+   CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie 
+   vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann 
+   bejahen sie das.
+
+10. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen 
+   wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile 
+   beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+   a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+    1)  Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+    2)  Kopieren Sie das Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis 
+        CATALINA_HOME\conf\moa-spss.
+
+   b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie 
+      folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+    1)  Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den 
+        entsprechenden Profilen im Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren 
+        Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt 
+        der einzelnen Profile aus der Distribution 
+        (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden 
+        Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) 
+        kopieren und dabei die vorhandenen gleichnamigen Zertifikate 
+        überschreiben), also z.B: Kopieren des Inhalts von 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach 
+        CATALINA_HOME\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. 
+
+11. Update der Default html-Templates für die Bürgerkartenauswahl.
+
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.         
+     b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+         in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. 
+
+12. Update der STORK Konfiguration
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+     b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->   
+         2.4 Konfiguration des SamlEngines an.
+         
+13. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+    CATALINA_HOME\conf\moa-id\moa-id.properties
+   
+14. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configration Konfigurationsdatei
+    CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+
+15. Hinzufügen der zusätzlichen Konfigurationsdatei in der MOA-ID-Configuration
+    CATALINA_HOME\conf\moa-id-configuration\userdatabase.properties
+
+16. Update der Tomcat Start-Skripts:
+    - Die Konfigurationsdateien für MOA-ID-Auth und MOA-ID-Configuration müssen
+      nur als URI (file:/...) übergeben werden. 
+                 
+17.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.4 Durchführung eines Updates von Version 2.2.0 auf Version 2.2.1 
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.1.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+   moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth 
+   und das komplette Verzeichnis moa-id-configuration.
+	
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+   
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+                                 
+6. Update des Cert-Stores.
+   Kopieren Sie den Inhalt des Verzeichnisses
+   MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+   CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie 
+   vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann 
+   bejahen sie das.
+
+7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen 
+   wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile 
+   beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+   a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+    1)  Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+    2)  Kopieren Sie das Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis 
+        CATALINA_HOME\conf\moa-spss.
+
+   b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie 
+      folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+    1)  Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den 
+        entsprechenden Profilen im Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren 
+        Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt 
+        der einzelnen Profile aus der Distribution 
+        (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden 
+        Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) 
+        kopieren und dabei die vorhandenen gleichnamigen Zertifikate 
+        überschreiben), also z.B: Kopieren des Inhalts von 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach 
+        CATALINA_HOME\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. 
+                 
+8.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 2.1.2 auf Version 2.2.0 
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.0.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+   moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth 
+   und das komplette Verzeichnis moa-id-configuration.
+   
+4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+	 CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+	
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+   
+7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+   
+8. Kopieren der folgenden Dateien:
+      Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der 
+      Datei bevor Sie diese durch die neue Version ersetzen.  
+      a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml ->
+          CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
+      b.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_outgoing.xml ->
+          CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_outgoing.xml          
+                    
+9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks 
+   (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt.
+   Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell
+   verwendeten KeyStore ab. 
+
+10. Update des Cert-Stores.
+   Kopieren Sie den Inhalt des Verzeichnisses
+   MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+   CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie 
+   vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann 
+   bejahen sie das.
+
+11. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen 
+   wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile 
+   beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+   a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+    1)  Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+    2)  Kopieren Sie das Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis 
+        CATALINA_HOME\conf\moa-spss.
+
+   b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie 
+      folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+    1)  Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den 
+        entsprechenden Profilen im Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren 
+        Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt 
+        der einzelnen Profile aus der Distribution 
+        (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden 
+        Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) 
+        kopieren und dabei die vorhandenen gleichnamigen Zertifikate 
+        überschreiben), also z.B: Kopieren des Inhalts von 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach 
+        CATALINA_HOME\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. 
+
+                 
+12. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+...............................................................................
+B.2 Durchführung eines Updates von Version 2.1.1 auf Version 2.1.2 
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.2.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+   moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth 
+   und das komplette Verzeichnis moa-id-configuration.
+   
+4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+	 CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+	
+5. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das 
+   Verzeichnis	CATALINA_HOME_ID\endorsed   
+
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+   
+7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+   
+8. Kopieren der folgenden Dateien  
+      a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml ->
+          CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
+          Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der 
+          Datei slo_template.html bevor Sie diese durch die neue Version ersetzen.
+          
+9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks 
+   (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt.
+   Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell
+   verwendeten KeyStore ab. 
+                 
+10. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.3 Durchführung eines Updates von Version 2.1.0 auf Version 2.1.1 
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+4. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+5. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als 
+   auch das komplette Verzeichnis moa-id-auth.
+
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+   
+7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+   
+8. Hinzufügen der zusätzlichen Konfigurationsparameter in der 
+   MOA-ID-Configuration Konfigurationsdatei
+   CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties     
+     a.) general.moaconfig.key=.....         (Passwort zum Ver- und 
+         Entschlüsseln von Konfigurationsparametern in der Datenbank)
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+   Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties     
+     a.) configuration.moaconfig.key=.....   (Passwort zum Ver- und 
+         Entschlüsseln von Konfigurationsparametern in der Datenbank)
+
+10. Kopieren der folgenden Dateien  
+      a.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html ->
+          CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html
+          Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der 
+          Datei slo_template.html bevor Sie diese durch die neue Version ersetzen.
+         
+11. Update des Cert-Stores.
+   Kopieren Sie den Inhalt des Verzeichnisses
+   MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+   CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie 
+   vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann 
+   bejahen sie das.
+
+12. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen 
+   wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile 
+   beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+   a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+    1)  Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+    2)  Kopieren Sie das Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis 
+        CATALINA_HOME\conf\moa-spss.
+
+   b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie 
+      folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+    1)  Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den 
+        entsprechenden Profilen im Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren 
+        Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt 
+        der einzelnen Profile aus der Distribution 
+        (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden 
+        Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) 
+        kopieren und dabei die vorhandenen gleichnamigen Zertifikate 
+        überschreiben), also z.B: Kopieren des Inhalts von 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach 
+        CATALINA_HOME\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. 
+        
+13. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+    
+    
+...............................................................................
+B.4 Durchführung eines Updates von Version 2.0.1 auf Version 2.1.0 
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als 
+   auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+   
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.   
+
+6. Update der STORK Konfiguration
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+     b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->   
+         2.4 Konfiguration des SamlEngines an.
+         
+7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei
+   CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties     
+     a.) general.ssl.certstore=certs/certstore
+     b.) general.ssl.truststore=certs/truststore
+ 
+8. Kopieren des folgenden zusätzlichen Ordners  MOA_ID_AUTH_INST/conf/moa-id-configuration/certs
+   nach CATALINA_HOME\conf\moa-id-configuration\
+   
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+   CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar.     
+     a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion
+         protocols.pvp2.idp.ks.assertion.encryption.keypassword=password
+ 
+10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/
+    nach CATALINA_HOME\conf\moa-id\
+      a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\    
+      b.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html ->
+          CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html
+      
+11. Neuinitialisieren des Datenbank Schema für die MOA-Session. Hierfür stehen 
+    zwei Varianten zur Verfügung.
+      a.) Ändern Sie in der Konfigurationsdatei für das Modul MOA-ID-Auth 
+          CATALINA_HOME\conf\moa-id\moa-id.properties die Zeile 
+               moasession.hibernate.hbm2ddl.auto=update
+          zu
+               moasession.hibernate.hbm2ddl.auto=create
+          Danach werden die Tabellen beim nächsten Startvorgang neu generiert.
+               
+      b.) Löschen Sie alle Tabellen aus dem Datenbank Schema für die MOA-Sessixson 
+          Informationen per Hand. Alle Tabellen werden beim nächsten Start autmatisch neu generiert.   
+       
+12 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+   Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.5 Durchführung eines Updates von Version 2.0-RC1  auf Version 2.0.1
+...............................................................................
+
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+   Für MOA ID Proxy:
+   Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als 
+   auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.  
+
+6. Update des Cert-Stores.
+   Kopieren Sie den Inhalt des Verzeichnisses
+   MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+   CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie 
+   vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann 
+   bejahen sie das.
+
+7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen 
+   wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile 
+   beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+   a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+    1)  Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+    2)  Kopieren Sie das Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis 
+        CATALINA_HOME\conf\moa-spss.
+
+   b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie 
+      folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+    1)  Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den 
+        entsprechenden Profilen im Verzeichnis 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren 
+        Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt 
+        der einzelnen Profile aus der Distribution 
+        (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden 
+        Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) 
+        kopieren und dabei die vorhandenen gleichnamigen Zertifikate 
+        überschreiben), also z.B: Kopieren des Inhalts von 
+        MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach 
+        CATALINA_HOME\conf\moa-spss\trustProfiles\
+        MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+           
+8. Update der Default html-Templates für die Bürgerkartenauswahl.
+
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.         
+     b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+         in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. 
+
+9. Update der STORK Konfiguration
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+     b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->   
+         2.4 Konfiguration des SamlEngines an.
+         
+10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+   CATALINA_HOME\conf\moa-id\moa-id.properties
+     
+     a.) configuration.validation.certificate.QC.ignore=false
+     b.) protocols.pvp2.assertion.encryption.active=false          
+                                    
+11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+   Logging von MOA ID beim Einlesen der Konfiguration.
+
+   
+...............................................................................
+B.6 Durchführung eines Updates von Version <= 1.5.1
+...............................................................................
+
+Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen
+Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter 
+Zuhilfenahme Ihrer bisherigen Konfiguration an.
+
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
index 64e88a688..4ea9a4873 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
@@ -31,11 +31,9 @@
 
 	<form action="${action}" method="post" target="_parent">
 		<div>
-			#if($RelayState)<input type="hidden" name="RelayState"
-				value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden"
-				name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input
-				type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end
-
+			#if($RelayState)   <input type="hidden" name="RelayState" value="${RelayState}"/>     #end 
+			#if($SAMLRequest)  <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" />  #end
+			#if($SAMLResponse) <inputtype="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
 		</div>
 		<noscript>
 			<div>
diff --git a/id/server/data/deploy/conf/moa-id/log4j.properties b/id/server/data/deploy/conf/moa-id/log4j.properties
index d83e8e550..f37100a5b 100644
--- a/id/server/data/deploy/conf/moa-id/log4j.properties
+++ b/id/server/data/deploy/conf/moa-id/log4j.properties
@@ -19,8 +19,7 @@ log4j.logger.at.gv.egovernment.moa.id.configuration=info,CONFIGTOOL
 # configure the stdout appender
 log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-#log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %20c |  %10t | %m%n
-log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} |%20.20c | %10t | %m%n
+log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} |%20.20c | %10t | %m%n
 
 # configure the rolling file appender (R)
 log4j.appender.R=org.apache.log4j.RollingFileAppender
@@ -28,7 +27,7 @@ log4j.appender.R.File=${catalina.base}/logs/moa-id.log
 log4j.appender.R.MaxFileSize=10000KB
 log4j.appender.R.MaxBackupIndex=1
 log4j.appender.R.layout=org.apache.log4j.PatternLayout
-log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n
+log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
 
 # configure the rolling file appender (R)
 log4j.appender.CONFIGTOOL=org.apache.log4j.RollingFileAppender
@@ -36,4 +35,4 @@ log4j.appender.CONFIGTOOL.File=${catalina.base}/logs/moa-id-webgui.log
 log4j.appender.CONFIGTOOL.MaxFileSize=10000KB
 log4j.appender.CONFIGTOOL.MaxBackupIndex=1
 log4j.appender.CONFIGTOOL.layout=org.apache.log4j.PatternLayout
-log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n
\ No newline at end of file
+log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
\ No newline at end of file
diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html
index 0361442ac..84590aaee 100644
--- a/id/server/doc/handbook/config/config.html
+++ b/id/server/doc/handbook/config/config.html
@@ -1724,20 +1724,6 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID  1.5.1 im Kontext der
     <td align="center">X</td>
     <td>&Uuml;ber diese Funktion k&ouml;nnen drei zus&auml;tzliche SecurtityLayer-Request Templates f&uuml;r diese Online-Applikation definiert werden. Diese hier definierten Templates dienen als zus&auml;tzliche WhiteList f&uuml;r Templates welche im &bdquo;StartAuthentication&ldquo; Request mit dem Parameter &bdquo;template&ldquo; &uuml;bergeben werden. Sollte im &bdquo;StartAuthentication&ldquo; Request der Parameter &bdquo;template&ldquo; fehlen, es wurde jedoch eine &bdquo;bkuURL&ldquo; &uuml;bergeben, dann wird f&uuml;r den Authentifizierungsvorgang das erste Template in dieser Liste verwendet. Detailinformationen zum <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a> finden Sie im Kapitel Protokolle.</td>
   </tr>
-  <tr>
-    <td>BKU-Selection Template</td>
-    <td>&nbsp;</td>
-    <td align="center">X</td>
-    <td align="center">X</td>
-    <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die B&uuml;rgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td>
-  </tr>
-  <tr>
-    <td>Send-Assertion Template</td>
-    <td>&nbsp;</td>
-    <td align="center">X</td>
-    <td align="center">X</td>
-    <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die zus&auml;tzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td>
-  </tr>
 </table>
 <h4><a name="konfigurationsparameter_oa_testcredentials" id="uebersicht_zentraledatei_aktualisierung10"></a> 3.2.3 Test Identit&auml;ten</h4>
 <p>In diesem Abschnitt k&ouml;nnen f&uuml;r diese Online-Applikation Testidentit&auml;ten erlaubt werden. Diese Testidentit&auml;ten k&ouml;nnen auch bei produktiven Instanzen freigeschalten werden, da die Unterschiedung zwischen Produkt- und Testidentit&auml;t anhand einer speziellen OID im Signaturzertifikat der Testidentit&auml;t getroffen wird. Folgende Konfigurationsparameter stehen hierf&uuml;r zur Verf&uuml;gung.</p>
@@ -2007,6 +1993,13 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID  1.5.1 im Kontext der
     <td align="center">&nbsp;</td>
     <td>Zertifikat mit dem die Metadaten  der Online-Applikation signiert sind. Dieses wird ben&ouml;tigt um die Metadaten zu  verifizieren.</td>
   </tr>
+  <tr>
+    <td>SAML2 Post-Binding Template</td>
+    <td>&nbsp;</td>
+    <td align="center">X</td>
+    <td align="center">X</td>
+    <td>Pfad zum online-applikationsspezifischen Template f&uuml;r SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschlie&szlig;lich aus dem Dateisystem geladen werden.</td>
+  </tr>
 </table>
 <h5><a name="konfigurationsparameter_oa_protocol_openIDConnect" id="uebersicht_zentraledatei_aktualisierung27"></a>3.2.8.3 OpenID Connect</h5>
 <p>In diesem Bereich erfolgt die applikationsspezifische Konfiguration f&uuml;r OpenID Connect (OAuth 2.0). </p>
@@ -2074,7 +2067,30 @@ wenn die individuelle Security-Layer Transformation den Formvorschriften  der Sp
     <td align="center">X</td>
     <td>Wird diese Option gew&auml;hlt wird im AuthBlock, welcher im Anmeldevorgang signiert wird, keine bPK oder wbPK dargestellt.</td>
   </tr>
+  <tr>
+    <td>BKU-Selection Template</td>
+    <td>&nbsp;</td>
+    <td align="center">X</td>
+    <td align="center">X</td>
+    <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die B&uuml;rgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td>
+  </tr>
+  <tr>
+    <td>Send-Assertion Template</td>
+    <td>&nbsp;</td>
+    <td align="center">X</td>
+    <td align="center">X</td>
+    <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die zus&auml;tzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td>
+  </tr>
+  <tr>
+    <td>Vollmachtenservice Auswahlseite Template</td>
+    <td>&nbsp;</td>
+    <td align="center">X</td>
+    <td align="center">X</td>
+    <td>Pfad zum online-applikationsspezifischen Template zur Auswahl des gew&uuml;nschten Vollmachtenservices. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschlie&szlig;lich aus dem Dateisystem geladen werden.</td>
+  </tr>
 </table>
+<h5>&nbsp;</h5>
+<h5>&nbsp;</h5>
 <h5><a name="konfigurationsparameter_oa_additional_formular" id="uebersicht_zentraledatei_aktualisierung29"></a>3.2.9.1 Login-Fenster Konfiguration</h5>
 <p>Diese Konfigurationsparameter  bieten zus&auml;tzliche Einstellungen f&uuml;r eine Anpassung der B&uuml;rgerkartenauswahl welche von MOA-ID-Auth generiert wird.
 Zur besseren Handhabung werden die angegebenen Parameter direkt in einer Vorschau dargestellt.  
diff --git a/id/server/doc/handbook/install/install.html b/id/server/doc/handbook/install/install.html
index aa4114539..db96cda3c 100644
--- a/id/server/doc/handbook/install/install.html
+++ b/id/server/doc/handbook/install/install.html
@@ -235,8 +235,8 @@ https://&lt;host&gt;:&lt;port&gt;/egiz-configuration-webapp/</pre>
   <h5><a name="webservice_basisinstallation_logging_format" id="webservice_basisinstallation_logging_format"></a>2.1.3.1 Format der Log-Meldungen</h5>
       <p> Anhand einer konkreten Log-Meldung wird das Format der MOA SP/SS Log-Meldungen erl&auml;utert:      </p>
       <pre>
-INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1 
-  MSG=Starte neue Transaktion: TID=1049225059594-100, Service=SignatureVerification
+ INFO | 2017-09-18 10:29:22,904 | SID-7947921060553739539 | TID-4708232418268334030 | https://sso.demosp.at/handysignatur 
+      | ajp-nio-28109-exec-7 | No SSO Session cookie found
 </pre>
 <p>    Der Wert <code>INFO</code> besagt, dass die Log-Meldung im Log-Level <code>INFO</code> entstanden ist. Folgende Log-Levels existieren:</p>
     <ul>
@@ -257,7 +257,10 @@ INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1
       </li>
     </ul>
     <p>Der n&auml;chste Wert <code>01 21:25:26,540</code> gibt den Zeitpunkt an, zu dem die Log-Meldung generiert wurde (in diesem Fall den 1. Tag im aktuellen Monat, sowie die genaue Uhrzeit). </p>
-    <p>      Der Wert <code>Thread-3</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p>
+    <p>Der Wert <code>SID-7947921060553739539</code> bezeichnet die SessionID, welche diesem Request zugeordnet wurde. Eine SessionID ist innerhalb einer SSO auch &uuml;ber mehrere Authentifizierungsrequests eindeutig. Das Loggen der SessionID kann mittels <code>%X{sessionId}</code> in der log4j Konfiguration gesetzt werden</p>
+  <p>Der Wert <code>TID-4708232418268334030</code> bezeichnet die TransactionsID, welche diesem Request zugeordnet wurde. Eine TransactionsID ist innerhalb eines Authentifizierungsrequests eindeutig. Das Loggen der TransactionsID kann mittels <code>%X{transactionId}</code> in der log4j Konfiguration gesetzt werden</p>
+    <p>Der Wert <code>https://sso.demosp.at/handysignatur</code> bezeichnet die Online Applikation (eindeutiger Identifier dieses Service Providers) f&uuml;r welchen dieser Authentifizierungsrequest durchgef&uuml;hrt wird. Das Loggen des OA Identifiers kann mittels <code>%X{oaId}</code> in der log4j Konfiguration gesetzt werden</p>
+    <p>Der Wert <code>ajp-nio-28109-exec-7</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p>
     <p>      Der Rest der Zeile einer Log-Meldung ist der eigentliche Text, mit dem das System bestimmte Informationen anzeigt. Im Fehlerfall ist h&auml;ufig ein Java Stack-Trace angef&uuml;gt, der eine genauere Ursachen-Forschung erm&ouml;glicht.</p>
 <h5>      <a name="webservice_basisinstallation_logging_messages" id="webservice_basisinstallation_logging_messages"></a>2.1.3.2 Wichtige Log-Meldungen</h5>
     <p>      Neben den im Abschnitt <a href="#webservice_basisinstallation_installation_tomcatstartstop_verify">2.1.2.4.3</a> beschriebenen Log-Meldungen, die anzeigen, ob das Service ordnungsgem&auml;&szlig; gestartet wurde, geben nachfolgenden Log-Meldungen Aufschluss &uuml;ber die Abarbeitung von Anfragen. </p>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index b57e6ed69..55b1a7c9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -69,6 +69,7 @@ public class StatisticLogger implements IStatisticLogger{
 	
 	private static final String GENERIC_LOCALBKU = ":3496/https-security-layer-request";
 	private static final String GENERIC_HANDYBKU = "https://www.handy-signatur.at/";
+	private static final String GENERIC_ONLINE_BKU = "bkuonline";
 	
 	private static final String MANTATORTYPE_JUR = "jur";
 	private static final String MANTATORTYPE_NAT = "nat";
@@ -422,8 +423,13 @@ public class StatisticLogger implements IStatisticLogger{
 			return IOAAuthParameters.HANDYBKU;
 		}
 		
-		Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
-		return IOAAuthParameters.ONLINEBKU;
+		if (bkuURL.contains(GENERIC_ONLINE_BKU)) {		
+			Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
+			return IOAAuthParameters.ONLINEBKU;			
+		}
+		
+		Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS);
+		return IOAAuthParameters.AUTHTYPE_OTHERS;
 	}
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
index 6d53fd510..0b066f3b9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
@@ -23,10 +23,8 @@
 package at.gv.egovernment.moa.id.advancedlogging;
 
 
-import java.util.Date;
-
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
 
 /**
  * @author tlenz
@@ -34,6 +32,43 @@ import at.gv.egovernment.moa.util.MiscUtil;
  */
 public class TransactionIDUtils {
 
+	/**
+	 * Set all MDC variables from pending request to this threat context<br>
+	 * These includes SessionID, TransactionID, and unique service-provider identifier
+	 * 
+	 * @param pendingRequest
+	 */
+	public static void setAllLoggingVariables(IRequest pendingRequest) {
+		setTransactionId(pendingRequest.getUniqueTransactionIdentifier());
+		setSessionId(pendingRequest.getUniqueSessionIdentifier());
+		setServiceProviderId(pendingRequest.getOnlineApplicationConfiguration().getPublicURLPrefix());
+		
+	}
+	
+	/**
+	 * Remove all MDC variables from this threat context
+	 * 
+	 */
+	public static void removeAllLoggingVariables() {
+		removeSessionId();
+		removeTransactionId();
+		removeServiceProviderId();
+		
+	}
+	
+	
+	public static void setServiceProviderId(String oaUniqueId) {
+		org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId);		
+		org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId);
+		
+	}
+	
+	public static void removeServiceProviderId() {
+		org.apache.log4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID);
+		org.slf4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID);
+		
+	}
+	
 	public static void setTransactionId(String pendingRequestID) {	  
 		org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_TRANSACTION_ID, 
 				"TID-" + pendingRequestID);		
@@ -50,9 +85,9 @@ public class TransactionIDUtils {
 		
 	public static void setSessionId(String uniqueSessionId) {	  
 		org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID, 
-				"TID-" + uniqueSessionId);		
+				"SID-" + uniqueSessionId);		
 		org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID, 
-				"TID-" + uniqueSessionId);
+				"SID-" + uniqueSessionId);
 				    
 	}
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
index bbb322a4f..34d0d4be1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
@@ -74,20 +74,26 @@ public class AuthenticationSessionCleaner implements Runnable {
     								ExceptionContainer exContainer = (ExceptionContainer) entry;    								
     								
     								if (exContainer.getExceptionThrown() != null) {
-    									//add session and transaction ID to log if exists
+    									//add session, transaction, and service-provider IDs into logging context if exists
     									if (MiscUtil.isNotEmpty(exContainer.getUniqueTransactionID()))
     										TransactionIDUtils.setTransactionId(exContainer.getUniqueTransactionID());
 									
     									if (MiscUtil.isNotEmpty(exContainer.getUniqueSessionID()))
     										TransactionIDUtils.setSessionId(exContainer.getUniqueSessionID());
  
+    									if (MiscUtil.isNotEmpty(exContainer.getUniqueServiceProviderId()))
+    										TransactionIDUtils.setServiceProviderId(exContainer.getUniqueServiceProviderId());
+    									
     									//log exception to technical log
     									logExceptionToTechnicalLog(exContainer.getExceptionThrown());
     									
     									//remove session and transaction ID from thread
-    									TransactionIDUtils.removeSessionId();
-    									TransactionIDUtils.removeTransactionId();
-    								}    								
+    									TransactionIDUtils.removeAllLoggingVariables();
+    									
+    								} else {
+    									Logger.warn("Receive an ExceptionContainer that includes no 'Exception' object. Somethinge is suspect!!!!!");
+    									
+    								}
     							}
     							
     						} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
index c582050ad..710008714 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
@@ -32,7 +32,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
 import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -68,10 +68,10 @@ public class GenerateBKUSelectionFrameTask extends AbstractAuthServletTask {
 				throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() });
 				
 			}
-												
-			IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+												 
+			IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
 					pendingReq, 
-					ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_BKUSELECTION, 
+					SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_BKUSELECTION, 
 					GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
 			
 			guiBuilder.build(response, config, "BKU-Selection form");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
index ca99e9ba3..475009cf2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
@@ -31,7 +31,7 @@ import org.springframework.stereotype.Component;
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
 import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -67,10 +67,10 @@ public class GenerateSSOConsentEvaluatorFrameTask extends AbstractAuthServletTas
 			//store pending request
 			requestStoreage.storePendingRequest(pendingReq);
 					
-			//build consents evaluator form
-			IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+			//build consents evaluator form 
+			IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
 					pendingReq, 
-					ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_SENDASSERTION, 
+					SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_SENDASSERTION, 
 					GeneralProcessEngineSignalController.ENDPOINT_SENDASSERTION_EVALUATION);
 			
 			guiBuilder.build(response, config, "SendAssertion-Evaluation");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 1431911a3..353261085 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -33,6 +33,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 
 import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.advancedlogging.IStatisticLogger;
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
@@ -139,13 +140,11 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 			if (pendingReq != null) {
 				revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR);
 				transactionStorage.put(key, 
-						new ExceptionContainer(pendingReq.getUniqueSessionIdentifier(), 
-								pendingReq.getUniqueTransactionIdentifier(), loggedException),-1);
+						new ExceptionContainer(pendingReq, loggedException),-1);
 			
 			} else {
 				transactionStorage.put(key, 
-						new ExceptionContainer(null, 
-								null, loggedException),-1);
+						new ExceptionContainer(null, loggedException),-1);
 				
 			}
 				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 0ce7b0050..32f103ca7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -45,11 +45,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
 			//change pending-request ID

 			requestStorage.changePendingRequestID(pendingReq);

 			pendingRequestID = pendingReq.getRequestID();

-			

-			//add transactionID and unique sessionID to Logger

-			TransactionIDUtils.setSessionId(pendingReq.getUniqueSessionIdentifier());

-			TransactionIDUtils.setTransactionId(pendingReq.getUniqueTransactionIdentifier());

-			

+						

 			// process instance is mandatory

 			if (pendingReq.getProcessInstanceId() == null) {

 				throw new MOAIllegalStateException("process.03", new Object[]{"MOA session does not provide process instance id."});

@@ -64,8 +60,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
 			

 		} finally {

 			//MOASessionDBUtils.closeSession();

-			TransactionIDUtils.removeTransactionId();

-			TransactionIDUtils.removeSessionId();

+			TransactionIDUtils.removeAllLoggingVariables();

 			

 		}

 		

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
index 9b658d81b..416e787a7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
@@ -34,7 +34,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -71,17 +71,17 @@ public class GUILayoutBuilderServlet extends AbstractController {
 			IRequest pendingReq = extractPendingRequest(req);
 		
 			//initialize GUI builder configuration
-			ServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+			SPSpecificGUIBuilderConfigurationWithDBLoad config = null;
 			if (pendingReq != null) 
-				config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+				config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
 						pendingReq, 
-						ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS, 
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS, 
 						null);
 			
 			else
-				config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+				config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
 						HTTPUtils.extractAuthURLFromRequest(req), 
-						ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS, 
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS, 
 						null);
 		
 			//build GUI component
@@ -100,17 +100,17 @@ public class GUILayoutBuilderServlet extends AbstractController {
 			IRequest pendingReq = extractPendingRequest(req);
 		
 			//initialize GUI builder configuration
-			ServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+			SPSpecificGUIBuilderConfigurationWithDBLoad config = null;
 			if (pendingReq != null) 
-				config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+				config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
 						pendingReq, 
-						ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS, 
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS, 
 						GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
 			
 			else
-				config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+				config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
 						HTTPUtils.extractAuthURLFromRequest(req), 
-						ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS, 
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS, 
 						GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
 		
 			//build GUI component
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
index bedc67513..466364adb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
@@ -57,8 +57,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
 		String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId);											
 		if (MiscUtil.isEmpty(uniqueSessionIdentifier))
 			uniqueSessionIdentifier = Random.nextRandom();
-		TransactionIDUtils.setSessionId(uniqueSessionIdentifier);
 		
+		TransactionIDUtils.setSessionId(uniqueSessionIdentifier);		
 		request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier);
 		
 		return true; 
@@ -79,8 +79,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
 	@Override
 	public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
 			throws Exception {
-		// TODO Auto-generated method stub
-
+		TransactionIDUtils.removeAllLoggingVariables();
+		
 	}
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
index 1c6fdcb65..4820b6fdc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
@@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.data;
 
 import java.io.Serializable;
 
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+
 /**
  * @author tlenz
  *
@@ -34,13 +36,21 @@ public class ExceptionContainer implements Serializable {
 	private Throwable exceptionThrown = null;
 	private String uniqueSessionID = null;
 	private String uniqueTransactionID = null;
+	private String uniqueServiceProviderId = null;
 	
 	/**
 	 * 
 	 */
-	public ExceptionContainer(String uniqueSessionID, String uniqueTransactionID, Throwable exception) {
-		this.uniqueSessionID = uniqueSessionID;
-		this.uniqueTransactionID = uniqueTransactionID;
+	public ExceptionContainer(IRequest pendingReq, Throwable exception) {
+		if (pendingReq != null) {
+			this.uniqueSessionID = pendingReq.getUniqueSessionIdentifier();
+			this.uniqueTransactionID = pendingReq.getUniqueTransactionIdentifier();
+		
+			if (pendingReq.getOnlineApplicationConfiguration() != null)
+				this.uniqueServiceProviderId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();
+			
+		}
+		
 		this.exceptionThrown = exception;		
 	}
 	
@@ -62,6 +72,14 @@ public class ExceptionContainer implements Serializable {
 	public String getUniqueTransactionID() {
 		return uniqueTransactionID;
 	}
+
+	/**
+	 * @return the uniqueServiceProviderId
+	 */
+	public String getUniqueServiceProviderId() {
+		return uniqueServiceProviderId;
+	}
+	
 	
 	
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index ab0a1ec40..7c581d470 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -47,6 +47,7 @@ import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
@@ -202,6 +203,14 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	public AuthenticationSession doAuthentication(HttpServletRequest httpReq,
 			HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException {
 	
+		//load OA configuration from pending request
+		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
+				
+		//set logging context and log unique OA identifier to revision log 
+		TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
+		revisionsLogger.logEvent(oaParam, 
+				pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
+			
 		//generic authentication request validation 
 		if (pendingReq.isPassiv()
 				&& pendingReq.forceAuth()) {
@@ -236,12 +245,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq);
 		
 		// check if Service-Provider allows SSO sessions
-		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 		boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP();		
-		
-		revisionsLogger.logEvent(oaParam, 
-				pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
-		
+				
 		//if a legacy request is used SSO should not be allowed in case of mandate authentication
 		boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq);
 			
@@ -615,7 +620,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 					//send SLO response to SLO request issuer
 					SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
 					LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
-					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
 					
 				} else {
 					//print SLO information directly
@@ -651,7 +656,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			if (pvpReq != null) {
 				SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
 				LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
-				sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+				sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
 
 				revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
 				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
index eec48e0f3..90ccb3c27 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
@@ -52,9 +52,8 @@ public class RequestStorage implements IRequestStorage{
 			}
 					
 			//set transactionID and sessionID to Logger
-			TransactionIDUtils.setTransactionId(pendingRequest.getUniqueTransactionIdentifier());
-			TransactionIDUtils.setSessionId(pendingRequest.getUniqueSessionIdentifier());
-			
+			TransactionIDUtils.setAllLoggingVariables(pendingRequest);
+						
 			return pendingRequest;
 		
 		} catch (MOADatabaseException | NullPointerException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java
new file mode 100644
index 000000000..b05e60e94
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.opemsaml;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.transport.http.HTTPOutTransport;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
+
+import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAIDHTTPPostEncoder extends HTTPPostEncoder {
+
+	private VelocityEngine velocityEngine;
+	private IGUIBuilderConfiguration guiConfig;
+	private GUIFormBuilderImpl guiBuilder;
+	
+	/**
+	 * @param engine
+	 * @param templateId
+	 */
+	public MOAIDHTTPPostEncoder(IGUIBuilderConfiguration guiConfig, GUIFormBuilderImpl guiBuilder, VelocityEngine engine) {
+		super(engine, null);
+		this.velocityEngine = engine;
+		this.guiConfig = guiConfig;
+		this.guiBuilder = guiBuilder;
+		
+	}
+
+    /**
+     * Base64 and POST encodes the outbound message and writes it to the outbound transport.
+     * 
+     * @param messageContext current message context
+     * @param endpointURL endpoint URL to which to encode message
+     * 
+     * @throws MessageEncodingException thrown if there is a problem encoding the message
+     */
+    protected void postEncode(SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException {
+        Logger.debug("Invoking Velocity template to create POST body");
+        InputStream is = null;
+        try {        	
+        	//build Velocity Context from GUI input paramters
+			VelocityContext context = guiBuilder.generateVelocityContextFromConfiguration(guiConfig);
+        	
+			//load template
+			is = guiBuilder.getTemplateInputStream(guiConfig);
+						
+			//populate velocity context with SAML2 parameters
+            populateVelocityContext(context, messageContext, endpointURL);
+
+            //populate transport parameter
+            HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport();
+            HTTPTransportUtils.addNoCacheHeaders(outTransport);
+            HTTPTransportUtils.setUTF8Encoding(outTransport);
+            HTTPTransportUtils.setContentType(outTransport, "text/html");
+
+            //evaluate template and write content to response
+            Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8");                        
+            velocityEngine.evaluate(context, out, "SAML2_POST_BINDING", new BufferedReader(new InputStreamReader(is)));            
+            out.flush();
+            
+        } catch (Exception e) {
+            Logger.error("Error invoking Velocity template", e);
+            throw new MessageEncodingException("Error creating output document", e);
+            
+        } finally {
+			if (is != null) {
+				try {
+					is.close();
+					
+				} catch (IOException e) {
+					Logger.error("Can NOT close GUI-Template InputStream.", e);
+				}
+			}
+        	
+		}
+    }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 365a31fe1..643e30ac9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
@@ -79,6 +80,7 @@ public class AttributQueryAction implements IAction {
 	@Autowired private IDPCredentialProvider pvpCredentials;
 	@Autowired private AuthConfiguration authConfig;
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+	@Autowired(required=true) ApplicationContext springContext;
 	
 	private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(
 			new String[]{PVPConstants.EID_STORK_TOKEN_NAME});	
@@ -141,9 +143,9 @@ public class AttributQueryAction implements IAction {
 						metadataProvider, issuerEntityID, attrQuery, date, 
 						assertion, authConfig.isPVP2AssertionEncryptionActive());
 									
-				SoapBinding decoder = new SoapBinding();				
+				SoapBinding decoder = springContext.getBean("PVPSOAPBinding", SoapBinding.class);
 				decoder.encodeRespone(httpReq, httpResp, authResponse, null, null,
-						pvpCredentials.getIDPAssertionSigningCredential());
+						pvpCredentials.getIDPAssertionSigningCredential(), pendingReq);
 				return null;
 				
 			} catch (MessageEncodingException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
index aac49844e..9d60ae4b2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
@@ -35,6 +35,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -62,6 +63,7 @@ public class AuthenticationAction implements IAction {
 	@Autowired IDPCredentialProvider pvpCredentials;
 	@Autowired AuthConfiguration authConfig;
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+	@Autowired(required=true) ApplicationContext springContext;
 	
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
 			HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
@@ -102,11 +104,11 @@ public class AuthenticationAction implements IAction {
 
 		if (consumerService.getBinding().equals(
 				SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
-			binding = new RedirectBinding();
+			binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
 						
 		} else if (consumerService.getBinding().equals(
 				SAMLConstants.SAML2_POST_BINDING_URI)) {
-			binding = new PostBinding();
+			binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
 			
 		}
 
@@ -117,7 +119,7 @@ public class AuthenticationAction implements IAction {
 		try {
 			binding.encodeRespone(httpReq, httpResp, authResponse, 
 					consumerService.getLocation(), moaRequest.getRelayState(),
-					pvpCredentials.getIDPAssertionSigningCredential());
+					pvpCredentials.getIDPAssertionSigningCredential(), req);
 
 			//set protocol type
 			sloInformation.setProtocolType(req.requestedModule());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index a7a249eed..216d7a8b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -444,13 +444,13 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {
 		IEncoder encoder = null;
 		
 		if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {			
-			encoder = new RedirectBinding();
+			encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
 						
 		} else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI))  {
-			encoder = new PostBinding();
+			encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
 			
 		} else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))  {
-			encoder = new SoapBinding();
+			encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
 		}
 
 		if(encoder == null) {
@@ -465,7 +465,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {
 		X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential();
 		
 		encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(), 
-				relayState, signCred);
+				relayState, signCred, protocolRequest);
 		return true;
 	}
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index ff703d585..f709da213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -111,7 +111,7 @@ public class SingleLogOutAction implements IAction {
 					//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
 					LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
 					Logger.info("Sending SLO success message to requester ...");
-					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());						
+					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq);						
 					return null;
 
 				} else {						
@@ -127,7 +127,7 @@ public class SingleLogOutAction implements IAction {
 						//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
 						LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
 						Logger.info("Sending SLO success message to requester ...");
-						sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+						sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq);
 						return null;
 
 					}						
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
index 3b2fb3687..ccbef6e6c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
@@ -31,6 +31,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
 
+import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
 
 public interface IEncoder {
@@ -43,12 +44,13 @@ public interface IEncoder {
 	 * @param targetLocation URL, where the request should be transmit
 	 * @param relayState token for session handling
 	 * @param credentials Credential to sign the request object
+	 * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null
 	 * @throws MessageEncodingException
 	 * @throws SecurityException
 	 * @throws PVP2Exception
 	 */
 	public void encodeRequest(HttpServletRequest req, 
-			HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials) 
+			HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) 
 					throws MessageEncodingException, SecurityException, PVP2Exception;
 	
 	/**
@@ -59,10 +61,11 @@ public interface IEncoder {
 	 * @param targetLocation URL, where the request should be transmit
 	 * @param relayState token for session handling
 	 * @param credentials Credential to sign the response object
+	 * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null
 	 * @throws MessageEncodingException
 	 * @throws SecurityException
 	 */
 	public void encodeRespone(HttpServletRequest req, 
-			HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials) 
+			HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) 
 					throws MessageEncodingException, SecurityException, PVP2Exception;
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 9977e607b..c7688c14b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -25,13 +25,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.velocity.app.VelocityEngine;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.binding.decoding.URIComparator;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
-import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.StatusResponseType;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -49,8 +47,17 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
 import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
 
+import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad;
 import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.opemsaml.MOAIDHTTPPostEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
@@ -62,10 +69,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
+@Service("PVPPOSTBinding")
 public class PostBinding implements IDecoder, IEncoder {
+	
+	@Autowired(required=true) AuthConfiguration authConfig;
+	@Autowired(required=true) GUIFormBuilderImpl guiBuilder;
 		
 	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
-			RequestAbstractType request, String targetLocation, String relayState, Credential credentials)	
+			RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)	
 			throws MessageEncodingException, SecurityException {
 	
 		try {
@@ -75,9 +86,18 @@ public class PostBinding implements IDecoder, IEncoder {
 			//load default PVP security configurations
 			MOADefaultBootstrap.initializeDefaultPVPConfiguration();
 			
-			VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
-			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
-					"resources/templates/pvp_postbinding_template.html");
+			//initialize POST binding encoder with template decoration
+			IGUIBuilderConfiguration guiConfig = 
+					new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+							pendingReq, 
+							"pvp_postbinding_template.html", 
+							MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, 
+							null, 
+							authConfig.getRootConfigFileDir());								
+			MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder,
+					VelocityProvider.getClassPathVelocityEngine());	
+			
+			//set OpenSAML2 process parameter into binding context dao
 			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
 					resp, true);
 			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
@@ -103,22 +123,27 @@ public class PostBinding implements IDecoder, IEncoder {
 	}
 
 	public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
-			StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+			StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
 			throws MessageEncodingException, SecurityException {
 
 		try {
-//			X509Credential credentials = credentialProvider
-//					.getIDPAssertionSigningCredential();
-
 			//load default PVP security configurations
 			MOADefaultBootstrap.initializeDefaultPVPConfiguration();
 			
 			Logger.debug("create SAML POSTBinding response");
 			
-			 VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
-
-			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
-					"resources/templates/pvp_postbinding_template.html");
+			//initialize POST binding encoder with template decoration
+			IGUIBuilderConfiguration guiConfig = 
+					new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+							pendingReq, 
+							"pvp_postbinding_template.html", 
+							MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, 
+							null, 
+							authConfig.getRootConfigFileDir());								
+			MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder,
+					VelocityProvider.getClassPathVelocityEngine());	
+			
+			//set OpenSAML2 process parameter into binding context dao			
 			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
 					resp, true);
 			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 279038967..4f44a6202 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -50,7 +50,9 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
 import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
+import org.springframework.stereotype.Service;
 
+import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
@@ -62,10 +64,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
+@Service("PVPRedirectBinding")
 public class RedirectBinding implements IDecoder, IEncoder {
 	
 	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
-			RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+			RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
 			throws MessageEncodingException, SecurityException {
 		
 //		try {
@@ -100,7 +103,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
 
 	public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
 			StatusResponseType response, String targetLocation, String relayState, 
-			Credential credentials) throws MessageEncodingException, SecurityException {
+			Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException {
 //		try {
 //			X509Credential credentials = credentialProvider
 //					.getIDPAssertionSigningCredential();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 94d91694a..552b64ac6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -48,7 +48,9 @@ import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.signature.SignableXMLObject;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
 
+import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
@@ -60,6 +62,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
+@Service("PVPSOAPBinding")
 public class SoapBinding implements IDecoder, IEncoder {
 
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
@@ -136,13 +139,13 @@ public class SoapBinding implements IDecoder, IEncoder {
 	}
 
 	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
-			RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+			RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
 			throws MessageEncodingException, SecurityException, PVP2Exception {
 		
 	}
 
 	public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
-			StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+			StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
 			throws MessageEncodingException, SecurityException, PVP2Exception {
 //		try {
 //			Credential credentials = credentialProvider
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
index 01ef4a43d..f29418853 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
@@ -44,6 +44,8 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -64,6 +66,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Service("PVPAuthnRequestBuilder")
 public class PVPAuthnRequestBuilder {
 	
+	@Autowired(required=true) ApplicationContext springContext;
 	
 	/**
 	 * Build a PVP2.x specific authentication request
@@ -202,17 +205,17 @@ public class PVPAuthnRequestBuilder {
 		IEncoder binding = null;
 		if (endpoint.getBinding().equals(
 				SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
-			binding = new RedirectBinding();
+			binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
 														
 		} else if (endpoint.getBinding().equals(
 				SAMLConstants.SAML2_POST_BINDING_URI)) {
-			binding = new PostBinding();
+			binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
 			
 		}
 		
 		//encode message
 		binding.encodeRequest(null, httpResp, authReq, 
-				endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential());
+				endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential(), pendingReq);
 	}
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index de59e6055..4fef52aec 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -59,6 +59,7 @@ import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.SignatureConstants;
 import org.opensaml.xml.signature.Signer;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.Document;
 
@@ -95,7 +96,9 @@ import at.gv.egovernment.moa.logging.Logger;
 public class SingleLogOutBuilder {
 
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+	@Autowired(required=true) ApplicationContext springContext;
 	@Autowired private IDPCredentialProvider credentialProvider;
+	
 		
 	public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {
 		Status status = logOutResp.getStatus();				
@@ -185,15 +188,15 @@ public class SingleLogOutBuilder {
 	
 	public void sendFrontChannelSLOMessage(SingleLogoutService consumerService, 
 			LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp, 
-			String relayState) throws MOAIDException {
+			String relayState, PVPTargetConfiguration pvpReq) throws MOAIDException {
 		IEncoder binding = null;
 		if (consumerService.getBinding().equals(
 				SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
-			binding = new RedirectBinding();
+			binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
 						
 		} else if (consumerService.getBinding().equals(
 				SAMLConstants.SAML2_POST_BINDING_URI)) {
-			binding = new PostBinding();
+			binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
 			
 		}
 
@@ -204,7 +207,7 @@ public class SingleLogOutBuilder {
 		try {
 			binding.encodeRespone(req, resp, sloResp, 
 					consumerService.getLocation(), relayState, 
-					credentialProvider.getIDPAssertionSigningCredential());
+					credentialProvider.getIDPAssertionSigningCredential(), pvpReq);
 			
 		} catch (MessageEncodingException e) {
 			Logger.error("Message Encoding exception", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 2ded32bac..d05d180e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -55,6 +55,12 @@ public class EntityVerifier {
 		try {
 			IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
 		
+			if (oa == null) {
+				Logger.debug("No OnlineApplication with EntityID: " + entityID);
+				return null;
+				
+			}
+			
 			String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
 			if (MiscUtil.isNotEmpty(certBase64)) {
 				return Base64Utils.decode(certBase64, false);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
index f37ae0b0b..d30ce4924 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
@@ -44,9 +44,9 @@ import iaik.security.ec.common.ECParameterSpec;
 import iaik.security.ec.common.ECPublicKey;
 import iaik.security.ec.common.ECStandardizedParameterFactory;
 import iaik.security.ec.common.EllipticCurve;
+import iaik.security.ec.math.field.AbstractPrimeField;
 import iaik.security.ec.math.field.Field;
 import iaik.security.ec.math.field.FieldElement;
-import iaik.security.ec.math.field.PrimeField;
 
 public class ECDSAKeyValueConverter
 { 
@@ -221,7 +221,7 @@ public class ECDSAKeyValueConverter
 
 //    Value xValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyXStr, 10));
 //    publicKeyPointX = field.newElement(xValue);
-    PrimeField pf = (PrimeField) field;
+    AbstractPrimeField pf = (AbstractPrimeField) field;
     publicKeyPointX = pf.newElement(new BigInteger(publicKeyXStr, 10));
 //    Value yValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyYStr, 10));
 //    publicKeyPointY = field.newElement(yValue);
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html
deleted file mode 100644
index f5bca7f1f..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html
+++ /dev/null
@@ -1,193 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">

-<html>

-<head>

-<BASE href="<BASE_href>">

-	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

-		<title>Berufsm&auml;&szlig;ige Parteieinvertretung</title>

-</head>

-<body>

-	Berufsm&auml;&szlig;ige Parteienvertretung einer

-	nat&uuml;rlichen/juristischen Person

-	<form name="ProcessInputForm" method="post" accept-charset="UTF-8"

-		enctype="application/x-www-form-urlencoded" action="<BKU>">

-		<table width="80%" border="0">

-			<tr />

-			<tr />

-			<tr>

-				<td colspan="3"><em>Vertreter:</em></td>

-			</tr>

-			<tr>

-				<td align="right" width="20%">Vorname&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-					src="img/stern.gif" width="10" height="16" /></td>

-				<td><input name="rpgivenname_" type="text" disabled="true"

-					id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />

-				</td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Name&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-					src="img/stern.gif" width="10" height="16" /></td>

-				<td><input name="rpfamilyname_" type="text" disabled="true"

-					id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />

-				</td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Geburtsdatum&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-					src="img/stern.gif" width="10" height="16" /></td>

-				<td><input name="rpdobyear_" type="text" disabled="true"

-					id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"

-					readonly="true" /> - <input name="rpdobmonth_" type="text"

-					disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"

-					maxlength="2" readonly="true" /> - <input name="rpdobday_"

-					type="text" disabled="true" id="rpdobday" value="<rpdobday>"

-					size="2" maxlength="2" readonly="true" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td colspan="2"><br /> <em>Ich bin berufsm&auml;&szlig;ig

-						berechtigt f&uuml;r die nachfolgend genannte Person in deren Namen

-						mit der B&uuml;rgerkarte einzuschreiten.</em></td>

-				<td>&nbsp;</td>

-			</tr>

-			<tr>

-				<td colspan="3"><br /> <em>Vertretene Person:</em></td>

-			</tr>

-			<tr>

-				<td colspan="3"><input name="physical_" type="radio"

-					physdisabled="" value="true" physselected="" />&nbsp;nat&uuml;rliche

-					Person:&nbsp;</td>

-			</tr>

-			<tr>

-				<td align="right">Vorname&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-					src="img/stern.gif" width="10" height="16" /></td>

-				<td><input name="givenname_" type="text" id="givenname"

-					value="<givenname>" physdisabled="" size="50" />&nbsp;<img

-					src="img/info.gif" title="Vorname laut ZMR Schreibweise" alt="Info"

-					border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Name&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-					src="img/stern.gif" width="10" height="16" /></td>

-				<td><input name="familyname_" type="text" id="familyname"

-					value="<familyname>" physdisabled="" size="50" />&nbsp;<img

-					src="img/info.gif" title="Familienname laut ZMR Schreibweise"

-					alt="Info" border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Geburtsdatum&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-					src="img/stern.gif" width="10" height="16" /></td>

-				<td><input name="dobyear_" type="text" id="dobyear" size="4"

-					maxlength="4" value="<dobyear>" physdisabled="" /> - <input

-					name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"

-					value="<dobmonth>" physdisabled="" /> - <input name="dobday_"

-					type="text" id="dobday" size="2" maxlength="2" value="<dobday>"

-					physdisabled="" />&nbsp;<img src="img/info.gif"

-					title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="center"><em>optional:</em></td>

-				<td colspan="2" />

-			</tr>

-			<tr>

-				<td align="right">Stra&szlig;e&nbsp;</td>

-				<td><input name="streetname_" type="text" id="streetname"

-					value="<streetname>" physdisabled="" size="50" />&nbsp;<img

-					src="img/info.gif" title="Stra&szlig;e laut ZMR Schreibweise"

-					border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Hausnummer&nbsp;</td>

-				<td><input name="buildingnumber_" type="text"

-					id="buildingnumber" value="<buildingnumber>" physdisabled=""

-					size="50" />&nbsp;<img src="img/info.gif"

-					title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Einh. Nr.&nbsp;</td>

-				<td><input name="unit_" type="text" id="unit" value="<unit>"

-					size="50" physdisabled="" />&nbsp;<img src="img/info.gif"

-					title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"

-					border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Postleitzahl&nbsp;</td>

-				<td><input name="postalcode_" type="text" id="postalcode"

-					value="<postalcode>" size="50" physdisabled="" />&nbsp;<img

-					src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"

-					alt="Info" border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right">Gemeinde&nbsp;</td>

-				<td><input name="municipality_" type="text" id="municipality"

-					value="<municipality>" size="50" physdisabled="" />&nbsp;<img

-					src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"

-					alt="Info" border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td colspan="3">&nbsp;</td>

-			</tr>

-			<tr>

-				<td colspan="3"><input name="physical_" type="radio"

-					cbdisabled="" value="false" cbselected=""/ >&nbsp;juristische

-						Person:&nbsp;</td>

-			</tr>

-			<tr>

-				<td align="right">Name&nbsp;<img

-					title=" Dieses Feld muss ausgef&uuml;llt sein!" src="img/stern.gif"

-					alt="Stern" width="10" height="16" /></td>

-				<td><input name="fullname_" type="text" cbdisabled=""

-					id="fullname" value="<fullname>" size="50" />&nbsp;<img

-					src="img/info.gif"

-					title="Name der Organisation laut ZMR Schreibweise" alt="Info"

-					border="0" /></td>

-				<td></td>

-			</tr>

-			<tr>

-				<td align="right" nowrap="nowrap"><select

-					name="cbidentificationtype_" size="1" cbseldisabled="">

-						<option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>

-						<option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>

-						<option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im

-							Erg&auml;nzungsreg.</option>

-				</select>&nbsp;<img title=" Dieses Feld muss ausgef&uuml;llt sein!"

-					src="img/stern.gif" alt="Stern" width="10" height="16" /></td>

-				<td><input name="cbidentificationvalue_" type="text"

-					cbdisabled="" id="cbidentificationvalue"

-					value="<cbidentificationvalue>" size="50" />&nbsp;<img

-					src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"

-					alt="Info" border="0" /></td>

-				<td></td>

-			</tr>

-		</table>

-		<br />

-		<errortext>

-		<p>

-			<em>Bitte halten Sie Ihre B&uuml;rgerkartenumgebung bereit.</em>

-		</p>

-		<p>

-			<input name="XMLRequest" type="hidden"

-				value="&lt;?xml version='1.0' encoding='UTF-8'?>&lt;NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />

-			<input name="DataURL" type="hidden" value="<DataURL>" /> <input

-				type="submit" name="Submit" value="      Weiter      " /> <input

-				name="Clear" type="reset" id="Clear"

-				value="Formular zur&uuml;cksetzen" />

-		</p>

-		<br />

-	</form>

-</body>

-</html>

diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html
deleted file mode 100644
index cffc46981..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html
+++ /dev/null
@@ -1,235 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">

-

-<html>

-<head>

-<BASE href="<BASE_href>">

-	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

-		<title>Berufsm&auml;&szlig;ige Parteieinvertretung</title>

-		<link href="css/styles.css" type="text/css" rel="stylesheet">

-			<link href="css/styles_opera.css" type="text/css" rel="stylesheet">

-				<link href="css/mandates.css" type="text/css" rel="stylesheet">

-

-					<script src="formallg.js" type="text/javascript"></script>

-					<script src="fa.js" type="text/javascript"></script>

-</head>

-<body>

-

-

-	<div class="hleft">

-		<!--Stammzahlenregisterbehörde<br/>-->

-		&nbsp;

-		<!--Ballhausplatz 2<br/>-->

-		<!--1014 Wien-->

-	</div>

-	<div class="hright" align="right">

-		<img src="img/egov_schrift.gif" alt="E-Gov Logo" />

-	</div>

-	<div class="htitle" align="left">

-		<h1>Berufsm&auml;&szlig;ige Parteienvertretung</h1>

-	</div>

-	<div class="leiste1" align="center">Bitte beachten Sie</div>

-	<div class="leiste2" align="center"></div>

-	<div class="leiste3">

-		<img title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"

-			src="img/stern.gif" width="10" height="16" />&nbsp; Feld muss

-		ausgef&uuml;llt sein

-	</div>

-	<div class="leiste3">

-		<img title=" Hilfe zum Ausfüllen " alt="Info" src="img/info.gif"

-			width="10" height="16" />&nbsp; Ausf&uuml;llhilfe

-	</div>

-	<div class="leiste3">

-		<img title=" Angabe bitte ergänzen oder richtig stellen! "

-			alt="Rufezeichen" src="img/rufezeichen.gif" width="10" height="16" />&nbsp;

-		Fehlerhinweis

-	</div>

-	<div style="clear: both">&nbsp;</div>

-

-	<h2>Berufsm&auml;&szlig;ige Parteienvertretung einer

-		nat&uuml;rlichen/juristischen Person</h2>

-	<div class="boundingbox">

-		<form name="ProcessInputForm" method="post" accept-charset="UTF-8"

-			enctype="application/x-www-form-urlencoded" action="<BKU>">

-			<table width="80%" border="0">

-				<tr />

-				<tr />

-				<tr>

-					<td colspan="3"><em>Vertreter:</em></td>

-				</tr>

-				<tr>

-					<td align="right" width="20%">Vorname&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-						src="img/stern.gif" width="10" height="16" /></td>

-					<td><input name="rpgivenname_" type="text" disabled="true"

-						id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />

-					</td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Name&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-						src="img/stern.gif" width="10" height="16" /></td>

-					<td><input name="rpfamilyname_" type="text" disabled="true"

-						id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />

-					</td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Geburtsdatum&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-						src="img/stern.gif" width="10" height="16" /></td>

-					<td><input name="rpdobyear_" type="text" disabled="true"

-						id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"

-						readonly="true" /> - <input name="rpdobmonth_" type="text"

-						disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"

-						maxlength="2" readonly="true" /> - <input name="rpdobday_"

-						type="text" disabled="true" id="rpdobday" value="<rpdobday>"

-						size="2" maxlength="2" readonly="true" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td colspan="2"><br /> <em>Ich bin berufsm&auml;&szlig;ig

-							berechtigt f&uuml;r die nachfolgend genannte Person in deren

-							Namen mit der B&uuml;rgerkarte einzuschreiten.</em></td>

-					<td>&nbsp;</td>

-				</tr>

-				<tr>

-					<td colspan="3"><br /> <em>Vertretene Person:</em></td>

-				</tr>

-				<tr>

-					<td colspan="3"><input name="physical_" type="radio"

-						physdisabled="" value="true" physselected="" />&nbsp;nat&uuml;rliche

-						Person:&nbsp;</td>

-				</tr>

-				<tr>

-					<td align="right">Vorname&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-						src="img/stern.gif" width="10" height="16" /></td>

-					<td><input name="givenname_" type="text" id="givenname"

-						value="<givenname>" physdisabled="" size="50" />&nbsp;<img

-						src="img/info.gif" title="Vorname laut ZMR Schreibweise"

-						alt="Info" border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Name&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-						src="img/stern.gif" width="10" height="16" /></td>

-					<td><input name="familyname_" type="text" id="familyname"

-						value="<familyname>" physdisabled="" size="50" />&nbsp;<img

-						src="img/info.gif" title="Familienname laut ZMR Schreibweise"

-						alt="Info" border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Geburtsdatum&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"

-						src="img/stern.gif" width="10" height="16" /></td>

-					<td><input name="dobyear_" type="text" id="dobyear" size="4"

-						maxlength="4" value="<dobyear>" physdisabled="" /> - <input

-						name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"

-						value="<dobmonth>" physdisabled="" /> - <input name="dobday_"

-						type="text" id="dobday" size="2" maxlength="2" value="<dobday>"

-						physdisabled="" />&nbsp;<img src="img/info.gif"

-						title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="center"><em>optional:</em></td>

-					<td colspan="2" />

-				</tr>

-				<tr>

-					<td align="right">Stra&szlig;e&nbsp;</td>

-					<td><input name="streetname_" type="text" id="streetname"

-						value="<streetname>" physdisabled="" size="50" />&nbsp;<img

-						src="img/info.gif" title="Stra&szlig;e laut ZMR Schreibweise"

-						border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Hausnummer&nbsp;</td>

-					<td><input name="buildingnumber_" type="text"

-						id="buildingnumber" value="<buildingnumber>" physdisabled=""

-						size="50" />&nbsp;<img src="img/info.gif"

-						title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" />

-					</td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Einh. Nr.&nbsp;</td>

-					<td><input name="unit_" type="text" id="unit" value="<unit>"

-						size="50" physdisabled="" />&nbsp;<img src="img/info.gif"

-						title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"

-						border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Postleitzahl&nbsp;</td>

-					<td><input name="postalcode_" type="text" id="postalcode"

-						value="<postalcode>" size="50" physdisabled="" />&nbsp;<img

-						src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"

-						alt="Info" border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right">Gemeinde&nbsp;</td>

-					<td><input name="municipality_" type="text" id="municipality"

-						value="<municipality>" size="50" physdisabled="" />&nbsp;<img

-						src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"

-						alt="Info" border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td colspan="3">&nbsp;</td>

-				</tr>

-				<tr>

-					<td colspan="3"><input name="physical_" type="radio"

-						cbdisabled="" value="false" cbselected=""/ >&nbsp;juristische

-							Person:&nbsp;</td>

-				</tr>

-				<tr>

-					<td align="right">Name&nbsp;<img

-						title=" Dieses Feld muss ausgef&uuml;llt sein!"

-						src="img/stern.gif" alt="Stern" width="10" height="16" /></td>

-					<td><input name="fullname_" type="text" cbdisabled=""

-						id="fullname" value="<fullname>" size="50" />&nbsp;<img

-						src="img/info.gif"

-						title="Name der Organisation laut ZMR Schreibweise" alt="Info"

-						border="0" /></td>

-					<td></td>

-				</tr>

-				<tr>

-					<td align="right" nowrap="nowrap"><select

-						name="cbidentificationtype_" size="1" cbseldisabled="">

-							<option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>

-							<option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>

-							<option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im

-								Erg&auml;nzungsreg.</option>

-					</select>&nbsp;<img title=" Dieses Feld muss ausgef&uuml;llt sein!"

-						src="img/stern.gif" alt="Stern" width="10" height="16" /></td>

-					<td><input name="cbidentificationvalue_" type="text"

-						cbdisabled="" id="cbidentificationvalue"

-						value="<cbidentificationvalue>" size="50" />&nbsp;<img

-						src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"

-						alt="Info" border="0" /></td>

-					<td></td>

-				</tr>

-			</table>

-			<br />

-			<errortext>

-			<p>

-				<em>Bitte halten Sie Ihre B&uuml;rgerkartenumgebung bereit.</em>

-			</p>

-			<p>

-				<input name="XMLRequest" type="hidden"

-					value="&lt;?xml version='1.0' encoding='UTF-8'?>&lt;NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />

-				<input name="DataURL" type="hidden" value="<DataURL>" /> <input

-					type="submit" name="Submit" value="      Weiter      " /> <input

-					name="Clear" type="reset" id="Clear"

-					value="Formular zur&uuml;cksetzen" />

-			</p>

-			<br />

-		</form>

-	</div>

-</body>

-</html>

diff --git a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html b/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html
deleted file mode 100644
index f47ee53ff..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html
+++ /dev/null
@@ -1,16 +0,0 @@
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
-    <body>
-        <form action="${action}" method="post" target="_parent">
-            <div>
-                <input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>
-            </div>
-            <p>Please indicate the gender of the represented.</p>
-            <div>
-                <input type="submit" name="gender" value="M"/>
-                <input type="submit" name="gender" value="F"/>
-            </div>
-        </form>
-        
-    </body>
-</html>
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm b/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm
deleted file mode 100644
index 7fcc1bb36..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm
+++ /dev/null
@@ -1,36 +0,0 @@
-##
-## Velocity Template for OASIS WEBFORM BINDING
-##
-## Velocity context may contain the following properties
-## action - String - the action URL for the form
-## signresponse - String - the Base64 encoded SAML Request
-## verifyresponse - String - the Base64 encoded SAML Response
-## clienturl - String - URL where the USer gets redirected after the signature process
-
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
-    <body onload="document.forms[0].submit()">
-        <noscript>
-            <p>
-                <strong>Note:</strong> Since your browser does not support JavaScript,
-                you must press the Continue button once to proceed.
-            </p>
-        </noscript>
-        
-        <form action="${action}" method="post">
-            <div>
-                #if($signrequest)<input type="hidden" name="signrequest" value="${signrequest}"/>#end
-                
-                #if($verifyrequest)<input type="hidden" name="verifyrequest" value="${verifyrequest}"/>#end
-                #if($clienturl)<input type="hidden" name="clienturl" value="${clienturl}"/>#end
-                
-            </div>
-            <noscript>
-                <div>
-                    <input type="submit" value="Continue"/>
-                </div>
-            </noscript>
-        </form>
-        
-    </body>
-</html>
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html
new file mode 100644
index 000000000..45c183215
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html
@@ -0,0 +1,46 @@
+## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity
+##context may contain the following properties ## action - String - the
+##action URL for the form ## RelayState - String - the relay state for the
+##message ## SAMLRequest - String - the Base64 encoded SAML Request ##
+##SAMLResponse - String - the Base64 encoded SAML Response
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+
+<body onload="document.forms[0].submit()">
+	<noscript>
+		<p>
+			<strong>Note:</strong> Since your browser does not support
+			JavaScript, you must press the Continue button once to proceed.
+		</p>
+	</noscript>
+
+
+	<div id="alert">Your login is being processed. Thank you for
+		waiting.</div>
+
+	<style type="text/css">
+<!--
+#alert {
+	margin: 100px 250px;
+	font-family: Verdana, Arial, Helvetica, sans-serif;
+	font-size: 14px;
+	font-weight: normal;
+}
+-->
+</style>
+
+	<form action="${action}" method="post" target="_parent">
+		<div>
+			#if($RelayState)   <input type="hidden" name="RelayState" value="${RelayState}"/>     #end 
+			#if($SAMLRequest)  <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" />  #end
+			#if($SAMLResponse) <input type="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
+		</div>
+		<noscript>
+			<div>
+				<input type="submit" value="Continue" />
+			</div>
+		</noscript>
+	</form>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index b16941f51..d8d3dbeee 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -171,8 +171,10 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   
   public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$";
   
+  //MDC variables for logging
   public static final String MDC_TRANSACTION_ID = "transactionId";
   public static final String MDC_SESSION_ID = "sessionId";
+  public static final String MDC_SERVICEPROVIDER_ID = "oaId";
   
   //AuthnRequest IssueInstant validation
   public static final int TIME_JITTER = 5;  //all 5 minutes time jitter 
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index 971e401ca..bba6d0541 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -43,6 +43,7 @@ public interface IOAAuthParameters {
 	public static final String LOCALBKU = "local";
 	public static final String INDERFEDERATEDIDP = "interfederated";
 	public static final String EIDAS = "eIDAS";
+	public static final String AUTHTYPE_OTHERS = "others";
 
 	/**
 	 * Get the full key/value configuration for this online application
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
index b8284c8f9..5091195d8 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
@@ -143,7 +143,9 @@ public class ConfigurationMigrationUtils {
 			if (MiscUtil.isNotEmpty(oa.getEventCodes())) {
 				result.put(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_EVENTCODES, oa.getEventCodes());
 			}
-			
+						
+			result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, oa.getMandateServiceSelectionTemplateURL());
+			result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, oa.getSaml2PostBindingTemplateURL());
 			
 			//convert target
 			String target_full = oa.getTarget();
@@ -769,6 +771,9 @@ public class ConfigurationMigrationUtils {
 	        }
 
 	        dbOA.setSelectedSZRGWServiceURL(oa.get(MOAIDConfigurationConstants.SERVICE_EXTERNAL_SZRGW_SERVICE_URL));
+
+	        dbOA.setMandateServiceSelectionTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL));
+	        dbOA.setSaml2PostBindingTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL));
 	        
 	        if (Boolean.valueOf(oa.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE))) {
 	            dbOA.setType(MOA_CONFIG_BUSINESSSERVICE);
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
index 9fe90daa4..b72034002 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
@@ -105,6 +105,9 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
 	public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.hight";
 	public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.width";
 	
+	public static final String SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL = SERVICE_AUTH_TEMPLATES + ".saml2.postbinding.url";
+	public static final String SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL = SERVICE_AUTH_TEMPLATES + ".elga.mandateserviceselection.url";
+	
 	private static final String SERVICE_AUTH_TESTCREDENTIALS = AUTH + "." + TESTCREDENTIALS;
 	public static final String SERVICE_AUTH_TESTCREDENTIALS_ENABLED = SERVICE_AUTH_TESTCREDENTIALS + ".enabled"; 
 	public static final String SERVICE_AUTH_TESTCREDENTIALS_OIDs = SERVICE_AUTH_TESTCREDENTIALS + ".oids";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
index 4aee10bc1..196923ce6 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
@@ -109,10 +109,44 @@ public class OnlineApplication
     @XmlTransient
     protected String selectedSZRGWServiceURL = null;
     
+    @XmlTransient
+    protected String saml2PostBindingTemplateURL = null;
+    
+    @XmlTransient
+    protected String mandateServiceSelectionTemplateURL = null;
+    
     
     
     
     /**
+	 * @return the saml2PostBindingTemplateURL
+	 */
+	public String getSaml2PostBindingTemplateURL() {
+		return saml2PostBindingTemplateURL;
+	}
+
+	/**
+	 * @param saml2PostBindingTemplateURL the saml2PostBindingTemplateURL to set
+	 */
+	public void setSaml2PostBindingTemplateURL(String saml2PostBindingTemplateURL) {
+		this.saml2PostBindingTemplateURL = saml2PostBindingTemplateURL;
+	}
+
+	/**
+	 * @return the mandateServiceSelectionTemplateURL
+	 */
+	public String getMandateServiceSelectionTemplateURL() {
+		return mandateServiceSelectionTemplateURL;
+	}
+
+	/**
+	 * @param mandateServiceSelectionTemplateURL the mandateServiceSelectionTemplateURL to set
+	 */
+	public void setMandateServiceSelectionTemplateURL(String mandateServiceSelectionTemplateURL) {
+		this.mandateServiceSelectionTemplateURL = mandateServiceSelectionTemplateURL;
+	}
+
+	/**
 	 * @return the selectedSZRGWServiceURL
 	 */
 	public String getSelectedSZRGWServiceURL() {
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 109390132..abf2d211c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -49,7 +49,6 @@ package at.gv.egovernment.moa.id.commons.utils.ssl;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.Security;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -66,8 +65,6 @@ import at.gv.egovernment.moaspss.logging.LoggingContextManager;
 import iaik.pki.DefaultPKIConfiguration;
 import iaik.pki.PKIException;
 import iaik.pki.PKIFactory;
-//import iaik.pki.jsse.IAIKX509TrustManager;
-import iaik.security.provider.IAIK;
 
 
 /**
@@ -83,18 +80,18 @@ public class SSLUtils {
   /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/
   private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>();
 
-  /**
-   * Initializes the SSLSocketFactory store.
-   */
-  public static void initialize() {
-    sslSocketFactories = new HashMap<String, SSLSocketFactory>();
-    // JSSE Abhängigkeit
-    //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
-    Security.addProvider(new IAIK());
-    //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
-    
-    
-  }
+//  /**
+//   * Initializes the SSLSocketFactory store.
+//   */
+//  public static void initialize() {
+//    sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+//    // JSSE Abhängigkeit
+//    //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+//    Security.addProvider(new IAIK());
+//    //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
+//    
+//    
+//  }
 
   /**
    * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 129478270..2a4e3b362 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -394,6 +394,12 @@ public interface Constants {
   public static final String SAML2_METADATA_SCHEMA_LOCATION =
     SCHEMA_ROOT + "saml-schema-metadata-2.0.xsd";
   
+  
+  /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/
+  public static final String  SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
+  public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions";
+  public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd";
+  
   /**
    * Contains all namespaces and local schema locations for XML schema
    * definitions relevant for MOA. For use in validating XML parsers.
@@ -427,7 +433,8 @@ public interface Constants {
       + (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ")
       + (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ")
       + (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ")
-      + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION);
+      + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION)
+      + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
 
   /** URN prefix for bPK and wbPK. */
   public static final String URN_PREFIX = "urn:publicid:gv.at";
diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+	<xsd:element name="SPType" type="eidas:SPTypeType"/>
+	<xsd:simpleType name="SPTypeType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="public"/>
+			<xsd:enumeration value="private"/>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	<xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+	<xsd:complexType name="RequestedAttributesType">
+		<xsd:sequence>
+			<xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+	<xsd:complexType name="RequestedAttributeType">
+		<xsd:sequence>
+			<xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+		</xsd:sequence>
+		<xsd:attribute name="Name" type="xsd:string" use="required"/>
+		<xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+		<xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+		<xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+		<xsd:anyAttribute namespace="##other" processContents="lax" />
+	</xsd:complexType>
+	
+</xsd:schema>
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 63df81b3c..4bb4b0e27 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -39,7 +39,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
  * @author tlenz
  *
  */
-public class ServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
+public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
 
 	public static final String VIEW_BKUSELECTION = "loginFormFull.html";
 	public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html";	
@@ -53,7 +53,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
 	public static final String PARAM_OANAME = "OAName";
 	public static final String PARAM_COUNTRYLIST = "countryList";
 	
-	private IRequest pendingReq = null;
+	protected IRequest pendingReq = null;
 	
 	/**
 	 * @param authURL PublicURLPrefix of the IDP but never null
@@ -61,7 +61,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
 	 * @param formSubmitEndpoint EndPoint on which the form should be submitted, 
 	 * 			or null if the form must not submitted
 	 */
-	public ServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, 
+	public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, 
 			String formSubmitEndpoint) {
 		super(authURL, viewName, formSubmitEndpoint);
 		
@@ -73,7 +73,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
 	 * @param formSubmitEndpoint EndPoint on which the form should be submitted, 
 	 * 			or null if the form must not submitted
 	 */
-	public ServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, 
+	public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, 
 			String formSubmitEndpoint) {
 		super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint);
 		this.pendingReq = pendingReq;
@@ -97,10 +97,11 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
 			IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 			if (oaParam != null) {
 				params.put(PARAM_OANAME, oaParam.getFriendlyName());
-				
-				
+								
 				if (oaParam.isShowStorkLogin())
 					addCountrySelection(params, oaParam);
+				else
+					params.put(PARAM_COUNTRYLIST, "");
 				
 				FormBuildUtils.customiceLayoutBKUSelection(params, oaParam);
 								
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
index e8cd60afb..285c90163 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
@@ -78,24 +78,16 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
 		build(httpResp, config, getInternalContentType(config), loggerName);
 		
 	}
-	
-	
+		
 	@Override
 	public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, 
 			String contentType, String loggerName) throws GUIBuildException {
 		
 		InputStream is = null;
 		try {
-			String viewName = config.getViewName();
+			String viewName = config.getViewName();			
+			is = getTemplateInputStream(config);
 			
-			//load Tempate
-			 is = getInternalTemplate(config);
-			if (is == null) {
-				Logger.warn("No GUI with viewName:" + viewName + " FOUND.");
-				throw new GUIBuildException("No GUI with viewName:" + viewName + " FOUND.");
-			
-			}
-
 			//build Velocity Context from input paramters
 			VelocityContext context = buildContextFromViewParams(config.getViewParameters());
 
@@ -137,6 +129,35 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
 		
 	}
 
+	/**
+	 * Generate a new {@link VelocityContext} and populate it with MOA-ID GUI parameters
+	 * 
+	 * @param config
+	 * @return
+	 */
+	public VelocityContext generateVelocityContextFromConfiguration(IGUIBuilderConfiguration config) {
+		return buildContextFromViewParams(config.getViewParameters());
+		
+	}
+	
+	/**
+	 * Load the template from different resources
+	 * 
+	 * @param config
+	 * @return An {@link InputStream} but never null. The {@link InputStream} had to be closed be the invoking method
+	 * @throws GUIBuildException
+	 */
+	public InputStream getTemplateInputStream(IGUIBuilderConfiguration config) throws GUIBuildException {			
+		InputStream is = getInternalTemplate(config);
+		if (is == null) {
+			Logger.warn("No GUI with viewName:" + config.getViewName() + " FOUND.");
+			throw new GUIBuildException("No GUI with viewName:" + config.getViewName() + " FOUND.");
+		
+		}		
+		return is;
+		
+	}
+	
 	private String getInternalContentType(IGUIBuilderConfiguration config) {
 		if (MiscUtil.isEmpty(config.getDefaultContentType()))
 			return DEFAULT_CONTENT_TYPE;
@@ -167,7 +188,7 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
 										
 				} catch (Exception e) {
 					//load template from classpath as backup
-					Logger.info("GUI template:" + viewName + " is not found in configuration directory. "
+					Logger.debug("GUI template:" + viewName + " is not found in configuration directory. "
 							+ " Load template from project library ... ");					
 					try  {
 						pathLocation = getInternalClasspathTemplateDir(config) + viewName;
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
index 198220e97..8e8a63094 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
@@ -64,4 +64,5 @@ public interface IGUIFormBuilder {
 	 */
 	void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType,
 			String loggerName) throws GUIBuildException;
+		
 }
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
new file mode 100644
index 000000000..13d8d3bb7
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.frontend.builder;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration {
+		
+	/**
+	 * @param authURL PublicURLPrefix of the IDP but never null
+	 * @param viewName Name of the template (with suffix) but never null
+	 * @param formSubmitEndpoint EndPoint on which the form should be submitted, 
+	 * 			or null if the form must not submitted
+	 */
+	public SPSpecificGUIBuilderConfigurationWithDBLoad(String authURL, String viewName, 
+			String formSubmitEndpoint) {
+		super(authURL, viewName, formSubmitEndpoint);
+		
+	}
+	
+	/**
+	 * @param Current processed pending-request DAO but never null
+	 * @param viewName Name of the template (with suffix) but never null
+	 * @param formSubmitEndpoint EndPoint on which the form should be submitted, 
+	 * 			or null if the form must not submitted
+	 */
+	public SPSpecificGUIBuilderConfigurationWithDBLoad(IRequest pendingReq, String viewName, 
+			String formSubmitEndpoint) {
+		super(pendingReq, viewName, formSubmitEndpoint);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
+	 */
+	@Override
+	public InputStream getTemplate(String viewName) {		
+		if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) {
+			
+			byte[] oatemplate = null;			
+			if (VIEW_BKUSELECTION.equals(viewName))				
+				oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate();
+			
+			else if (VIEW_SENDASSERTION.equals(viewName))
+				oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate();
+			
+			// OA specific template requires a size of 8 bits minimum
+			if (oatemplate != null && oatemplate.length > 7)
+				return new ByteArrayInputStream(oatemplate);							
+		}
+		
+		return null;
+	}
+
+}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java
new file mode 100644
index 000000000..b5c50004b
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.frontend.builder;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SPSpecificGUIBuilderConfigurationWithFileSystemLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration {
+	
+	private String configKeyIdentifier = null;
+	private String configRootContextDir = null;
+	
+	/**
+	 * @param authURL PublicURLPrefix of the IDP but never null
+	 * @param viewName Name of the template (with suffix) but never null
+	 * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template 
+	 * @param formSubmitEndpoint EndPoint on which the form should be submitted 
+	 * @param configRootContextDir Path to MOA-ID-Auth configuration root directory 
+	 * 			or null if the form must not submitted
+	 */
+	public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(String authURL, String viewName, 
+			String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) {
+		super(authURL, viewName, formSubmitEndpoint);
+		this.configKeyIdentifier = configKeyIdentifier;
+		this.configRootContextDir = configRootContextDir;
+		
+	}
+	
+	/**
+	 * @param Current processed pending-request DAO but never null
+	 * @param viewName Name of the template (with suffix) but never null
+	 * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template 
+	 * @param formSubmitEndpoint EndPoint on which the form should be submitted 
+	 * @param configRootContextDir Path to MOA-ID-Auth configuration root directory 
+	 */
+	public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(IRequest pendingReq, String viewName, 
+			String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) {
+		super(pendingReq, viewName, formSubmitEndpoint);
+		this.configKeyIdentifier = configKeyIdentifier;
+		this.configRootContextDir = configRootContextDir;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
+	 */
+	@Override
+	public InputStream getTemplate(String viewName) {		
+		if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null && 
+				configKeyIdentifier != null) {
+			try {
+				String templateURL = pendingReq.getOnlineApplicationConfiguration().getConfigurationValue(configKeyIdentifier);
+				if (MiscUtil.isNotEmpty(templateURL)) {
+					String absURL = FileUtils.makeAbsoluteURL(templateURL, configRootContextDir);				
+					if (!absURL.startsWith("file:")) {
+						Logger.warn("GUI template are only loadable from filesystem! "
+								+ "(templateURL: " + absURL + ")");
+						return null;
+					}
+				
+					Logger.debug("Load template URL for view: " + viewName + " from: " + absURL);
+					URI uri = new URL(absURL).toURI();
+					return new FileInputStream(new File(uri));
+				
+				}									
+			} catch (FileNotFoundException | URISyntaxException | MalformedURLException e) {
+				Logger.warn("Template for view: " + viewName + " is NOT loadable!  -> Switch to default template", e);
+				
+			}
+		}
+		Logger.trace("NO ServiceProvider specific template for view: " + viewName + " available");		
+		return null;
+	}
+
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
index a09f0a2a8..602914229 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
@@ -46,10 +46,16 @@
 
 package at.gv.egovernment.moa.id.auth.parser;
 
+import java.io.IOException;
+
+import javax.xml.transform.TransformerException;
+
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.util.DOMUtils;
 
 /**
  * Parses an <code>&lt;ErrorResponse&gt;</code>.
@@ -84,15 +90,30 @@ public class ErrorResponseParser {
    */
   public ErrorResponseParser(Element errorElement) throws ParseException {
     if (errorElement != null) {
-      String namespace = errorElement.getNamespaceURI();
-      NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode");
-      if (nl.getLength() == 1) {
-        errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
-      }
-      nl = errorElement.getElementsByTagNameNS(namespace, "Info");
-      if (nl.getLength() == 1) {
-        errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
-      }
+    	try {
+    		String namespace = errorElement.getNamespaceURI();
+    		NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode");
+    		if (nl.getLength() == 1) {
+    			errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
+    		}
+    		nl = errorElement.getElementsByTagNameNS(namespace, "Info");
+    		if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) {
+    			errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
+        
+    		}
+    	} catch ( Exception e) {
+    		try {
+    			if (Logger.isDebugEnabled())
+    				Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ;
+    			else
+    				Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ;
+				
+			} catch (TransformerException | IOException e1) {
+				Logger.warn("Can not extract error code from BKU response.", e);
+				Logger.warn("Can not serialize error response.", e1);
+				
+			}    		
+		}
     }
   }
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
index 275a85129..154092b03 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
@@ -150,6 +150,7 @@ public class InfoboxReadResponseParser {
       
       if ("InfoboxReadResponse".equals(responseElem.getLocalName())) {
         infoBoxElem_ = responseElem;
+        
       } else {
         ErrorResponseParser erp = new ErrorResponseParser(responseElem);
         throw new BKUException("auth.08", 
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index 5bdead8b2..f3d8eeb36 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -12,11 +12,11 @@
   <properties>
 		<repositoryPath>${basedir}/../../../../repository</repositoryPath>
 		
-		<eidas-commons.version>1.3.0</eidas-commons.version>
-		<eidas-light-commons.version>1.3.0</eidas-light-commons.version>
-		<eidas-saml-engine.version>1.3.0</eidas-saml-engine.version>
-		<eidas-encryption.version>1.3.0</eidas-encryption.version>
-		<eidas-configmodule.version>1.3.0</eidas-configmodule.version>
+		<eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version>
+		<eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version>
+		<eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version>
+		<eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version>
+		<eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version>
 				
 	</properties>
   
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
 	
 	public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
 	
+	public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+	
 	
 	
 	//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..c55b5a749 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
 
 import com.google.common.net.MediaType;
 
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 
             context.put("RelayState", pendingReq.getRequestID());
             
-            Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+            Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
             context.put("action", authnReqEndpoint.getLocation());
 
             Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
index d0c003b31..bb52d2ffe 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
@@ -168,12 +168,12 @@ public class NewMoaEidasMetadata {
 		}
 
 		private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
-			if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) {
-				Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+			if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
+				Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
 				Set<String> digestMethods = new HashSet();
 				for (String signatureMethod : signatureMethods) {
 					digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
-				}
+				} 
 				for (String digestMethod : digestMethods) {
 					DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
 					if (dm != null) {
@@ -203,7 +203,7 @@ public class NewMoaEidasMetadata {
 			generateDigest(eidasExtensions);
 
 			if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
-				Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+				Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
 				for (String signMethod : signMethods) {
 					SigningMethod sm = (SigningMethod) BuilderFactoryUtil
 							.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index d469ca28c..02a5df098 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -28,6 +28,7 @@ import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.XMLConfigurator;
 
@@ -107,6 +108,9 @@ public class SAMLEngineUtils {
 				//overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
 				initOpenSAMLConfig("own-saml-eidasnode-config.xml");
 				
+				//add eIDAS specific SAML2 extensions to eIDAS Schema validatior
+				SAMLSchemaBuilder.addExtensionSchema(
+						at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
 				
 				eIDASEngine = engine;
 				
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..4b67370d6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
 import at.gv.egovernment.moa.logging.Logger;
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			} else {
 				String[] splittedTarget = eIDASTarget.split("\\+");
 				if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
-					Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() 
+					Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() 
 						+ " Destination Country from request (" + reqCC 
-						+ ") does not match to configuration:" + eIDASTarget);
-					throw new MOAIDException("eIDAS.01", 
-							new Object[]{"Destination Country from request does not match to configuration"});
+						+ ") does not match to configuration:" + eIDASTarget
+						+ " --> Perform additional organisation check ...");
+					
+					//check if eIDAS domain for bPK calculation is a valid target  
+					if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {						
+						throw new MOAIDException("eIDAS.01", 
+								new Object[]{"Destination Country from request does not match to configuration"});
+						
+					}
+					
 					
 				}
-				Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+				Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+				
 			}
 			
 						
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
     public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
         return false;
     }
+    
+    private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+    	if (MiscUtil.isNotEmpty(reqCC)) {    	
+    		List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+    				authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+    		if (allowedOrganisations.contains(bPKTargetArea)) {
+    			Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+    			return true;
+    		}
+    	}
+    	
+    	Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+    	return false;
+    }
 }
 
 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+	<xsd:element name="SPType" type="eidas:SPTypeType"/>
+	<xsd:simpleType name="SPTypeType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="public"/>
+			<xsd:enumeration value="private"/>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	<xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+	<xsd:complexType name="RequestedAttributesType">
+		<xsd:sequence>
+			<xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+	<xsd:complexType name="RequestedAttributeType">
+		<xsd:sequence>
+			<xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+		</xsd:sequence>
+		<xsd:attribute name="Name" type="xsd:string" use="required"/>
+		<xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+		<xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+		<xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+		<xsd:anyAttribute namespace="##other" processContents="lax" />
+	</xsd:complexType>
+	
+</xsd:schema>
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
index 98f8d13c7..52970e240 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad;
 import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils;
 import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask {
 			//check if Service-Provider allows ELGA-mandates
 			if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) {			
 				Logger.trace("Build GUI for mandate-service selection ...");
-						
-				IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
-						pendingReq, 
-						ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, 
-						GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+						 
+				IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+						pendingReq,  
+						ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION,
+						MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL,
+						GeneralProcessEngineSignalController.ENDPOINT_GENERIC,
+						authConfig.getRootConfigFileDir());
 			
 				guiBuilder.build(response, config, "Mandate-Service selection");