Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation

125 files changed, 3627 insertions, 1980 deletions

diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index 728ce989a..4b29f901a 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -132,7 +132,7 @@ webpages.moaconfig.defaultbkus.header=Default BKUs
 webpages.moaconfig.slrequesttemplates.header=SecurityLayer Request Templates
 webpages.moaconfig.slrequesttemplates.local=Locale BKU
 webpages.moaconfig.slrequesttemplates.handy=Handy BKU
-webpages.moaconfig.slrequesttemplates.online=Online BKU
+webpages.moaconfig.slrequesttemplates.online=Dritte BKU
 webpages.moaconfig.certificates.header=Zertifikatspr\u00FCfung
 webpages.moaconfig.certificates.certstore=CertStoreDirecorty
 webpages.moaconfig.certificates.trustmanagerrev=TrustManagerRevocationChecking
@@ -202,7 +202,7 @@ webpages.oaconfig.header=Konfiguration der Onlineapplikation
 webpages.oaconfig.general.isActive=Online-Applikation ist aktiviert
 webpages.oaconfig.general.bku.header=BKU Konfiguration
 webpages.oaconfig.general.bku.local=Locale BKU
-webpages.oaconfig.general.bku.online=Online BKU
+webpages.oaconfig.general.bku.online=Dritte BKU
 webpages.oaconfig.general.bku.handy=Handy BKU
 webpages.oaconfig.general.bku.slversion=SecurityLayer Version
 webpages.oaconfig.general.bku.keyboxidentifier=KeyBoxIdentifier
@@ -442,8 +442,8 @@ validation.general.slrequest.handy.empty=Die URL zum SecurityLayer Template f\u0
 validation.general.slrequest.handy.valid=Die URL zum SecurityLayer Template f\u00F6r die Handy-BKU hat kein g\u00F6ltiges Format.
 validation.general.slrequest.local.empty=Die URL zum SecurityLayer Template f\u00F6r die locale BKU ist leer.
 validation.general.slrequest.local.valid=Die URL zum SecurityLayer Template f\u00F6r die locale BKU hat kein g\u00F6ltiges Format.
-validation.general.slrequest.online.empty=Die URL zum SecurityLayer Template f\u00F6r die Online-BKU ist leer.
-validation.general.slrequest.online.valid=Die URL zum SecurityLayer Template f\u00F6r die Online-BKU hat kein g\u00F6ltiges Format.
+validation.general.slrequest.online.empty=Die URL zum SecurityLayer Template f\u00F6r die Dritte-BKU ist leer.
+validation.general.slrequest.online.valid=Die URL zum SecurityLayer Template f\u00F6r die Dritte-BKU hat kein g\u00F6ltiges Format.
 validation.general.sso.friendlyname.valid=Der SSO Service Name enth\u00E4lt ein ung\u00FCltiges Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
 validation.general.sso.identificationnumber.valid=Die SSO IdentificationNumber enth\u00E4lt ein ung\u00FCltiges Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
 validation.general.sso.publicurl.valid=Der SSO Service URL-Prefix hat kein g\u00F6ltiges Format.
@@ -461,8 +461,8 @@ validation.general.bku.handy.empty=Die URL f\u00FCr die Handy-BKU ist leer.
 validation.general.bku.handy.valid=Die URL f\u00FCr die Handy-BKU hat kein g\u00FCltiges Format.
 validation.general.bku.local.empty=Die URL f\u00FCr die lokale BKU ist leer.
 validation.general.bku.local.valid=Die URL f\u00FCr die locale BKU hat kein g\u00FCltiges Format.
-validation.general.bku.online.empty=Die URL f\u00FCr die Online-BKU ist leer.
-validation.general.bku.online.valid=Die URL f\u00FCr die Online-BKU hat kein g\u00FCltiges Format.
+validation.general.bku.online.empty=Die URL f\u00FCr die Dritte-BKU ist leer.
+validation.general.bku.online.valid=Die URL f\u00FCr die Dritte-BKU hat kein g\u00FCltiges Format.
 validation.general.oafriendlyname.empty=Es wurde kein Name f\u00FCr die Online-Applikation angegeben.
 validation.general.oafriendlyname.valid=Der Name der Online-Applikation enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
 validation.general.keyboxidentifier.empty=Es wurde kein KeyBoxIdentifier ausgew\u00E4hlt.
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index a8f4be796..d642994de 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -131,7 +131,7 @@ webpages.moaconfig.defaultbkus.header=Default CCE
 webpages.moaconfig.slrequesttemplates.header=SecurityLayer Request Templates
 webpages.moaconfig.slrequesttemplates.local=Local CCE
 webpages.moaconfig.slrequesttemplates.handy=Mobile CCE
-webpages.moaconfig.slrequesttemplates.online=Online CCE
+webpages.moaconfig.slrequesttemplates.online=Third CCE
 webpages.moaconfig.certificates.header=Certificate check
 webpages.moaconfig.certificates.certstore=CertStoreDirectory
 webpages.moaconfig.certificates.trustmanagerrev=TrustManagerRevocationChecking
@@ -197,7 +197,7 @@ webpages.oaconfig.header=Configuration of the Online-Application
 webpages.oaconfig.general.isActive=Online-Application is activated
 webpages.oaconfig.general.bku.header=CCE configuration
 webpages.oaconfig.general.bku.local=Local CCE
-webpages.oaconfig.general.bku.online=Online CCE
+webpages.oaconfig.general.bku.online=Third CCE
 webpages.oaconfig.general.bku.handy=Mobile CCE
 webpages.oaconfig.general.bku.slversion=SecurityLayer Version
 webpages.oaconfig.general.bku.keyboxidentifier=KeyBoxIdentifier
@@ -441,8 +441,8 @@ validation.general.slrequest.handy.empty=URL for SecurityLayer Template for die
 validation.general.slrequest.handy.valid=URL for SecurityLayer Template for Mobile-CCE has invalid format.
 validation.general.slrequest.local.empty=URL for SecurityLayer Template for local CCE is blank.
 validation.general.slrequest.local.valid=URL for SecurityLayer Template for local CCE has invalid format.
-validation.general.slrequest.online.empty=URL for SecurityLayer Template for Online-CCE is blank.
-validation.general.slrequest.online.valid=URL for SecurityLayer Template for die Online-CCE has invalid format.
+validation.general.slrequest.online.empty=URL for SecurityLayer Template for Third-CCE is blank.
+validation.general.slrequest.online.valid=URL for SecurityLayer Template for Third-CCE has invalid format.
 validation.general.sso.friendlyname.valid=SSO Service Name contains forbidden characters. The following characters are not allowed\: {0}
 validation.general.sso.identificationnumber.valid=SSO IdentificationNumber contains forbidden characters. The following characters are not allowed\: {0}
 validation.general.sso.publicurl.valid=SSO Service URL-Prefix has invalid format.
@@ -460,8 +460,8 @@ validation.general.bku.handy.empty=URL for Mobile-CCE is blank.
 validation.general.bku.handy.valid=URL for Mobile-CCE has invalid format.
 validation.general.bku.local.empty=URL for local CCE is blank.
 validation.general.bku.local.valid=URL for local CCE has invalid format.
-validation.general.bku.online.empty=URL for Online-CCE is blank.
-validation.general.bku.online.valid=URL for Online-CCE has invalid format.
+validation.general.bku.online.empty=URL for Third-CCE is blank.
+validation.general.bku.online.valid=URL for Third-CCE has invalid format.
 validation.general.oafriendlyname.empty=There is no name for Online-Application provided.
 validation.general.oafriendlyname.valid=The name of Online-Application contains forbidden characters. The following characters are not allowed\: {0}
 validation.general.keyboxidentifier.empty=There is no KeyBoxIdentifier selected.
diff --git a/id/ConfigWebTool/src/main/webapp/js/common.js b/id/ConfigWebTool/src/main/webapp/js/common.js
index 3d5528ad5..d5a7f634a 100644
--- a/id/ConfigWebTool/src/main/webapp/js/common.js
+++ b/id/ConfigWebTool/src/main/webapp/js/common.js
@@ -234,7 +234,7 @@ function newPeps() {
   <td>\
     <div id="wwgrp_loadGeneralConfig_storkconfig_cpepslist_'+nextindex+'__countryCode" class="wwgrp">\
       <div id="wwctrl_loadGeneralConfig_storkconfig_cpepslist_'+nextindex+'__countryCode" class="wwctrl">\
-        <input id="loadGeneralConfig_storkconfig_cpepslist_'+nextindex+'__countryCode" class="textfield_short" type="text" value="" name="storkconfig.cpepslist['+nextindex+'].countryCode"></div>\
+        <input id="loadGeneralConfig_storkconfig_cpepslist_'+nextindex+'__countryCode" class="textfield_PEPS_CC" type="text" value="" name="storkconfig.cpepslist['+nextindex+'].countryCode"></div>\
       </div>\
     </td>\
     <td>\
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp
index 6892535a1..79c66f37c 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp
@@ -73,13 +73,6 @@
 						<div class="oa_config_block">
 							<h3><%=LanguageHelper.getGUIString("webpages.moaconfig.defaultbkus.header", request) %></h3>
 							
-							<s:textfield name="moaconfig.defaultBKUOnline" 
-								value="%{moaconfig.defaultBKUOnline}" 
-								labelposition="left"
-								key="webpages.oaconfig.general.bku.online"
-								cssClass="textfield_long">
-							</s:textfield>
-	
 							<s:textfield name="moaconfig.defaultBKUHandy" 
 								value="%{moaconfig.defaultBKUHandy}" 
 								labelposition="left"
@@ -93,18 +86,18 @@
 								key="webpages.oaconfig.general.bku.local"
 								cssClass="textfield_long">
 							</s:textfield>
-						</div>
-						
-						<div class="oa_config_block">
-							<h3><%=LanguageHelper.getGUIString("webpages.moaconfig.slrequesttemplates.header", request) %></h3>
 							
-							<s:textfield name="moaconfig.SLRequestTemplateOnline" 
-								value="%{moaconfig.SLRequestTemplateOnline}" 
+							<s:textfield name="moaconfig.defaultBKUOnline" 
+								value="%{moaconfig.defaultBKUOnline}" 
 								labelposition="left"
-								key="webpages.moaconfig.slrequesttemplates.online"
+								key="webpages.oaconfig.general.bku.online"
 								cssClass="textfield_long">
 							</s:textfield>
-	
+						</div>
+						
+						<div class="oa_config_block">
+							<h3><%=LanguageHelper.getGUIString("webpages.moaconfig.slrequesttemplates.header", request) %></h3>
+								
 							<s:textfield name="moaconfig.SLRequestTemplateHandy" 
 								value="%{moaconfig.SLRequestTemplateHandy}" 
 								labelposition="left"
@@ -118,6 +111,14 @@
 								key="webpages.moaconfig.slrequesttemplates.local"
 								cssClass="textfield_long">
 							</s:textfield>
+							
+							<s:textfield name="moaconfig.SLRequestTemplateOnline" 
+								value="%{moaconfig.SLRequestTemplateOnline}" 
+								labelposition="left"
+								key="webpages.moaconfig.slrequesttemplates.online"
+								cssClass="textfield_long">
+							</s:textfield>
+							
 						</div>			
 
 						<div class="oa_config_block">
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp
index ff2b091c6..59661091b 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp
@@ -7,14 +7,7 @@
 					<s:if test="authUser.isAdmin()">
 						<div class="oa_config_block">
 							<h3><%=LanguageHelper.getGUIString("webpages.oaconfig.general.bku.header", request) %></h3>
-							
-							<s:textfield name="authOA.bkuOnlineURL" 
-								value="%{authOA.bkuOnlineURL}" 
-								labelposition="left"
-								key="webpages.oaconfig.general.bku.online"
-								cssClass="textfield_long">
-							</s:textfield>
-	
+						
 							<s:textfield name="authOA.bkuHandyURL" 
 								value="%{authOA.bkuHandyURL}" 
 								labelposition="left"
@@ -28,6 +21,13 @@
 								key="webpages.oaconfig.general.bku.local"
 								cssClass="textfield_long">
 							</s:textfield>
+						
+							<s:textfield name="authOA.bkuOnlineURL" 
+								value="%{authOA.bkuOnlineURL}" 
+								labelposition="left"
+								key="webpages.oaconfig.general.bku.online"
+								cssClass="textfield_long">
+							</s:textfield>
 							
 							<s:radio list="authOA.keyBoxIdentifierList"
 								name="authOA.keyBoxIdentifier"
diff --git a/id/history.txt b/id/history.txt
index 1734d69e9..cffdd6ae3 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -1,5 +1,35 @@
 Dieses Dokument zeigt die Veränderungen und Erweiterungen von MOA-ID auf.

 

+Version MOA-ID Release 3.3.0: Änderungen seit Version MOA-ID 3.2.3

+- Änderungen

+  - Online-applikationspezifische Konfiguration des SAML2 POST-Binding Formulars

+  - Online-applikationspezifische Konfiguration der Weiche für das Auswahlformular des Vollmachtenservices

+  - Update der Logging Funktionalität

+  - Anpassungen des BKU Auswahl(OnlineBKU entfernt, Detection der lokalen BKU hinzugefügt)

+  - Anpassungen der Konfigurationsoberfläche (OnlineBKU entfernt)

+  - Bugfix - Problem mit openSAML welches unsignierte SAML2 AuthnRequests bei Redirect Binding ermöglicht

+  - Bugfix - Ungültig kodierter PVP2 Attributwert 'MANDATOR-NATURAL-PERSON-BPK'

+  - Update von Libraries

+    > org.springframework 4.3.11.RELEASE

+    > org.springframework.data.spring-data-jpa 1.11.7.RELEASE

+    > org.apache.santuario.xmlsec 2.1.0

+    > org.hibernate:hibernate-core 5.2.11.Final

+    > apache:cxf 3.2.0

+    > mysql:mysql-connector-java 6.0.6

+    > org.slf4j:jcl-over-slf4j 1.7.25

+    > org.slf4j:jul-to-slf4j 1.7.25

+    > org.slf4j:slf4j-api 1.7.25

+    > org.slf4j:slf4j-log4j12 1.7.25

+    > joda-time 2.9.9

+    > com.fasterxml.jackson.core 2.9.1

+    > commons-cli 1.4

+    > commons-fileupload 1.3.3

+    > org.apache.httpcomponents:httpcore 4.4.8

+    > org.unitils 3.4.6

+    > org.jvnet.jaxb2_commons.jaxb2-basics-runtime 1.11.1

+    > xml-api-iaik-1.1.jar

+    > eIDAS-saml-engine 1.4.0

+

 Version MOA-ID Release 3.2.3: Änderungen seit Version MOA-ID 3.2.2

 - Änderungen

   - Bug-Fix - Possible problem in combination with IAIK_JCE and JAVA JDK >= 8u141

@@ -15,7 +45,8 @@ Version MOA-ID Release 3.2.2: Änderungen seit Version MOA-ID 3.2.1
   - Bug-Fix - Problem with SSL certificate path-construction in case of worker threads

   - Bug-Fix - Problems with configuration entries in some special cases

   - Bug-Fix - Problem with RandomNumberGeneration in combination with IAIK_JCE and JAVA JDK >= 8u111

-  - Bug-Fix - Problem with Statistic Logger if persist operation on database failes      

+  - Bug-Fix - Problem with Statistic Logger if persist operation on database failes

+  - Bug-Fix - Problem with empty scope parameter in openID Connect request      

 

 ------------------------------------------------------------------------------

 Version MOA-ID Release 3.2.1: Änderungen seit Version MOA-ID 3.2.0

diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java
index f66b4359f..e229b6ef4 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java
@@ -59,10 +59,10 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));		
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
-		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
+		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
-		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
+		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
 		
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_AUTH_AUTHBLOCK_TRANSFORMATION_BASE64, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));		
 		temp.add(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_AUTH_AUTHBLOCK_TRANSFORMATION_BASE64, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL));
@@ -239,12 +239,12 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme
 			
 		}
 		
-		check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, getKeyPrefix()));
+		check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, getKeyPrefix()));
 		if (MiscUtil.isNotEmpty(check)) {
 			if (!ValidationHelper.validateURL(check)) {
 				log.info("Not valid Online-BKU URL");
 				errors.add(new ValidationObjectIdentifier(
-						MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, 
+						MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, 
 						"Default BKUs - Online",
 						LanguageHelper.getErrorString("validation.general.bku.online.valid")));
 			}
@@ -411,18 +411,18 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme
 			}
 		}
 		
-		check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, getKeyPrefix()));
+		check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, getKeyPrefix()));
 		if (MiscUtil.isEmpty(check)) {
 			log.info("Empty SLRequestTemplate Online-BKU");
 			errors.add(new ValidationObjectIdentifier(
-					MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, 
+					MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, 
 					"Default SL-Templates - Online ",
 					LanguageHelper.getErrorString("validation.general.slrequest.online.empty")));
 		} else {
 			if (ValidationHelper.isNotValidIdentityLinkSigner(check)) {
 				log.info("SLRequestTemplate Online-BKU is not valid");
 				errors.add(new ValidationObjectIdentifier(
-						MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, 
+						MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, 
 						"Default SL-Templates - Online",
 						LanguageHelper.getErrorString("validation.general.slrequest.online.valid")));
 			}
diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java
index dcbee8e1d..05467c3bc 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java
@@ -144,12 +144,12 @@ public class ServicesAuthenticationInformationTask extends AbstractTaskValidator
 					LanguageHelper.getErrorString("validation.general.bku.local.valid")));
 		}
 		
-		check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE);
+		check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
 		if (MiscUtil.isNotEmpty(check) &&
 				!ValidationHelper.validateURL(check)) {
 			log.info("Not valid Online-BKU URL");
 			errors.add(new ValidationObjectIdentifier(
-					MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, 
+					MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, 
 					"BKU - Online",
 					LanguageHelper.getErrorString("validation.general.bku.online.valid")));
 		}
@@ -159,7 +159,7 @@ public class ServicesAuthenticationInformationTask extends AbstractTaskValidator
 		if (MiscUtil.isEmpty(check)) {
 			log.info("Empty KeyBoxIdentifier");
 			errors.add(new ValidationObjectIdentifier(
-					MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, 
+					MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, 
 					"BKU - KeyBoxIdentifier",
 					LanguageHelper.getErrorString("validation.general.keyboxidentifier.empty")));
 			
@@ -167,7 +167,7 @@ public class ServicesAuthenticationInformationTask extends AbstractTaskValidator
 			if (!MOAIDConfigurationConstants.ALLOWED_KEYBOXIDENTIFIER.contains(check)) {
 				log.info("Not valid KeyBoxIdentifier " + check);
 				errors.add(new ValidationObjectIdentifier(
-						MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, 
+						MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, 
 						"BKU - KeyBoxIdentifier",
 						LanguageHelper.getErrorString("validation.general.keyboxidentifier.valid")));
 			}
diff --git a/id/moa-id-webgui/src/main/resources/gui/types/general.json b/id/moa-id-webgui/src/main/resources/gui/types/general.json
index f12b71eea..d45a4d5f1 100644
--- a/id/moa-id-webgui/src/main/resources/gui/types/general.json
+++ b/id/moa-id-webgui/src/main/resources/gui/types/general.json
@@ -458,22 +458,6 @@
                       }
                 }
             }
-        },
-        "reversion.log": {
-            "id": "http://www.egiz.gv.at/dynUI/general/reversion/log",
-            "type": "object",
-            "title": "Revision Logging",
-            "description": "Default Revisions-Logging",
-            "options": {
-    						"collapsed": true
-    				},
-            "properties": {
-                "eventcodes": {
-            				"id": "http://www.egiz.gv.at/dynUI/general/reversion/log/eventcodes",
-            				"type": "string",
-            				"title": "EventCodes (CSV)"
-                }
-            }
         }                                           
     },
     "required": ["publicURLPrefix"]
diff --git a/id/moa-spss-container/pom.xml b/id/moa-spss-container/pom.xml
index 085c731fd..c69990361 100644
--- a/id/moa-spss-container/pom.xml
+++ b/id/moa-spss-container/pom.xml
@@ -117,7 +117,7 @@
 		<dependency>
     	<groupId>iaik.prod</groupId>
       <artifactId>iaik_moa</artifactId>
-      <version>2.05</version>
+      <version>2.05_withOutDB</version>
     </dependency>		
 		<dependency> 
 			<groupId>iaik.prod</groupId>
diff --git a/id/readme_3.3.0.txt b/id/readme_3.3.0.txt
new file mode 100644
index 000000000..aa8ba7007
--- /dev/null
+++ b/id/readme_3.3.0.txt
@@ -0,0 +1,324 @@
+===============================================================================
+MOA ID Version Release 3.3.0 - Wichtige Informationen zur Installation
+===============================================================================
+
+-------------------------------------------------------------------------------
+A. Neuerungen/Änderungen
+-------------------------------------------------------------------------------
+
+Mit MOA ID Version 3.3.0 wurden folgende Neuerungen und Änderungen eingeführt, 
+die jetzt erstmals in der Veröffentlichung enthalten sind (siehe auch 
+history.txt im gleichen Verzeichnis).
+   
+- Änderungen
+  - Online-applikationspezifische Konfiguration des SAML2 POST-Binding Formulars
+  - Online-applikationspezifische Konfiguration der Weiche für das Auswahlformular des Vollmachtenservices
+  - Update der Logging Funktionalität
+  - Anpassungen des BKU Auswahlformulas (OnlineBKU entfernt und Detection 
+    der lokalen BKU hinzugefügt)
+  - Anpassungen der Konfigurationsoberfläche (OnlineBKU entfernt)   
+  - Update von Libraries
+  
+  - Eine detailierte Aufstellung finden Sie in der Datei 'history.txt'
+
+-------------------------------------------------------------------------------
+B. Durchführung eines Updates
+-------------------------------------------------------------------------------
+
+Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch
+eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher
+MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend 
+angebebenen Updateschritte.
+
+Hinweis: Wenn Sie die bestehende Konfiguration von MOA-ID 2.x.x in MOA-ID 3.3.x
+reimportieren möchten, so muss diese vor dem Update mit Hilfe der import/export
+Funktion der grafischen Konfigurationsoberfläche in eine Datei exportiert werden.
+Diese Datei dient dann als Basis für den Import in MOA-ID 3.3.x. 
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 3.2.x auf Version 3.3.0
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.3.0.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war 
+   als auch das komplette Verzeichnis moa-id-auth. 
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+8. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+   CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+   
+9. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das 
+   Verzeichnis	CATALINA_HOME_ID\endorsed.
+
+10. Optionale Updates: 
+10.1. Das BKU Auswahltemplate von MOA-ID wurde um eine Detection der lokalen BKU
+      erweitert und mocca Online wurde entfernt.
+      a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+          in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates
+      b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+          in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. 
+10.2. Die mySQL Treiber 'com.mysql.jdbc.Drive' und 'org.hibernate.dialect.MySQLDialect'
+      sind deprecated für aktuelle mySQL DB Versionen. Der neue Treiber 
+      für mySQL Datenbanken lautet 'com.mysql.cj.jdbc.Driver' und ein aktuellerer
+      Hibernate Dialect lautet 'org.hibernate.dialect.MySQL5Dialect'. 
+      Sollte es zu Problemen kommen ersetzen Sie entsprechenden Zeilen durch:
+      a.) Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+          moasession.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+          moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          configuration.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+          configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+          advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+      b.) Konfigurationsdatei CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+          hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+   
+11.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+     Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.2 Durchführung eines Updates von Version 3.1.x auf Version 3.3.0
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.3.0.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war 
+   als auch das komplette Verzeichnis moa-id-auth. 
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.   
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+8. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+   Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties     
+     a.)  moasession.jpaVendorAdapter.generateDdl=true
+          moasession.dbcp.connectionProperties=
+          moasession.dbcp.initialSize=5
+          moasession.dbcp.maxActive=100
+          moasession.dbcp.maxIdle=8
+          moasession.dbcp.minIdle=5
+          moasession.dbcp.maxWaitMillis=-1
+          moasession.dbcp.testOnBorrow=true
+          moasession.dbcp.testOnReturn=false
+          moasession.dbcp.testWhileIdle=false
+          moasession.dbcp.validationQuery=select 1
+     b.)  advancedlogging.jpaVendorAdapter.generateDdl=true
+          advancedlogging.dbcp.initialSize=0
+          advancedlogging.dbcp.maxActive=50
+          advancedlogging.dbcp.maxIdle=8
+          advancedlogging.dbcp.minIdle=0
+          advancedlogging.dbcp.maxWaitMillis=-1
+          advancedlogging.dbcp.testOnBorrow=true
+          advancedlogging.dbcp.testOnReturn=false
+          advancedlogging.dbcp.testWhileIdle=false
+          advancedlogging.dbcp.validationQuery=SELECT 1
+     c.)  *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern
+     d.)  configuration.ssl.validation.revocation.method.order=crl,ocsp
+     e.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfiguration 
+
+9. Optionale Updates:
+9.1 Update der Default html-Templates für die Bürgerkartenauswahl.
+       a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+           in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates
+       b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+           in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. 
+9.2 Die mySQL Treiber 'com.mysql.jdbc.Drive' und 'org.hibernate.dialect.MySQLDialect'
+     sind deprecated für aktuelle mySQL DB Versionen. Der neue Treiber 
+     für mySQL Datenbanken lautet 'com.mysql.cj.jdbc.Driver' und ein aktuellerer
+     Hibernate Dialect lautet 'org.hibernate.dialect.MySQL5Dialect'. 
+     Sollte es zu Problemen kommen ersetzen Sie entsprechenden Zeilen durch:
+     a.) Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+         moasession.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+         moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+         configuration.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+         configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+         advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+         advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+     b.) Konfigurationsdatei CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+         hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          
+10. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+    CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+   
+11. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das 
+    Verzeichnis	CATALINA_HOME_ID\endorsed.
+
+12. Optionale Updates: 
+12.1. Der mySQL Treiber 'com.mysql.jdbc.Drive' ist deprecated. Der neue Treiber für 
+      mySQL Datenbanken lautet 'com.mysql.cj.jdbc.Driver'. Ersetzen Sie entsprechenden
+      Zeilen durch:
+      a.) Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+          moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+      b.) Konfigurationsdatei CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+          hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+
+13.  Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.3 Durchführung eines Updates von Version 3.0.x auf Version 3.3.0
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+   Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.3.0.zip) in
+   ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST 
+   bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+   beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+   wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation 
+   für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war 
+   als auch das komplette Verzeichnis moa-id-auth. 
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+   CATALINA_HOME_ID/webapps.   
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+   CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+	 JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+	
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das 
+   Verzeichnis	JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr 
+   unterstuetzt).
+
+8. Update der TrustStores für WebService Zugriffe.
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\ca-certs
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\ca-certs.         
+     b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\certstore\toBeAdded
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\certstore\toBeAdded.
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der 
+   MOA-ID-Configuration Konfigurationsdatei
+   CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties     
+     a.) dbcp.validationQuery=.....         (SQL Query zum Validieren der
+         Datenbankverbindung 
+           z.B: "SELECT 1" für mySQL
+                "select 1 from dual" für OracleDB)
+
+10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+   Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties     
+     a.) configuration.dbcp.validationQuery=.....         (SQL Query zum 
+         Validieren der Datenbankverbindung 
+           z.B: "SELECT 1" für mySQL
+                "select 1 from dual" für OracleDB)
+     b.)  moasession.jpaVendorAdapter.generateDdl=true
+          moasession.dbcp.connectionProperties=
+          moasession.dbcp.initialSize=5
+          moasession.dbcp.maxActive=100
+          moasession.dbcp.maxIdle=8
+          moasession.dbcp.minIdle=5
+          moasession.dbcp.maxWaitMillis=-1
+          moasession.dbcp.testOnBorrow=true
+          moasession.dbcp.testOnReturn=false
+          moasession.dbcp.testWhileIdle=false
+          moasession.dbcp.validationQuery=select 1
+     c.)  advancedlogging.jpaVendorAdapter.generateDdl=true
+          advancedlogging.dbcp.initialSize=0
+          advancedlogging.dbcp.maxActive=50
+          advancedlogging.dbcp.maxIdle=8
+          advancedlogging.dbcp.minIdle=0
+          advancedlogging.dbcp.maxWaitMillis=-1
+          advancedlogging.dbcp.testOnBorrow=true
+          advancedlogging.dbcp.testOnReturn=false
+          advancedlogging.dbcp.testWhileIdle=false
+          advancedlogging.dbcp.validationQuery=SELECT 1
+     d.)  *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern
+     e.)  configuration.ssl.validation.revocation.method.order=crl,ocsp
+     f.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfigration 
+
+11. Optionale Updates:
+11.1 Update der Default html-Templates für die Bürgerkartenauswahl.
+       a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+           in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates
+       b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+           in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. 
+11.2 Die mySQL Treiber 'com.mysql.jdbc.Drive' und 'org.hibernate.dialect.MySQLDialect'
+      sind deprecated für aktuelle mySQL DB Versionen. Der neue Treiber 
+      für mySQL Datenbanken lautet 'com.mysql.cj.jdbc.Driver' und ein aktuellerer
+      Hibernate Dialect lautet 'org.hibernate.dialect.MySQL5Dialect'. 
+      Sollte es zu Problemen kommen ersetzen Sie entsprechenden Zeilen durch:
+       a.) Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+           moasession.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+           moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+           configuration.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+           configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+           advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+           advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+       b.) Konfigurationsdatei CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+           hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+
+12. Update der Default eIDAS Konfiguration.
+     a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\eIDAS
+         in das Verzeichnis CATALINA_HOME\conf\moa-id\eIDAS
+
+13. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+    CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+   
+14. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das 
+    Verzeichnis	CATALINA_HOME_ID\endorsed.
+
+15. Optionale Updates: 
+15.1. Der mySQL Treiber 'com.mysql.jdbc.Drive' ist deprecated. Der neue Treiber für 
+      mySQL Datenbanken lautet 'com.mysql.cj.jdbc.Driver'. Ersetzen Sie entsprechenden
+      Zeilen durch:
+      a.) Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+          moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+          advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+      b.) Konfigurationsdatei CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+          hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
+
+16. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+    Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.4 Durchführung eines Updates von Version < 3.0.0
+...............................................................................
+
+Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen
+Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter 
+Zuhilfenahme Ihrer bisherigen Konfiguration an.
+
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
index 32f0a7d4d..1f365c104 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
@@ -12,7 +12,8 @@
 
 <title>Anmeldung mittels Bürgerkarte oder Handy-Signatur</title>
 </head>
-<body onload="onChangeChecks();checkIfBrowserSupportsJava();" onresize="onChangeChecks();">
+<!--body onload="onChangeChecks();checkIfBrowserSupportsJava();" onresize="onChangeChecks();"-->
+<body onload="onChangeChecks();" onresize="onChangeChecks();">
 	<div id="page">
 		<div id="page1" class="case selected-case" role="main">
 			<h2 class="OA_header" role="heading">Anmeldung an: $OAName</h2>
@@ -37,19 +38,32 @@
 						</div>
 						<div id="bkuselectionarea">
 							<div id="bkukarte">
-								<img id="bkuimage" class="bkuimage" src="$contextPath/img/karte.png"
-									alt="OnlineBKU" /> <input name="bkuButtonOnline" type="button"
-									onClick="bkuOnlineClicked();" tabindex="2" role="button"
-									value="Karte" />
+								<img id="bkuimage" class="bkuimage" src="$contextPath/img/karte.png" alt="OnlineBKU" /> 
+                
+                <!-- Remove support for Online BKU and swith the card button to local BKU-->
+                <!--input name="bkuButtonOnline" type="button" onClick="bkuOnlineClicked();" tabindex="2" role="button" value="Karte" /-->                
+                
+                <form method="get" id="moaidform" action="$contextPath$submitEndpoint" class="verticalcenter" target="_parent">
+								  <input type="hidden" name="bkuURI" value="$bkuLocal" />
+								  <input type="hidden" name="useMandate" id="useMandate" /> 
+								  <input type="hidden" name="SSO" id="useSSO" /> 
+								  <input type="hidden" name="ccc" id="ccc" /> 
+								  <input type="hidden" name="pendingid" value="$pendingReqID" /> 
+                  <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
+                </form>
+                
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+                
+                <!-- BKU detection with static template-->
+                <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
+                                                            
 							</div>
 							<div id="bkuhandy">
-								<img class="bkuimage" src="$contextPath/img/handysign.png"
-									alt="HandyBKU" /> <input name="bkuButtonHandy" type="button"
-									onClick="bkuHandyClicked();" tabindex="3" role="button"
-									value="HANDY" />
+								<img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" />         
+                <input name="bkuButtonHandy" type="button" onClick="bkuHandyClicked();" tabindex="3" role="button" value="HANDY" />
 							</div>
 						</div>
-						<div id="localBKU">
+						<!--div id="localBKU">
 							<form method="get" id="moaidform" action="$contextPath$submitEndpoint"
 								class="verticalcenter" target="_parent">
 								<input type="hidden" name="bkuURI" value="$bkuLocal" />
@@ -60,7 +74,8 @@
                 <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
 									     role="button" onclick="setMandateSelection();">
                 </form>
-              </div>
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
+              </div-->
               
               <!-- Single Sign-On Session transfer functionality -->
               <!--div id="ssoSessionTransferBlock">
diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
index 63b053228..4520dcc14 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
+++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
@@ -18,10 +18,10 @@ general.moaconfig.key=ConfigurationEncryptionKey
 general.pvp.schemavalidation=true
 
 ##Hibnerate configuration for MOA-ID 2.0 configuration
-hibernate.dialect=org.hibernate.dialect.MySQLDialect
-hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true
+hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
+hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true&serverTimezone=UTC
 hibernate.connection.charSet=utf-8
-hibernate.connection.driver_class=com.mysql.jdbc.Driver
+hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
 hibernate.connection.username=
 hibernate.connection.password=
 
diff --git a/id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html b/id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html
index 52abf83fb..52abf83fb 100644
--- a/id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html
+++ b/id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
index 53c4f0d5d..1f365c104 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
@@ -51,8 +51,12 @@
 								  <input type="hidden" name="pendingid" value="$pendingReqID" /> 
                   <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
                 </form>
-                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe>
-                              
+                
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+                
+                <!-- BKU detection with static template-->
+                <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
+                                                            
 							</div>
 							<div id="bkuhandy">
 								<img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" />         
@@ -70,7 +74,7 @@
                 <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
 									     role="button" onclick="setMandateSelection();">
                 </form>
-                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe>
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
               </div-->
               
               <!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
index 4ea9a4873..45c183215 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
@@ -33,7 +33,7 @@
 		<div>
 			#if($RelayState)   <input type="hidden" name="RelayState" value="${RelayState}"/>     #end 
 			#if($SAMLRequest)  <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" />  #end
-			#if($SAMLResponse) <inputtype="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
+			#if($SAMLResponse) <input type="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
 		</div>
 		<noscript>
 			<div>
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html
index ac3242c89..7b064e22a 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html
@@ -7,7 +7,27 @@
 
 
 <body onload="document.getElementById('link').click();">
-	<a href="$URL" target="$TARGET" id="link">CLICK to perform a
-		redirect back to Online Application</a>
+		<div id="page">
+
+			<div id="page1" class="case selected-case" role="main">
+
+<!-- 					<h2 class="OA_header">Anmeldung an: #OAName#</h2> -->
+
+					<div id="main">
+					<div id="leftcontent" class="hell">
+            <div id="bku_header" class="dunkel">
+						  <h2 id="tabheader" class="dunkel" role="heading">
+							   >You get redirected ...
+						  </h2>
+            </div>
+					
+						<div id="selectArea" class="hell" role="application">
+	             <a href="$URL" target="$TARGET" id="link">Click here if it does not resume</a>
+               
+						</div>												
+					</div>
+				</div>
+		</div>
+	</div>
 </body>
 </html>
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
index b3eb18082..4d9277152 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
@@ -77,7 +77,7 @@
 		<!--div id="validation">
 			<a href="http://validator.w3.org/check?uri="> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
+				src="$contextPath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
 				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties
index 26ed52176..15084b387 100644
--- a/id/server/data/deploy/conf/moa-id/moa-id.properties
+++ b/id/server/data/deploy/conf/moa-id/moa-id.properties
@@ -68,10 +68,10 @@ protocols.oauth20.jwt.ks.key.password=password
 
 ##Database configuration##
 #Hibnerate configuration for MOA-ID 3.x session store 
-moasession.hibernate.dialect=org.hibernate.dialect.MySQLDialect
+moasession.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
 moasession.hibernate.connection.url=jdbc:mysql://localhost/moa-id-session?charSet=utf-8&serverTimezone=UTC
 moasession.hibernate.connection.charSet=utf-8
-moasession.hibernate.connection.driver_class=com.mysql.jdbc.Driver
+moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
 moasession.hibernate.connection.username=
 moasession.hibernate.connection.password=
 
@@ -97,13 +97,13 @@ moasession.dbcp.validationQuery=select 1
 
 
 #Hibnerate configuration for MOA-ID 3.x configuration
-configuration.hibernate.dialect=org.hibernate.dialect.MySQLDialect
+configuration.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
 configuration.jpaVendorAdapter.generateDdl=true
 configuration.hibernate.show_sql=false
 
 configuration.hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true&serverTimezone=UTC
 configuration.hibernate.connection.charSet=utf-8
-configuration.hibernate.connection.driver_class=com.mysql.jdbc.Driver
+configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
 configuration.hibernate.connection.username=
 configuration.hibernate.connection.password=
 configuration.dbcp.connectionProperties=
@@ -120,10 +120,10 @@ configuration.dbcp.validationQuery=SELECT 1
 
 #
 #Hibnerate configuration for MOA-ID 3.x advanced statistic logging
-advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQLDialect
+advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
 advancedlogging.hibernate.connection.url=jdbc:mysql://localhost/moa-id-statistic?charSet=utf-8&autoReconnect=true&serverTimezone=UTC
 advancedlogging.hibernate.connection.charSet=utf-8
-advancedlogging.hibernate.connection.driver_class=com.mysql.jdbc.Driver
+advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
 advancedlogging.hibernate.connection.username=
 advancedlogging.hibernate.connection.password=
 
diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html
index 84590aaee..e6b86204a 100644
--- a/id/server/doc/handbook/config/config.html
+++ b/id/server/doc/handbook/config/config.html
@@ -1070,14 +1070,9 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
 <p>Hiermit werden die URLs  zu den Default B&uuml;rgerkartenumgebungen (BKUs) definiert die von MOA-ID-Auth f&uuml;r einen  Anmeldevorgang verwendet werden, wenn die B&uuml;rgerkartenauswahl nicht bereits auf Seiten der Online-Applikation erfolgt ist (siehe <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a>) oder in der Online-Applikationskonfiguration keine BKU URLs konfiguriert wurden (siehe <a href="#konfigurationsparameter_oa_bku">Kapitel 3.2.2</a>).</p>
 <table class="configtable">
   <tr>
-    <th>Name</th>
-    <th>Beispielwert</th>
-    <th>Beschreibung</th>
-  </tr>
-  <tr>
-    <td>Online BKU</td>
-    <td><p>https://demo.egiz.gv.at/demoportal_bkuonline/https-security-layer-request</p></td>
-    <td>URL zu einer Online-BKU Instanz</td>
+    <th width="16%">Name</th>
+    <th width="42%">Beispielwert</th>
+    <th width="42%">Beschreibung</th>
   </tr>
   <tr>
     <td>Handy BKU</td>
@@ -1089,6 +1084,12 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
     <td>https://127.0.0.1:3496/https-security-layer-request</td>
     <td>URL auf die lokale BKU Instanz</td>
   </tr>
+  <tr>
+    <td>Optionale dritte BKU</td>
+    <td><p>https://demo.egiz.gv.at/demoportal_bkuonline/https-security-layer-request</p></td>
+    <td><p>URL zu einer optionalen dritten BKU Instanz.</p>
+      <p><strong>Hinweis:</strong> Hiermit kann z.B. die OnlineBKU eingebunden werden</p></td>
+  </tr>
 </table>
 <h4><a name="konfigurationsparameter_allgemein_sl-templates" id="konfigurationsparameter_allgemein_bku2"></a>3.1.3 Security-Layer Request Templates</h4>
 <p>Security-Layer (SL) Templates dienen der Kommunikation mit der gew&auml;hlten B&uuml;rgerkartenumgebung. Die hier hinterlegen SL-Templates werden f&uuml;r die Kommunikation mit der jeweiligen BKU verwendet. N&auml;here Details zum Aufbau dieser SL-Templates finden Sie im <a href="#import_template_sltemplate">Kapitel 4.3</a>. </p>
@@ -1101,11 +1102,6 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
     <th>Beschreibung</th>
   </tr>
   <tr>
-    <td>Online BKU</td>
-    <td><p>SLTemplates/template_onlineBKU.html</p></td>
-    <td><p>SL Template zur Kommunikation mit der Online-BKU.</p></td>
-  </tr>
-  <tr>
     <td>Handy BKU</td>
     <td>SLTemplates/template_handyBKU.html</td>
     <td>SL Template zur Kommunikation mit der Handy-BKU</td>
@@ -1115,6 +1111,11 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
     <td>SLTemplates/template_localeBKU.html</td>
     <td>SL Template zur Kommunikation mit einer lokalen BKU Instanz</td>
   </tr>
+  <tr>
+    <td>Dritte BKU</td>
+    <td><p>SLTemplates/template_thirdBKU.html</p></td>
+    <td><p>SL Template zur Kommunikation mit der optionalen dritten BKU Instanz.</p></td>
+  </tr>
 </table>
 <h4><a name="konfigurationsparameter_allgemein_certvalidation" id="konfigurationsparameter_allgemein_bku3"></a>3.1.4 Zertifikatspr&uuml;fung</h4>
 <p>Dieser Bereich behandelt die allgemeine Einstellungen zur Zertifikatspr&uuml;fung und die Konfiguration von vertrauensw&uuml;rdigen Zertifikaten.</p>
@@ -1688,15 +1689,6 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID  1.5.1 im Kontext der
     <th>Beschreibung</th>
   </tr>
   <tr>
-    <td><span id="wwlbl_newOA_generalOA_bkuOnlineURL">Online BKU</span></td>
-    <td><p>https://demo.egiz.gv.at/<br>
-      demoportal_bkuonline/<br>
-      https-security-layer-request</p></td>
-    <td align="center">X</td>
-    <td align="center">X</td>
-    <td>URL zu einer applikationsspezifischen Online-BKU Instanz. Erfolgt keine applikationsspezifische Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">Online-BKU der allgemeinen Konfiguration</a> f&uuml;r den Anmeldevorgang verwendet.</td>
-  </tr>
-  <tr>
     <td><p><span id="wwlbl_newOA_generalOA_bkuHandyURL">Handy BKU</span></p></td>
     <td>https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx</td>
     <td align="center">X</td>
@@ -1711,6 +1703,15 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID  1.5.1 im Kontext der
     <td>URL auf die lokale BKU Instanz. Erfolgt keine applikationsspezifischen Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">locale BKU der allgemeinen Konfiguration</a> f&uuml;r den Anmeldevorgang verwendet.</td>
   </tr>
   <tr>
+    <td><span id="wwlbl_newOA_generalOA_bkuOnlineURL">Dritte BKU</span></td>
+    <td><p>https://demo.egiz.gv.at/<br>
+      demoportal_bkuonline/<br>
+      https-security-layer-request</p></td>
+    <td align="center">X</td>
+    <td align="center">X</td>
+    <td>URL zu einer applikationsspezifischen dritten BKU Instanz. Erfolgt keine applikationsspezifische Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">dritte BKU der allgemeinen Konfiguration</a> f&uuml;r den Anmeldevorgang verwendet.</td>
+  </tr>
+  <tr>
     <td><span id="wwlbl_newOA_generalOA_keyBoxIdentifier">KeyBoxIdentifier</span></td>
     <td><span id="wwctrl_newOA_generalOA_keyBoxIdentifier">SecureSignatureKeypair</span></td>
     <td align="center">X</td>
diff --git a/id/server/doc/handbook/index.html b/id/server/doc/handbook/index.html
index 0eab8f187..e72105816 100644
--- a/id/server/doc/handbook/index.html
+++ b/id/server/doc/handbook/index.html
@@ -29,7 +29,7 @@
   </div>
 
 <div class="container">
-  <h2>&Uuml;bersicht zur Dokumentation der Version 3.1.x </h2>
+  <h2>&Uuml;bersicht zur Dokumentation der Version 3.3.x </h2>
   
   <dl>
     <dt><a href="./intro/intro.html">Einf&uuml;hrung</a></dt>
diff --git a/id/server/doc/htmlTemplates/BKU-selection.html b/id/server/doc/htmlTemplates/BKU-selection.html
index 53c4f0d5d..1f365c104 100644
--- a/id/server/doc/htmlTemplates/BKU-selection.html
+++ b/id/server/doc/htmlTemplates/BKU-selection.html
@@ -51,8 +51,12 @@
 								  <input type="hidden" name="pendingid" value="$pendingReqID" /> 
                   <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
                 </form>
-                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe>
-                              
+                
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+                
+                <!-- BKU detection with static template-->
+                <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
+                                                            
 							</div>
 							<div id="bkuhandy">
 								<img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" />         
@@ -70,7 +74,7 @@
                 <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
 									     role="button" onclick="setMandateSelection();">
                 </form>
-                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe>
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
               </div-->
               
               <!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html b/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html
index 32f0a7d4d..aaf931b7d 100644
--- a/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html
+++ b/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html
@@ -60,6 +60,10 @@
                 <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
 									     role="button" onclick="setMandateSelection();">
                 </form>
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
+                
+                <!-- BKU detection with static template-->
+                <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
               </div>
               
               <!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index 55b1a7c9a..72aef5fed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{
 			
 			//set actual date and time
 			dblog.setTimestamp(new Date());
-			
-			//set OA databaseID
-			//dblog.setOaID(dbOA.getHjid());
-			
+						
 			//log basic AuthInformation
 			dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
 			dblog.setOafriendlyName(dbOA.getFriendlyName());
 			
-			boolean isbusinessservice = isBusinessService(dbOA);
-			dblog.setBusinessservice(isbusinessservice);			
+			try {
+				dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+				
+			} catch (Exception e) {
+				Logger.warn("Can not extract some information for StatisticLogger.", e);
+			}
+			
 			dblog.setOatarget(authData.getBPKType());
 
 
@@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{
 			if (dbOA != null) {
 				dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
 				dblog.setOafriendlyName(dbOA.getFriendlyName());
-				dblog.setOatarget(dbOA.getTarget());
-				//dblog.setOaID(dbOA.getHjid());
-				dblog.setBusinessservice(isBusinessService(dbOA));
+				
+				try {
+					dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier());
+					dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+				} catch (Exception e) {	
+					Logger.warn("Can not extract some information for StatisticLogger.", e);
+					
+				}
 				
 				IAuthenticationSession moasession = null;
 				if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) {
@@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{
 			
 		}
 	}
-	
-	private boolean isBusinessService(IOAAuthParameters dbOA) {
 		
-		if (dbOA.getOaType().equals("businessService"))
-			return true;
-		else
-			return false;
-	}
-	
 	private String getMessageWithMaxLength(String msg, int maxlength) {
 		return getErrorMessageWithMaxLength(msg, maxlength);
 		
@@ -391,15 +390,15 @@ public class StatisticLogger implements IStatisticLogger{
 			if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.LOCALBKU)))
 				return IOAAuthParameters.LOCALBKU;
 					
-			if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.ONLINEBKU)))
-				return IOAAuthParameters.ONLINEBKU;	
+			if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.THIRDBKU)))
+				return IOAAuthParameters.THIRDBKU;	
 		}
 		
 		Logger.trace("Staticic Log search BKUType from DefaultBKUs");
 		
 		try {
-			if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU)))
-				return IOAAuthParameters.ONLINEBKU;
+			if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.THIRDBKU)))
+				return IOAAuthParameters.THIRDBKU;
 			
 			if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU)))
 				return IOAAuthParameters.LOCALBKU;
@@ -422,12 +421,7 @@ public class StatisticLogger implements IStatisticLogger{
 			Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU);
 			return IOAAuthParameters.HANDYBKU;
 		}
-		
-		if (bkuURL.contains(GENERIC_ONLINE_BKU)) {		
-			Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
-			return IOAAuthParameters.ONLINEBKU;			
-		}
-		
+				
 		Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS);
 		return IOAAuthParameters.AUTHTYPE_OTHERS;
 	}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index cad3354f5..5a5d0bcf6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 			//####################################################
 			//set general authData info's
 			authData.setIssuer(protocolRequest.getAuthURL());
-			authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
-			authData.setIsBusinessService(oaParam.getBusinessService());
-		
+			authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());			
+			authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction());
+			
 		
 			//####################################################
 			//parse user info's from identityLink
@@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 	 * @param oaParam Service-Provider configuration, never null
 	 * @param bPKType bPK-Type to check
 	 * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false
+	 * @throws ConfigurationException 
 	 */
-	private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) {		
-		String oaTarget = null;
-		if (oaParam.getBusinessService()) {
-			oaTarget = oaParam.getIdentityLinkDomainIdentifier();
-						
-		} else {
-			oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-			
-		}
-				
-		if (oaTarget.equals(bPKType))
-			return true;
-		else
-			return false;
+	private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException {						
+		return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType);
+
 	}
 
 	private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) {
@@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 	 * 
 	 * @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider, 
 	 *         or <code>null</code> if no attribute exists or can not decrypted
+	 * @throws ConfigurationException 
 	 */
 	private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session,
-			AuthenticationData authData, IOAAuthParameters spConfig) {
+			AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException {
 		//set List of encrypted bPKs to authData DAO		
 		String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class);
 		if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) {
@@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 					String second = fullEncbPK.substring(0, index);					
 					int secIndex = second.indexOf("+");
 					if (secIndex >= 0) {
-						if (spConfig.getTarget().equals(second.substring(secIndex+1))) {
-							Logger.debug("Found encrypted bPK for online-application " 
-									+ spConfig.getPublicURLPrefix()
-									+ " Start decryption process ...");
-							PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
-							if (privKey != null) {
-								try {
-									String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey);
-									if (MiscUtil.isNotEmpty(bPK)) {
-										Logger.info("bPK decryption process finished successfully.");
-										return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget());
-																														
-									} else {
-										Logger.error("bPK decryption FAILED.");
-									
+						String oaTargetId = spConfig.getAreaSpecificTargetIdentifier();
+						if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {						
+							String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length());						
+							if (publicServiceShortTarget.equals(second.substring(secIndex+1))) {
+								Logger.debug("Found encrypted bPK for online-application " 
+										+ spConfig.getPublicURLPrefix()
+										+ " Start decryption process ...");
+								PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
+								if (privKey != null) {
+									try {
+										String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey);
+										if (MiscUtil.isNotEmpty(bPK)) {
+											Logger.info("bPK decryption process finished successfully.");
+											return Pair.newInstance(bPK, oaTargetId);
+																															
+										} else {
+											Logger.error("bPK decryption FAILED.");
+										
+										}
+									} catch (BuildException e) {
+										Logger.error("bPK decryption FAILED.", e);
+										
 									}
-								} catch (BuildException e) {
-									Logger.error("bPK decryption FAILED.", e);
 									
-								}
+								} else {
+									Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+									
+								}							
 								
 							} else {
-								Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+								Logger.info("Found encrypted bPK but " +
+										"encrypted bPK target does not match to online-application target"); 
 								
-							}							
+							}
 							
 						} else {
-							Logger.info("Found encrypted bPK but " +
-									"encrypted bPK target does not match to online-application target"); 
+							Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID 
+									+ " BUT oaTarget is " + oaTargetId);
 							
 						}
 					}					
@@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 	}
 
 	private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException {
-		if (oaParam.getBusinessService()) {
+		if (oaParam.hasBaseIdTransferRestriction()) {
             Element idlassertion = idl.getSamlAssertion();
             //set bpk/wpbk;
 	        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
@@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 	}		
 
 
-	private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException  {
+	private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException  {
 		
-		String bPK;
-		String bPKType; 
-
 		String baseID = authData.getIdentificationValue();
-		String baseIDType = authData.getIdentificationType();
-			
-		 if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {			 
-			 //Calculate eIDAS identifier
-			 if (oaParam.getBusinessService() && 
-					 oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) { 
-				 String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+");
-				 String cititzenCountryCode = splittedTarget[1];
-				 String eIDASOutboundCountry = splittedTarget[2];				 
-				 
-				 if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
-					 Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
-					 
-				 }
-				 				 
-				 Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID, 
-						 cititzenCountryCode, eIDASOutboundCountry);
-				 Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond());	
-				 return eIDASID;
-				 
-			 } else if (oaParam.getBusinessService()) {
-				 //is Austrian private-service application
-				 String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
-	                bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr);
-	                bPKType = registerAndOrdNr; 
-				 
-			 } else {
-		        // only compute bPK if online application is a public service and we have the Stammzahl
-	            String target = null;
-	            Class<?>  saml1RequstTemplate = null;
-	        	try {
-	        		saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
-	        		if (saml1RequstTemplate != null && 
-							saml1RequstTemplate.isInstance(pendingReq)) {
-		            	target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
+		String baseIDType = authData.getIdentificationType();		
+		Pair<String, String> sectorSpecId = null;
+		
+		if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {			
+			//SAML1 legacy target parameter work-around
+			String oaTargetId = null;
+	        Class<?>  saml1RequstTemplate = null;
+	        try {
+	        	saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
+	        	if (saml1RequstTemplate != null && 
+	        			saml1RequstTemplate.isInstance(pendingReq)) {
+	        		oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
 		            	
-		            }  
+		        }  
 	        		
-	        	} catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException |  java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) {	        			}	
+	        } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException |  java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) {	        			}
+			
+	        if (MiscUtil.isEmpty(oaTargetId)) { 
+	        	oaTargetId = oaParam.getAreaSpecificTargetIdentifier();
+	        	Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration");
 	        	
-	        	if (MiscUtil.isEmpty(target)) 
-	            	target = oaParam.getTarget();
-	            	
-	            bPK = new BPKBuilder().buildBPK(baseID, target);
-	            bPKType = Constants.URN_PREFIX_CDID + "+" + target;	            	
-	            				 
-			 }
-			 			 			 
+	        } else 
+	        	Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation");
+	        
+	        //calculate sector specific unique identifier
+	        sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId);
+	        
+				 			 			 
 		 } else {
-			 Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
-			 bPK = baseID;
-             bPKType = baseIDType; 
-			 
+			 Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!");                           	
+     		 sectorSpecId = Pair.newInstance(baseID, baseIDType);
+     		 
 		 }
 		
-        Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType);		
-		return Pair.newInstance(bPK, bPKType);
+		Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond());
+		return sectorSpecId;
         
 	}
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 32ac8ad68..a7f6e873f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
@@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil;
  */
 public class BPKBuilder {
 
-    /**
-     * Builds the bPK from the given parameters.
-     *
-     * @param identificationValue Base64 encoded "Stammzahl"
-     * @param target              "Bereich lt. Verordnung des BKA"
-     * @return bPK in a BASE64 encoding
-     * @throws BuildException if an error occurs on building the bPK
-     */
-    public String buildBPK(String identificationValue, String target)
-            throws BuildException {
-
-        if ((identificationValue == null ||
-                identificationValue.length() == 0 ||
-                target == null ||
-                target.length() == 0)) {
-            throw new BuildException("builder.00",
-                    new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
-                            identificationValue + ",target=" + target});
-        }
-        String basisbegriff;
-        if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
-            basisbegriff = identificationValue + "+" + target;
-        else
-            basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+	/**
+	 * Calculates an area specific unique person-identifier from a baseID
+	 * 
+	 * @param baseID baseId from user but never null
+	 * @param targetIdentifier target identifier for area specific identifier calculation but never null
+	 * @return Pair<unique person identifier for this target, targetArea> but never null
+	 * @throws BuildException if some input data are not valid 
+	 */
+	public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{
+		return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier);
+		
+	}
+	
+	/**
+	 * Calculates an area specific unique person-identifier from an unique identifier with a specific type
+	 * 
+	 * @param baseID baseId from user but never null
+	 * @param baseIdType Type of the baseID but never null
+	 * @param targetIdentifier target identifier for area specific identifier calculation but never null
+	 * @return Pair<unique person identifier for this target, targetArea> but never null
+	 * @throws BuildException if some input data are not valid 
+	 */
+	public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{
+		if (MiscUtil.isEmpty(baseID))
+			throw new BuildException("builder.00", new Object[]{"baseID is empty or null"});
 
-        return calculatebPKwbPK(basisbegriff);
-    }
+		if (MiscUtil.isEmpty(baseIdType))
+			throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"});
+		
+		if (MiscUtil.isEmpty(targetIdentifier)) 
+			throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"});
 
+		if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) {
+			Logger.trace("Find baseID. Starting unique identifier caluclation for this target");
+			
+			if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) || 
+					targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) || 
+					targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) {
+				Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier);
+				return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier);
+													
+			} else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) {
+				Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier);
+				String[] splittedTarget = targetIdentifier.split("\\+");
+				String cititzenCountryCode = splittedTarget[1];
+				String eIDASOutboundCountry = splittedTarget[2];				 
+				 
+				if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
+					Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
+					 
+				}
+				return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry);
+				
+				
+			} else
+				throw new BuildException("builder.00", 
+						new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"});
+		
+		} else {
+			Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ...");
+			if (baseIdType.equals(targetIdentifier)) {
+				Logger.debug("Unique identifier is already area specific. Is nothing todo");
+				return Pair.newInstance(baseID, targetIdentifier);
+				
+			} else {
+				Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!");
+				throw new BuildException("builder.00", 
+						new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"});
+				
+			}			
+		}						
+	}
+	
+	
     /**
-     * Builds the wbPK from the given parameters.
+     * Builds the storkeid from the given parameters.
      *
-     * @param identificationValue Base64 encoded "Stammzahl"
-     * @param registerAndOrdNr    type of register + "+" + number in register.
-     * @return wbPK in a BASE64 encoding
+     * @param baseID baseID of the citizen
+     * @param baseIDType Type of the baseID
+     * @param sourceCountry CountryCode of that country, which build the eIDAs ID
+     * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
+     * 
+     * @return Pair<eIDAs, bPKType> in a BASE64 encoding
      * @throws BuildException if an error occurs on building the wbPK
      */
-    public String buildWBPK(String identificationValue, String registerAndOrdNr)
-            throws BuildException {
+    private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
+            throws BuildException {        
+        String bPK = null;
+        String bPKType = null;
+        
+        // check if we have been called by public sector application
+        if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
+        	bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
+            Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);         
+            bPK = calculatebPKwbPK(baseID + "+"  + bPKType);
+            
+        } else { // if not, sector identification value is already calculated by BKU
+            Logger.debug("eIDAS eIdentifier already provided by BKU");
+            bPK = baseID;
+        }
 
-        if ((identificationValue == null ||
-                identificationValue.length() == 0 ||
-                registerAndOrdNr == null ||
-                registerAndOrdNr.length() == 0)) {
+        if ((MiscUtil.isEmpty(bPK) ||
+                MiscUtil.isEmpty(sourceCountry) ||
+                	MiscUtil.isEmpty(destinationCountry))) {
             throw new BuildException("builder.00",
-                    new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
-                            identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+                    new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
+                            bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
         }
-
-        String basisbegriff;
-        if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
-            basisbegriff = identificationValue + "+" + registerAndOrdNr;
-        else
-            basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
-
-        return calculatebPKwbPK(basisbegriff);
-    }
-
-    public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
-    	if (MiscUtil.isEmpty(baseID) || 
-    			!(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || 
-    					bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || 
-    					bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
-    		throw new BuildException("builder.00",
-                    new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget 
-    					+ " has an unkown prefix."});
-    		
-    	}
-    	
-    	return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
-    	
+        
+        Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
+        String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
+        
+        return Pair.newInstance(eIdentifier, bPKType);
     }
+	
+//    /**
+//     * Builds the bPK from the given parameters.
+//     *
+//     * @param identificationValue Base64 encoded "Stammzahl"
+//     * @param target              "Bereich lt. Verordnung des BKA"
+//     * @return bPK in a BASE64 encoding
+//     * @throws BuildException if an error occurs on building the bPK
+//     */
+//    private String buildBPK(String identificationValue, String target)
+//            throws BuildException {
+//
+//        if ((identificationValue == null ||
+//                identificationValue.length() == 0 ||
+//                target == null ||
+//                target.length() == 0)) {
+//            throw new BuildException("builder.00",
+//                    new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
+//                            identificationValue + ",target=" + target});
+//        }
+//        String basisbegriff;
+//        if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+//            basisbegriff = identificationValue + "+" + target;
+//        else
+//            basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+//
+//        return calculatebPKwbPK(basisbegriff);
+//    }
+//
+//    /**
+//     * Builds the wbPK from the given parameters.
+//     *
+//     * @param identificationValue Base64 encoded "Stammzahl"
+//     * @param registerAndOrdNr    type of register + "+" + number in register.
+//     * @return wbPK in a BASE64 encoding
+//     * @throws BuildException if an error occurs on building the wbPK
+//     */
+//    private String buildWBPK(String identificationValue, String registerAndOrdNr)
+//            throws BuildException {
+//
+//        if ((identificationValue == null ||
+//                identificationValue.length() == 0 ||
+//                registerAndOrdNr == null ||
+//                registerAndOrdNr.length() == 0)) {
+//            throw new BuildException("builder.00",
+//                    new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
+//                            identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+//        }
+//
+//        String basisbegriff;
+//        if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
+//            basisbegriff = identificationValue + "+" + registerAndOrdNr;
+//        else
+//            basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
+//
+//        return calculatebPKwbPK(basisbegriff);
+//    }
+//
+//    private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
+//    	if (MiscUtil.isEmpty(baseID) || 
+//    			!(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || 
+//    					bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || 
+//    					bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
+//    		throw new BuildException("builder.00",
+//                    new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget 
+//    					+ " has an unkown prefix."});
+//    		
+//    	}
+//    	
+//    	return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
+//    	
+//    }
     
 	public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
 		MiscUtil.assertNotNull(bpk, "BPK");
@@ -199,48 +315,7 @@ public class BPKBuilder {
 			return null;
 		}		
 	}
-    
-    /**
-     * Builds the storkeid from the given parameters.
-     *
-     * @param baseID baseID of the citizen
-     * @param baseIDType Type of the baseID
-     * @param sourceCountry CountryCode of that country, which build the eIDAs ID
-     * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
-     * 
-     * @return Pair<eIDAs, bPKType> in a BASE64 encoding
-     * @throws BuildException if an error occurs on building the wbPK
-     */
-    public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
-            throws BuildException {        
-        String bPK = null;
-        String bPKType = null;
-        
-        // check if we have been called by public sector application
-        if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
-        	bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
-            Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);         
-            bPK = calculatebPKwbPK(baseID + "+"  + bPKType);
-            
-        } else { // if not, sector identification value is already calculated by BKU
-            Logger.debug("eIDAS eIdentifier already provided by BKU");
-            bPK = baseID;
-        }
-
-        if ((MiscUtil.isEmpty(bPK) ||
-                MiscUtil.isEmpty(sourceCountry) ||
-                	MiscUtil.isEmpty(destinationCountry))) {
-            throw new BuildException("builder.00",
-                    new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
-                            bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
-        }
-        
-        Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
-        String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
         
-        return Pair.newInstance(eIdentifier, bPKType);
-    }
-    
     private String calculatebPKwbPK(String basisbegriff) throws BuildException {
     	try {
             MessageDigest md = MessageDigest.getInstance("SHA-1");
@@ -281,6 +356,4 @@ public class BPKBuilder {
 		result = cipher.doFinal(encryptedBytes);
 		return result;
 	}
-
-
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
index 73fe961eb..4c4af4239 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
@@ -53,9 +53,11 @@ import java.util.List;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
 
 /**
@@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
 	 * @param oaParam parameter for the OA
 	 * @param session current session
 	 * @return String representation of <code>&lt;CreateXMLSignatureRequest&gt;</code>
+	 * @throws ConfigurationException 
 	 */
-	public String buildForeignID(String subject, IRequest pendingReq) {
+	public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException {
 			
 		String request = "";
 		request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">"; 
@@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
 		return request;
 	}
 	
-	public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) {		
+	public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException {		
 		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();		
-		String target = pendingReq.getGenericData(
-				MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);		
-		String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
+		String target = null;
+		String sectorName = null;
+		
+		
+		String saml1Target = pendingReq.getGenericData(
+				MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+		if (MiscUtil.isNotEmpty(saml1Target)) {
+			target = saml1Target;
+			sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target);
+			
+		} else {
+			target = oaParam.getAreaSpecificTargetIdentifier();
+			sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+		}		
 		
 		Calendar cal = Calendar.getInstance();
 		String date = DateTimeUtils.buildDate(cal);
@@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
 		request += oaParam.getPublicURLPrefix();
 		request += "</td>";
 		request += "</tr>";
-		boolean business = oaParam.getBusinessService();
-		if (business) {
+		
+		if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
 			// OA is businessservice
-			String identifierType = oaParam.getIdentityLinkDomainIdentifierType();
-			String identifier = oaParam.getIdentityLinkDomainIdentifier();
+			String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+			String identifier = oaParam.getAreaSpecificTargetIdentifier();
 			request += "<tr>";
 			request += "<td class=\"italicstyle\">";
 			request += identifierType + ":";
@@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
 			request += "<td class=\"italicstyle\">";
 			request += "Sektor (Sector):</td>";
 			request += "<td class=\"normalstyle\">";
-			request += target + " (" + sectorName + ")";
+			request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
 			request += "</td>";
 			request += "</tr>";
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index f4f6e82ba..fc5489673 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder {
 			if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
 				String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
 				if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
-					dynamicOA.setBusinessService(false);
-					dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length()));
+					//dynamicOA.setBusinessService(false);
+					dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
 					
 				} else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || 
-						attrValue.startsWith(Constants.URN_PREFIX_STORK) ) {
-					dynamicOA.setBusinessService(true);
-					dynamicOA.setTarget(attrValue);
+						attrValue.startsWith(Constants.URN_PREFIX_STORK) || 
+						attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) {
+					//dynamicOA.setBusinessService(true);
+					dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
 					 					
 				} else {
 					Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea");
@@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder {
 	 * @param oaParam
 	 * @param protocolRequest
 	 * @return
+	 * @throws ConfigurationException 
 	 */
 	public static IOAAuthParameters buildFromAuthnRequest(
-			IOAAuthParameters oaParam, IRequest protocolRequest) {
+			IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException {
 		
 		DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters();
 		dynOAParams.setApplicationID(oaParam.getPublicURLPrefix());
-		dynOAParams.setBusinessService(oaParam.getBusinessService());
+	
+		dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
+		dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
 		
 		Object storkRequst = null;
 		try {
@@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder {
 			if (storkRequst != null && 
 					protocolRequest.getClass().isInstance(storkRequst)) {
 				
-				dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" 
+				dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" 
 						+ protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null));
-				dynOAParams.setBusinessService(true);
+				//dynOAParams.setBusinessService(true);
 								
 			}
 									
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
index a82ba501c..d5ca89656 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
@@ -56,12 +56,16 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.spss.MOAException;
 import at.gv.egovernment.moa.spss.api.SignatureVerificationService;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
 import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser;
 import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder;
 import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
 import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
 
 /**
  * Invoker of the <code>SignatureVerification</code> web service of MOA-SPSS.<br>
@@ -108,6 +112,18 @@ public class SignatureVerificationInvoker {
 	  
   }
   
+  public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest cmsSigVerifyReq) throws ServiceException {	 
+	  try {
+		return svs.verifyCMSSignature(cmsSigVerifyReq);
+		
+	  } catch (MOAException e) {
+		  Logger.warn("CMS signature verification has an error.", e);
+		  throw new ServiceException("service.03", new Object[] { e.toString()}, e);
+		  
+	  }
+	  
+  }
+  
   /**
    * Method verifyXMLSignature.
    * @param request to be sent
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index 92d76751f..b2db8d5a2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -52,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
 	@Autowired AuthConfiguration authConfig;
 	
 	public void parse(IAuthenticationSession moasession, 
-			String target,
+			String reqTarget,
 			String oaURL,
 			String bkuURL,
 			String templateURL,
@@ -61,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
 			HttpServletRequest req, 
 			IRequest protocolReq) throws WrongParametersException, MOAIDException {
 		
-		String targetFriendlyName = null;
-				
+		String resultTargetFriendlyName = null;
+		String resultTarget = null;
+		
 	    // escape parameter strings
-		target = StringEscapeUtils.escapeHtml(target);
+		reqTarget = StringEscapeUtils.escapeHtml(reqTarget);
 		bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
 		templateURL = StringEscapeUtils.escapeHtml(templateURL);
 		useMandate = StringEscapeUtils.escapeHtml(useMandate);
@@ -102,66 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
 			
 			
 		// get target and target friendly name from config
-		String targetConfig = oaParam.getTarget();
-		String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
+		String targetConfig = oaParam.getAreaSpecificTargetIdentifier();
+		String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+		
+		//SAML1 legacy work-around for public area targets in request
+		if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && 
+							!StringUtils.isEmpty(reqTarget)) {
+			//INFO: ONLY SAML1 legacy mode
+	    	// if SAML1 is used and target attribute is given in request
+	    	// use requested target
+	    	// check target parameter
+			if (!ParamValidatorUtils.isValidTarget(reqTarget)) {
+				Logger.error("Selected target is invalid. Used target: " + reqTarget);
+				throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
+			}
+			resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget;
 			
-		if (!oaParam.getBusinessService()) {
-			if (StringUtils.isEmpty(targetConfig)
-					|| (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && 
-							!StringUtils.isEmpty(target)) 
-				) {
-					//INFO: ONLY SAML1 legacy mode
-			    	// if SAML1 is used and target attribute is given in request
-			    	// use requested target
-			    	// check target parameter
-				if (!ParamValidatorUtils.isValidTarget(target)) {
-                    Logger.error("Selected target is invalid. Using target: " + target);
-			   		throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
-                }
-				if (MiscUtil.isNotEmpty(targetConfig))
-					targetFriendlyName = targetFriendlyNameConfig;
+			String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget);
+			if (MiscUtil.isNotEmpty(sectorName))
+				resultTargetFriendlyName = sectorName;
+		
+			else {
+				//check target contains subSector
+				int delimiter = reqTarget.indexOf("-");
+				if (delimiter > 0) {
+					resultTargetFriendlyName = 
+						TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter));
 				
-				else {
-					String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
-					if (MiscUtil.isNotEmpty(sectorName))
-							targetFriendlyName = sectorName;
-					
-					else {
-						//check target contains subSector
-						int delimiter = target.indexOf("-");
-						if (delimiter > 0) {
-							targetFriendlyName = 
-									TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter));
-							
-						}						
-					}					
-				}
-									
-			} else {
-			    	// use target from config			    	
-			    	target = targetConfig;
-			    	targetFriendlyName = targetFriendlyNameConfig;
+				}						
 			}
 			
-			if (isEmpty(target))
-				throw new WrongParametersException("StartAuthentication",
-						PARAM_TARGET, "auth.05");
-			
-			protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target);
+			if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName))
+				resultTargetFriendlyName = targetFriendlyNameConfig;
+					
+			//set info's into request-context. (It's required to support SAML1 requested target parameters)			
+			protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget);
 			protocolReq.setGenericDataToSession(
-					MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName);
-			Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target);
-            
-		} else {
-			Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier());
+					MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName);
 			
-			if (useMandateBoolean) {
-				Logger.error("Online-Mandate Mode for business application not supported.");
-				throw new AuthenticationException("auth.17", null);
-			}
+		} else {
+			Logger.trace("Use oa sector-identifier from configuration");
+			resultTarget = targetConfig;
+			resultTargetFriendlyName = targetFriendlyNameConfig;
 			
 		}
-		 		
+	
+		//check if target is found
+		if (MiscUtil.isEmpty(resultTarget))
+			throw new WrongParametersException("StartAuthentication",
+					PARAM_TARGET, "auth.05");
+
+		//check if mandates are allowed
+		if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) {
+			Logger.error("Online-Mandate Mode for business application not supported.");
+			throw new AuthenticationException("auth.17", null);
+			
+		}	
+		
+		if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+			Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget);	
+		else
+			Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget);
+		
+		
+		
 		//Validate BKU URI
 		List<String> allowedbkus = oaParam.getBKUURL();
 		allowedbkus.addAll(authConfig.getDefaultBKUURLs());
@@ -247,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
 	    parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq);
 	    
 	}
-	
-	/**
-	 * Checks a parameter.
-	 * 
-	 * @param param
-	 *            parameter
-	 * @return true if the parameter is null or empty
-	 */
-	private boolean isEmpty(String param) {
-		return param == null || param.length() == 0;
-	}
-
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 353261085..5f74d8fdd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -29,6 +29,7 @@ import java.io.StringWriter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 
@@ -48,7 +49,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.data.ExceptionContainer;
 import at.gv.egovernment.moa.id.moduls.IRequestStorage;
@@ -166,8 +166,9 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 
 			return;
 					
-		} catch (MOADatabaseException e) {
-			Logger.warn("Exception can not be stored to Database.", e);
+		} catch (Exception e) {
+			Logger.warn("Default error-handling FAILED. Exception can not be stored to Database.", e);
+			Logger.info("Switch to generic generic backup error-handling ... ");
 			handleErrorNoRedirect(loggedException, req, resp, true);
 			
 		}
@@ -231,7 +232,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		ErrorResponseUtils utils = ErrorResponseUtils.getInstance();
 		String code = utils.mapInternalErrorToExternalError(
 				((InvalidProtocolRequestException)e).getMessageId());
-		String descr = e.getMessage();
+		String descr = StringEscapeUtils.escapeHtml(e.getMessage());
 		resp.setContentType(MediaType.HTML_UTF_8.toString());
 		resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" +
 				"(Errorcode=" + code +
@@ -248,7 +249,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 					null);
 				
 			//add errorcode and errormessage
-			config.putCustomParameter("errorMsg", msg);
+			config.putCustomParameter("errorMsg", StringEscapeUtils.escapeHtml(msg));
 			config.putCustomParameter("errorCode", errorCode);
 		
 			//add stacktrace if debug is enabled
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
index 416e787a7..49145a850 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
@@ -33,9 +33,11 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration;
 import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
 import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.moduls.IRequestStorage;
@@ -52,6 +54,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
 
 	public static final String ENDPOINT_CSS = "/css/buildCSS";
 	public static final String ENDPOINT_JS = "/js/buildJS";
+	public static final String ENDPOINT_BKUDETECTION = "/feature/bkuDetection";
 	
 	@Autowired AuthConfiguration authConfig;
 	@Autowired IRequestStorage requestStoreage;
@@ -65,6 +68,41 @@ public class GUILayoutBuilderServlet extends AbstractController {
 		
 	}
 	
+	@RequestMapping(value = ENDPOINT_BKUDETECTION, method = {RequestMethod.GET})
+	public void buildBkuDetectionFrame(HttpServletRequest req, HttpServletResponse resp) throws IOException {		
+		try {
+			IRequest pendingReq = extractPendingRequest(req);
+			
+			//initialize GUI builder configuration
+			AbstractServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+			if (pendingReq != null) 
+				config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
+						pendingReq, 
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC, 
+						null);
+			
+			else {
+				config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
+						HTTPUtils.extractAuthURLFromRequest(req), 
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_GENERIC, 
+						null);
+				config.setTemplateClasspahtDir(
+						SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_MAINGUI_DIRECTORY);
+				
+			}
+		
+			//build GUI component
+			formBuilder.build(resp, config, MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8, "BKUDetection-Frame");
+			
+			
+		} catch (Exception e) {
+			Logger.warn("GUI ressource:'BKUDetection' generation FAILED.", e);
+			resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
+			
+		}
+		
+	}
+	
 	@RequestMapping(value = "/css/buildCSS", method = {RequestMethod.GET})
 	public void buildCSS(HttpServletRequest req, HttpServletResponse resp) throws IOException {		
 		try {
@@ -88,7 +126,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
 			formBuilder.build(resp, config, "text/css; charset=UTF-8", "CSS-Form");
 			
 		} catch (Exception e) {
-			Logger.warn("GUI ressource:'CSS' generation FAILED.");
+			Logger.warn("GUI ressource:'CSS' generation FAILED.", e);
 			resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
 		}
 							
@@ -117,7 +155,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
 			formBuilder.build(resp, config, "text/javascript; charset=UTF-8", "JavaScript");
 			
 		} catch (Exception e) {
-			Logger.warn("GUI ressource:'JavaScript' generation FAILED.");
+			Logger.warn("GUI ressource:'JavaScript' generation FAILED.", e);
 			resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
 		}
 						
@@ -142,6 +180,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
 			
 		} catch (Exception e) {
 			Logger.warn("GUI-Layout builder-servlet has an error during request-preprocessing.", e);
+			
 		}	
 		
 		return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 1848fa6f7..be511d888 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -49,6 +49,8 @@ import at.gv.egovernment.moa.util.URLEncoder;
 @Controller
 public class RedirectServlet {
 
+	public static final String SERVICE_ENDPOINT = "/RedirectServlet";
+	
 	public static final String REDIRCT_PARAM_URL = "redirecturl";
 	private static final String DEFAULT_REDIRECTTARGET = "_parent";
 	
@@ -74,6 +76,8 @@ public class RedirectServlet {
 			//validate URL
 			new java.net.URL(url);
 			
+			//url = URLDecoder.decode(url, "UTF-8");
+			
 			oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
 			String authURL = HTTPUtils.extractAuthURLFromRequest(req);
 			
@@ -128,12 +132,24 @@ public class RedirectServlet {
 					resp.addHeader("Location", url);
 					
 				} else {					
-					Logger.debug("Redirect to " + url);					
+					Logger.debug("Redirect to " + url);
+					
+					try {
+						String test = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET);
+						if (MiscUtil.isNotEmpty(test))
+							redirectTarget = test;
+					
+					} catch (Exception e) {
+						Logger.debug("Use default redirectTarget.");
+					}
+					
 					DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
 							authURL, 
 							DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, 
 							null);
 					config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url));
+					config.putCustomParameter(TARGET, redirectTarget);
+					
 					guiBuilder.build(resp, config, "RedirectForm.html");
 						
 				}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
index c31666bbb..fc5cc0495 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
@@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config;
 import java.util.HashMap;

 import java.util.Map;

 

+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;

+

 /**

  * @author bzwattendorfer

  *

@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames {
 	}

 	

 	public static String getSectorNameViaTarget(String target) {

+		if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))

+			target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());

 		

 		return targetMap.get(target) != null ? (String) targetMap.get(target) : ""; 

 	}

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 6a6359058..99b4154e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -60,7 +60,9 @@ import java.util.Set;
 import org.apache.commons.lang.SerializationUtils;
 
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.MOAIDConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
 import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters;
@@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
 	final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair";
 	
 	private Map<String, String> oaConfiguration;
+	private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>();
+	private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>();		
 		
-		
-  public OAAuthParameter(final Map<String, String> oa) {	  
+  public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) {	  
 	  this.oaConfiguration = oa;
+	  
+	  //set oa specific restrictions
+	  targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues(
+			  authConfig.getBasicMOAIDConfiguration(
+					  CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL, 
+					  MOAIDAuthConstants.PREFIX_CDID));
+	  
+	  targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues(
+			  authConfig.getBasicMOAIDConfiguration(
+					  CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION, 
+					  MOAIDAuthConstants.PREFIX_CDID));
+	  
+	  if (Logger.isTraceEnabled()) {
+		  Logger.trace("Internal policy for OA: " + getPublicURLPrefix());
+		  for (String el : targetAreasWithNoInteralBaseIdRestriction)
+			  Logger.trace(" Allow baseID processing for prefix " + el);		  
+		  for (String el : targetAreasWithNoBaseIdTransmissionRestriction)
+			  Logger.trace(" Allow baseID transfer for prefix " + el);
+		  		  
+	  }
   }
 
   
@@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
 	  return this.oaConfiguration.get(key);
   }
   
+  @Override
+  public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+	  String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+	  for (String el : targetAreasWithNoInteralBaseIdRestriction) {
+		  if (targetAreaIdentifier.startsWith(el))
+			  return false;
+		  
+	  }	  
+	  return true;
+	  
+  }
+
+  @Override
+  public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+	  String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+	  for (String el : targetAreasWithNoBaseIdTransmissionRestriction) {
+		  if (targetAreaIdentifier.startsWith(el))
+			  return false;
+		  
+	  }	  
+	  return true;
+	  
+  }
+    
+  @Override
+  public String getAreaSpecificTargetIdentifier() throws ConfigurationException {	  
+	  if (getBusinessService())
+		  return getIdentityLinkDomainIdentifier();
+	  else
+		  return MOAIDAuthConstants.PREFIX_CDID + getTarget();
+	  		  
+  }
+  
+  @Override
+  public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{
+	  if (getBusinessService())
+		  return getIdentityLinkDomainIdentifierType();
+	  else
+		  return getTargetFriendlyName();
+	  
+  }
+  
   
 /* (non-Javadoc)
  * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
  */
-@Override
-public String getIdentityLinkDomainIdentifier() {
+//@Override
+private String getIdentityLinkDomainIdentifier() {
 	String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
 	String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE);
 	if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) {
@@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() {
 /* (non-Javadoc)
  * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
  */
-@Override
-public String getIdentityLinkDomainIdentifierType() {
+//@Override
+private String getIdentityLinkDomainIdentifierType() {
 	String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
 	if (MiscUtil.isNotEmpty(value))
 		return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value);
@@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() {
 /* (non-Javadoc)
  * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
  */
-@Override
-public String getTarget() {
+//@Override
+private String getTarget() {
 	if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
 		return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET);
 		
@@ -171,8 +236,8 @@ public String getTarget() {
 /* (non-Javadoc)
  * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
  */
-@Override
-public String getTargetFriendlyName() {
+//@Override
+private String getTargetFriendlyName() {
 	if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
 		return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME);
 		
@@ -265,8 +330,8 @@ public String getKeyBoxIdentifier() {
 	 */
 	@Override
 	public String getBKUURL(String bkutype) {
-		if (bkutype.equals(ONLINEBKU)) {
-			return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE);
+		if (bkutype.equals(THIRDBKU)) {
+			return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
 			
 		} else if (bkutype.equals(HANDYBKU)) {
 			return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY);
@@ -274,10 +339,15 @@ public String getKeyBoxIdentifier() {
 		} else if (bkutype.equals(LOCALBKU)) {
 			return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL);
 			
+		} else if (bkutype.equals(ONLINEBKU)) {
+			return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
+			
 		}
+		
+		
 			
 		Logger.warn("BKU Type does not match: " 
-				+ ONLINEBKU + " or " + HANDYBKU + " or " + LOCALBKU);
+				+ THIRDBKU + " or " + HANDYBKU + " or " + LOCALBKU);
 		return null;
 	}
 	
@@ -288,8 +358,8 @@ public String getKeyBoxIdentifier() {
 	public List<String> getBKUURL() {		
 		List<String> list = new ArrayList<String>();
 	
-		if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE))
-			list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+		if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD))
+			list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
 		
 		if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY))
 			list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
@@ -572,7 +642,7 @@ public Collection<CPEPS> getPepsList() {
 								MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST
 								+ "." + index + "."
 								+ MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST_ENABLED))) {
-							CPEPS availableCPEPS = availableSTORKConfig.getCPEPS(
+							CPEPS availableCPEPS = availableSTORKConfig.getCPEPSWithFullName(
 									oaConfiguration.get(
 											MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST
 											+ "." + index + "."
@@ -648,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() {
 		return false;		
 }
 
-public boolean isIDPPublicService() {
-	return !getBusinessService();
+public boolean isIDPPublicService() throws ConfigurationException {
+	return !hasBaseIdTransferRestriction();
 	
 }
 
@@ -735,11 +805,7 @@ public String getPublicURLPrefix() {
 }
 
 
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
-@Override
-public boolean getBusinessService() {
+private boolean getBusinessService() {
 	String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE);
 	if (MiscUtil.isNotEmpty(value))
 		return Boolean.parseBoolean(value);	
@@ -780,16 +846,16 @@ public String getFriendlyName() {
 }
 
 
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
-@Override
-public String getOaType() {
-	if (getBusinessService())
-		return "businessService";
-	else
-		return "publicService";
-}
+///* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
+// */
+//@Override
+//public String getOaType() {
+//	if (getBusinessService())
+//		return "businessService";
+//	else
+//		return "publicService";
+//}
 
 
 /**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 35d052acd..332604257 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 			return null;
 		}
 
-		return new OAAuthParameter(oa);
+		return new OAAuthParameter(oa, this);
 	}
 
 	/**
@@ -676,7 +676,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 			templatesList.add(configuration.getStringValue(
 					MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
 			templatesList.add(configuration.getStringValue(
-					MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+					MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
 			templatesList.add(configuration.getStringValue(
 					MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
 		
@@ -701,9 +701,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 
 		try {
 			switch (type) {
-			case IOAAuthParameters.ONLINEBKU:
+			case IOAAuthParameters.THIRDBKU:
 				slRequestTemplate = configuration.getStringValue(
-						MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE);
+						MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD);
 				break;
 			case IOAAuthParameters.LOCALBKU:
 				slRequestTemplate = configuration.getStringValue(
@@ -714,7 +714,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 						MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY);
 				break;
 			default:
-				Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+				Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
 						+ IOAAuthParameters.LOCALBKU);
 			}
 		
@@ -736,7 +736,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 		List<String> bkuurlsList = new ArrayList<String>();
 		try {
 			bkuurlsList.add(configuration.getStringValue(
-					MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+					MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
 			bkuurlsList.add(configuration.getStringValue(
 					MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
 			bkuurlsList.add(configuration.getStringValue(
@@ -762,9 +762,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 		String defaultBKUUrl = null;
 		try {
 			switch (type) {
-			case IOAAuthParameters.ONLINEBKU:
+			case IOAAuthParameters.THIRDBKU:
 				defaultBKUUrl = configuration.getStringValue(
-						MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE);
+						MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD);
 				break;
 			case IOAAuthParameters.LOCALBKU:
 				defaultBKUUrl = configuration.getStringValue(
@@ -775,7 +775,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 						MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY);
 				break;
 			default:
-				Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+				Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
 						+ IOAAuthParameters.LOCALBKU);
 			}
 		
@@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 	public String getSSOFriendlyName() {
 		try {
 			return configuration.getStringValue(
-					MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO");
+					MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO");
 			
 		} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {
 			Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index 9fd58b5c7..f3db82315 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 
 /**
  * @author tlenz
@@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
 	private static final long serialVersionUID = 1648437815185614566L;
 
 	private String publicURLPrefix;
-	
-	private String businessTarget;
-	
-	private boolean businessService;
-	
+		
 	private boolean isInderfederationIDP;
-	
 	private String IDPQueryURL;
 
-	private String target;
-		
+	private boolean hasBaseIdProcessingRestriction;
+	private boolean hasBaseIdTransfergRestriction;
+	private String oaTargetAreaIdentifier;
+	
+	
 	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
 	 */
 	@Override
-	public String getTarget() {
-		return this.target;
+	public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+		return this.hasBaseIdProcessingRestriction;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+	 */
+	@Override
+	public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+		return this.hasBaseIdTransfergRestriction;
 	}
 	
 	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+	 */
+	@Override
+	public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+		return this.oaTargetAreaIdentifier;
+	}
+
+	/**
+	 * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set
+	 */
+	public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) {
+		this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction;
+	}
+
+	/**
+	 * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set
+	 */
+	public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) {
+		this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction;
+	}
+
+	/**
+	 * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set
+	 */
+	public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) {
+		this.oaTargetAreaIdentifier = oaTargetAreaIdentifier;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
 	 */
 	@Override
-	public String getIdentityLinkDomainIdentifier() {
-		return this.businessTarget;
+	public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+		return null;
 	}
 	
+//	/* (non-Javadoc)
+//	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+//	 */
+//	//@Override
+//	public String getTarget() {
+//		return this.target;
+//	}
+//	
+//	/* (non-Javadoc)
+//	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+//	 */
+//	//@Override
+//	public String getIdentityLinkDomainIdentifier() {
+//		return this.businessTarget;
+//	}
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL()
 	 */
@@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
 	 */
-	@Override
+	//@Override
 	public String getIdentityLinkDomainIdentifierType() {
 		// TODO Auto-generated method stub
 		return null;
@@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
 		return null;
 	}
 
-	/**
-	 * @param isBusinessService the isBusinessService to set
-	 */
-	public void setBusinessService(boolean isBusinessService) {
-		businessService = isBusinessService;
-	}
-
-	/**
-	 * @param target the target to set
-	 */
-	public void setTarget(String target) {
-		this.target = target;
-	}
-
-	/**
-	 * @param businessTarget the businessTarget to set
-	 */
-	public void setBusinessTarget(String businessTarget) {
-		this.businessTarget = businessTarget;
-	}
+//	/**
+//	 * @param isBusinessService the isBusinessService to set
+//	 */
+//	public void setBusinessService(boolean isBusinessService) {
+//		businessService = isBusinessService;
+//	}
+
+//	/**
+//	 * @param target the target to set
+//	 */
+//	public void setTarget(String target) {
+//		this.target = target;
+//	}
+//
+//	/**
+//	 * @param businessTarget the businessTarget to set
+//	 */
+//	public void setBusinessTarget(String businessTarget) {
+//		this.businessTarget = businessTarget;
+//	}
 
 	/**
 	 * @param inderfederatedIDP the inderfederatedIDP to set
@@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
 		return this.publicURLPrefix;
 	}
 
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
-	 */
-	@Override
-	public String getOaType() {
-		// TODO Auto-generated method stub
-		return null;
-	}
-
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
-	 */
-	@Override
-	public boolean getBusinessService() {
-		return this.businessService;
-	}
+//	/* (non-Javadoc)
+//	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
+//	 */
+//	//@Override
+//	public boolean getBusinessService() {
+//		return this.businessService;
+//	}
 
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
 	 */
-	@Override
+	//@Override
 	public String getTargetFriendlyName() {
 		// TODO Auto-generated method stub
 		return null;
@@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
 		// TODO Auto-generated method stub
 		return false;
 	}
+
+	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
index b85938bb7..a04236288 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
@@ -178,7 +178,7 @@ public class STORKConfig implements IStorkConfig {
 	 * @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getCPEPS(java.lang.String)

 	 */

 	@Override

-	public CPEPS getCPEPS(String ccc) {

+	public CPEPS getCPEPSWithFullName(String ccc) {

 		if (isSTORKAuthentication(ccc))

 			return this.cpepsMap.get(ccc);

 		else

@@ -186,6 +186,23 @@ public class STORKConfig implements IStorkConfig {
 	}

 

 	/* (non-Javadoc)

+	 * @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getCPEPS(java.lang.String)

+	 */

+	@Override

+	public CPEPS getCPEPSWithCC(String ccc) {

+		if (isSTORKAuthentication(ccc)) {

+			for (CPEPS el :this.cpepsMap.values()) {

+				if (el.getCountryCode().equals(ccc))

+					return el;

+				

+			}	

+		}

+		

+		return null;

+	}

+	

+	

+	/* (non-Javadoc)

 	 * @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getStorkAttributes()

 	 */

 	@Override

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index f5f056ccc..7f56f519b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -120,7 +120,8 @@ public class AuthenticationData  implements IAuthData, Serializable {
 	   * the corresponding <code>lt;saml:Assertion&gt;</code>
 	   */
 
-	  private boolean businessService;
+	  private boolean isBaseIDTransferRestrication = true;
+	  
 	  
 	 /**
 	  * STORK attributes from response
@@ -742,13 +743,15 @@ public class AuthenticationData  implements IAuthData, Serializable {
 	 * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
 	 */
 	@Override
-	public boolean isBusinessService() {
-		return this.businessService;
+	public boolean isBaseIDTransferRestrication() {
+		return isBaseIDTransferRestrication;
 	}
-	
-	public void setIsBusinessService(boolean flag) {
-		this.businessService = flag;
-		
+
+	/**
+	 * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set
+	 */
+	public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) {
+		this.isBaseIDTransferRestrication = isBaseIDTransferRestrication;
 	}
 	
 	/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4c15cd3d1..e9fef4676 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -38,8 +38,8 @@ public interface IAuthData {
 
 	 Date getIssueInstant();
 	 String getIssuer();
-
-	 boolean isBusinessService();
+	 boolean isBaseIDTransferRestrication();
+	 
 	 boolean isSsoSession();
 	 //boolean isInterfederatedSSOSession();
 	 boolean isUseMandate();
@@ -90,5 +90,6 @@ public interface IAuthData {
 	 String getCcc();
 	 
 	 public <T> T getGenericData(String key, final Class<T> clazz);
+
 	 	 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7c581d470..aff2c83ad 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -23,6 +23,7 @@
 package at.gv.egovernment.moa.id.moduls;
 
 import java.io.IOException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -90,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Service("MOAID_AuthenticationManager")
 public class AuthenticationManager extends MOAIDAuthConstants {
 
+	private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
 	
 	public static final String MOA_SESSION = "MoaAuthenticationSession";
 	public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -309,6 +311,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	}
 	
 	/**
+	 * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
+	 * 
+	 * @param httpReqParam http parameter name, but never null
+	 */
+	public void addParameterNameToWhiteList(String httpReqParam) {
+		if (MiscUtil.isNotEmpty(httpReqParam))
+			reqParameterWhiteListeForModules.add(httpReqParam);
+		
+	}
+	
+	
+	/**
 	 * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
 	 * 
 	 * @param protocolRequest Authentication request which is actually in process
@@ -386,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode);
 		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode 
 				&& MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class)));
+		
+		//add X509 SSL client certificate if exist
+		if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) {
+			Logger.debug("Find SSL-client-certificate on request --> Add it to context");
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, 
+					((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate")));
+			
+		}
 						
-		//add leagcy parameters to context
-		if (leagacyMode) {
+		//add additional http request parameter to context
+		if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) {
 			Enumeration<String> reqParamNames = httpReq.getParameterNames();
 			while(reqParamNames.hasMoreElements()) {
 				String paramName = reqParamNames.nextElement();
 				if (MiscUtil.isNotEmpty(paramName) && 
-						MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName))
+						( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) 
+								|| reqParameterWhiteListeForModules.contains(paramName) ))
 					executionContext.put(paramName, 
-							StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));
-				
+							StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));				
 			}			
 		}
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
index eff839e4e..c13c5e288 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
@@ -23,7 +23,6 @@
 package at.gv.egovernment.moa.id.protocols.builder.attributes;
 
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -51,6 +50,9 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder {
 		else if (type.startsWith(Constants.URN_PREFIX_CDID)) 
 			type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
 		
+		else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) 
+			type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
+		
 		if (bpk.length() > BPK_MAX_LENGTH) {
 			bpk = bpk.substring(0, BPK_MAX_LENGTH);
 		}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
index a6a5f1dd4..b4846db12 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
@@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder  {
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
 		
-		if (authData.isBusinessService())
+		if (authData.isBaseIDTransferRestrication())
 			throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
 		
 		else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
index 1d836802a..ccaecb3b6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
@@ -23,7 +23,6 @@
 package at.gv.egovernment.moa.id.protocols.builder.attributes;
 
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder {
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
 		
-		if (authData.isBusinessService())
+		if (authData.isBaseIDTransferRestrication())
 			throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME);
 		
 		else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
index 97043a3a0..f85fd7cae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
@@ -60,7 +60,7 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute
 				}
 				CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
 				if (corporation == null) {
-					Logger.error("No corporation mandate");
+					Logger.info("No corporation mandate");
 					throw new NoMandateDataAttributeException();
 					
 				}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
index 46472c983..7e0815ab2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
@@ -42,41 +42,12 @@ public class MandateLegalPersonSourcePinAttributeBuilder  implements IPVPAttribu
 
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
-		if(authData.isUseMandate()) {
-			
-			//get PVP attribute directly, if exists 
-			String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
-			
-			if (MiscUtil.isEmpty(sourcePin)) {
-				Element mandate = authData.getMandate();
-				if(mandate == null) {
-					throw new NoMandateDataAttributeException();
-					
-				}
-				Mandate mandateObject = MandateBuilder.buildMandate(mandate);
-				if(mandateObject == null) {
-					throw new NoMandateDataAttributeException();
-					
-				}
-				CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
-				if(corporation == null) {
-					Logger.error("No corporation mandate");
-					throw new NoMandateDataAttributeException();
-					
-				}
-				if(corporation.getIdentification().size() == 0) {
-					Logger.error("Failed to generate IdentificationType");
-					throw new NoMandateDataAttributeException();
-					
-				}
-				
-				sourcePin =  corporation.getIdentification().get(0).getValue().getValue();
-				
-			}
-				
+		if(authData.isUseMandate()) {				
 			return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, 
-					MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin);
+					MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(authData));
+			
 		}
+		
 		return null;
 		
 	}
@@ -84,4 +55,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder  implements IPVPAttribu
 	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
 		return g.buildEmptyAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_NAME);
 	}
+	
+	
+	protected String getLegalPersonIdentifierFromMandate(IAuthData authData) throws NoMandateDataAttributeException {
+		//get PVP attribute directly, if exists 
+		String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+		
+		if (MiscUtil.isEmpty(sourcePin)) {
+			Element mandate = authData.getMandate();
+			if(mandate == null) {
+				throw new NoMandateDataAttributeException();
+				
+			}
+			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+			if(mandateObject == null) {
+				throw new NoMandateDataAttributeException();
+				
+			}
+			CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+			if(corporation == null) {
+				Logger.info("No corporation mandate");
+				throw new NoMandateDataAttributeException();
+				
+			}
+			if(corporation.getIdentification().size() == 0) {
+				Logger.info("Failed to generate IdentificationType");
+				throw new NoMandateDataAttributeException();
+				
+			}
+			
+			sourcePin =  corporation.getIdentification().get(0).getValue().getValue();
+			
+		}
+		
+		return sourcePin;
+	}
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
index 41c35dad3..8b22acc01 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
@@ -59,12 +59,12 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr
 				}
 				CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
 				if (corporation == null) {
-					Logger.error("No corporate mandate");
+					Logger.info("No corporate mandate");
 					throw new NoMandateDataAttributeException();
 					
 				}
 				if (corporation.getIdentification().size() == 0) {
-					Logger.error("Failed to generate IdentificationType");
+					Logger.info("Failed to generate IdentificationType");
 					throw new NoMandateDataAttributeException();
 					
 				}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index df8f86f7e..6ac517e19 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -30,9 +30,12 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
@@ -45,12 +48,60 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 	}
 	
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
-			IAttributeGenerator<ATT> g) throws AttributeException {		
-		if (authData.isUseMandate()) {			
+			IAttributeGenerator<ATT> g) throws AttributeException {						
+		try {	
+			Pair<String, String> calcResult = internalBPKGenerator(oaParam, authData);
+			if (calcResult != null) {					
+				String bpk = calcResult.getFirst();
+				String type = calcResult.getSecond();
+				
+				if (MiscUtil.isEmpty(bpk))
+					throw new UnavailableAttributeException(BPK_NAME);
+					
+				if (type.startsWith(Constants.URN_PREFIX_WBPK))
+					type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
+				
+				else if (type.startsWith(Constants.URN_PREFIX_CDID)) 
+					type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+				
+				else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) 
+					type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
+				
+				if (bpk.length() > BPK_MAX_LENGTH) {
+					bpk = bpk.substring(0, BPK_MAX_LENGTH);
+				}
+				
+				Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
+				
+				if (type != null)
+					return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk);
+				else
+					return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
 			
-			//get PVP attribute directly, if exists 
-			String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
+			}
 			
+		}
+		catch (BuildException | ConfigurationException e) {
+			Logger.error("Failed to generate IdentificationType");
+			throw new NoMandateDataAttributeException();
+			
+		}
+
+		return null;
+		
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME);
+	}
+	
+	protected Pair<String, String> internalBPKGenerator(IOAAuthParameters oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException {		
+		//get PVP attribute directly, if exists 
+		Pair<String, String> calcResult = null;
+		
+		if (authData.isUseMandate()) {	
+			String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
+		
 			if (MiscUtil.isEmpty(bpk)) {
 				//read bPK from mandate if it is not directly included
 				Element mandate = authData.getMandate();
@@ -63,45 +114,31 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 				}
 				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
 				if (physicalPerson == null) {
-					Logger.error("No physicalPerson mandate");
+					Logger.debug("No physicalPerson mandate");
 					throw new NoMandateDataAttributeException();
 				}
 				IdentificationType id = null;
 				id = physicalPerson.getIdentification().get(0);
 				if (id == null) {
-					Logger.error("Failed to generate IdentificationType");
+					Logger.info("Failed to generate IdentificationType");
 					throw new NoMandateDataAttributeException();
 				}
+			
+								
+				if (id.getType().equals(Constants.URN_PREFIX_BASEID))									
+					calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), 
+							oaParam.getAreaSpecificTargetIdentifier());								
+				else
+					calcResult = Pair.newInstance(id.getValue().getValue(), id.getType());
+
+			
+			} else {
+				Logger.info("Find '" + MANDATE_NAT_PER_BPK_NAME + "' in AuthData. Use it what is is.");
+				calcResult = Pair.newInstance(bpk, null);
 				
-				try {					
-					if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
-						if (oaParam.getBusinessService()) {
-							bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
-							
-						} else {
-							bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
-							
-						}
-						
-					} else
-						bpk = id.getValue().getValue();
-					
-				}
-				catch (BuildException e) {
-					Logger.error("Failed to generate IdentificationType");
-					throw new NoMandateDataAttributeException();
-					
-				}
 			}
-			
-			return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
 		}
-		return null;
 		
+		return calcResult;
 	}
-	
-	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
-		return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME);
-	}
-	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
index a64880889..ebba376f8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
@@ -48,6 +48,21 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
 	
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
+		
+		String attrValue = internalAttributGeneration(oaParam, authData);
+		if (attrValue != null)
+			return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, attrValue);		
+		else 
+			return null;
+				
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME);
+	}
+	
+	
+	protected String internalAttributGeneration(IOAAuthParameters oaParam, IAuthData authData) throws InvalidDateFormatAttributeException, NoMandateDataAttributeException {		
 		if (authData.isUseMandate()) {
 			
 			//get PVP attribute directly, if exists 
@@ -65,7 +80,7 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
 				}
 				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
 				if (physicalPerson == null) {
-					Logger.error("No physicalPerson mandate");
+					Logger.info("No physicalPerson mandate");
 					throw new NoMandateDataAttributeException();
 				}
 				
@@ -98,14 +113,12 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
 				
 			}
 			
-			return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, birthDayString);
+			return birthDayString;			
+			
 		}
-		return null;
 		
+		return null;
 	}
 	
-	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
-		return g.buildEmptyAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME);
-	}
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
index 085579108..07e5c9d09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
@@ -62,7 +62,7 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder  implements IPVPAttr
 				}
 				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
 				if(physicalPerson == null) {
-					Logger.error("No physicalPerson mandate");
+					Logger.debug("No physicalPerson mandate");
 					throw new NoMandateDataAttributeException();
 				}
 				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
index 4cd2ca670..51a3d2e74 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
@@ -59,7 +59,7 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib
 				}
 				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
 				if (physicalPerson == null) {
-					Logger.error("No physicalPerson mandate");
+					Logger.debug("No physicalPerson mandate");
 					throw new NoMandateDataAttributeException();
 				}
 				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 69a731e53..8be85415e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -27,10 +27,7 @@ import org.w3c.dom.Element;
 import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
@@ -58,18 +55,18 @@ public class MandateNaturalPersonSourcePinAttributeBuilder  implements IPVPAttri
 			PhysicalPersonType physicalPerson = mandateObject.getMandator()
 					.getPhysicalPerson();
 			if (physicalPerson == null) {
-				Logger.error("No physicalPerson mandate");
+				Logger.debug("No physicalPerson mandate");
 				throw new NoMandateDataAttributeException();
 			}
 			IdentificationType id = null;
 			id = physicalPerson.getIdentification().get(0);
 			
-			if(oaParam.getBusinessService()) {
+			if(authData.isBaseIDTransferRestrication()) {
 				throw new AttributePolicyException(this.getName());
 			}
 			
 			if(id == null) {
-				Logger.error("Failed to generate IdentificationType");
+				Logger.info("Failed to generate IdentificationType");
 				throw new NoMandateDataAttributeException();
 			}
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
index 41a821c98..d89ae0225 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
@@ -28,7 +28,6 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
@@ -55,13 +54,13 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt
 			PhysicalPersonType physicalPerson = mandateObject.getMandator()
 					.getPhysicalPerson();
 			if (physicalPerson == null) {
-				Logger.error("No physicalPerson mandate");
+				Logger.debug("No physicalPerson mandate");
 				throw new NoMandateDataAttributeException();
 			}
 			IdentificationType id = null;
 			id = physicalPerson.getIdentification().get(0);
 			if(id == null) {
-				Logger.error("Failed to generate IdentificationType");
+				Logger.info("Failed to generate IdentificationType");
 				throw new NoMandateDataAttributeException();
 			}
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 643e30ac9..72691a034 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -227,9 +227,9 @@ public class AttributQueryAction implements IAction {
 				}
 				
 				//check next IDP service area policy. BusinessService IDPs can only request wbPKs 
-				if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) {
+				if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
 					Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() 
-							+ " has a BusinessService-IDP but requests PublicService attributes.");
+							+ " is a BusinessService-IDP but requests PublicService attributes.");
 					throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
 					
 				}	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index 73d6e978e..95e3c5bc2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -22,13 +22,19 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x;
 
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
 import org.opensaml.xml.encryption.EncryptionConstants;
 import org.opensaml.xml.signature.SignatureConstants;
 
+import at.gv.egovernment.moa.id.data.Trible;
+
 public interface PVPConstants {
 	
 	public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider";
-	
+		
 	public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
 	public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256;
 	public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;
@@ -54,8 +60,12 @@ public interface PVPConstants {
 	public static final String PVP_VERSION_NAME = URN_OID_PREFIX + PVP_VERSION_OID;
 	public static final String PVP_VERSION_FRIENDLY_NAME = "PVP-VERSION";
 	public static final String PVP_VERSION_2_1 = "2.1";
+
 	
+	public static final String SECCLASS_OID = "1.2.40.0.10.2.1.1.261.110";
 	public static final String SECCLASS_FRIENDLY_NAME = "SECCLASS";
+	public static final String SECCLASS_NAME = URN_OID_PREFIX + SECCLASS_OID;
+	public static final int SECCLASS_MAX_LENGTH = 128;
 	
 	public static final String PRINCIPAL_NAME_OID = "1.2.40.0.10.2.1.1.261.20";
 	public static final String PRINCIPAL_NAME_NAME = URN_OID_PREFIX + PRINCIPAL_NAME_OID;
@@ -136,9 +146,13 @@ public interface PVPConstants {
 	public static final String ROLES_FRIENDLY_NAME = "ROLES";
 	public static final int ROLES_MAX_LENGTH = 32767;
 	
-	public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94";
-	public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID;
-	public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL";
+	@Deprecated public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94";	
+	@Deprecated public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID;
+	@Deprecated public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL";
+	
+	public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.108";	
+	public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_EIDAS_QAA_LEVEL_OID;
+	public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-EIDAS-LEVEL";
 	
 	public static final String EID_ISSUING_NATION_OID = "1.2.40.0.10.2.1.1.261.32";
 	public static final String EID_ISSUING_NATION_NAME = URN_OID_PREFIX + EID_ISSUING_NATION_OID;
@@ -283,4 +297,81 @@ public interface PVPConstants {
 	public static final String PVP_HOLDEROFKEY_OID = "1.2.40.0.10.2.1.1.261.xx.xx";
 	public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_HOLDEROFKEY_OID;
 	public static final String PVP_HOLDEROFKEY_FRIENDLY_NAME = "HOLDER-OF-KEY-CERTIFICATE";
+	
+	
+	
+	public static final String ENTITY_CATEGORY_ATTRIBITE = "http://macedir.org/entity-category";
+	public static final String EGOVTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/egovtoken";
+	public static final String CITIZENTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/citizentoken";
+	
+	/** 
+	 * 
+	 * Get required PVP attributes for egovtoken
+	 * First : PVP attribute name (OID) 
+	 * Second: FriendlyName
+	 * Third: Required
+	 * 
+	 */
+	public static final List<Trible<String, String, Boolean>> EGOVTOKEN_PVP_ATTRIBUTES = 
+			Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+				private static final long serialVersionUID = 1L;
+				{	
+					//currently supported attributes
+					add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true));
+					
+					//currently not supported attributes
+					add(Trible.newInstance(USERID_NAME, USERID_FRIENDLY_NAME, false));
+					add(Trible.newInstance(GID_NAME, GID_FRIENDLY_NAME, false));
+					add(Trible.newInstance(PARTICIPANT_ID_NAME, PARTICIPANT_ID_FRIENDLY_NAME, false));
+					add(Trible.newInstance(OU_GV_OU_ID_NAME, OU_GV_OU_ID_FRIENDLY_NAME, false));
+					add(Trible.newInstance(OU_NAME, OU_FRIENDLY_NAME, false));
+					add(Trible.newInstance(SECCLASS_NAME, SECCLASS_FRIENDLY_NAME, false));
+					
+					
+				}
+			});
+	
+	/** 
+	 * 
+	 * Get required PVP attributes for citizenToken
+	 * First : PVP attribute name (OID) 
+	 * Second: FriendlyName
+	 * Third: Required
+	 * 
+	 */
+	public static final List<Trible<String, String, Boolean>> CITIZENTOKEN_PVP_ATTRIBUTES = 
+			Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+				private static final long serialVersionUID = 1L;
+				{	
+					//required attributes - eIDAS minimal-data set
+					add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true));
+					add(Trible.newInstance(GIVEN_NAME_NAME, GIVEN_NAME_FRIENDLY_NAME, true));
+					add(Trible.newInstance(BIRTHDATE_NAME, BIRTHDATE_FRIENDLY_NAME, true));
+					add(Trible.newInstance(BPK_NAME, BPK_FRIENDLY_NAME, true));
+					
+					
+					//not required attributes
+					add(Trible.newInstance(EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false));
+					add(Trible.newInstance(EID_ISSUING_NATION_NAME, EID_ISSUING_NATION_FRIENDLY_NAME, false));
+					add(Trible.newInstance(EID_SECTOR_FOR_IDENTIFIER_NAME, EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_TYPE_NAME, MANDATE_TYPE_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_TYPE_OID_NAME, MANDATE_TYPE_OID_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_NAME, MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_NAT_PER_BPK_NAME, MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_NAT_PER_GIVEN_NAME_NAME, MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_NAT_PER_FAMILY_NAME_NAME, MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_NAT_PER_BIRTHDATE_NAME, MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_LEG_PER_FULL_NAME_NAME, MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_PROF_REP_OID_NAME, MANDATE_PROF_REP_OID_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_PROF_REP_DESC_NAME, MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false));
+					add(Trible.newInstance(MANDATE_REFERENCE_VALUE_NAME, MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false));
+					
+					
+										
+				}
+			});
+	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 4f44a6202..95c4f1726 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -31,7 +31,6 @@ import org.opensaml.common.binding.decoding.URIComparator;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
 import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
-import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
 import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.StatusResponseType;
@@ -60,6 +59,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -159,10 +159,10 @@ public class RedirectBinding implements IDecoder, IEncoder {
 				
 		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
 				TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-		SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+		MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole();
 		BasicSecurityPolicy policy = new BasicSecurityPolicy();
-		policy.getPolicyRules().add(signatureRule);
-		policy.getPolicyRules().add(signedRole);		
+		policy.getPolicyRules().add(signedRole);
+		policy.getPolicyRules().add(signatureRule);		
 		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
 				policy);		
 		messageContext.setSecurityPolicyResolver(resolver);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 2df72637d..4aa4f7419 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
 
 /**
  * @author tlenz
@@ -70,7 +69,7 @@ public class AttributQueryBuilder {
 
 	@Autowired IDPCredentialProvider credentialProvider;
 	
-	public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
+	public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException {
 		
 		Logger.debug("Build OA specific Attributes for AttributQuery request");
 		
@@ -87,17 +86,13 @@ public class AttributQueryBuilder {
 			} else {				
 				//add OA specific information
 				if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
-					if (oa.getBusinessService())
-						attr = generator.buildStringAttribute(attr.getFriendlyName(), 
-								attr.getName(), oa.getIdentityLinkDomainIdentifier());
-					else
-						attr = generator.buildStringAttribute(attr.getFriendlyName(), 
-								attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget());					
+					attr = generator.buildStringAttribute(attr.getFriendlyName(), 
+								attr.getName(), oa.getAreaSpecificTargetIdentifier());					
+					
 				}
 				
 				//TODO: add attribute values for SSO with mandates (ProfileList)
-				
-				
+								
 				attrList.add(attr);
 			}			
 		}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 55d8fa1ff..45539da3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
@@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
 					}
 					
 					//set bPK-Type from configuration, because it MUST be equal to service-provider type
-					if (oaParam.getBusinessService()) {
-						if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
-							bpktype = oaParam.getIdentityLinkDomainIdentifier();
-						else
-							bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-						
-					} else {
-						if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
-							bpktype = oaParam.getTarget();
-						else
-							bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-						
-					}
-					
+					bpktype = oaParam.getAreaSpecificTargetIdentifier();
+										
 				} else {
 					//sourcePin is include --> check sourcePinType
 					if (MiscUtil.isEmpty(bpktype))
@@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants {
 				
 			}
 			
-			if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
-				if (oaParam.getBusinessService()) {						    
-					subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
-					if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
-						subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
-					else
-						subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
-					
-				} else {
-					subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
-					if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
-						subjectNameID.setNameQualifier(oaParam.getTarget());
-					else
-						subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
-				}
+			if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {				
+				Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier());								
+				subjectNameID.setValue(calcbPK.getFirst());
+				subjectNameID.setNameQualifier(calcbPK.getSecond());
 				
 				
 			} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 5380d7f53..585aac805 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -55,6 +55,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
 import at.gv.egovernment.moa.logging.Logger;
@@ -217,6 +218,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 			Logger.warn("Refresh PVP2X metadata for onlineApplication: " 
 					+ entityID + " FAILED.", e);
 			
+		} catch (ConfigurationException e) {
+			Logger.warn("Refresh PVP2X metadata for onlineApplication: " 
+					+ entityID + " FAILED.", e);
 		}
 		
 		return false;
@@ -484,13 +488,14 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 				
 	}
 		
-	private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException {
+	private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
 		PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
 		filterChain.getFilters().add(new SchemaValidationFilter());
+		filterChain.getFilters().add(new PVPEntityCategoryFilter());
 		
 		if (oaParam.isInderfederationIDP()) {
 			Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
-			filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService()));
+			filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction()));
 			
 		}
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
new file mode 100644
index 000000000..efcf21b50
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.ws.transport.http.HTTPInTransport;
+import org.opensaml.xml.util.DatatypeHelper;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
+
+	@Override
+    protected boolean isMessageSigned(SAMLMessageContext messageContext) {        
+        // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
+        HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
+        String sigParam = inTransport.getParameterValue("Signature");
+        boolean isSigned = !DatatypeHelper.isEmpty(sigParam);
+        
+        String sigAlgParam = inTransport.getParameterValue("SigAlg");
+        boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam);
+        
+        return isSigned && isSigAlgExists;
+               
+    }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
new file mode 100644
index 000000000..95d30db49
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
@@ -0,0 +1,207 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.common.Extensions;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.samlext.saml2mdattr.EntityAttributes;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class PVPEntityCategoryFilter implements MetadataFilter {
+
+
+	
+	
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+	 */
+	@Override
+	public void doFilter(XMLObject metadata) throws FilterException {
+		String entityId = null;
+		try {
+			if (metadata instanceof EntitiesDescriptor) {
+				Logger.trace("Find EnitiesDescriptor ... ");
+				EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+				if (entitiesDesc.getEntityDescriptors() != null) {
+					for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) 
+						resolveEntityCategoriesToAttributes(el);
+					
+				}
+								
+			} else if (metadata instanceof EntityDescriptor) {
+				Logger.trace("Find EntityDescriptor");
+				resolveEntityCategoriesToAttributes((EntityDescriptor)metadata);
+				
+				
+			} else
+				throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null);
+			
+			
+			
+		} catch (Exception e) {
+			Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e);
+			
+		}
+	}
+
+	private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) {
+		Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ...");
+		Extensions extensions = metadata.getExtensions();
+		if (extensions != null) {
+			List<XMLObject> listOfExt = extensions.getUnknownXMLObjects();
+			if (listOfExt != null && !listOfExt.isEmpty()) {
+				for (XMLObject el : listOfExt) {
+					Logger.trace("Find ExtensionElement: " + el.getElementQName().toString());
+					if (el instanceof EntityAttributes) {
+						EntityAttributes entityAttrElem = (EntityAttributes)el;
+						if (entityAttrElem.getAttributes() != null) {
+							Logger.trace("Find EntityAttributes. Start attribute processing ...");
+							for (Attribute entityAttr : entityAttrElem.getAttributes()) {
+								if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) {
+									if (!entityAttr.getAttributeValues().isEmpty()) {
+										String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent();
+										if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) {
+											Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... ");
+											addAttributesToEntityDescriptor(metadata, 
+													buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES), 
+													entityAttrValue);
+											
+																													
+										} else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) {
+											Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... ");
+											addAttributesToEntityDescriptor(metadata, 
+													buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES), 
+													entityAttrValue);
+											
+										} else
+											Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!");
+																			
+									} else
+										Logger.info("EntityAttribute: No attribute value");
+																		
+								} else 
+									Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported");
+								
+							}
+										
+						} else
+							Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!");
+						
+					}					
+				}				
+			}			
+		}
+				
+	}
+	
+	/**
+	 * @param metadata
+	 * @param attrList
+	 */
+	private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) {
+		SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+		if (spSSODesc != null) {
+			if (spSSODesc.getAttributeConsumingServices() == null || 
+					spSSODesc.getAttributeConsumingServices().isEmpty()) {
+				Logger.trace("No 'AttributeConsumingServices' found. Added it ...");
+				
+				AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class);						
+				attributeService.setIndex(0);
+				attributeService.setIsDefault(true);
+				ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+				serviceName.setName(new LocalizedString("Default Service", "en"));
+				attributeService.getNames().add(serviceName);
+				
+				if (attrList != null && !attrList.isEmpty()) {
+					attributeService.getRequestAttributes().addAll(attrList);
+					Logger.info("Add  " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr);
+					
+				}
+				
+				spSSODesc.getAttributeConsumingServices().add(attributeService);
+				
+			} else {
+				Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... ");
+				for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) {
+					Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex());
+					
+					//load currently requested attributes
+					List<String> currentlyReqAttr = new ArrayList<String>();
+					for (RequestedAttribute reqAttr : el.getRequestAttributes())
+						currentlyReqAttr.add(reqAttr.getName());
+						
+
+					//check against EntityAttribute List
+					for (RequestedAttribute entityAttrListEl : attrList) {
+						if (!currentlyReqAttr.contains(entityAttrListEl.getName())) {
+							el.getRequestAttributes().add(entityAttrListEl);
+							
+						} else
+							Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName());
+						
+					}
+					
+				}
+				
+			}
+			
+		} else
+			Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'");
+		
+	}
+
+	private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) {
+		List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+		for (Trible<String, String, Boolean> el : attrSet)
+			requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));	
+					
+		return requestedAttributes;
+		
+		
+	}
+	 	
+}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 50b2c5ece..05f58d5bc 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -88,6 +88,8 @@ config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
 config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt. 

 config.26=Federated IDP {0} contains no AttributeQuery URL.

 config.27=Fehler beim Verarbeiten eines Konfigurationsparameters. Msg:{0} 

+config.28=Fehler beim initialisieren des SSL-TrustManagers. Zertifikat {0} kann nicht geladen werden; Ursache: {1}

+config.29=Fehler beim initialisieren des SSL-TrustManagers. TrustStore: {0} | Ursache: {1}

 

 parser.00=Leichter Fehler beim Parsen: {0}

 parser.01=Fehler beim Parsen: {0}

@@ -273,6 +275,7 @@ eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0}
 eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.

 eIDAS.15=Generation of eIDAS Response FAILED. Required attribute: {0} is NOT available.

 eIDAS.16=eIDAS Response attribute-validation FAILED. Attribute:{0} Reason: {1}.

+eIDAS.17=Generation of eIDAS Response FAILED. Citzen use mandates for authentication but there are no mandate attributes requested

 

 pvp2.01=Fehler beim kodieren der PVP2 Antwort

 pvp2.02=Ungueltiges Datumsformat

diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index c6d0844ce..0a37fdc91 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -230,6 +230,7 @@ eIDAS.13=1307
 eIDAS.14=1301
 eIDAS.15=1307
 eIDAS.16=1301
+eIDAS.17=1307
 
 pvp2.01=6100
 pvp2.06=6100
diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml
index c4007fc80..fd8ddc7fb 100644
--- a/id/server/moa-id-commons/pom.xml
+++ b/id/server/moa-id-commons/pom.xml
@@ -215,7 +215,7 @@
 				<dependency>
 					<groupId>com.sun.xml.bind</groupId>
 					<artifactId>jaxb-xjc</artifactId>
-					<version>2.2.11</version>
+					<version>2.3.0</version>
 				</dependency>
 
 				<dependency>
@@ -227,7 +227,7 @@
 				<dependency>
 					<groupId>org.jvnet.jaxb2_commons</groupId>
 					<artifactId>jaxb2-basics-runtime</artifactId>
-					<version>0.11.0</version>
+					<version>1.11.1</version>
 				</dependency>
         
         <dependency>
@@ -257,7 +257,7 @@
 		<dependency>
     	<groupId>org.springframework.data</groupId>
     	<artifactId>spring-data-jpa</artifactId>
-    	<version>1.10.4.RELEASE</version>
+    	<version>${org.springframework.data.spring-data-jpa}</version>
 		</dependency>
 		
 		
@@ -301,7 +301,7 @@
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-dbcp2</artifactId>
-			<version>2.1.1</version>
+			<version>${org.apache.commons.commons.dbcp2}</version>
 		</dependency>
 
 		<dependency>
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index d8d3dbeee..6f6735d48 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -9,6 +9,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import iaik.asn1.ObjectID;
 
 
@@ -123,12 +124,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   /** List of OWs */
   public static final List<ObjectID> OW_LIST = Arrays.asList( 
 		  new ObjectID(OW_ORGANWALTER));  
-  
-  /**BKU type identifiers to use bkuURI from configuration*/ 
-  public static final String REQ_BKU_TYPE_LOCAL = "local";
-  public static final String REQ_BKU_TYPE_ONLINE = "online"; 
-  public static final String REQ_BKU_TYPE_HANDY = "handy"; 
-  public static final List<String> REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY);
+    
+  public static final List<String> REQ_BKU_TYPES = Arrays.asList(
+		  IOAAuthParameters.HANDYBKU, 
+		  IOAAuthParameters.LOCALBKU, 
+		  IOAAuthParameters.THIRDBKU, 
+		  IOAAuthParameters.ONLINEBKU);
 
   public static final List<String> LEGACYPARAMETERWHITELIST 
   	= Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID);
@@ -178,19 +179,25 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   
   //AuthnRequest IssueInstant validation
   public static final int TIME_JITTER = 5;  //all 5 minutes time jitter 
-  
+
+  //General MOASession data-store keys
+  public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
+
+  //Process context keys
   public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication";
   public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication";
   public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection";
   public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest";
   public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId";
+  public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE;
   
   //General protocol-request data-store keys
+  public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
+  
+  @Deprecated
   public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target";
+  @Deprecated
   public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";
-  public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
   
-  //General MOASession data-store keys
-  public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
-    
+
 }
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
index e9f9a7e80..98f0616a5 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
@@ -28,6 +28,8 @@ import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 
+import at.gv.egovernment.moa.util.Constants;
+
 /**
  * @author tlenz
  *
@@ -40,9 +42,15 @@ public class MOAIDConstants {
 	
 	public static final String FILE_URI_PREFIX = "file:/";
 	
-	public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
-    public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+";
-    public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+";
+	public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID;	
+	public static final String PREFIX_PBK    = Constants.URN_PREFIX_BPK;
+	public static final String PREFIX_HPI    = Constants.URN_PREFIX_HPI;
+	
+	public static final String PREFIX_CDID   = Constants.URN_PREFIX_CDID + "+";
+	public static final String PREFIX_WPBK   = Constants.URN_PREFIX_WBPK + "+";
+    public static final String PREFIX_STORK  = Constants.URN_PREFIX_STORK + "+";
+    public static final String PREFIX_EIDAS  = Constants.URN_PREFIX_EIDAS + "+";
+    
 	
 	public static final String IDENIFICATIONTYPE_FN = "FN";
 	public static final String IDENIFICATIONTYPE_ERSB = "ERSB";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index bba6d0541..1e1bfa94b 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
 import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 
 /**
  * @author tlenz
@@ -38,9 +39,16 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
  */
 public interface IOAAuthParameters {
 
-	public static final String ONLINEBKU = "online";
+	public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing";
+	public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission";
+	
+	public static final String THIRDBKU = "thirdBKU";
 	public static final String HANDYBKU = "handy";
 	public static final String LOCALBKU = "local";
+	
+	@Deprecated
+	public static final String ONLINEBKU = "online";
+	
 	public static final String INDERFEDERATEDIDP = "interfederated";
 	public static final String EIDAS = "eIDAS";
 	public static final String AUTHTYPE_OTHERS = "others";
@@ -63,20 +71,52 @@ public interface IOAAuthParameters {
 	public String getFriendlyName();
 	
 	public String getPublicURLPrefix();
-
-	public String getOaType();
 	
-	public boolean getBusinessService();
+	/**
+	 * Indicates if this online applications has private area restrictions that disallow baseId processing in general
+	 * This restriction is evaluated from area-identifier of this online application and a policy from configuration. 
+	 * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values 
+	 * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix 
+	 * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
+	 * 
+	 * @return true if there is a restriction, otherwise false
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies
+	 */
+	public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException;
+	
 	
 	/**
-	 * Get target of a public service-provider
+	 * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA
+	 * This restriction is evaluated from area-identifier of this online application and a policy from configuration. 
+	 * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values 
+	 * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix 
+	 * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
 	 * 
-	 * @return target identifier without prefix
+	 * @return true if there is a restriction, otherwise false
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies
 	 */
-	public String getTarget();
+	public boolean hasBaseIdTransferRestriction() throws ConfigurationException;
 	
-	public String getTargetFriendlyName();
 	
+	/**
+	 * Get the full area-identifier for this online application to calculate the 
+	 * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...). 
+	 * This identifier always contains the full prefix 
+	 * 
+	 * @return area identifier with prefix
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies  
+	 */
+	public String getAreaSpecificTargetIdentifier() throws ConfigurationException;
+	
+	/**
+	 * Get a friendly name for the specific area-identifier of this online application
+	 * 
+	 * @return fiendly name of the area-identifier
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies
+	 */
+	public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException;
+	
+		
 	public boolean isInderfederationIDP();
 	
 	public boolean isSTORKPVPGateway();
@@ -84,13 +124,6 @@ public interface IOAAuthParameters {
 	public boolean isRemovePBKFromAuthBlock();
 	
 	/**
-	 * Return the private-service domain-identifier with PreFix
-	 * 
-	 * @return the identityLinkDomainIdentifier
-	 */
-	public String getIdentityLinkDomainIdentifier();
-
-	/**
 	 * @return the keyBoxIdentifier
 	 */
 	public String getKeyBoxIdentifier();
@@ -138,11 +171,6 @@ public interface IOAAuthParameters {
 	 */
 	public List<String> getMandateProfiles();
 
-	/**
-	 * @return the identityLinkDomainIdentifierType
-	 */
-	public String getIdentityLinkDomainIdentifierType();
-
 	public boolean isShowMandateCheckBox();
 
 	public boolean isOnlyMandateAllowed();
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
index b2d90aed4..bc4cd72af 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
@@ -44,7 +44,8 @@ public interface IStorkConfig {
 
 	boolean isSTORKAuthentication(String ccc);
 
-	CPEPS getCPEPS(String ccc);
+	CPEPS getCPEPSWithFullName(String ccc);
+	CPEPS getCPEPSWithCC(String ccc);
 
 	List<StorkAttribute> getStorkAttributes();
 
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
index 5091195d8..93f26051c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
@@ -208,7 +208,7 @@ public class ConfigurationMigrationUtils {
 				if (bkuurls != null) {
 					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, bkuurls.getHandyBKU());
 					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, bkuurls.getLocalBKU());
-					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, bkuurls.getOnlineBKU());
+					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, bkuurls.getOnlineBKU());
 					
 				}
 	
@@ -831,7 +831,7 @@ public class ConfigurationMigrationUtils {
             authoa.setBKUURLS(bkuruls);
             bkuruls.setHandyBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
             bkuruls.setLocalBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL));
-            bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+            bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
         	
             //store SecurtiyLayerTemplates            
             TemplatesType templates = authoa.getTemplates();
@@ -1438,7 +1438,7 @@ public class ConfigurationMigrationUtils {
 						defaultbkus.getHandyBKU());
 				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL, 
 						defaultbkus.getLocalBKU());
-				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, 
+				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, 
 						defaultbkus.getOnlineBKU());
 			}
 			
@@ -1448,7 +1448,7 @@ public class ConfigurationMigrationUtils {
 						slreq.getHandyBKU());
 				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL, 
 						slreq.getLocalBKU());
-				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, 
+				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, 
 						slreq.getOnlineBKU());
 
 			}
@@ -1711,8 +1711,8 @@ public class ConfigurationMigrationUtils {
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY)))
 			dbbkus.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY));
 		
-		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)))
-			dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)))
+			dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
 		
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)))
 			dbbkus.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
@@ -1900,8 +1900,8 @@ public class ConfigurationMigrationUtils {
 			slrequesttempl.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)))
 			slrequesttempl.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
-		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)))
-			slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)))
+			slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
 		
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL)))
 				dbconfig.setTrustedCACertificates(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL));
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
index b72034002..695df3123 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
@@ -70,7 +70,7 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
 	public static final String SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME = SERVICE_AUTH_TARGET_PUBLIC + ".own.name";
 	
 	private static final String SERVICE_AUTH_BKU = AUTH + "." + BKU;
-	public static final String SERVICE_AUTH_BKU_ONLINE = SERVICE_AUTH_BKU + ".onlineBKU";
+	public static final String SERVICE_AUTH_BKU_THIRD = SERVICE_AUTH_BKU + ".onlineBKU";
 	public static final String SERVICE_AUTH_BKU_LOCAL = SERVICE_AUTH_BKU + ".localBKU";
 	public static final String SERVICE_AUTH_BKU_HANDY = SERVICE_AUTH_BKU + ".handyBKU";
 	public static final String SERVICE_AUTH_BKU_KEYBOXIDENTIFIER = SERVICE_AUTH_BKU + ".keyBoxIdentifier";
@@ -196,13 +196,13 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
 	
 	private static final String GENERAL_DEFAULTS = PREFIX_MOAID_GENERAL + ".defaults";	
 	private static final String GENERAL_DEFAULTS_BKU = GENERAL_DEFAULTS + "." + BKU;
-	public static final String GENERAL_DEFAULTS_BKU_ONLINE = GENERAL_DEFAULTS_BKU + ".onlineBKU";
+	public static final String GENERAL_DEFAULTS_BKU_THIRD = GENERAL_DEFAULTS_BKU + ".onlineBKU";
 	public static final String GENERAL_DEFAULTS_BKU_HANDY = GENERAL_DEFAULTS_BKU + ".handyBKU";
 	public static final String GENERAL_DEFAULTS_BKU_LOCAL = GENERAL_DEFAULTS_BKU + ".localBKU";
 	private static final String GENERAL_DEFAULTS_TEMPLATES = GENERAL_DEFAULTS + "." + TEMPLATES;
 	public static final String GENERAL_DEFAULTS_TEMPLATES_LOCAL = GENERAL_DEFAULTS_TEMPLATES + ".localBKU";
 	public static final String GENERAL_DEFAULTS_TEMPLATES_HANDY = GENERAL_DEFAULTS_TEMPLATES + ".handyBKU";
-	public static final String GENERAL_DEFAULTS_TEMPLATES_ONLINE = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
+	public static final String GENERAL_DEFAULTS_TEMPLATES_THIRD = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
 	
 	private static final String GENERAL_AUTH = PREFIX_MOAID_GENERAL + ".auth";
 	private static final String GENERAL_AUTH_CERTIFICATE = GENERAL_AUTH + ".certificate";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
index 9fc6f799d..dd606ea18 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -57,6 +57,8 @@ import java.util.ArrayList;
 import java.util.List;
 
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.LoggingContext;
 import at.gv.egovernment.moaspss.logging.LoggingContextManager;
 import iaik.pki.jsse.IAIKX509TrustManager;
@@ -72,21 +74,27 @@ import iaik.pki.jsse.IAIKX509TrustManager;
 public class MOAIDTrustManager extends IAIKX509TrustManager {
   
   /** an x509Certificate array containing all accepted server certificates*/
-  private X509Certificate[] acceptedServerCertificates;
+  private X509Certificate[] acceptedServerCertificates = null;
 
   /**
    * Constructor
    * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store
    * @throws GeneralSecurityException occurs on security errors
    * @throws IOException occurs on IO errors
+ * @throws SSLConfigurationException 
    */
   public MOAIDTrustManager(String acceptedServerCertificateStoreURL) 
-    throws IOException, GeneralSecurityException {
+    throws IOException, GeneralSecurityException, SSLConfigurationException {
     
-    if (acceptedServerCertificateStoreURL != null)
-      buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
-    else
-      acceptedServerCertificates = null;
+    if (acceptedServerCertificateStoreURL != null && MiscUtil.isNotEmpty(acceptedServerCertificateStoreURL.trim())) {
+    	Logger.info("Initialize SSL-TrustStore with explicit accepted server-certificates");
+    	buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
+    	
+    } else {
+    	Logger.info("Initialize SSL-TrustStore without explicit accepted server-certificates");
+    	acceptedServerCertificates = null;
+    	
+    }
   }
 
  
@@ -111,26 +119,72 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {
    *         containing accepted server X509 certificates
    * @throws GeneralSecurityException on security errors
    * @throws IOException on any IO errors
+ * @throws SSLConfigurationException 
    */
   private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) 
-    throws IOException, GeneralSecurityException {
-
+    throws IOException, GeneralSecurityException, SSLConfigurationException {	  
     List<X509Certificate> certList = new ArrayList<X509Certificate>();
     URL storeURL = new URL(acceptedServerCertificateStoreURL);
+    
+    //check URL to TrustStore
+    if (storeURL.getFile() == null) {
+    	Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL 
+   			+ " is NOT found");
+    	throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"});
+    	
+    }    
     File storeDir = new File(storeURL.getFile());
-    // list certificate files in directory
-    File[] certFiles = storeDir.listFiles(); 
+    
+    //check directory and files
+    if (storeDir == null || storeDir.listFiles() == null) {
+    	Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL 
+       			+ " is NOT found");
+        	throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"});
+        	
+    }
+    
+    // list certificate files in directory    
+    File[] certFiles = storeDir.listFiles();    
     for (int i = 0; i < certFiles.length; i++) {
-      // for each: create an X509Certificate and store it in list
-      File certFile = certFiles[i];
-      FileInputStream fis = new FileInputStream(certFile.getPath());
-      CertificateFactory certFact = CertificateFactory.getInstance("X.509");
-      X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
-      fis.close();
-      certList.add(cert);
+    	// for each: create an X509Certificate and store it in list
+    	File certFile = certFiles[i];
+    	FileInputStream fis = null;
+    	try {
+    		fis = new FileInputStream(certFile.getPath());
+    		CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+    		X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
+    		certList.add(cert);
+    		
+    	} catch (Exception e) {
+    	   	Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath() 
+    	   		+ " is not loadable, Reason: " + e.getMessage());
+    	   	
+    	   	if (Logger.isDebugEnabled()) {
+    	   		try {
+    	   			if (fis != null)
+    	   				Logger.debug("Certificate: " + Base64Utils.encode(fis));
+    	   			
+    	   		} catch (Exception e1) {
+    	   			Logger.warn("Can NOT log content of certificate: " + certFile.getPath() 
+    	   				+ ". Reason: " + e.getMessage(), e);
+    	   			
+    	   		}
+    	   	}
+    	   	
+    	    throw new SSLConfigurationException("config.28", new Object[]{certFile.getPath(), e.getMessage()}, e);
+    	    
+    	} finally {
+			if (fis != null)
+				fis.close();
+			
+		}
     }
+    
     // store acceptedServerCertificates
     acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]);
+    Logger.debug("Add #" + acceptedServerCertificates.length 
+    		+ " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL );
+    	    
   }
 
   /**
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 2a4e3b362..c94222ea0 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -396,10 +396,16 @@ public interface Constants {
   
   
   /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/
-  public static final String  SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
+  public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
   public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions";
   public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd";
   
+  
+  /* Prefix and Schema for SAML2 Entity Attributes */
+  public static final String SAML2_MDATTR_EXTENSIONS_PREFIX = "mdattr";
+  public static final String SAML2_MDATTR_EXTENSIONS = "urn:oasis:names:tc:SAML:metadata:attribute";
+  public static final String SAML2_MDATTR_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "sstc-metadata-attr.xsd";
+  
   /**
    * Contains all namespaces and local schema locations for XML schema
    * definitions relevant for MOA. For use in validating XML parsers.
@@ -433,8 +439,9 @@ public interface Constants {
       + (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ")
       + (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ")
       + (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ")
-      + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION)
-      + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
+      + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION + " ")
+      + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION + " ")
+  	  + (SAML2_MDATTR_EXTENSIONS + " " + SAML2_MDATTR_EXTENSIONS_SCHEMA_LOCATION);
 
   /** URN prefix for bPK and wbPK. */
   public static final String URN_PREFIX = "urn:publicid:gv.at";
@@ -454,7 +461,6 @@ public interface Constants {
   /** URN prefix for context dependent id (stork). */
   public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid";
   
-  //TODO: update to eIDAS prefix
   /** URN prefix for context dependent id (eIDAS). */
   public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid";
 
diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd
new file mode 100644
index 000000000..f23e462a5
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema 
+  targetNamespace="urn:oasis:names:tc:SAML:metadata:attribute"
+  xmlns="http://www.w3.org/2001/XMLSchema"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+  elementFormDefault="unqualified"
+  attributeFormDefault="unqualified"
+  blockDefault="substitution"
+  version="2.0">
+
+  <annotation>
+    <documentation>
+      Document title: SAML V2.0 Metadata Extention for Entity Attributes Schema
+      Document identifier: sstc-metadata-attr.xsd
+      Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+      Revision history:
+      V1.0 (November 2008):
+        Initial version.
+    </documentation>
+  </annotation>
+
+  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+      schemaLocation="saml-schema-assertion-2.0.xsd"/>
+
+  <element name="EntityAttributes" type="mdattr:EntityAttributesType"/>
+  <complexType name="EntityAttributesType">
+    <choice maxOccurs="unbounded">
+      <element ref="saml:Attribute"/>
+      <element ref="saml:Assertion"/>
+    </choice>
+  </complexType>
+
+</schema>
+
diff --git a/id/server/moa-id-frontend-resources/pom.xml b/id/server/moa-id-frontend-resources/pom.xml
index 64ebc14b6..342cedac8 100644
--- a/id/server/moa-id-frontend-resources/pom.xml
+++ b/id/server/moa-id-frontend-resources/pom.xml
@@ -29,6 +29,78 @@
 		<repositoryPath>${basedir}/../../../../repository</repositoryPath>
 	</properties>
   
+  <build>
+  	<plugins>
+  	<plugin>
+    	<groupId>org.codehaus.mojo</groupId>
+    	<artifactId>groovy-maven-plugin</artifactId>
+    	<version>1.5</version>
+    <executions>
+      <execution>
+        <phase>generate-resources</phase>
+        <goals>
+          <goal>execute</goal>
+        </goals>
+        <configuration>
+          <source>
+        	<![CDATA[
+        	println("==== Creating version.txt ====");
+        	File mainDir = new File("${basedir}/src/main/resources");
+        	if(mainDir.exists() && !mainDir.isDirectory()) {
+            println("Main dir does not exist, wont create version.txt!");
+            return;
+        	}
+        	File confDir = new File("${basedir}/src/main/resources/mainGUI");
+        	if(confDir.exists() && !confDir.isDirectory()) {
+            println("Conf dir is not a directory, wont create version.txt!");
+            return;
+        	}
+        	if(!confDir.exists()) {
+            confDir.mkdir();
+        	}
+        	File versionFile = new File("${basedir}/src/main/resources/mainGUI/version.txt");
+        	if(versionFile.exists() && versionFile.isDirectory()) {
+            println("Version file exists and is directory! Wont overwrite");
+            return;
+        	}
+        	if(versionFile.exists() && !versionFile.isDirectory()) {
+          	 println("Version file already exists, overwriting!");
+        	}
+        	println("Creating Version File");
+        	BufferedWriter writer = new BufferedWriter(new FileWriter(versionFile));
+
+        	writer.write("groupId = ${project.groupId}");
+        	writer.newLine();
+        	writer.write("version = ${project.version}");
+        	writer.newLine();
+        	writer.write("timestamp = ${maven.build.timestamp}");
+
+        	String buildTag = "";
+        	String buildNumber = "";
+        	String buildId = "";
+        	try {
+            	buildTag = "${BUILD_TAG}";
+            	buildNumber = "${BUILD_NUMBER}";
+            	buildId = "${BUILD_ID}";
+
+            	writer.write("BUILD_TAG = " + buildTag + "\n");
+            	writer.write("BUILD_NUMBER = " + buildNumber + "\n");
+            	writer.write("BUILD_ID = " + buildId + "\n");
+
+        		} catch (Exception e) {
+            		println("============= Could not find BUILD_TAG probably this is not a Jenkins/Hudson build ===========");
+        		}
+
+        		writer.close();
+        		]]>
+          		</source>
+        		</configuration>
+      		</execution>
+    		</executions>
+  		</plugin>
+  	</plugins>
+  </build>
+  
   <dependencies>  	
    	 <dependency>
   		<groupId>MOA.id.server</groupId>
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 4bb4b0e27..15bc92a54 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -27,6 +27,8 @@ import java.io.InputStream;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
@@ -41,19 +43,28 @@ import at.gv.egovernment.moa.util.MiscUtil;
  */
 public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
 
+	public static final String VIEW_TEMPLATE_MAINGUI_DIRECTORY = "mainGUI/";
+	
 	public static final String VIEW_BKUSELECTION = "loginFormFull.html";
 	public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html";	
 	public static final String VIEW_TEMPLATE_CSS = "css_template.css";
-	public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js";
+	public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js";	
+	public static final String VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC = "iframeLBKUdetectSPSpecific.html";
+	public static final String VIEW_TEMPLATE_BKUDETECTION_GENERIC = "iframeLBKUdetect.html";
 	
 	public static final String PARAM_BKU_ONLINE = "bkuOnline";
 	public static final String PARAM_BKU_HANDY = "bkuHandy";
-	public static final String PARAM_BKU_LOCAL = "bkuLocal";
+	public static final String PARAM_BKU_LOCAL = "bkuLocal";	
+	
+	public static final String PARAM_BKU_URL_HANDY = "bkuURLHandy";
+	public static final String PARAM_BKU_URL_LOCAL = "bkuURLLocal"; 
+	public static final String PARAM_BKU_URL_THIRD = "bkuURLThird";
 	
 	public static final String PARAM_OANAME = "OAName";
 	public static final String PARAM_COUNTRYLIST = "countryList";
 	
 	protected IRequest pendingReq = null;
+	protected String templateClasspahtDir = null;
 	
 	/**
 	 * @param authURL PublicURLPrefix of the IDP but never null
@@ -86,18 +97,30 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 	@Override
 	public Map<String, Object> getSpecificViewParameters() {
 		Map<String, Object> params =  new HashMap<String, Object>();
-		params.put(PARAM_BKU_ONLINE, IOAAuthParameters.ONLINEBKU);
+		params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU);
 		params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU);
 		params.put(PARAM_BKU_LOCAL, IOAAuthParameters.LOCALBKU);
 		
 		if (pendingReq != null) {							
-			params.put(PARAM_PENDINGREQUESTID, pendingReq.getRequestID());
+			params.put(PARAM_PENDINGREQUESTID, StringEscapeUtils.escapeHtml(pendingReq.getRequestID()));
 
 			//add service-provider specific GUI parameters
 			IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 			if (oaParam != null) {
 				params.put(PARAM_OANAME, oaParam.getFriendlyName());
-								
+
+				//set BKU URLs
+				if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)))
+					params.put(PARAM_BKU_URL_LOCAL, oaParam.getBKUURL(IOAAuthParameters.LOCALBKU));
+				else
+					params.put(PARAM_BKU_URL_LOCAL, MOAIDAuthConstants.DEFAULT_BKU_HTTPS);
+				
+				if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.HANDYBKU)))
+					params.put(PARAM_BKU_URL_HANDY, oaParam.getBKUURL(IOAAuthParameters.HANDYBKU));
+				if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.THIRDBKU)))
+					params.put(PARAM_BKU_URL_THIRD, oaParam.getBKUURL(IOAAuthParameters.THIRDBKU));
+				
+				//set eIDAS login information if requird
 				if (oaParam.isShowStorkLogin())
 					addCountrySelection(params, oaParam);
 				else
@@ -151,7 +174,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 	 */
 	@Override
 	public String getClasspathTemplateDir() {
-		return null;
+		return templateClasspahtDir;
 	}
 
 	/* (non-Javadoc)
@@ -184,4 +207,17 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 		return null;		
 	}
 
+	/**
+	 * Set a specific classPath directory for this template configuration. 
+	 * <br> If the directory is null then the default directory /templates is used.
+	 * 
+	 * @param templateClasspahtDir the templateClasspahtDir to set
+	 */
+	public void setTemplateClasspahtDir(String templateClasspahtDir) {
+		this.templateClasspahtDir = templateClasspahtDir;
+	}
+
+	
+	
+	
 }
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
index 2c2792b84..0c07ad3fb 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
@@ -26,6 +26,8 @@ import java.io.InputStream;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 	
 /**
@@ -68,6 +70,13 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo
 		
 	}
 	
+	/**
+	 * Add a key/value pair into Velocity context.<br>
+	 * <b>IMPORTANT:</b> external HTML escapetion is required, because it is NOT done internally
+	 * 
+	 * @param key velocity context key
+	 * @param value of this key
+	 */
 	public void putCustomParameter(String key, Object value) {
 		if (customParameters == null)
 			customParameters = new HashMap<String, Object>();
@@ -82,7 +91,7 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo
 	public Map<String, Object> getSpecificViewParameters() {
 		Map<String, Object> params =  new HashMap<String, Object>();
 		if (pendingReq != null) {							
-			params.put(PARAM_PENDINGREQUESTID, pendingReq.getRequestID());
+			params.put(PARAM_PENDINGREQUESTID, StringEscapeUtils.escapeHtml(pendingReq.getRequestID()));
 			
 		}		
 		if (customParameters != null)
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index 54dc9d910..261e19a33 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
@@ -24,7 +24,7 @@
 		document.write('</form>');
 		try {
 			document.bkudetectform.submit();
-		} catch(e) {}
+		} catch(e) {console.log(e)}
 	}
 //-->
 </script>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html
index 5f7e92321..7fc2b0298 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html
@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta http-equiv="content-type" content="text/html; charset=utf8" >
-        <title>MOA-ID 3.2.x</title>
+        <title>MOA-ID 3.3.x</title>
         <link rel="stylesheet" href="./common/main.css" type="text/css">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <link href='https://fonts.googleapis.com/css?family=Roboto:300,400' rel='stylesheet' type='text/css'>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html
new file mode 100644
index 000000000..a9932d49d
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="de">
+	<head>
+		<title></title>
+		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+		<script language="javascript" type="text/javascript">
+			function onAnmeldeSubmit() {
+				document.CustomizedForm.submit();
+				document.CustomizedForm.Senden.disabled=true;
+			}
+		</script>
+	</head>
+	<body onLoad="onAnmeldeSubmit()">	 
+		<form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data">
+			Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier: 
+		    <input class="button" type="hidden" value="Starte Anmeldung" name="Senden">
+			<input type="hidden" name="XMLRequest" value="<XMLRequest>">
+			<input type="hidden" name="DataURL" value="<DataURL>">
+			<input type="hidden" name="PushInfobox" value="<PushInfobox>">
+		
+			<!-- Angabe der Parameter fuer die Online-BKU -->
+			<input type="hidden" name="appletWidth" value="<APPLETWIDTH>">
+			<input type="hidden" name="appletHeight" value="<APPLETHEIGHT>">
+			
+			<!-- [OPTIONAL] Aendern Sie hier die Hintergrundfarbe der Online-BKU -->
+	      <input type="hidden" name="appletBackgroundColor" value="<COLOR>">
+	      <input type="hidden" name="redirectTarget" value="<REDIRECTTARGET>">
+		</form>
+		
+		<form name="CustomizedInfoForm" action="<BKU>" method="post">
+			<input type="hidden" name="XMLRequest" value="<CertInfoXMLRequest>">
+			<input type="hidden" name="DataURL" value="<CertInfoDataURL>">
+		</form>
+		<form name="DummyForm" action="<BKU>" method="post">
+		</form>
+	</body>
+</html>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html
new file mode 100644
index 000000000..79a217946
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="de">
+<head>
+<title>BKU-Erkennung</title>
+</head>
+<body style="background-color:transparent" onload="parent.setBKUAvailable(false);document.forms[0].submit();">
+	<form name="bkudetectform" method="POST" target="bkudetect" action="$bkuURLLocal" enctype="application/x-www-form-urlencoded">
+		<input type="hidden" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;NullOperationRequest xmlns=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;/&gt;" />
+		<input type="hidden" name="RedirectURL" value="$contextPath/iframeLBKUdetected.html"/>
+	</form>	
+</body>
+</html>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html
index 53c4f0d5d..c4da51dc1 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html
@@ -50,8 +50,11 @@
 								  <input type="hidden" name="ccc" id="ccc" /> 
 								  <input type="hidden" name="pendingid" value="$pendingReqID" /> 
                   <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
-                </form>
-                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe>
+                </form>                
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+                
+                <!-- BKU detection with static template-->
+                <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
                               
 							</div>
 							<div id="bkuhandy">
@@ -59,6 +62,7 @@
                 <input name="bkuButtonHandy" type="button" onClick="bkuHandyClicked();" tabindex="3" role="button" value="HANDY" />
 							</div>
 						</div>
+						
 						<!--div id="localBKU">
 							<form method="get" id="moaidform" action="$contextPath$submitEndpoint"
 								class="verticalcenter" target="_parent">
@@ -70,7 +74,7 @@
                 <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
 									     role="button" onclick="setMandateSelection();">
                 </form>
-                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe>
+                <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection"><\/iframe>
               </div-->
               
               <!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 9294f3658..c9bc31f6c 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.util.XMLUtil;
 import at.gv.egovernment.moa.logging.Logger;
@@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			Logger.debug("Non-SSO Login requested or SSO not allowed/possible");
 			//build ReadInfobox request
 			infoboxReadRequest = new InfoboxReadRequestBuilder().build(
-					oaParam.getBusinessService(), oaParam
-					.getIdentityLinkDomainIdentifier());
+					oaParam.hasBaseIdInternalProcessingRestriction(), oaParam
+					.getAreaSpecificTargetIdentifier());
 
 		}
 
@@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		try {
 			// sets the extended SAML attributes for OID (Organwalter)
 			setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam
-					.getBusinessService());
+					.hasBaseIdTransferRestriction());
 
-			validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
+			validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction());
 
 
 		} catch (SAXException e) {
@@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
 	 * @throws BuildException If an error occurs on serializing an extended SAML attribute
 	 *                        to be appended to the AUTH-Block.
+	 * @throws ConfigurationException 
 	 */
 	private String buildAuthenticationBlock(IAuthenticationSession session,
-			IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException {
+			IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException {
 
 		IIdentityLink identityLink = session.getIdentityLink();
 		String issuer = identityLink.getName();
@@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 		String identificationValue = null;
 		String identificationType = null;
+		String identificationTypeFriendlyName = null;
 
 		//get processing data from pending-request
 		String authURL = pendingReq.getAuthURL();
-		String requestedTarget = pendingReq.getGenericData(
-				MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);		
-		String targetFriendlyName = pendingReq.getGenericData(
+		
+		@Deprecated
+		String saml1RequestedTarget = pendingReq.getGenericData(
+				MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+		@Deprecated
+		String saml1RequestedFriendlyName = pendingReq.getGenericData(
 				MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
 
 		
@@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) {
 			identificationType = "";
 			identificationValue = "";
-
+				
 		} else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
 
-			if (oaParam.getBusinessService()) {
-
-				String bpkBase64 = new BPKBuilder().buildWBPK(identityLink
-						.getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier());
-				identificationValue = bpkBase64;
-
-				if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+"))
-					identificationType = oaParam.getIdentityLinkDomainIdentifier();
-				else
-					identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-
-			} else {				
-				String bpkBase64 = new BPKBuilder().buildBPK(identityLink
-						.getIdentificationValue(), requestedTarget);
-				identificationValue = bpkBase64;
-				identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget;
+			if (MiscUtil.isNotEmpty(saml1RequestedTarget)) {
+				Logger.debug("Build AuthBlock bPK from SAML1 requested target");
+				Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+						identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+						saml1RequestedTarget);
+				identificationValue = calcId.getFirst();
+				identificationType = calcId.getSecond();
+				identificationTypeFriendlyName = saml1RequestedFriendlyName;
+				
+			} else {
+				Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+						identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+						oaParam.getAreaSpecificTargetIdentifier());
+				identificationValue = calcId.getFirst();
+				identificationType = calcId.getSecond();
+				identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
 			}
 
-
 		} else {
 			identificationValue = identityLink.getIdentificationValue();
 			identificationType = identityLink.getIdentificationType();
+			identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
 
 		}
 
 		//set AuthBlock generation time to session
-		String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar
-				.getInstance());
+		String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance());
 		session.setIssueInstant(issueInstant);
 
-		// Bug #485
-		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
-		// String oaURL = session.getPublicOAURLPrefix();
-
+		//load extend attributes
 		List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
 
+		//load special authblock text patterns for replacement
+		Map<String, String> authBlockTextPatterns = AuthenticationBlockAssertionBuilder.
+				generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant);
+		
 		String authBlock = null;
 		if (pendingReq.needSingleSignOnFunctionality()) {
 			String oaURL = pendingReq.getAuthURL();
@@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 				oaURL = oaURL.replaceAll("&", "&amp;");
 
 			authBlock = new AuthenticationBlockAssertionBuilder()
-					.buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget,
-							targetFriendlyName, identificationValue,
-							identificationType, oaURL, gebDat,
-							extendedSAMLAttributes, session, oaParam);
-
+					.buildAuthBlockSSO(issuer, issueInstant, authURL, 
+							oaURL, gebDat,
+							extendedSAMLAttributes, session, oaParam, authBlockTextPatterns);
 
 		} else {			
 			String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&amp;");
 			authBlock = new AuthenticationBlockAssertionBuilder()
-					.buildAuthBlock(issuer, issueInstant, authURL, requestedTarget,
-							targetFriendlyName, identificationValue,
-							identificationType, oaURL, gebDat,
-							extendedSAMLAttributes, session, oaParam);
+					.buildAuthBlock(issuer, issueInstant, authURL, 
+							identificationValue,
+							identificationType,
+							gebDat,
+							oaURL, 							
+							identificationTypeFriendlyName, 							 
+							extendedSAMLAttributes, session, oaParam, authBlockTextPatterns);
 			
 		}
 		
@@ -938,10 +945,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			session.setAuthBlock(serializedAssertion);
 		} catch (TransformerException e) {
 			throw new ParseException("parser.04", new Object[]{
-					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE});
+					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e);
 		} catch (IOException e) {
 			throw new ParseException("parser.04", new Object[]{
-					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE});
+					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e);
 		}
 		// validates <CreateXMLSignatureResponse>
 		if (pendingReq.needSingleSignOnFunctionality())
@@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		Element valueBpK = mandatePerson.getOwnerDocument().createElementNS(
 				Constants.PD_NS_URI, "Value");
 
-		String bpkBase64 = new BPKBuilder().buildBPK(baseid, target);
+		Pair<String, String> targedId  = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target);
+		
 		valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
-				bpkBase64));
+				targedId.getFirst()));
 		Element typeBpK = mandatePerson.getOwnerDocument().createElementNS(
 				Constants.PD_NS_URI, "Type");
 		typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index ecc91991e..80702795b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -28,7 +28,11 @@ import java.io.StringWriter;
 import java.text.MessageFormat;
 import java.text.SimpleDateFormat;
 import java.util.Calendar;
+import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
 
 import javax.xml.bind.DatatypeConverter;
 import javax.xml.transform.Result;
@@ -46,7 +50,9 @@ import org.w3c.dom.Node;
 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute;
 import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
@@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
   public static final int NUM_OF_SAML_ATTRIBUTES = 5;
   public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
   
+  public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\"";
+  
+  public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#";
+  public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#";
+  public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#";
+  public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#";
+  
+  public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap";
+  
   /**
    * Constructor for AuthenticationBlockAssertionBuilder.
    */
@@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     super();
   }
   
+  public static Map<String, String> generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) {
+	  Map<String, String> result = new HashMap<String, String>();
+	  
+	  //convert issueInstant
+	  Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
+	  SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
+	  SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
+	  
+	  //set default values
+	  result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer);
+	  result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat);
+	  result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime()));
+	  result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime()));
+	  	  
+	  //set other values from pendingReq if exists
+	  Map<?,?> processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class);
+	  if (processSpecificElements != null && !processSpecificElements.isEmpty()) {
+		  Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ...");
+		  Iterator<?> mapIterator = processSpecificElements.entrySet().iterator();
+		  while (mapIterator.hasNext()) {
+			  Object objEl = mapIterator.next();
+			  if (objEl instanceof Entry<?, ?>) {
+				  try {
+					  @SuppressWarnings("unchecked")
+					  Entry<String, String> el = (Entry<String, String>) objEl;
+					  Logger.trace("  Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue());
+					  if (result.containsKey(el.getKey()))
+						  Logger.warn("  Can not add pattern: " + el.getKey() + " , because it already exists.");
+					  else
+						  result.put(el.getKey(), el.getValue());
+					  
+				  } catch (Exception e) {
+					  Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e);
+					  
+				  }
+			  }
+		  }			  			 
+	  }		  
+	  	  
+	  return result;
+  }
+  
+  
   /**
-   * Builds the authentication block <code>&lt;saml:Assertion&gt;</code> 
-   * 
-   * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
-   * @param issueInstant current timestamp
-   * @param authURL URL of MOA-ID authentication component
-   * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
-   *               is a business application
-   * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
-   *                          child element of the <code>&lt;pr:Identification&gt;</code>
-   *                          element derived from the Identitylink; this is the
-   *                          value of the <code>wbPK</code>;
-   *                          maybe <code>null</code> if the application is a public service
-   * @param identityLinkType  the content of the <code>&lt;pr:Type&gt;</code>
-   *                          child element of the <code>&lt;pr:Identification&gt;</code>
-   *                          element derived from the Identitylink; this includes the
-   *                          URN prefix and the identification number of the business
-   *                          application used as input for wbPK computation;
-   *                          maybe <code>null</code> if the application is a public service
-   * @param oaURL public URL of online application requested
-   * @param gebDat The date of birth from the identity link.
-   * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
    * 
-   * @return String representation of authentication block 
-   *          <code>&lt;saml:Assertion&gt;</code> built
-   *          
-   * @throws BuildException If an error occurs on serializing an extended SAML attribute 
-   *                        to be appended to the AUTH-Block.
+   * @param issuer
+   * @param issueInstant
+   * @param authURL
+   * @param sectorSpecificUniqueId
+   * @param sectorSpecificUniqueIdType
+   * @param gebDat
+   * @param oaURL
+   * @param spTargetAreaFriendlyName
+   * @param extendedSAMLAttributes
+   * @param session
+   * @param oaParam
+   * @return
+   * @throws BuildException
+ * @throws ConfigurationException 
    */
   public String buildAuthBlock(
     String issuer, 
     String issueInstant, 
-    String authURL, 
-    String target,
-    String targetFriendlyName,
-    String identityLinkValue, 
-    String identityLinkType,
-    String oaURL, 
-    String gebDat,
+    String authURL,     
+    String sectorSpecificUniqueId, 
+    String sectorSpecificUniqueIdType,
+    String gebDat,        
+    String oaURL,
+    String spTargetAreaFriendlyName,
     List<ExtendedSAMLAttribute> extendedSAMLAttributes,
     IAuthenticationSession session,
-    IOAAuthParameters oaParam)
-  throws BuildException
-  
-  {
-    session.setSAMLAttributeGebeORwbpk(true);
-    String gebeORwbpk = "";
-    String wbpkNSDeclaration = "";
-           
-    if (target == null) {
-    	
-      // OA is a business application
-      if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
-        // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
-         gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
-         wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+    IOAAuthParameters oaParam,
+    Map<String, String> specialAuthBlockTextPatterns)
+  throws BuildException, ConfigurationException {
+	  
+	  //initialize state
+	  session.setSAMLAttributeGebeORwbpk(true);
+      String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY;
+	  String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY;
+
+	 	  
+	  if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+		  //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK
+		 
+		  if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) {
+			  //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
+			  publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType});
+			  usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION;
          
-         //adding type of wbPK domain identifier        
-        ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = 
-             new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+			  //adding type of wbPK domain identifier        
+			  ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = 
+					  new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
             
-        extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
+			  extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
          
-      } else {
-        // We do not have a wbPK, therefore no SAML-Attribute is provided
-        session.setSAMLAttributeGebeORwbpk(false);
-      }
+		  } else {
+			  // We do not have a wbPK, therefore no SAML-Attribute is provided
+			  session.setSAMLAttributeGebeORwbpk(false);
+			  
+		  }      
+	  } else {		  
+		  // OA is a govermental application
+		  
+		  //convert sector identifier into friendly name and add it to AuthBlock
+		  String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType);		  
+		  if (StringUtils.isEmpty(sectorName)) {
+			  if (spTargetAreaFriendlyName != null)
+				  sectorName = spTargetAreaFriendlyName;
+			  
+		  }             
+		  publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, 
+				  new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" });
       
-    } else {
-      // OA is a govermental application
-      String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
-      if (StringUtils.isEmpty(sectorName)) {
-    	  if (targetFriendlyName != null)
-    		  sectorName = targetFriendlyName; 
-      }
-      
-        
-      //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
-      gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
-      
-      //no business service, adding bPK
 
-      if (identityLinkValue != null) {
-    	  Element bpkSamlValueElement;
-    	  try {
-    		  bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
-    	  } catch (Exception e) {
-    		  Logger.error("Error on building AUTH-Block: " + e.getMessage());
-    		  throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
-    	  } 
-	      
-	//      String s = xmlToString(bpkSamlValueElement);
-	//      System.out.println("bpkSamlValueElement: " + s);
-	      
-    	  ExtendedSAMLAttribute bpkAttribute = 
-    		  new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-    	  extendedSAMLAttributes.add(bpkAttribute);
-      }
-      
-      boolean useMandate = session.isMandateUsed();
-      if (useMandate) {
-    	  //String mandateReferenceValue = Random.nextRandom();
-    	  String mandateReferenceValue = Random.nextProcessReferenceValue();
-    	  // remove leading "-"
-    	  if (mandateReferenceValue.startsWith("-"))
-    		  mandateReferenceValue = mandateReferenceValue.substring(1);
-    		 
-    	  session.setMandateReferenceValue(mandateReferenceValue);
-    		 
-    	  ExtendedSAMLAttribute mandateReferenceValueAttribute = 
-    		  new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
-    	            
-    	  extendedSAMLAttributes.add(mandateReferenceValueAttribute);
-      }
-    	
-      
-
-     //gebeORwbpk = gebeORwbpk  + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
-     wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
-    }
-    
-    //adding friendly name of OA    
-    String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); 
-    
-    ExtendedSAMLAttribute oaFriendlyNameAttribute = 
-         new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-    
-    extendedSAMLAttributes.add(oaFriendlyNameAttribute);
+		  //add bPK to AuthBlock if it is not empty
+		  if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) {
+			  Element bpkSamlValueElement;
+			  try {
+				  bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
+				  
+			  } catch (Exception e) {
+				  Logger.error("Error on building AUTH-Block: " + e.getMessage());
+				  throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+				  
+			  } 
+	      	      
+			  ExtendedSAMLAttribute bpkAttribute = 
+					  new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+			  extendedSAMLAttributes.add(bpkAttribute);
+		  }
+          	
+		  usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION;
+	  }
     
+	  //check if mandates should be used
+	  if (session.isMandateUsed()) {
+		  
+		  //generate mandate reference value
+		  String mandateReferenceValue = Random.nextProcessReferenceValue();    		 
+		  session.setMandateReferenceValue(mandateReferenceValue);
+		 
+		  ExtendedSAMLAttribute mandateReferenceValueAttribute = 
+				  new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+	            
+		  extendedSAMLAttributes.add(mandateReferenceValueAttribute);
+	  }
+	  
+	  //adding friendly name of OA    
+	  String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();     
+	  ExtendedSAMLAttribute oaFriendlyNameAttribute = 
+			  new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);    
+	  extendedSAMLAttributes.add(oaFriendlyNameAttribute);
     
-    String text = "";
-    if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
-		Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
-		text = oaParam.getAditionalAuthBlockText();
-	}
     
-   	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
-   			new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
+	  //generate special AuthBlock text
+	  String text = "";
+	  if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+		  Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+		  text = oaParam.getAditionalAuthBlockText();
+	  }    
+	  String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
+			  new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) });
     
-   	//generate unique AuthBlock tokken
-   	String uniquetokken = Random.nextRandom();
-   	session.setAuthBlockTokken(uniquetokken);
+	  
+	  //generate unique AuthBlock tokken
+	  String uniquetokken = Random.nextProcessReferenceValue();
+	  session.setAuthBlockTokken(uniquetokken);
    	
     String assertion;
     try {    	
       assertion = MessageFormat.format(
         AUTH_BLOCK, new Object[] { 
-          wbpkNSDeclaration, 
+          usedwbPKbPKNamespaceDeclaration, 
           issuer, 
           issueInstant, 
           authURL, 
-          gebeORwbpk, 
+          publicSectorIdOrwbPK, 
           oaURL, 
           gebDat,
           specialText,
-          MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, 
-         			new Object[] { uniquetokken }),
+          MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}),
           buildExtendedSAMLAttributes(extendedSAMLAttributes)});
-    } catch (ParseException e) {
-      Logger.error("Error on building AUTH-Block: " + e.getMessage());
-      throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
-    }
-    
-    return assertion;
-    
-  }
-  
-  /**
-   * Builds the authentication block <code>&lt;saml:Assertion&gt;</code> 
-   * 
-   * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
-   * @param issueInstant current timestamp
-   * @param authURL URL of MOA-ID authentication component
-   * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
-   *               is a business application
-   * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
-   *                          child element of the <code>&lt;pr:Identification&gt;</code>
-   *                          element derived from the Identitylink; this is the
-   *                          value of the <code>wbPK</code>;
-   *                          maybe <code>null</code> if the application is a public service
-   * @param identityLinkType  the content of the <code>&lt;pr:Type&gt;</code>
-   *                          child element of the <code>&lt;pr:Identification&gt;</code>
-   *                          element derived from the Identitylink; this includes the
-   *                          URN prefix and the identification number of the business
-   *                          application used as input for wbPK computation;
-   *                          maybe <code>null</code> if the application is a public service
-   * @param oaURL public URL of online application requested
-   * @param gebDat The date of birth from the identity link.
-   * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
-   * 
-   * @return String representation of authentication block 
-   *          <code>&lt;saml:Assertion&gt;</code> built
-   *          
-   * @throws BuildException If an error occurs on serializing an extended SAML attribute 
-   *                        to be appended to the AUTH-Block.
-   */
-  public String buildAuthBlockForeignID(
-    String issuer, 
-    String issueInstant, 
-    String authURL, 
-    String target,
-    String identityLinkValue, 
-    String identityLinkType,
-    String oaURL, 
-    String gebDat,
-    List<ExtendedSAMLAttribute> extendedSAMLAttributes,
-    IAuthenticationSession session,
-    IOAAuthParameters oaParam)
-  throws BuildException
-  {
-    session.setSAMLAttributeGebeORwbpk(true);
-    String gebeORwbpk = "";
-    String wbpkNSDeclaration = "";
-        
-    if (target == null) {
-      // OA is a business application
-      if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
-        // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
-         gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
-         wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
-         
-         //BZ.., adding type of wbPK domain identifier        
-        ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = 
-             new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-            
-        extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
-        //..BZ
-         
-      } else {
-        // We do not have a wbPK, therefore no SAML-Attribute is provided
-        session.setSAMLAttributeGebeORwbpk(false);
-      }
-    } else {
-      // OA is a govermental application
-      //BZ..
-      String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);      
-      //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
-      gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
-      //..BZ
-      
-      //BZ.., no business service, adding bPK
       
-      Element bpkSamlValueElement;
-      try {
-         bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
-      } catch (Exception e) {
-         Logger.error("Error on building AUTH-Block: " + e.getMessage());
-          throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
-      } 
-            
-      ExtendedSAMLAttribute bpkAttribute = 
-          new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-         
-     extendedSAMLAttributes.add(bpkAttribute);
-      //gebeORwbpk = gebeORwbpk  + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
-     wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
-     //..BZ     
-    }
-    
-    //BZ.., adding friendly name of OA    
-    String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); 
-    
-    ExtendedSAMLAttribute oaFriendlyNameAttribute = 
-         new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-    
-    extendedSAMLAttributes.add(oaFriendlyNameAttribute);
-    //..BZ
-    
-    String text = "";
-    if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
-		Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
-		text = oaParam.getAditionalAuthBlockText();
-	}
-    
-   	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
-   			new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
-    
-   	//generate unique AuthBlock tokken
-   	String uniquetokken = Random.nextRandom();
-   	session.setAuthBlockTokken(uniquetokken);
-   	
-    String assertion;
-    try {
-      assertion = MessageFormat.format(
-        AUTH_BLOCK, new Object[] { 
-          wbpkNSDeclaration, 
-          issuer, 
-          issueInstant, 
-          authURL, 
-          gebeORwbpk, 
-          oaURL, 
-          gebDat,
-          specialText,
-          MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, 
-       			new Object[] { uniquetokken }),
-          buildExtendedSAMLAttributes(extendedSAMLAttributes)});
     } catch (ParseException e) {
       Logger.error("Error on building AUTH-Block: " + e.getMessage());
       throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+      
     }
     
     return assertion;
     
   }
   
-  public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) {
-	   	Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
-	   	SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
-	   	SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
-	 
-	   	String text = inputtext.replaceAll("#NAME#", issuer);
-	    text = text.replaceAll("#BIRTHDAY#", gebDat);
-	   	text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime()));
-	   	text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime()));
-	   	
-	   	return text;
+  public static String generateSpecialText(String inputtext, Map<String, String> specialAuthBlockTextPatterns) {	   	
+	  Iterator<Entry<String, String>> it = specialAuthBlockTextPatterns.entrySet().iterator();
+	  String text = inputtext;
+	  while (it.hasNext()) {
+		  Entry<String, String> el = it.next();
+		  text = text.replaceAll(el.getKey(), el.getValue());
+		  
+	  }
+	  
+	  return text;
+	
   }
   
   public static String xmlToString(Node node) {
@@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 		    String issuer, 
 		    String issueInstant, 
 		    String authURL, 
-		    String target,
-		    String targetFriendlyName,
-		    String identityLinkValue, 
-		    String identityLinkType,
 		    String oaURL, 
 		    String gebDat,
 		    List<ExtendedSAMLAttribute> extendedSAMLAttributes,
 		    IAuthenticationSession session,
-		    IOAAuthParameters oaParam)
+		    IOAAuthParameters oaParam,
+		    Map<String, String> specialAuthBlockTextPatterns)
 		  throws BuildException
 		  {
 		    session.setSAMLAttributeGebeORwbpk(true);
 		    String gebeORwbpk = "";
 		    String wbpkNSDeclaration = "";
-		           
-		    if (target != null) {
-		      
-		      boolean useMandate = session.isMandateUsed();
-		      if (useMandate) {
-		    	  //String mandateReferenceValue = Random.nextRandom();
-		    	  String mandateReferenceValue = Random.nextProcessReferenceValue();
-		    	  // remove leading "-"
-		    	  if (mandateReferenceValue.startsWith("-"))
-		    		  mandateReferenceValue = mandateReferenceValue.substring(1);
-		    		 
-		    	  session.setMandateReferenceValue(mandateReferenceValue);
+
+		    //add mandate reference-value if mandates are used
+		    if (session.isMandateUsed()) {
+		    	String mandateReferenceValue = Random.nextProcessReferenceValue();		    		 
+		    	session.setMandateReferenceValue(mandateReferenceValue);
 		    		 
-		    	  ExtendedSAMLAttribute mandateReferenceValueAttribute = 
-		    		  new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+		    	ExtendedSAMLAttribute mandateReferenceValueAttribute = 
+	    			  new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
 		    	            
-		    	  extendedSAMLAttributes.add(mandateReferenceValueAttribute);
-		      }
+		    	extendedSAMLAttributes.add(mandateReferenceValueAttribute);
 		    }
+
 		    
 		    //adding friendly name of OA
 		    String friendlyname;
 			try {
-				friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();
-	
-		    ExtendedSAMLAttribute oaFriendlyNameAttribute = 
-		         new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-		    
-		    extendedSAMLAttributes.add(oaFriendlyNameAttribute);
-		    
-		    
-		    String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
+				friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();	
+				ExtendedSAMLAttribute oaFriendlyNameAttribute = 
+						new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+				extendedSAMLAttributes.add(oaFriendlyNameAttribute);
 		    
+				
+		    //generate special AuthBlock text
+		    String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();		    
 		    if (MiscUtil.isEmpty(text))
 		    	text="";
 		   	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
-		   			new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
+		   			new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) });
 	
+		   	
 		   	//generate unique AuthBlock tokken
-		   	String uniquetokken = Random.nextRandom();
+		   	String uniquetokken = Random.nextProcessReferenceValue();
 		   	session.setAuthBlockTokken(uniquetokken);
 		
-		    String assertion;
-    	
-		      assertion = MessageFormat.format(
+		    String assertion = MessageFormat.format(
 		        AUTH_BLOCK, new Object[] { 
 		          wbpkNSDeclaration, 
 		          issuer, 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
index 608f50200..88a235978 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
@@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 				
 		    	//get Target from config or from request in case of SAML 1				
 				String target = null;
-				if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && 
+				if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) && 
 						pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
-					target = pendingReq.getGenericData("target", String.class);
-				else
-					target = oaParam.getTarget();
-								
+					target = pendingReq.getGenericData("saml1_target", String.class);
+
+				
 		    	String bkuURL = oaParam.getBKUURL(bkuid);
 		    	if (MiscUtil.isEmpty(bkuURL)) {
 		    		Logger.info("No OA specific BKU defined. Use BKU from default configuration");
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
index 975dec429..d2fd4d1de 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
@@ -35,7 +35,6 @@ import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8");
 	        
 	        //TODO: check in case of SSO!!!
-	        String targetType = null;  
-	        if(oaParam.getBusinessService()){
-	        	targetType = oaParam.getIdentityLinkDomainIdentifier();
-	        	
-	        } else {
-	        	targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
-	        	
-	        }
+	        String targetType = oaParam.getAreaSpecificTargetIdentifier();  
 	        
 	        revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index a227ab5be..da96bfe54 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.ValidateException;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
@@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator {
    * @param session
  * @param pendingReq 
    * @throws ValidateException
+ * @throws BuildException 
+ * @throws ConfigurationException 
    */
   public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
-   throws ValidateException {
+   throws ValidateException, BuildException, ConfigurationException {
       
       // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
     IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
-	  
-    String gbTarget = pendingReq.getGenericData(
-    		MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
-    String targetFriendlyName = pendingReq.getGenericData(
-    		MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
     String oaURL = oaParam.getPublicURLPrefix(); 
-    boolean businessService = oaParam.getBusinessService();
-    
     IIdentityLink identityLink = session.getIdentityLink();
     
+    @Deprecated
+	String saml1RequestedTarget = pendingReq.getGenericData(
+			MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+	@Deprecated
+	String saml1RequestedFriendlyName = pendingReq.getGenericData(
+			MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
+    
+                
     Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); 
+        
+    //validate issuer
     String issuer = samlAssertion.getAttribute("Issuer");
     if (issuer == null) {
       // should not happen, because parser would dedect this
       throw new ValidateException("validator.32", null);
     }
     // replace ' in name with &#39;
-    issuer = issuer.replaceAll("'", "&#39;");
+    issuer = issuer.replaceAll("'", "&#39;");    
+    if (!issuer.equals(identityLink.getName()))
+        throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
+        
     
+    //validate issuerInstant
     String issueInstant = samlAssertion.getAttribute("IssueInstant");
-    if (!issueInstant.equals(session.getIssueInstant())) {
-      throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
-    }
+    if (!issueInstant.equals(session.getIssueInstant()))
+    	throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
     
-    String name = identityLink.getName();
     
-    if (!issuer.equals(name)) {
-      throw new ValidateException("validator.33", new Object[] {issuer, name});
-    }     
-       
+    //validate extended attributes            
     SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
 
     boolean foundOA = false;
@@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator {
     boolean foundWBPK = false;
     int offset = 0;
     
-    // check number of SAML aatributes
+    // check number of SAML attributes
     List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
     int extendedSAMLAttributesNum = 0;
     if (extendedSAMLAttributes != null) {
-      extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+    	extendedSAMLAttributesNum = extendedSAMLAttributes.size();
     }
-    int expectedSAMLAttributeNumber = 
-      AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+    int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+    
+    //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
     if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+    
+    //check number of attributes in AuthBlock response against expected number of attributes 
     int actualSAMLAttributeNumber = samlAttributes.length;
     if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
-      Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
-        expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
-      throw new ValidateException(
-        "validator.36", 
-        new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+    	Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
+    			expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+    	throw new ValidateException("validator.36", 
+    		  new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+    	
     }
     
-    SAMLAttribute samlAttribute;
-    if (session.getSAMLAttributeGebeORwbpk()) {
-      // check the first attribute ("Geschaeftsbereich" or "wbPK")
-      samlAttribute = samlAttributes[0];
-      if (businessService) {
-        if (!samlAttribute.getName().equals("wbPK")) {
-          if (samlAttribute.getName().equals("Geschaeftsbereich")) {
-            throw new ValidateException("validator.26", null);
-          } else {
-            throw new ValidateException(
-            "validator.37", 
-            new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
-          }
-        }          
-        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
-          foundWBPK = true;
-          try {
-            Element attrValue = (Element)samlAttribute.getValue();
-            String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
-            String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
-            if (!value.equals(identityLink.getIdentificationValue())) {
-              throw new ValidateException("validator.28", null); 
-            }
-            if (!type.equals(identityLink.getIdentificationType())) {
-              throw new ValidateException("validator.28", null); 
-            }
-          } catch (Exception ex) {
-            throw new ValidateException("validator.29", null);
-          }
-        } else {
-          throw new ValidateException("validator.30", null);
-        }    
-      } else {
-        if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
-          if (samlAttribute.getName().equals("wbPK")) {
-            throw new ValidateException("validator.26", null);
-          } else {
-            throw new ValidateException(
-            "validator.37", 
-            new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
-          }
-        }
-        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
-          foundGB = true;          
-          String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget);
-          if (StringUtils.isEmpty(sectorName)) {
-        	  if (targetFriendlyName != null)
-        		  sectorName = targetFriendlyName; 
-          }
-          gbTarget = gbTarget + " (" + sectorName + ")";
-          //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")";
+    //now check every single attribute
+    SAMLAttribute samlAttribute = null;
+    Pair<String, String> userSectorId = null;
+    if (session.getSAMLAttributeGebeORwbpk()) {      
+    	//check the first attribute ("Geschaeftsbereich" or "wbPK")
+    	samlAttribute = samlAttributes[0];
+    	
+    	//calculate bPK or wbPK as reference value for validation    	
+    	if (MiscUtil.isNotEmpty(saml1RequestedTarget))
+    		userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+    				identityLink.getIdentificationValue(), identityLink.getIdentificationType(), 
+    				saml1RequestedTarget);
+    	else
+    		userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+    				identityLink.getIdentificationValue(), identityLink.getIdentificationType(), 
+    				oaParam.getAreaSpecificTargetIdentifier());
+    	
+    	//every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
+    	// is internally handled as an AuthBlock with wbPK 
+    	if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+    		if (!samlAttribute.getName().equals("wbPK")) {
+    			if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+    				throw new ValidateException("validator.26", null);
+    				
+    			} else {
+    				throw new ValidateException("validator.37", 
+    						new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+    			}
+    		}
+    		
+    		if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
+    			foundWBPK = true;
+    			try {
+    				Element attrValue = (Element)samlAttribute.getValue();
+    				String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+    				String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+    				if (!value.equals(userSectorId.getFirst()))
+    					throw new ValidateException("validator.28", null); 
 
-          if (!gbTarget.equals((String)samlAttribute.getValue())) {
-            throw new ValidateException("validator.13", null); 
-          }             
-        } else {
-          throw new ValidateException("validator.12", null);
-        }
-      }
-    } else {
-      offset--;
-    }
+    				if (!type.equals(userSectorId.getSecond()))
+    					throw new ValidateException("validator.28", null); 
+    				
+    			} catch (Exception ex) {
+    				throw new ValidateException("validator.29", null);
+    			}
+    			
+    		} else
+    			throw new ValidateException("validator.30", null);
+    		
+    	} else {
+    		if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+    			if (samlAttribute.getName().equals("wbPK"))
+    				throw new ValidateException("validator.26", null);
+          
+    			else
+    				throw new ValidateException("validator.37", 
+    						new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+    		}
+    	  
+    		if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
+    			foundGB = true;
+          
+    			String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
+    			if (StringUtils.isEmpty(sectorName)) {
+    				if (saml1RequestedFriendlyName != null)
+    					sectorName = saml1RequestedFriendlyName;
+    				else 
+    					sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+    			}
+    			
+    			String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
+    			if (!refValueSector.equals((String)samlAttribute.getValue()))
+    				throw new ValidateException("validator.13", null);             
+    	  
+    		} else
+    			throw new ValidateException("validator.12", null);
+    	  
+      		}
+    	
+    	} else
+    		//check nothing if wbPK or public SP target is not part of AuthBlock
+    		offset--;
+
+    	// check the second attribute (must be "OA")
+    	samlAttribute = samlAttributes[1 + offset];
+    	if (!samlAttribute.getName().equals("OA"))
+    		throw new ValidateException("validator.37", 
+    				new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+
+    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+    		foundOA = true;            
+    		if (!oaURL.equals((String)samlAttribute.getValue()))             
+    			throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+    		
+    	} else
+    		throw new ValidateException("validator.15", null);
 
-    // check the second attribute (must be "OA")
-    samlAttribute = samlAttributes[1 + offset];
-    if (!samlAttribute.getName().equals("OA")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      foundOA = true;            
-      if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch             
-        throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); 
-      }             
-    } else {
-      throw new ValidateException("validator.15", null);
-    }
       
-    // check the third attribute (must be "Geburtsdatum")
-    samlAttribute = samlAttributes[2 + offset];
-    if (!samlAttribute.getName().equals("Geburtsdatum")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      String samlDateOfBirth = (String)samlAttribute.getValue();
-      String dateOfBirth = identityLink.getDateOfBirth();
-      if (!samlDateOfBirth.equals(dateOfBirth)) {
-        throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
-      }
-    } else {
-      throw new ValidateException("validator.35", null);
-    }
+    	// check the third attribute (must be "Geburtsdatum")
+    	samlAttribute = samlAttributes[2 + offset];
+    	if (!samlAttribute.getName().equals("Geburtsdatum"))
+    		throw new ValidateException("validator.37", 
+    				new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+    	
+    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+    		String samlDateOfBirth = (String)samlAttribute.getValue();
+    		String dateOfBirth = identityLink.getDateOfBirth();
+    		if (!samlDateOfBirth.equals(dateOfBirth))
+    			throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+    		
+    	} else
+    		throw new ValidateException("validator.35", null);
      
-    // check four attribute could be a special text
-    samlAttribute = samlAttributes[3 + offset];
-    if (!samlAttribute.getName().equals("SpecialText")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      String samlSpecialText = (String)samlAttribute.getValue();
-      samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+    	// check four attribute could be a special text
+    	samlAttribute = samlAttributes[3 + offset];
+    	if (!samlAttribute.getName().equals("SpecialText"))
+    		throw new ValidateException("validator.37", 
+    				new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+   
+    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+    		String samlSpecialText = (String)samlAttribute.getValue();
+    		samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
       
-      String text = "";
-      if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
-		Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
-		text = oaParam.getAditionalAuthBlockText();
-      }
+    		String text = "";
+    		if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+    			Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+    			text = oaParam.getAditionalAuthBlockText();
+    			
+    		}
             
-      String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant);
-      if (!samlSpecialText.equals(specialText)) {
-    	  throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
-      }
-    } else {
-      throw new ValidateException("validator.35", null);
+    		String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, 
+    				AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+    						pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+    		if (!samlSpecialText.equals(specialText))
+    			throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+    		
+    	} else
+    		throw new ValidateException("validator.35", null);
       
-    }
-    
-    
-    //check unique AuthBlock tokken
-    samlAttribute = samlAttributes[4 + offset];
-    if (!samlAttribute.getName().equals("UniqueTokken")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      String uniquetokken = (String)samlAttribute.getValue();
+        
+    	//check unique AuthBlock tokken
+    	samlAttribute = samlAttributes[4 + offset];
+    	if (!samlAttribute.getName().equals("UniqueTokken"))
+    		throw new ValidateException("validator.37", 
+    				new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+    	
+    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+    		String uniquetokken = (String)samlAttribute.getValue();
            
-      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
-        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
-      }
-    } else {
-      throw new ValidateException("validator.35", null);
-    }
-    
-    
-    // now check the extended SAML attributes
-    int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
-    if (extendedSAMLAttributes != null) {
-      Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
-      while (it.hasNext()) {
-        ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
-        samlAttribute = samlAttributes[i];
-        String actualName = samlAttribute.getName();
-        String expectedName = extendedSAMLAttribute.getName();
-        if (!actualName.equals(expectedName)) {
-          throw new ValidateException(
-            "validator.38", 
-            new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
-        }
-        String actualNamespace = samlAttribute.getNamespace();
-        String expectedNamespace = extendedSAMLAttribute.getNameSpace();
-        if (!actualNamespace.equals(expectedNamespace)) {
-          throw new ValidateException(
-            "validator.38", 
-            new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
-        }
-        Object expectedValue = extendedSAMLAttribute.getValue();
-        Object actualValue = samlAttribute.getValue();
-        try {
-          if (expectedValue instanceof String) {
-            // replace \r\n because text might be base64-encoded
-            String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
-            expValue = StringUtils.replaceAll(expValue,"\n","");
-            String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
-            actValue = StringUtils.replaceAll(actValue,"\n","");
-            if (!expValue.equals(actValue)) {
-              throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });          
-            }
-          } else if (expectedValue instanceof Element) {
-            // only check the name of the element
-            String actualElementName = ((Element)actualValue).getNodeName();
-            String expectedElementName = ((Element)expectedValue).getNodeName();
-            if (!(expectedElementName.equals(actualElementName))){
-              throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});          
-            }
-          } else {
-            // should not happen
-            throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
-          }
-        } catch (ClassCastException e) {
-          throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
-        }
-        i++;
-      }
-    }
-    
+    		if (!uniquetokken.equals(session.getAuthBlockTokken()))
+    			throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+    	} else
+    		throw new ValidateException("validator.35", null);
     
-    if (!foundOA) throw new ValidateException("validator.14", null); 
-    if (businessService) {
-      if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null);
-    } else {
-      if (!foundGB) throw new ValidateException("validator.11", null);
-    }
+    	
+    	// now check the extended SAML attributes
+    	int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
+    	if (extendedSAMLAttributes != null) {
+    		Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+    		while (it.hasNext()) {
+    			ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+    			samlAttribute = samlAttributes[i];
+    			String actualName = samlAttribute.getName();
+    			String expectedName = extendedSAMLAttribute.getName();
+    			if (!actualName.equals(expectedName))
+    				throw new ValidateException("validator.38", 
+    						new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+
+    			String actualNamespace = samlAttribute.getNamespace();
+    			String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+    			if (!actualNamespace.equals(expectedNamespace))
+    				throw new ValidateException("validator.38", 
+    						new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+
+    			Object expectedValue = extendedSAMLAttribute.getValue();
+    			Object actualValue = samlAttribute.getValue();
+    			try {
+    				if (expectedValue instanceof String) {
+    					// replace \r\n because text might be base64-encoded
+    					String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+    					expValue = StringUtils.replaceAll(expValue,"\n","");
+    					String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+    					actValue = StringUtils.replaceAll(actValue,"\n","");
+    					if (!expValue.equals(actValue))
+    						throw new ValidateException("validator.38", 
+    								new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+    					
+    				} else if (expectedValue instanceof Element) {
+    					// only check the name of the element
+    					String actualElementName = ((Element)actualValue).getNodeName();
+    					String expectedElementName = ((Element)expectedValue).getNodeName();
+    					if (!(expectedElementName.equals(actualElementName))) 
+    						throw new ValidateException("validator.38", 
+    								new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+    					
+    				} else
+    					// should not happen
+    					throw new ValidateException("validator.38", 
+    							new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+        
+    			} catch (ClassCastException e) {
+    				throw new ValidateException("validator.38", 
+    						new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+    			}
+    			
+    			i++;
+    		}
+    	}
+        
+    	if (!foundOA) 
+    		throw new ValidateException("validator.14", null);
+    	
+    	if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+    		if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) 
+    			throw new ValidateException("validator.31", null);
+    	
+    	} else {
+    		if (!foundGB) 
+    			throw new ValidateException("validator.11", null);
+    	}
   
-     //Check if dsig:Signature exists
-//    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
-//    if (nl.getLength() != 1) {
-//      throw new ValidateException("validator.05", null);
-//    }
-    Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
-    if (dsigSignature == null) {    
-      throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
-    }
+    	//Check if dsig:Signature exists
+    	Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+    	if (dsigSignature == null)    
+    		throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+    	
   }
   
   /**
@@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator {
       try {
     	 if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
     		text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
-			Logger.info("Use addional AuthBlock Text from SSO=" +text);
+			Logger.debug("Use addional AuthBlock Text from SSO=" +text);
 			
     	 }
 		else
@@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator {
       }
       
       
-      	String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant);
+      	String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, 
+      			AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+						pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
       	if (!samlSpecialText.equals(specialText)) {
       		throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
       	}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 4953dad02..c4ea80df9 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator {
     // to be ignored
     boolean ignoreManifestValidationResult = false;
     if (whatToCheck.equals(CHECK_IDENTITY_LINK))    	
-    	ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
+    	ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true
             : false;
     
     if (ignoreManifestValidationResult) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index 55562176d..09c64c267 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -66,10 +66,10 @@ import org.w3c.dom.NodeList;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.ValidateException;
 import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
 import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.BoolUtils;
 import at.gv.egovernment.moa.util.Constants;
@@ -688,7 +688,7 @@ public class ParepUtils {
    *          <code>false</code> calculates (w)bPKs and changes also the <code>pr:Identifivation/pr:Type</code> elements.
    * @return The element where Stammzahlen are hidden.
    */
-  public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank) 
+  public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank) 
     throws BuildException {
     try {
       if (hideElement != null) {
@@ -706,20 +706,11 @@ public class ParepUtils {
             }
             if (blank) {
               idValueNode.setNodeValue("");
-            } else {
-              String idValue = idValueNode.getNodeValue();
-              if (businessApplication) {
-                // wbPK berechnen
-                idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID);
-                String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID);
-                idValueNode.setNodeValue(bpkBase64);
-
-              } else {
-                // bPK berechnen
-                idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK);
-                String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target);
-                idValueNode.setNodeValue(bpkBase64);
-              }
+              
+            } else {              
+              Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId);
+              idValueNode.setNodeValue(calcId.getFirst());
+              
             }
           }
         }
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
index 0db2b26a8..0207eb6c9 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
@@ -7,4 +7,35 @@
   </parent>
   <artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId>
   <description>BKA MobileAuth Test for SAML2 applications</description>
+  
+	<dependencies>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcprov-jdk15on</artifactId>
+			<version>1.52</version>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk15on</artifactId>
+			<version>1.52</version>
+		</dependency>
+		
+						<!-- JSON JWT implementation -->
+		<dependency>
+			<groupId>com.googlecode.jsontoken</groupId>
+			<artifactId>jsontoken</artifactId>
+			<version>1.1</version>
+			<exclusions>
+				<exclusion>
+					<groupId>javax.servlet</groupId>
+					<artifactId>servlet-api</artifactId>
+				</exclusion>
+				<exclusion>
+					<artifactId>google-collections</artifactId>
+					<groupId>com.google.collections</groupId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+	</dependencies>
+  
 </project>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
index 44554e21d..0cef4cb41 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
@@ -30,9 +30,11 @@ import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Autowired;
 
 import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.FirstBKAMobileAuthTask;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -45,7 +47,8 @@ public class BKAMobileAuthModule implements AuthModule {
 
 	private int priority = 1;
 	
-	@Autowired protected AuthConfiguration authConfig;
+	@Autowired(required=true) protected AuthConfiguration authConfig;
+	@Autowired(required=true) private AuthenticationManager authManager;
 	
 	private List<String> uniqueIDsDummyAuthEnabled = new ArrayList<String>();
 	
@@ -77,7 +80,10 @@ public class BKAMobileAuthModule implements AuthModule {
 				for (String el : uniqueIDsDummyAuthEnabled)
 					Logger.info("   EntityID: " + el);
 			}
-		}		
+		}
+		
+		//parameter to whiteList
+		authManager.addParameterNameToWhiteList(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW);
 	}
 	
 	/* (non-Javadoc)
@@ -87,10 +93,22 @@ public class BKAMobileAuthModule implements AuthModule {
 	public String selectProcess(ExecutionContext context) {		
 		String spEntityID = (String) context.get(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER);
 		if (MiscUtil.isNotEmpty(spEntityID)) {				
-			if (uniqueIDsDummyAuthEnabled.contains(spEntityID))			
-				return "BKAMobileAuthentication";
-			
-		}
+			if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) {
+				String eIDBlob = (String)context.get(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW);
+				if (eIDBlob != null && MiscUtil.isNotEmpty(eIDBlob.trim())) {				
+					return "BKAMobileAuthentication";
+					
+				} else {
+					Logger.debug("Dummy-auth are enabled for " + spEntityID + " but no '"
+							+ FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW + "' req. parameter available.");
+					
+				}
+				
+			} else
+				Logger.debug("Unique SP-Id: " + spEntityID + " is not in whitelist of mobile-auth module.");
+						
+		} else
+			Logger.debug("No unique service-provider identifier!");
 		
 		return null;
 	}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
index 884129453..aa16a9172 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
@@ -56,7 +56,7 @@ public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvid
 	 */
 	@Override
 	public String getName() {
-		return "BKA MobileAuth SAML2 Test";
+		return "Module for 'Mobile-Auth with Crypto-Binding'";
 	}
 
 }
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
index 66112edc5..43043ddd6 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
@@ -22,16 +22,56 @@
  */
 package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.cert.CertificateException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
+import org.bouncycastle.cms.CMSSignedData;
+import org.joda.time.DateTime;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonParser;
+
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement;
+import at.gv.egovernment.moa.spss.api.common.SignerInfo;
+import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 
 /**
@@ -41,6 +81,20 @@ import at.gv.egovernment.moa.logging.Logger;
 @Component("FirstBKAMobileAuthTask")
 public class FirstBKAMobileAuthTask extends AbstractAuthServletTask {
 
+	private static final String CONF_MOASPSS_TRUSTPROFILE = "modules.bkamobileAuth.verify.trustprofile";
+	private static final String CONF_SIGNING_TIME_JITTER = "modules.bkamobileAuth.verify.time.jitter";
+	private static final String CONF_EID_TOKEN_ENCRYPTION_KEY = "modules.bkamobileAuth.eIDtoken.encryption.pass";
+	
+	private static final String EIDCONTAINER_KEY_SALT = "salt";
+	private static final String EIDCONTAINER_KEY_IV = "iv";
+	private static final String EIDCONTAINER_EID = "eid";
+	private static final String EIDCONTAINER_KEY_IDL = "idl";
+	private static final String EIDCONTAINER_KEY_BINDINGCERT = "cert";
+	
+	public static final String REQ_PARAM_eID_BLOW = "eidToken";
+	
+	@Autowired(required=true) private AuthConfiguration authConfig;
+		
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 	 */
@@ -48,9 +102,196 @@ public class FirstBKAMobileAuthTask extends AbstractAuthServletTask {
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
 			throws TaskExecutionException {
 
-		Logger.info("Redirect to Second BKA Mobile Auth task");	
-		performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+		try {
+			String eIDBlobRawB64 = request.getParameter(REQ_PARAM_eID_BLOW);
+			if (MiscUtil.isEmpty(eIDBlobRawB64)) {
+				//TODO: add dummy-auth functionality
+				
+				Logger.warn("NO eID data blob included!");
+				throw new MOAIDException("NO eID data blob included!", null);
+			}
+								
+			parseDemoValuesIntoMOASession(pendingReq, pendingReq.getMOASession(), eIDBlobRawB64);
+			
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}	
+				
+		//Logger.info("Redirect to Second BKA Mobile Auth task");	
+		//performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+
+	}
+	
+	/**
+	 * @param pendingReq
+	 * @param moaSession
+	 * @param eIDBlobRaw 
+	 * @throws MOAIDException 
+	 * @throws IOException 
+	 */
+	private void parseDemoValuesIntoMOASession(IRequest pendingReq, IAuthenticationSession moaSession, String eIDBlobRawB64) throws MOAIDException, IOException {
+		Logger.debug("Check eID blob signature  ... ");
+		byte[] eIDBlobRaw = Base64Utils.decode(eIDBlobRawB64.trim(), false);
+		
+		VerifyCMSSignatureResponse cmsResp = SignatureVerificationInvoker.getInstance().verifyCMSSignature(
+				createCMSVerificationReq(eIDBlobRaw));
+		
+		if (cmsResp.getResponseElements().isEmpty()) {
+			Logger.warn("No CMS signature-verification response");
+			throw new MOAIDException("Signature verification FAILED: No response", null);
+			
+		}
+		VerifyCMSSignatureResponseElement sigVerifyResp = (VerifyCMSSignatureResponseElement) cmsResp.getResponseElements().get(0);
+		analyseCMSSignatureVerificationResponse(sigVerifyResp);
+
+		
+		Logger.info("eID blob signature is VALID!");
+		byte[] decRawEidBlob = null;
+		byte[] signedData = null;
+		try {
+			Logger.debug("Starting eID information extraction ... ");			
+			CMSSignedData cmsContent = new CMSSignedData(eIDBlobRaw);
+			signedData = (byte[])cmsContent.getSignedContent().getContent();
+			if (!cmsContent.getSignedContent().getContentType().equals(CMSObjectIdentifiers.data)) {
+				Logger.warn("Signature contains NO 'data' OID 1.2.840.113549.1.7.1");
+				throw new MOAIDException("Signature contains NO 'data' OID 1.2.840.113549.1.7.1", null);				
+			}
+			if (signedData == null) {
+				Logger.warn("CMS SignedData is empty or null");
+				throw new MOAIDException("CMS SignedData is empty or null", null);	
+			}
+			Logger.info("Signed content extracted");
+			
+			
+			Logger.debug("Starting  signed content decryption ... ");
+			JsonParser parser = new JsonParser();
+			JsonObject signedDataJson = (JsonObject) parser.parse(new String(signedData, "UTF-8"));						
+			byte[] salt = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_SALT).getAsString(), false);
+			byte[] ivraw = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_IV).getAsString(), false);
+			byte[] encRawEidBlob = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_EID).getAsString(), false);			
+			SecretKey seckey = generateDecryptionKey(salt);					
+			IvParameterSpec iv = new IvParameterSpec(ivraw);									
+	        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+	        cipher.init(Cipher.DECRYPT_MODE, seckey, iv);
+	        decRawEidBlob = cipher.doFinal(encRawEidBlob);
+			Logger.info("eID data decryption completed");
+			
+			
+			Logger.debug("Starting eID-blob parsing ...");			
+		    JsonObject eIDBlobJson = (JsonObject) parser.parse(new String(decRawEidBlob, "UTF-8"));	
+		    String idlB64 = eIDBlobJson.get(
+		    		EIDCONTAINER_KEY_IDL).getAsString();
+		    String bindingCertB64 = eIDBlobJson.get(
+		    		EIDCONTAINER_KEY_BINDINGCERT).getAsString();	
+			javax.security.cert.X509Certificate bindingCert = javax.security.cert.X509Certificate.getInstance(Base64Utils.decode(bindingCertB64, false));
+		    if (!sigVerifyResp.getSignerInfo().getSignerCertificate().equals(bindingCert)) {
+		    	Logger.error("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!");
+		    	Logger.info("BindingCert: " + bindingCert.toString());
+		    	Logger.info("SigningCert: " + sigVerifyResp.getSignerInfo().getSignerCertificate().toString());
+		    	throw new MOAIDException("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!", null);
+		    	
+		    }
+		    Logger.info("eID-blob parsing completed");
+		    
+		    
+			Logger.debug("Parse eID information into MOA-Session ...");
+			byte[] rawIDL = Base64Utils.decode(idlB64, false);
+			IIdentityLink identityLink = new IdentityLinkAssertionParser(new ByteArrayInputStream(rawIDL)).parseIdentityLink();			
+			moaSession.setIdentityLink(identityLink);
+			moaSession.setUseMandates(false);
+			moaSession.setForeigner(false);			
+			moaSession.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest");			
+			moaSession.setQAALevel(PVPConstants.STORK_QAA_1_3);
+			Logger.info("Session Restore completed");
+			
+			
+		} catch (MOAIDException e) {
+			throw e;
+			
+		} catch (JsonParseException e) {
+			if (decRawEidBlob != null)
+				Logger.error("eID-blob parse error! blob: " + new String(decRawEidBlob, "UTF-8"), e);
+			
+			if (signedData != null)
+				Logger.error("eID-blob parse error! blob: " + new String(signedData, "UTF-8"), e);
+			
+			if (decRawEidBlob == null && signedData == null)
+				Logger.error("eID-blob parse error!", e);
+			
+			throw new MOAIDException("eID-blob parse error!", null);
+						
+		} catch (org.bouncycastle.cms.CMSException e) {
+			Logger.error("Can not parse CMS signature.", e);
+			throw new MOAIDException("Can not parse CMS signature.", null, e);
+			
+		} catch (InvalidAlgorithmParameterException| NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) {
+			Logger.error("Can not decrypte eID data.", e);
+			throw new MOAIDException("Can not decrypte eID data", null, e);
 
+		} catch (CertificateException e) {
+			Logger.error("Can not extract mobile-app binding-certificate from eID blob.", e);
+			throw new MOAIDException("Can not extract mobile-app binding-certificate from eID blob.", null, e);
+						
+		} finally {
+						
+		}
+		
+	}
+	
+	private SecretKey generateDecryptionKey(byte[] salt) throws MOAIDException {
+		String decryptionPassPhrase = authConfig.getBasicMOAIDConfiguration(CONF_EID_TOKEN_ENCRYPTION_KEY, "DEFAULTPASSWORD");			
+		try {
+			SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+			KeySpec spec = new PBEKeySpec(decryptionPassPhrase.toCharArray(), salt, 2000, 128);
+			SecretKey derivedKey = factory.generateSecret(spec);						
+			SecretKeySpec symKeySpec = new SecretKeySpec(derivedKey.getEncoded(), "AES");			
+			return symKeySpec;
+								
+		} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+			Logger.error("Mobile-Auth Module has an internal errror.", e);
+			throw new MOAIDException("Mobile-Auth Module has an internal errror.", null, e);
+			
+		}
+	}
+	
+	/**
+	 * @throws MOAIDException 
+	 * 
+	 */
+	private void analyseCMSSignatureVerificationResponse(VerifyCMSSignatureResponseElement verifySigResult) throws MOAIDException {
+		//validate CMS signature verification response
+		if (verifySigResult.getSignatureCheck().getCode() != 0) {
+			Logger.warn("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode());
+			throw new MOAIDException("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode(), null);
+			
+		}
+		if (verifySigResult.getCertificateCheck().getCode() != 0) {
+			Logger.warn("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode());
+			throw new MOAIDException("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode(), null);
+			
+		}
+		SignerInfo signerInfos = verifySigResult.getSignerInfo();
+		DateTime date = new DateTime(signerInfos.getSigningTime().getTime());
+		Integer signingTimeJitter = Integer.valueOf(authConfig.getBasicMOAIDConfiguration(CONF_SIGNING_TIME_JITTER, "5"));
+		if (date.plusMinutes(signingTimeJitter).isBeforeNow()) {
+			Logger.warn("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter));
+			throw new MOAIDException("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter), null);
+			
+		}
+		
 	}
 
+	private VerifyCMSSignatureRequest createCMSVerificationReq(byte[] eIDBlobRaw) {
+		VerifyCMSSignatureRequestImpl cmsSigVerifyReq = new VerifyCMSSignatureRequestImpl();		
+		cmsSigVerifyReq.setSignatories(VerifyCMSSignatureRequestImpl.ALL_SIGNATORIES);
+		cmsSigVerifyReq.setExtended(false);
+		cmsSigVerifyReq.setPDF(false);
+		cmsSigVerifyReq.setTrustProfileId(authConfig.getBasicMOAIDConfiguration(CONF_MOASPSS_TRUSTPROFILE, "!!NOT SET!!!"));
+		cmsSigVerifyReq.setCMSSignature(new ByteArrayInputStream(eIDBlobRaw));				
+		return cmsSigVerifyReq;		
+	}
 }
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
index 4a0f4d5f2..6f41f347a 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
@@ -12,8 +12,10 @@
 	<pd:StartEvent id="start" />
 	
 	<pd:Transition from="start" to="firstStep" />	
-	<pd:Transition from="firstStep" to="secondStep"/>		
-	<pd:Transition from="secondStep" to="finalizeAuthentication" />
+	<!-- pd:Transition from="firstStep" to="secondStep"/>			
+	<pd:Transition from="secondStep" to="finalizeAuthentication" /-->
+	
+	<pd:Transition from="firstStep" to="finalizeAuthentication" />
 	
 	<pd:Transition from="finalizeAuthentication"    to="end" />
 	
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index f3d8eeb36..cf3325d24 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -12,11 +12,11 @@
   <properties>
 		<repositoryPath>${basedir}/../../../../repository</repositoryPath>
 		
-		<eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version>
-		<eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version>
-		<eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version>
-		<eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version>
-		<eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version>
+		<eidas-commons.version>1.4.0</eidas-commons.version>
+		<eidas-light-commons.version>1.4.0</eidas-light-commons.version>
+		<eidas-saml-engine.version>1.4.0</eidas-saml-engine.version>
+		<eidas-encryption.version>1.4.0</eidas-encryption.version>
+		<eidas-configmodule.version>1.4.0</eidas-configmodule.version>
 				
 	</properties>
   
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
index d5cbb2cfd..8779436e0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
@@ -93,7 +93,7 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption {
 		//encryption is enabled by default in MOA-ID configuration object 				
 		try {
 			AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance();
-			Boolean useEncryption = moaconfig.getStorkConfig().getCPEPS(countryCode).isXMLSignatureSupported();
+			Boolean useEncryption = moaconfig.getStorkConfig().getCPEPSWithCC(countryCode).isXMLSignatureSupported();
 			String logResult = useEncryption ? " using encryption" : " do not use encrpytion";
 			Logger.debug("eIDAS respone for country " + countryCode + logResult);
 			return useEncryption;
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 490dc9dcf..a2ec47a45 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -189,8 +189,18 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider
 				}										
 			}			
 			for (String el : nonValidMetadataProvider) {
-				loadedproviders.remove(el);
-				isUpdateRequired = true;
+				HTTPMetadataProvider provider = loadedproviders.get(el);
+				
+				//destroy metadata provider
+				if (provider != null) {
+					provider.destroy();
+					loadedproviders.remove(el);
+					isUpdateRequired = true;
+					
+				} else {
+					Logger.error("Can not destroy eIDAS metadata for: " + el + " Reason: !!!!!NOT FOUND ANY MORE!!!!!!");
+					
+				}
 				
 			}
 
@@ -257,6 +267,8 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider
 			
 		}
 		
+		Logger.debug("Find #" + loadedproviders.size() + " eIDAS metadata provider");
+		
 		return loadedproviders;		
 	}
 	
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
index 9895ca79f..5a2253cc8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
@@ -74,10 +74,10 @@ public class MoaEidasConditionsValidator extends ConditionsSpecValidator {
             throw new ValidationException("AudienceRestriction is required.");
         }
 
-        if (conditions.getOneTimeUse() == null) {
-
-            throw new ValidationException("OneTimeUse is required.");
-        }
+//        if (conditions.getOneTimeUse() == null) {
+//
+//            throw new ValidationException("OneTimeUse is required.");
+//        }
 
     }
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index c55b5a749..7242795d4 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -104,7 +104,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 				throw new AuthenticationException("eIDAS.03", new Object[] { "" });
 				
 			}
-			CPEPS cpeps = authConfig.getStorkConfig().getCPEPS(citizenCountryCode);
+			CPEPS cpeps = authConfig.getStorkConfig().getCPEPSWithFullName(citizenCountryCode);
 			if(null == cpeps) {
 				Logger.error("PEPS unknown for country", new Object[] {citizenCountryCode});
 				throw new AuthenticationException("eIDAS.04", new Object[] {citizenCountryCode});
@@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 			authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
 			
 			//set correct SPType for this online application
-			if (oaConfig.getBusinessService())
+			if (oaConfig.hasBaseIdTransferRestriction())
 				authnRequestBuilder.spType(SpType.PRIVATE.getValue());
 			else
 				authnRequestBuilder.spType(SpType.PUBLIC.getValue());
@@ -302,21 +302,20 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 
             String actionType = "SAMLRequest";
             context.put(actionType, SAMLRequest);
-            Logger.debug("Encoded " + actionType + " original: " + SAMLRequest);
-
             context.put("RelayState", pendingReq.getRequestID());
+            context.put("action", authnReqEndpoint.getLocation());
             
             Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
-            context.put("action", authnReqEndpoint.getLocation());
+            Logger.debug("Encoded " + actionType + " original: " + SAMLRequest);
 
-            Logger.debug("Starting template merge");
+            Logger.trace("Starting template merge");
             StringWriter writer = new StringWriter();
 
-            Logger.debug("Doing template merge");
+            Logger.trace("Doing template merge");            
             template.merge(context, writer);
-            Logger.debug("Template merge done");
-
-            Logger.debug("Sending html content: " + writer.getBuffer().toString());
+            
+            Logger.trace("Template merge done");
+            Logger.trace("Sending html content: " + writer.getBuffer().toString());
             
             
             byte[] content = writer.getBuffer().toString().getBytes("UTF-8");	            
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index 17e112c4c..5e83f0a3f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -114,7 +114,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e);
 			
 		}catch (EIDASSAMLEngineException e) {
-			Logger.error("eIDAS AuthnRequest generation FAILED.", e);
+			Logger.warn("eIDAS Response validation FAILED.", e);
+			Logger.debug("eIDAS response was: " + request.getParameter("SAMLResponse"));
 			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, 
 					MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR);
 			throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", 
@@ -127,7 +128,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 					new MOAIDException("init.04", new Object[]{""}, e));
 			
 		} catch (Exception e) {
-			Logger.error("eIDAS Response processing FAILED.", e);
+			Logger.warn("eIDAS Response processing FAILED.", e);
 			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, 
 					MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR);
 			throw new TaskExecutionException(pendingReq, e.getMessage(), 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java
index 22b94178e..f148421bd 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java
@@ -155,17 +155,22 @@ public class eIDASAttributeBuilder extends PVPAttributeBuilder {
 	 * @return true if eIDAS attribute holds the unique ID, otherwise false
 	 */
 	private static boolean evaluateUniqueID(String attrName, boolean useMandate) {
-		//if no mandate is used the natural person identifier is the unique ID
-		if (!useMandate && 
-				attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString()))
-			return true;
-				
-		//if mandates are used the the legal person identifier or the natural person identifier of the mandator is the unique ID
-		else if (useMandate && 
-				attrName.equals(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString()))
+
+		//from eIDAS spec 1.2 there exists single attr. for representation
+		if (attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString()))
 			return true;
 		
-		//TODO: implement flag selector for mandates and natural persons
+		//if no mandate is used the natural person identifier is the unique ID
+//		if (!useMandate && 
+//				attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString()))
+//			return true;
+//				
+//		//if mandates are used the the legal person identifier or the natural person identifier of the mandator is the unique ID
+//		else if (useMandate && 
+//				attrName.equals(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString()))
+//			return true;
+//		
+//		//TODO: implement flag selector for mandates and natural persons
 		
 		
 		return false;
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 4b67370d6..1ce900ebb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -270,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			
 			//validate request country-code against eIDAS node config
 			String reqCC = samlReq.getOriginCountryCode();
-			String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier();
+			String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier();
 
 			//validate eIDAS target
 			Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java
index 51a2bd69b..63a4e89d5 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java
@@ -28,6 +28,7 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonF
  * @author tlenz
  *
  */
+@Deprecated
 public class eIDASAttrLegalName extends MandateLegalPersonFullNameAttributeBuilder implements IeIDASAttribute {
 
 	@Override
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
index c008048cb..4d89aec3d 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
@@ -22,15 +22,47 @@
  */
 package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
 
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
  *
  */
+@Deprecated
 public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute {
 
 	@Override
+	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		if(authData.isUseMandate()) {
+			
+			//extract eIDAS unique Id prefix from naturalPerson bPK identifier
+			if (MiscUtil.isEmpty(authData.getBPKType())
+					|| !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) {
+				Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType());
+				throw new AttributeException("Suspect bPKType for eIDAS identifier generation");
+				
+			} 
+			
+			//add eIDAS eID prefix to legal person identifier
+			String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1);
+			String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData);						
+			return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, 
+					MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID);
+			
+		}
+		
+		return null;
+				
+	}
+	
+	@Override
 	public String getName() {
 		return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString();
 	}	
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeDateOfBirth.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeDateOfBirth.java
new file mode 100644
index 000000000..43d2f96c2
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeDateOfBirth.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBirthDateAttributeBuilder;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttrRepresentativeDateOfBirth extends MandateNaturalPersonBirthDateAttributeBuilder implements IeIDASAttribute {
+
+	@Override
+	public String getName() {
+		return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.DATE_OF_BIRTH.getNameUri().toString();
+		
+	}
+	
+	
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeFamilyName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeFamilyName.java
new file mode 100644
index 000000000..924a275b1
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeFamilyName.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonFamilyNameAttributeBuilder;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttrRepresentativeFamilyName extends MandateNaturalPersonFamilyNameAttributeBuilder implements IeIDASAttribute{
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#getName()
+	 */
+	@Override
+	public String getName() {
+		return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME.getNameUri().toString();		
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeGivenName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeGivenName.java
new file mode 100644
index 000000000..2de585918
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeGivenName.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonGivenNameAttributeBuilder;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttrRepresentativeGivenName extends MandateNaturalPersonGivenNameAttributeBuilder implements IeIDASAttribute{
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#getName()
+	 */
+	@Override
+	public String getName() {
+		return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME.getNameUri().toString();		
+	}
+
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalName.java
new file mode 100644
index 000000000..92456d202
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalName.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonFullNameAttributeBuilder;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttrRepresentativeLegalName extends MandateLegalPersonFullNameAttributeBuilder implements IeIDASAttribute {
+
+	@Override
+	public String getName() {
+		return eu.eidas.auth.engine.core.eidas.spec.RepresentativeLegalPersonSpec.Definitions.LEGAL_NAME.getNameUri().toString();
+	}	
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalPersonIdentifier.java
new file mode 100644
index 000000000..47cc71e01
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalPersonIdentifier.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttrRepresentativeLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute {
+
+	@Override
+	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		if(authData.isUseMandate()) {
+			
+			//extract eIDAS unique Id prefix from naturalPerson bPK identifier
+			if (MiscUtil.isEmpty(authData.getBPKType())
+					|| !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) {
+				Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType());
+				throw new AttributeException("Suspect bPKType for eIDAS identifier generation");
+				
+			} 
+			
+			//add eIDAS eID prefix to legal person identifier
+			String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1);
+			String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData);						
+			return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, 
+					MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID);
+			
+		}
+		
+		return null;
+				
+	}
+	
+	@Override
+	public String getName() {
+		return eu.eidas.auth.engine.core.eidas.spec.RepresentativeLegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString();
+	}	
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeNaturalPersonalIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeNaturalPersonalIdentifier.java
new file mode 100644
index 000000000..52396ae90
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeNaturalPersonalIdentifier.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+import java.security.MessageDigest;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeProcessingUtils;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.data.Trible;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.eidas.EIDASData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttrRepresentativeNaturalPersonalIdentifier extends MandateNaturalPersonBPKAttributeBuilder implements IeIDASAttribute{
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#getName()
+	 */
+	@Override
+	public String getName() {
+		return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString();		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#build(at.gv.egovernment.moa.id.commons.api.IOAAuthParameters, at.gv.egovernment.moa.id.data.IAuthData, at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator)
+	 */
+	@Override
+	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g)
+			throws AttributeException {	
+		
+		try {
+			Pair<String, String> calcResult = internalBPKGenerator(oaParam, authData);
+			if (calcResult != null) {
+				String personalID = calcResult.getFirst();
+				String type = calcResult.getSecond();
+				
+				//generate eIDAS conform 'PersonalIdentifier' attribute
+				if (!eIDASAttributeProcessingUtils.validateEidasPersonalIdentifier(personalID)) {
+					Logger.debug("preCalculated PersonalIdentifier does not include eIDAS conform prefixes ... add prefix now");
+					if (MiscUtil.isEmpty(type)
+							|| !type.startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) {
+						Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType());
+						throw new AttributeException("Suspect bPKType for eIDAS identifier generation");
+						
+					} 
+					
+					String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1);
+					personalID = prefix.replaceAll("\\+", "/") + "/" + personalID;
+												
+				}
+				
+				//generate a transient unique identifier if it is requested
+				Boolean isTransiendIDRequested = 
+						authData.getGenericData(EIDASData.REQ_PARAM_eIDAS_AUTHN_TRANSIENT_ID, Boolean.class);
+				if (isTransiendIDRequested != null && isTransiendIDRequested)
+					personalID = generateTransientNameID(personalID);
+										
+				return g.buildStringAttribute(null, getName(), personalID);
+				
+			}
+
+		} catch (Exception e) {
+			Logger.info("Can not generate eIDAS attr: " + getName() + ". Reason:" + e.getMessage());
+			
+		}
+		
+		return null;
+									
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#buildEmpty(at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator)
+	 */
+	@Override
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return null;
+	}
+
+	private String generateTransientNameID(String nameID) {
+		//extract source-country and destination country from persistent identifier 
+		Trible<String, String, String> split = eIDASAttributeProcessingUtils.parseEidasPersonalIdentifier(nameID);
+		if (split == null) {
+			Logger.error("eIDAS 'PersonalIdentifier' has a wrong format. There had to be a ERROR in implementation!!!!");
+			throw new IllegalStateException("eIDAS 'PersonalIdentifier' has a wrong format. There had to be a ERROR in implementation!!!!");
+			
+		} 
+		
+		//build correct formated transient identifier
+		String random = Random.nextLongRandom();		
+		try {
+			MessageDigest md = MessageDigest.getInstance("SHA-1");
+			byte[] hash = md.digest((split.getThird() + random).getBytes("ISO-8859-1"));			
+			return split.getFirst() + "/" + split.getSecond() + "/" + Base64Utils.encode(hash);
+			
+		} catch (Exception e) {
+			Logger.error("Can not generate transient personal identifier!", e);
+			return null;
+			
+		}
+		
+	}
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index d0cda38c7..ee0f72f34 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -40,7 +40,6 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
 import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SimpleEidasAttributeGenerator;
 import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeBuilder;
 import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -50,15 +49,17 @@ import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
-import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
 import at.gv.egovernment.moa.logging.Logger;
 import eu.eidas.auth.commons.EidasStringUtil;
 import eu.eidas.auth.commons.attribute.AttributeDefinition;
 import eu.eidas.auth.commons.attribute.AttributeValue;
 import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
+import eu.eidas.auth.commons.attribute.ImmutableAttributeMap.Builder;
 import eu.eidas.auth.commons.protocol.IResponseMessage;
 import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse;
 import eu.eidas.auth.engine.ProtocolEngineI;
+import eu.eidas.auth.engine.core.eidas.spec.RepresentativeLegalPersonSpec;
+import eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec;
 import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils;
 
 
@@ -71,12 +72,12 @@ import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils;
 
 @Service("eIDASAuthenticationRequest")
 public class eIDASAuthenticationRequest implements IAction {
-
-	private static IAttributeGenerator<String> generator = new SimpleEidasAttributeGenerator();
 	
 	@Autowired protected MOAReversionLogger revisionsLogger;
 	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
 	
+
+	
 	@Override
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
 		EIDASData eidasRequest;
@@ -89,31 +90,55 @@ public class eIDASAuthenticationRequest implements IAction {
 		String subjectNameID = null;
 				
 		//gather attributes
-		ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();		
-		ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
-
-		//generate eIDAS attributes
-		for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) {
-			Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
-					attr, req.getOnlineApplicationConfiguration(), authData);
+		ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();
+		
+		//add mandate attr. to requested attributes of eMandates are used an no mandate attr. are requested
+		if (authData.isUseMandate()) {
+			Logger.trace("eMandates are used. Starting eIDAS requsted attr. update process ....");
+			Builder reqAttrWithMandates = ImmutableAttributeMap.builder(reqAttributeList);
+			
+			//check if the exists a local builder
+			for (AttributeDefinition<?> el : RepresentativeNaturalPersonSpec.REGISTRY.getAttributes()) {
+				if (eIDASAttributeBuilder.getAllProvideableeIDASAttributes().contains(el.getNameUri().toString())) {
+					if (reqAttributeList.getDefinitionByNameUri(el.getNameUri()) == null) {
+						Logger.debug("Add eIDAS attr: " + el.getNameUri().toString() + " to requested attributes");						
+						reqAttrWithMandates.put(AttributeDefinition.builder(el).required(false).build());
 						
-			if(eIDASAttr == null) {				
-				if (attr.isRequired()) {
-					Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
-					throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
+					}
 										
 				} else
-					Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");	
-				
-			} else {
-				//add attribute to Map
-				attrMapBuilder.put(
-						(AttributeDefinition)eIDASAttr.getFirst(), 
-						(ImmutableSet)eIDASAttr.getSecond());
-				
+					Logger.trace("eIDAS attribute: " + el.getNameUri().toString() + " is not providable by Austrian eIDAS node.");
+															
+			}
+			for (AttributeDefinition<?> el : RepresentativeLegalPersonSpec.REGISTRY.getAttributes()) {
+				if (eIDASAttributeBuilder.getAllProvideableeIDASAttributes().contains(el.getNameUri().toString())) {
+					if (reqAttributeList.getDefinitionByNameUri(el.getNameUri()) == null) {
+						Logger.debug("Add eIDAS attr: " + el.getNameUri().toString() + " to requested attributes");						
+						reqAttrWithMandates.put(AttributeDefinition.builder(el).required(false).build());
+						
+					}
+										
+				} else
+					Logger.trace("eIDAS attribute: " + el.getNameUri().toString() + " is not providable by Austrian eIDAS node.");
+															
 			}
+			
+			reqAttributeList = reqAttrWithMandates.build();
+			Logger.trace("eIDAS requsted attr. update process finished");
+			
 		}
 		
+		Logger.trace("Starting eIDAS response generation ....");
+		
+		//generate eIDAS attributes
+		ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
+		for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions())
+			buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData);
+
+				
+		//build final attibute set
+		ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build();
+		
 		// construct eIDaS response
 		AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder();
 		
@@ -127,7 +152,7 @@ public class eIDASAuthenticationRequest implements IAction {
 		responseBuilder.levelOfAssurance(authData.getEIDASQAALevel());
 		
 		//add attributes
-		responseBuilder.attributes(attrMapBuilder.build());
+		responseBuilder.attributes(eIDASAttrbutMap);
 		
 		//set success statuscode
 		responseBuilder.statusCode(StatusCode.SUCCESS_URI);
@@ -178,8 +203,6 @@ public class eIDASAuthenticationRequest implements IAction {
             template.merge(context, writer);
             Logger.trace("Template merge done");
 
-            Logger.trace("Sending html content  : " + new String(writer.getBuffer()));
-
             byte[] content = writer.getBuffer().toString().getBytes("UTF-8");
             httpResp.setContentType(MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8);
             httpResp.setContentLength(content.length);
@@ -221,6 +244,26 @@ public class eIDASAuthenticationRequest implements IAction {
 		return "eIDAS_AuthnRequest";
 	}
 
+	private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException {
+		Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
+				attr, req.getOnlineApplicationConfiguration(), authData);
+					
+		if(eIDASAttr == null) {				
+			if (attr.isRequired()) {
+				Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
+				throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
+									
+			} else
+				Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");	
+			
+		} else {
+			//add attribute to Map
+			attrMapBuilder.put(
+					(AttributeDefinition)eIDASAttr.getFirst(), 
+					(ImmutableSet)eIDASAttr.getSecond());
+			
+		}			
+	}
 
 	
 	
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder
index 62e7c20ab..3c11c725d 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder
@@ -2,5 +2,10 @@ at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrDateOfBirth
 at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrFamilyName
 at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrGivenName
 at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier
-at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalPersonIdentifier
-at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeDateOfBirth
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeFamilyName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeGivenName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalPersonIdentifier
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeNaturalPersonalIdentifier
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute
index 62e7c20ab..ad87adb6a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute
@@ -2,5 +2,9 @@ at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrDateOfBirth
 at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrFamilyName
 at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrGivenName
 at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier
-at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalPersonIdentifier
-at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeDateOfBirth
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeFamilyName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeGivenName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalName
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalPersonIdentifier
+at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeNaturalPersonalIdentifier
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index d65d74c3f..299eb442e 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
@@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
 			String sourcePinType = moasession.getIdentityLink().getIdentificationType();
 			String sourcePinValue = moasession.getIdentityLink().getIdentificationValue();			
 			if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) {
-				representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget);
+				Pair<String, String> userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget);
+				representativeBPK = userId.getFirst();
 				
 			} else {
 				Logger.debug("No 'SourcePin' found for representative. "
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index f0cf45293..b2522ea33 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -142,11 +142,14 @@ class OAuth20AuthAction implements IAction {
 		// build id token and scope
 		Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
 				authData);
-		Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
+				
 		params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
-		Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
 		params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
 		
+		Logger.debug("OpenID-Connect ID_TOKEN completed");
+		Logger.trace("RESPONSE ID_TOKEN: " + pair.getFirst());
+		Logger.trace("RESPONSE SCOPE: " + pair.getSecond());
+				
 		return params;
 		
 	}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
index 75ea41449..d72fe9686 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -20,6 +20,7 @@ import com.google.gson.JsonObject;
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
+import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
@@ -210,10 +211,13 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController {
 						URLEncoder.encode(errorUri + "#" + moaError, "UTF-8"));
 			
 			
+			String redirectURL = protocolRequest.getAuthURL() + RedirectServlet.SERVICE_ENDPOINT;
+			redirectURL = addURLParameter(redirectURL, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(url.toString(), "UTF-8"));
+						
 			response.setContentType("text/html");
 			response.setStatus(HttpServletResponse.SC_FOUND);
-			response.addHeader("Location", url.toString());
-			Logger.debug("REDIRECT TO: " + url.toString());
+			response.addHeader("Location", redirectURL);
+			Logger.debug("REDIRECT TO: " + redirectURL);
 			return true;
 			
 		} else {
@@ -255,4 +259,13 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController {
 		return true;
 	}
 	
+	protected static String addURLParameter(String url, String paramname,
+			String paramvalue) {
+		String param = paramname + "=" + paramvalue;
+		if (url.indexOf("?") < 0)
+			return url + "?" + param;
+		else
+			return url + "&" + param;
+	}
+	
 }
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
index 985e1d1c5..2117e2ab8 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
@@ -77,14 +77,15 @@ class OAuth20TokenAction implements IAction {
 			if (auth20SessionObject == null || !auth20SessionObject.getCode().equals(oAuthRequest.getCode())) {
 				throw new OAuth20UnauthorizedClientException();
 			} else {
-				Logger.debug("Loaded of OAuth20SessionObject was successful");
+				Logger.debug("Loaded of OAuth20SessionObject was successful. Build jSON response ...");
 			}
 			
 			// create response
 			JsonObject jsonObject = new JsonObject();
 			OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession());
 			byte[] jsonResponse = jsonObject.toString().getBytes("UTF-8");
-			Logger.debug("JSON Response: " + new String(jsonResponse));
+			Logger.debug("jSON response completed.");
+			Logger.trace("jSON response: " + new String(jsonResponse));
 			
 			// write respone to http response
 			httpResp.setContentType("application/json");
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
index 2f6a54027..4ce77d861 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
@@ -75,14 +75,6 @@ public class SSOTransferAuthenticationData implements IAuthData {
 	}
 
 	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
-	 */
-	@Override
-	public boolean isBusinessService() {
-		return this.isIDPPrivateService;
-	}
-
-	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession()
 	 */
 	@Override
@@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData {
 		return this.authSession.getGenericDataFromSession(key, clazz);
 	}
 
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication()
+	 */
+	@Override
+	public boolean isBaseIDTransferRestrication() {
+		return this.isIDPPrivateService;
+	}
+
 }
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
index 3affa17b3..c2132c1f9 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
 import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 
 /**
  * @author tlenz
@@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
 	public SSOTransferOnlineApplication() {
 		
 	}
-	
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
-	 */
-	@Override
-	public boolean getBusinessService() {
-		return false;
-	}
-	
+
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO()
 	 */
@@ -107,33 +100,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
 	}
 
 	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
-	 */
-	@Override
-	public String getOaType() {
-		// TODO Auto-generated method stub
-		return null;
-	}
-
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
-	 */
-	@Override
-	public String getTarget() {
-		// TODO Auto-generated method stub
-		return null;
-	}
-
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
-	 */
-	@Override
-	public String getTargetFriendlyName() {
-		// TODO Auto-generated method stub
-		return null;
-	}
-
-	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP()
 	 */
 	@Override
@@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
 		return false;
 	}
 
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
-	 */
-	@Override
-	public String getIdentityLinkDomainIdentifier() {
-		// TODO Auto-generated method stub
-		return null;
-	}
 
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier()
@@ -226,15 +184,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
 	}
 
 	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
-	 */
-	@Override
-	public String getIdentityLinkDomainIdentifierType() {
-		// TODO Auto-generated method stub
-		return null;
-	}
-
-	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox()
 	 */
 	@Override
@@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
 		return false;
 	}
 
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
+	 */
+	@Override
+	public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+	 */
+	@Override
+	public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+	 */
+	@Override
+	public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
+	 */
+	@Override
+	public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
 }
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html
index 962faa58f..c2195d300 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html
@@ -3,379 +3,9 @@
   <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
   
    <!-- MOA-ID 2.x BKUSelection Layout CSS -->               
-    <style type="text/css">
-			@media screen and (min-width: 650px) {
-			
-				body {
-					margin:0;
-					padding:0;
-					color : #000;
-					background-color : #fff;
-			  	text-align: center;
-			  	background-color: #6B7B8B;
-				}
-  
-			  #page {
-			    display: block;
-			    border: 2px solid rgb(0,0,0);
-			    width: 650px;
-			    height: 460px;
-			    margin: 0 auto;
-			    margin-top: 5%;
-			    position: relative;
-			    border-radius: 25px;
-			    background: rgb(255,255,255);
-			  }
-			  
-			  #page1 {
-			    text-align: center;
-			  }
-			  
-			  #main {
-			    /*	clear:both; */
-				  position:relative;
-			    margin: 0 auto;
-			    width: 250px;
-			    text-align: center;
-			  }
-			  
-			  .OA_header {
-			/*	  background-color: white;*/
-			    font-size: 20pt;
-			    margin-bottom: 25px;
-			    margin-top: 25px;
-			  }
-			
-			  #leftcontent {
-			    /*float:left; */
-				  width:250px;
-				  margin-bottom: 25px;
-			    text-align: left;
-			    /*border: 1px solid rgb(0,0,0);*/
-			  }
-			
-			  #leftcontent {
-				 width: 300px;
-				 margin-top: 30px;
-			  }
-      
-        h2#tabheader{
-				  font-size: 1.1em; 
-          padding-left: 2%;
-          padding-right: 2%;
-          position: relative;
-			  }
-        		  
-			  .setAssertionButton_full {
-			  	background: #efefef;
-				  cursor: pointer;
-				  margin-top: 15px;
-			    width: 100px;
-			    height: 30px
-			  }
-			
-			  #leftbutton  {
-				 width: 30%; 
-				 float:left; 
-				 margin-left: 40px;
-			  }
-			
-			  #rightbutton {
-				 width: 30%; 
-				 float:right; 
-				 margin-right: 45px; 
-				 text-align: right;
-			  }
-        
-        button {
-          height: 25px;
-          width: 75px;
-          margin-bottom: 10px;
-        }
-        
-       #validation {
-        position: absolute;
-        bottom: 0px;
-        margin-left: 270px;
-        padding-bottom: 10px;
-      }
-			
-			}
-
-      @media screen and (max-width: 205px) {
-        #localBKU p {
-          font-size: 0.6em;
-        } 
-        
-        #localBKU input {
-          font-size: 0.6em;
-          min-width: 60px;
-         /* max-width: 65px; */
-          min-height: 1.0em;
-         /* border-radius: 5px; */
-        }
-        
-      }
-
-      @media screen and (max-width: 249px) and (min-width: 206px) {
-        #localBKU p {
-          font-size: 0.7em;
-        } 
-        
-        #localBKU input {
-          font-size: 0.7em;
-          min-width: 70px;
-       /*    max-width: 75px;    */
-          min-height: 0.95em;
-        /*  border-radius: 6px;    */
-        }
-         
-      }
-
-      @media screen and (max-width: 299px) and (min-width: 250px) {
-        #localBKU p {
-          font-size: 0.9em;
-        } 
-        
-        #localBKU input {
-          font-size: 0.8em;
-          min-width: 70px;
-       /*    max-width: 75px;      */
-      /*    border-radius: 6px;  */
-        }
-
-      }
-
-      @media screen and (max-width: 399px) and (min-width: 300px) {
-        #localBKU p {
-          font-size: 0.9em;
-        } 
-        
-        #localBKU input {
-          font-size: 0.8em;
-          min-width: 70px;
-      /*     max-width: 75px;     */
-      /*    border-radius: 6px;       */
-        }
-
-      }
-      
-      @media screen and (max-width: 649px) and (min-width: 400px) {
-        #localBKU p {
-          font-size: 0.9em;
-        } 
-        
-        #localBKU input {
-          font-size: 0.8em;
-          min-width: 70px;
-      /*     max-width: 80px;       */
-     /*     border-radius: 6px;          */
-        }
-
-      }
-
-
-			
-			@media screen and (max-width: 649px) {
-				
-        body {
-					margin:0;
-					padding:0;
-					color : #000;
-			  	text-align: center;
-          font-size: 100%;
-			  	background-color: #MAIN_BACKGOUNDCOLOR#;
-				}
-        				
-			  #page {
-			     visibility: hidden;
-			     margin-top: 0%;
-			  }
-			  
-			  #page1 {
-			    visibility: hidden;
-			  }
-			  
-			  #main {
-			    visibility: hidden;
-			  }
-        
-        #validation {
-          visibility: hidden;
-          display: none;
-        }
-			  
-			  .OA_header {
-			    margin-bottom: 0px;
-			    margin-top: 0px;
-			    font-size: 0pt;
-			    visibility: hidden;
-			  }
-			
-			  #leftcontent {
-			    visibility: visible;
-			    margin-bottom: 0px;
-			    text-align: left;
-			    border:none;
-          vertical-align: middle;
-          min-height: 173px;
-          min-width: 204px;
-          
-			  }
-        
-        input[type=button] {
-/*          height: 11%;  */
-          width: 70%;
-        }
-			}
-			      
-			* {
-				margin: 0;
-				padding: 0;
-        font-family: #FONTTYPE#;
-			}
-							      			
-			#selectArea {
-				padding-top: 10px;
-				padding-bottom: 55px;
-				padding-left: 10px;
-			}
-			
-			.setAssertionButton {
-				background: #efefef;
-				cursor: pointer;
-				margin-top: 15px;
-			  width: 70px;
-			  height: 25px;
-			}
-			
-			#leftbutton  {
-				width: 35%; 
-				float:left; 
-				margin-left: 15px;
-			}
-			
-			#rightbutton {
-				width: 35%; 
-				float:right; 
-				margin-right: 25px; 
-				text-align: right;
-			}
-
-/*		input[type=button], .sendButton {
-				background: #BUTTON_BACKGROUNDCOLOR#;
-        color: #BUTTON_COLOR#;
-/*				border:1px solid #000;  */
-/*				cursor: pointer;
-/*        box-shadow: 3px 3px 3px #222222;  */
-/*			}
-			
-/*      button:hover, button:focus, button:active, 
-      .sendButton:hover , .sendButton:focus, .sendButton:active,
-      #mandateCheckBox:hover, #mandateCheckBox:focus, #mandateCheckBox:active {
-				background: #BUTTON_BACKGROUNDCOLOR_FOCUS#;
-        color: #BUTTON_COLOR#;
-/*				border:1px solid #000;                */
-/*				cursor: pointer;
-/*        box-shadow: -1px -1px 3px #222222;  */
-/*			}
-      
-*/      
-			input {
-				/*border:1px solid #000;*/
-				cursor: pointer;
-			}
-      
-      #localBKU input {
-/*        color: #BUTTON_COLOR#;  */
-        border: 0px;
-        display: inline-block;
-        
-      }
-			
-      #localBKU input:hover, #localBKU input:focus, #localBKU input:active {
-        text-decoration: underline;
-      }
-      
-			#installJava, #BrowserNOK {
-				clear:both;
-				font-size:0.8em;
-				padding:4px;
-			}
-						
-			.selectText{
-			
-			}
-			
-			.selectTextHeader{
-			
-			}
-			
-			.sendButton {
-        width: 30%;
-        margin-bottom: 1%;	
-			}
-			
-			#leftcontent a {
-				text-decoration:none; 
-				color: #000;
-			/*	display:block;*/
-				padding:4px;	
-			}
-			
-			#leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active {
-				text-decoration:underline;
-				color: #000;	
-			}
-						
-			.infobutton {
-				background-color: #005a00;
-				color: white;
-				font-family: serif;
-				text-decoration: none;
-				padding-top: 2px;
-				padding-right: 4px;
-				padding-bottom: 2px;
-				padding-left: 4px;
-				font-weight: bold;
-			}
-			
-			.hell {
-				background-color : #MAIN_BACKGOUNDCOLOR#;
-        color: #MAIN_COLOR#;	
-			}
-			
-			.dunkel {
-				background-color: #HEADER_BACKGROUNDCOLOR#;
-        color: #HEADER_COLOR#;
-			}
-			      
-			.main_header {
-			   color: black;
-			    font-size: 32pt;
-			    position: absolute;
-			    right: 10%;
-			    top: 40px;
-				
-			}
-      
-     	#alert {
-		    margin: 100px 250px;
-		    font-family: Verdana, Arial, Helvetica, sans-serif;
-		    font-size: 14px;
-		    font-weight: normal;
-		    color: red;
-	    }
-	
-	    .reqframe {
-		    /*display: none;*/
-        visibility: hidden;
-		  
-	    }
-      			                        
-    </style> 
+  <link rel="stylesheet" href="$contextPath/css/buildCSS" />
 
-	#if($timeoutURL)
+  	#if($timeoutURL)
 		<script type="text/javascript">
 			function sloTimeOut() {
 				window.location.href="$timeoutURL";
@@ -385,30 +15,31 @@
 		</script>
 	#end
 
-
   <title>Single Sign-On Session Transfer</title>
 </head>
 
+
 #if($timeoutURL)
 	<body onload='setTimeout(sloTimeOut, $timeout);'>
 #else
 	<body>
 #end
+
+<!--body-->
   <noscript>
 		<p>
 			<strong>Note:</strong> Since your browser does not support
-			JavaScript, you must press the Continue button to resume 
-			the authentication process after the SSO session transfer from smartphone to application is complete.
+			JavaScript, you must press the Continue button once to proceed.
 		</p>
-		
-		<a href="$timeoutURL">Press this link to resume</a>
+    
+    <a href="$timeoutURL">Press this link to resume</a>
 	</noscript>
 
   <div id="page">
 		<div id="page1" class="case selected-case" role="main">
 			<h2 class="OA_header" role="heading">MOA-ID Single Sign-On Session Transfer Service</h2>
 			<div id="main">
-				<div id="leftcontent" class="hell" role="application">
+				<!--div id="leftcontent" class="hell" role="application"-->
           
           #if($errorMsg)
 	         <div class="alert">
@@ -421,26 +52,26 @@
 		        <p>$successMsg</p> 
 	         </div>	
 	        #end
-	        
-	        #if($QRImage)
+          
+          #if($QRImage)
 	         <div>
-	         	<img src="data:image/gif;base64,$QRImage">
+	         	<img id="qrCode" src="data:image/gif;base64,$QRImage">
 	         </div>	
 	        #end
-	        
-				</div>
+          
+				<!--/div-->
 			</div>
 		</div>
-		<div id="validation">
+		<!--div id="validation">
 			<a href="http://validator.w3.org/check?uri="> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
+				src="$contextPath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
 				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
-		</div>
+		</div-->
 	</div>
 
 </body>
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
index fe859c7bc..8ca087e1d 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
@@ -232,6 +232,14 @@ public class Tests {
 	 */
 	public static void main(String[] args) {
 		
+		String org_resp = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8+PGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwycDpTdGF0dXM+PHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM+PHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU+TWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI+PHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+RHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+bW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+WndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+";		
+		String org_req =  "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8%2BPGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BcVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM%2BPHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU%2BTWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U%2BaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI%2BPHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ%2BPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BPC9zYW1sMjpBdXRobkNvbnRleHQ%2BPC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BRHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BbW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BWndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMjwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sMjpBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B";
+		String req = java.net.URLEncoder.encode(org_resp);
+
+		System.out.println(org_resp);
+		System.out.println(req);
+		System.out.println(org_req);
+				
 		
 		/*
 		 * Test verifyable random functions with RSA
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index d3ebffdfd..99d5d9063 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.URLEncoder;
 
 @Service("SAML1_GetArtifactAction")
@@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction {
 			
 			String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID);
 			
+			String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class);
+			
 			if (authData.isSsoSession()) {
-				String url = req.getAuthURL() + "/RedirectServlet";
+				String url = req.getAuthURL() + RedirectServlet.SERVICE_ENDPOINT;
 				url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8"));
-				if (!oaParam.getBusinessService())
+				if (MiscUtil.isNotEmpty(oaTargetArea))
 					url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, 
 							URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
 				url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
@@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction {
 				
 			} else {
 				String redirectURL = oaURL;		
-				if (!oaParam.getBusinessService()) {
+				if (MiscUtil.isNotEmpty(oaTargetArea)) {
 					redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET,
 					URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
 
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index df8f13544..bf4a55e46 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
 import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
@@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.ITransactionStorage;
 import at.gv.egovernment.moa.id.util.Random;
@@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 			
 			//set prPersion
 			boolean provideStammzahl = saml1parameter.isProvideStammzahl() 
-					|| oaParam.getBusinessService();
+					|| oaParam.hasBaseIdTransferRestriction();
 			
 			String prPerson = "";
 			String ilAssertion = "";
@@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 				id.setValue(value  );
 								
 				if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) &&  
-						saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) {					
+						saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) {					
 					//add baseID if it is requested and available and SP is publicService 
 					value.setValue(authData.getIdentificationValue());
 					id.setType(authData.getIdentificationType());
@@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 					try {
 															
 						ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes(
-								authData.getMISMandate(), oaParam.getBusinessService(), 
+								authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(), 
 								saml1parameter.isProvideStammzahl());
 						
 						if (extendedSAMLAttributes != null) {
@@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 						ilAssertion, 
 						authData.getBkuURL(), 
 						signerCertificateBase64, 
-						oaParam.getBusinessService(),  
+						oaParam.hasBaseIdTransferRestriction(),  
 						oaAttributes, 
 						useCondition, 
 						conditionLength);
@@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 					ilAssertion, 
 					authData.getBkuURL(),
 					signerCertificateBase64,
-					oaParam.getBusinessService(),
+					oaParam.hasBaseIdTransferRestriction(),
 					authData.getExtendedSAMLAttributesOA(), 
 					useCondition,
 					conditionLength);
@@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 				
 				prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
 				if (physical
-						&& oaParam.getBusinessService()
+						&& oaParam.hasBaseIdTransferRestriction()
 						&& identificationType != null
 						&& Constants.URN_PREFIX_BASEID
 								.equals(identificationType)) {
 					// now we calculate the wbPK and do so if we got it from the
 					// BKU
 					
-
-					//load IdentityLinkDomainType from OAParam 
-					String type = oaParam.getIdentityLinkDomainIdentifier();	
-					if (type.startsWith(Constants.URN_PREFIX_WBPK + "+"))
-						identificationType = type;
-					else
-						identificationType = Constants.URN_PREFIX_WBPK + "+"
-								+ type;
-					
-					
-					identificationValue = new BPKBuilder().buildWBPK(
-							identificationValue, identificationType);
-					ParepUtils
-							.HideStammZahlen(prPerson, true, null, null, true);
+					//load IdentityLinkDomainType from OAParam 					
+					Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+							identificationValue, oaParam.getAreaSpecificTargetIdentifier());					
+					identificationValue = targedId.getFirst();
+					identificationType = targedId.getSecond();
+					 																	
+					ParepUtils.HideStammZahlen(prPerson, true, null, true);
 				}
 			}
 			
@@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 		
 		try {						
 			boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl();
-			String oatargetType;			
-	        if(oaParam.getBusinessService()) {
-	        	if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
-	        		oatargetType = oaParam.getIdentityLinkDomainIdentifier();
-	        	else
-	        		oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier();
-	        	
-	        } else {
-	        	oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
-	        	
-	        }
-			
+			String oatargetType = oaParam.getAreaSpecificTargetIdentifier();			
 			Element prIdentification = (Element) prPerson.
 					getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0);
 	        
@@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 						String baseid = getBaseId(prPerson);
 						Element identificationBpK;
 						if (MiscUtil.isNotEmpty(baseid)) {
-							identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget());
+							identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType);
 							
 							if (!provideStammzahl) {
 								prIdentification.getFirstChild().setTextContent("");
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 37d66d29b..19fadb318 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
@@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
 		
 		//preProcess SAML1 Request
 		preProcess(req, resp, pendingReq);
-			
+		
 		performAuthentication(req, resp, pendingReq);
 		return;
 				
@@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
 			
 			if (MiscUtil.isNotEmpty(target)) {
 				pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target);
-				pendingRequest.setTarget(target);
+				pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target);
+			
+			} else {
+				String targetArea = oaParam.getAreaSpecificTargetIdentifier();
+				pendingRequest.setTarget(targetArea);
+				
+				if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+					pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, 
+							targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length()));
 				
-			}
-			else {
-				pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget());
-				pendingRequest.setTarget(oaParam.getTarget());
 				
 			}
+				
 	
 			//AuthnRequest needs authentication
 			pendingRequest.setNeedAuthentication(true);
diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java
index b232b9512..fdc1c9cc1 100644
--- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java
+++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java
@@ -30,6 +30,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -58,11 +59,9 @@ public class MonitoringController {
 			    throws ServletException, IOException{
 		  
 		  if (authConfig.isMonitoringActive()) {
-			Logger.debug("Monitoring Servlet received request");
-
-			
+			Logger.debug("Monitoring Servlet received request");					
+			String modulename = StringEscapeUtils.escapeHtml(req.getParameter(REQUEST_ATTR_MODULE));
 			
-			String modulename = req.getParameter(REQUEST_ATTR_MODULE);
 			if (MiscUtil.isEmpty(modulename)) {
 			
 				List<String> error = tests.executeTests();
diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
index 6372fefa8..a56be1f46 100644
--- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
+++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
@@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface {
 					domVerifyXMLSignatureResponse).parseData();
 		
 			DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
-			oaParam.setBusinessService(true);
+			oaParam.setHasBaseIdProcessingRestriction(true);
+			oaParam.setHasBaseIdTransfergRestriction(true);
 			
 			VerifyXMLSignatureResponseValidator.getInstance().validate(
 					verifyXMLSignatureResponse,